Every organization today wants to be secure; it's just a given at this point. With so much potential for cyber-attacks, and the focus on credentials, the need for AD security is critically important. And given the expansion from on-premises AD to one synced with Azure AD, either for use with Office 365 or with Azure AD-compatible applications, today's organizations are even more at risk.
In Conversational Hybrid AD Security, the "parent" to this mini-edition book, I pointed out that because your hybrid AD's security is based on the security configuration of your on-premises AD, it's necessary to put even more focus on the state of on-prem AD security to ensure a protected stance overall.
And that's what this mini-edition book is all about: Assessing the current state of your hybrid AD environment and how secure it is.
Performing a regular assessment of your hybrid AD security posture provides a few benefits to the organization:
To give you some sense of what you should be assessing, the rest of this book will cover four distinct assessment areas of your Hybrid AD environment that need to be scrutinized:
The overarching goal here is to look at your domain from a high level, and ensure the domain and its services are intact, that there are no signs of compromise, and that there are no unauthorized changes to the overall configuration.
Start with a simple overview of the domain and the objects it contains. During a cyber-attack, bad guys will misuse accounts with access to create objects in AD; they will create additional users they can leverage to obfuscate their dastardly activities. So, build a report that helps you understand the number of OUs, users, groups, computers, etc.
Without third-party tools, this is likely going to fall to PowerShell commands like the following as part of your reporting:
(Get-ADUser -Filter *).Count
Now, you already have a handle on the growth of new computers and users, so you should have some idea of whether the counts look right with each assessment.
Another part of your AD to review is the configuration of your domain controllers – because these boxes are the lifeblood of AD, this is more critical to service availability than it is security, but since you're already doing an assessment, it's a good time to check your FSMO roles, AD sites, etc.
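The overview and domain controller checks above, as an added example that is not from the book: it snapshots object counts, FSMO role holders and AD sites, compares them with the previous assessment's snapshot, and then saves the new one. It assumes the RSAT ActiveDirectory module and the constructed baseline path.

```powershell
# Added example: domain overview snapshot with comparison to the last assessment.
# Assumes the RSAT ActiveDirectory module; the baseline path is a constructed value.
Import-Module ActiveDirectory

$BaselinePath = 'C:\ADAssessment\baseline.json'   # assumed location of the previous snapshot

function Get-DomainOverview {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('s')
        # Object counts: unexplained growth in users or computers is worth a question
        OUs       = @(Get-ADOrganizationalUnit -Filter *).Count
        Users     = @(Get-ADUser -Filter *).Count
        Groups    = @(Get-ADGroup -Filter *).Count
        Computers = @(Get-ADComputer -Filter *).Count
        # FSMO role holders: a change here without a planned transfer is a finding
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Sites                = ($forest.Sites | Sort-Object) -join ';'
    }
}

function Compare-DomainOverview {
    param([pscustomobject]$Current, [pscustomobject]$Baseline)
    foreach ($name in $Current.PSObject.Properties.Name) {
        if ($name -eq 'Timestamp') { continue }
        $old = $Baseline.$name
        $new = $Current.$name
        # String comparison keeps numbers and names on the same footing
        if ("$old" -ne "$new") {
            [pscustomobject]@{ Setting = $name; Previous = $old; Current = $new }
        }
    }
}

$current = Get-DomainOverview
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $changes  = Compare-DomainOverview -Current $current -Baseline $baseline
    if ($changes) { $changes | Format-Table -AutoSize } else { 'No changes since the last assessment.' }
}
$null = New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run it once to create the baseline; every later run reports only what changed since the previous assessment.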
This takes the premise of assessing the state of the domain into the realm of security. Here, you want to review every part of the domain where a simple misconfiguration can create a gap in security.
So, what configuration detail needs assessing?
The list below provides some guidance on areas you should be assessing – some are obvious, while others may surprise you:
Attackers typically gain access through an endpoint, and work to both compromise accounts with elevated privileges and gain access to systems via SMB, RDP, and other access methods.
Assessing your domain's security configuration is one way to look for gaps in security that an attacker could take advantage of.
Much of this section involves manual work, using a number of disparate tools and consoles, or an equally disparate number of PowerShell cmdlets.
But, beyond the rather large amount of work (or scripting, as the case may be) needed to complete this kind of assessment, the only way to spot changes with this approach is to compare one assessment report against the previous one. This is going to be difficult at best, and the delay will increase your chances of being compromised, making third-party solutions a viable choice to simplify this process.
This part of your assessment digs MUCH deeper, looking at just about every single account in your domain that has rights to anything of value to an attacker. It should be noted that this assessment isn't about the rights your security principals have – that's in the next section. Here, I'm more concerned about whether your security principals themselves are secure and are configured properly.
So, what security principal detail should you assess?
In general, you are looking for any kind of foothold (in the form of an insecure configuration) an attacker can exploit, as well as any indication that an attacker may have already exploited a security principal. This includes:
Once again, turning to PowerShell with cmdlets like Get-ADUser and Get-ADGroup is the obvious choice to speed up the process of collecting the needed information. For example, the following command would provide the password last changed date and time for a given set of users:
Get-ADUser -Filter * -Properties PasswordLastSet
However, if you are looking for a consolidated or formatted report (or both), you're either going to need to work some real powerful PowerShell voodoo, or turn to third-party solutions to centrally capture this detail.
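The "consolidated or formatted report" the paragraph above mentions, as an added example that is not from the book: it turns the one-line Get-ADUser query into a per-account password-age report with a finding column and a CSV export. The 90-day threshold, the extra PasswordNeverExpires check and the output path are assumptions for this example.

```powershell
# Added example: consolidated password-age report built on Get-ADUser.
# Assumes the RSAT ActiveDirectory module; threshold and path are constructed values.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                                # assumed policy threshold
$ReportPath = 'C:\ADAssessment\password-age.csv'        # constructed output location

function Get-PasswordAgeReport {
    param([int]$MaxAgeDays = $MaxPasswordAgeDays)
    $now = Get-Date
    Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $u = $_
            # PasswordLastSet is $null when the password was never set or the account
            # is flagged "must change password at next logon"; report it rather than skip it
            $age = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
            $finding = if ($null -eq $age) { 'PasswordLastSet is empty' }
                       elseif ($u.PasswordNeverExpires) { 'Password never expires' }
                       elseif ($u.Enabled -and $age -gt $MaxAgeDays) { "Password older than $MaxAgeDays days" }
                       else { '' }
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordLastSet      = $u.PasswordLastSet
                PasswordAgeDays      = $age
                PasswordNeverExpires = $u.PasswordNeverExpires
                Finding              = $finding
            }
        }
}

$report = Get-PasswordAgeReport
# On screen: only the accounts with a finding, oldest passwords first
$report | Where-Object Finding | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
# On disk: the full data set, so the next assessment can be compared with this one
$null = New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```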
In lieu of auditing and detecting changes made to AD, performing periodic assessments to report on who has access to what is critical. And even with some form of monitoring of changes made in place, you still need to have visibility into the overall state of access presented in a way that provides stakeholders with intelligence and insight to make good decisions on what needs changing.
So, what privileges should you be assessing?
Let's dig into this.
Because your organization is utilizing Azure, it's important to note you may want to also consider assessing the privileges assigned to Azure resources that potentially give access to the rest of your environment, such as VMs and disk storage. Having access to these can potentially be the equivalent to physical access to a Domain Controller or Server.
When you take the resource-centric route, you may find some success with PowerShell or even application-specific consoles to provide you with needed privilege details. However, going user-centric is just about impossible to do manually because none of the detail resides in AD. This means you need to somehow query each and every system, application, and data set, inquiring as to whether a given user has permissions anywhere in each system – a task even the best PowerShell guru will find challenging.
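The resource-centric and user-centric views described above, plus the Azure resource privileges mentioned earlier, as an added example that is not from the book: it expands the membership of a set of privileged AD groups recursively, pivots the result per principal, and lists Azure role assignments that grant control of VMs and disks. The group list, the Azure role list and the presence of an Az session (Connect-AzAccount) are assumptions for this example.

```powershell
# Added example: privileged group membership (AD) and VM/disk-level roles (Azure).
# Assumes the RSAT ActiveDirectory module and, for the last part, the Az module
# with an existing Connect-AzAccount session. Group and role lists are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-PrivilegedGroupReport {
    foreach ($g in $PrivilegedGroups) {
        # -Filter returns nothing (no error) where a group does not exist,
        # e.g. Enterprise/Schema Admins outside the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$g'"
        if (-not $group) { continue }
        # -Recursive expands nested groups so indirect members are not missed
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
        }
    }
}

# Resource-centric view: who is in each privileged group
$rows = Get-PrivilegedGroupReport
$rows | Sort-Object Group, Member | Format-Table -AutoSize

# User-centric pivot: which privileged groups each principal ends up in
$rows | Group-Object Member | ForEach-Object {
    [pscustomobject]@{
        Member = $_.Name
        Count  = $_.Count
        Groups = ($_.Group.Group | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Azure side: role assignments that can control VMs or their disks in the current
# subscription, which the book equates with physical access to a server
$AzureRoles = 'Owner', 'Contributor', 'Virtual Machine Contributor'
Get-AzRoleAssignment |
    Where-Object { $_.RoleDefinitionName -in $AzureRoles } |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName, DisplayName | Format-Table -AutoSize
```

The AD part still only covers AD; permissions held inside applications and data sets, as the text notes, have to be queried from each of those systems separately.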
That last bit about assessing privileges not necessarily within your hybrid AD raises the question of what else has been extended to the cloud and whether it is secure. Staying within the realm of Microsoft alone, there is your Office 365 implementation that includes your OneDrive environment, Teams, SharePoint Online, and more. In most cases, this all ties back one way or another to your hybrid AD within Azure. But be certain you've considered your specific implementation to ensure this extended environment – which is probably more susceptible to attack than your on-prem environment – is secure.
Assessing the state of your hybrid AD's security is critical to understanding where your risks are, and what needs to change to improve your security stance. While it's possible to compile just about every piece of information highlighted in this book using PowerShell, it isn't necessarily the right way to do it. You can dig a 6' x 6' x 6' hole in the ground with a teaspoon, but that doesn't make it the right tool for the job.
The goal of an assessment is not the gathering of all the data; it's about making sense of the information gathered and making good business decisions based on it. And as the assessment data set grows, so will the complexity necessary to make sense of it.
No matter your methods – whether DIY or using a third-party solution, assessments need to be done on a regular basis, making automation key to their success. Find a way to properly put a complete view of the state of your AD in view quickly and efficiently, and you're well on your way to a more secure hybrid AD.
The success of an assessment is solely based on the value of the detail gathered. If the act of reviewing the assessment data takes days to correlate and cross-reference data points, it's likely there's no real insight provided, keeping your organization from making good decisions to improve security.
Quest Enterprise Reporter provides visibility into the configuration, settings, and security of your hybrid AD and Windows environments. It's a scalable solution for auditing, analyzing and reporting on your most critical systems and resources, including, but not limited to:
With its complete visibility and turnkey in-depth reporting, the process of gathering needed information becomes fully automated and scheduled – making assessments a fast, simple, and repeatable task.
If you have a domain migration or consolidation, Enterprise Reporter can help ensure a smooth migration by inventorying what needs to be migrated and cleaning up what doesn't need to migrate.
And if you haven't made the leap to Office 365 just yet, Quest UC Analytics, a solution similar in strengths to Enterprise Reporter, focuses not only on Exchange on-premises and Exchange Online, but also on your Skype for Business and Cisco environments. It has the ability to identify who has access to mailboxes, who is sending off emails, who is a member of a distribution group, how active those groups are, inactive mailboxes, the size of the mailboxes, and much more.
UC Analytics also goes beyond pre-migration analysis, giving organizations insight into their UC investments by looking at adoption rates of the technologies that Office 365 provides.
With Quest Enterprise Reporter and UC Analytics it's easy to perform compliance and security assessments, and pre- and post-migration analyses - enabling your Hybrid AD, Exchange and Windows environment to be more secure and efficiently managed.