Diamond IT Blog

How healthy is your Active Directory?

Written by Martin Thurgate | April 5, 2017

Active Directory (or AD as it’s commonly referred to in the IT world) is the centrepiece of your Windows network’s security, but if you’re like most people, you’ve probably never heard of it. If you have heard of it, chances are it was only mentioned by your IT provider in vague terms – something to do with usernames and passwords, right?

But do you know how healthy your Active Directory environment is? Does your IT provider share this information with you?

Active Directory is a directory service for Microsoft Windows domain networks. It’s part of the Windows Server operating system, and it stores directory data (users, groups, computers and the policies that apply to them) and handles user logon and authentication, which a wide range of related services such as email rely on.

So it’s a really big deal!

If something goes wrong with Active Directory, your whole network will basically stop working.

It’s a continual surprise to me when I’m asked to perform audits of business networks, how poorly these essential services are maintained by most IT providers. It’s not uncommon to see user accounts from 10 years ago still active on the network, or standard staff accounts with the highest level of privileges (called domain administrator).

These examples and many others are like leaving home with your windows wide open. Sure, you may be lucky and avoid being burgled, but you’re certainly inviting a lot of trouble!

Below are common examples of an unhealthy Active Directory, and what it means to your business:

  • No proper password policy configured: The default settings for a new Windows Server domain are very basic, and it takes expert knowledge to tighten them. Arguably the most important of these is the Password Policy, which controls attributes of user passwords such as minimum length, complexity requirements and how many old passwords are remembered, along with the account lockout settings that limit repeated wrong guesses. Out of the box the minimum length is only 7 characters and there is no account lockout at all. It’s absolutely essential that a sensible Password Policy is in place, because a brute force attack (which I’ve explained in detail here) is specifically designed to target users with weak passwords, such as ‘Password1’. A proper Password Policy ensures that you’re not an easy target.
  • 3rd Party Vendor accounts: For a variety of reasons, 3rd party hardware and software vendors may need a special account configured for some specific purpose, like a multi-function printer that scans to email. But all too often, lazy IT providers set up these accounts with full domain administrator rights, as well as remote access. To compound the problem, they often use simple username and password combinations, like username: printer with password: printer. An account like this only needs the minimum rights for its one task, and no remote or interactive logon at all. Set up with domain administrator rights and a guessable password, you’re not just leaving the windows open, you’re leaving the front door open too!
  • Domain users with full Local Administrator access on PCs/Laptops: This one is a little technical, but in simple terms, your Windows PC/Laptop has its own security database, with the highest level of local access called the Local Administrators group. Lazy IT providers often include all domain user accounts in the Local Administrators group, thereby granting users the ability to do pretty much whatever they want on the local PC/Laptop! While this is usually done for convenience, it’s a gaping security hole: if a user accidentally executes something they shouldn’t (like a virus), it runs with full control of the machine, and the damage will be significantly greater than if the user doesn’t belong to the Local Administrators group. There are a variety of techniques you can use to maintain ease of use whilst keeping the PC/Laptops secure, so there’s really no excuse for this poor IT hygiene.
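The checks below are an added example, not a script from the original post or from Diamond IT. They look for each of the three problems listed above, plus the stale accounts mentioned earlier, using the standard Active Directory and LocalAccounts PowerShell modules (RSAT on a domain-joined machine with Windows 10 / Server 2016 or later). The thresholds (12-character minimum, 180 days inactive, 24 remembered passwords) are assumed baselines for this example, not Microsoft defaults or a Diamond IT recommendation; adjust them to your own standard.

```powershell
# Added example: read-only Active Directory health check for the issues described above.
# Assumes the RSAT ActiveDirectory module and, for the local check, the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).
Import-Module ActiveDirectory

# 1. Password policy: compare the default domain policy against an assumed baseline.
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($policy.MinPasswordLength -lt 12)    { $findings += "MinPasswordLength is $($policy.MinPasswordLength) (want >= 12)" }
if (-not $policy.ComplexityEnabled)      { $findings += "Password complexity is disabled" }
if ($policy.LockoutThreshold -eq 0)      { $findings += "No account lockout threshold: brute force guessing is unthrottled" }
if ($policy.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount) (want >= 24)" }

# 2. Stale accounts: enabled users with no logon in 180 days (assumed threshold).
#    LastLogonTimestamp replicates with up to ~14 days of skew, so treat this as a guide.
$stale = Search-ADAccount -AccountInactive -TimeSpan 180.00:00:00 -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate

# 3. Domain Admins membership, flattened through nested groups. Every entry should be a
#    named administrator; a vendor or service account (like 'printer') does not belong here.
#    -Recursive returns leaf objects (users and computers), so keep only user objects.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate

# 4. Local Administrators on this PC: a domain-wide group here means every domain
#    account is a local administrator of the machine.
$localAdmins     = Get-LocalGroupMember -Group 'Administrators'
$broadLocalAdmin = $localAdmins | Where-Object {
    $_.ObjectClass -eq 'Group' -and $_.Name -match '\\(Domain Users|Authenticated Users|Everyone)$'
}

# Report
"== Password policy findings ($($findings.Count)) =="
$findings | ForEach-Object { " - $_" }
"== Enabled accounts inactive for more than 180 days ($(@($stale).Count)) =="
$stale | Format-Table -AutoSize
"== Domain Admins, including nested membership ($(@($domainAdmins).Count)) =="
$domainAdmins | Format-Table -AutoSize
"== Over-broad entries in local Administrators ($(@($broadLocalAdmin).Count)) =="
$broadLocalAdmin | Format-Table Name, ObjectClass -AutoSize
```

Run it as a domain user that can read the directory; none of the cmdlets change anything. Section 4 only inspects the machine the script runs on, so to audit a fleet run that part through your remote management tooling or a logon script. If your domain uses fine-grained password policies, check those as well with Get-ADFineGrainedPasswordPolicy -Filter *, because they override the default domain policy for the users they apply to.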

In recent times, ransomware attacks have changed strategy from primarily email/spam based to botnets that directly try to break into your network through its remote access services. It’s not uncommon for exposed systems to receive thousands of brute force logon attempts, and without a healthy Active Directory (strong passwords, account lockout, no forgotten or over-privileged accounts) it’s only a matter of time before one of them succeeds and you become the victim of a cyber attack.
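To see whether those brute force attempts are hitting your own network, the Windows Security log is the place to look: every failed logon is recorded as event 4625. The script below is an added example, not part of the original post; it summarises the last 24 hours of failed logons on the machine it runs on (a domain controller or remote access server is the useful place), grouped by source address. It assumes an elevated session, since reading the Security log requires administrator rights, and that failed-logon auditing is enabled, which it is by default for domain controllers.

```powershell
# Added example: summarise failed logons (Security event 4625) over the last 24 hours.
# Run in an elevated PowerShell session on a domain controller or remote access server.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # Get-WinEvent errors when no events match

# Pull the named fields out of each event's XML rather than relying on property positions.
$rows = foreach ($event in $failed) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $event.TimeCreated
        Account   = $data['TargetUserName']
        SourceIP  = $data['IpAddress']
        LogonType = $data['LogonType']   # 3 = network, 10 = RemoteInteractive (Remote Desktop)
        SubStatus = $data['SubStatus']   # 0xC000006A = wrong password, 0xC0000064 = no such user
    }
}

# Many failures from one address spread across many account names is the classic
# brute force (or password spraying) signature; a single user mistyping looks very different.
$summary = $rows | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Attempts = $_.Count
            Accounts = @($_.Group.Account | Sort-Object -Unique).Count
            Unknown  = @($_.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
        }
    }

"Failed logons since $since : $(@($rows).Count)"
$summary | Format-Table -AutoSize
```

A high Unknown count (accounts that do not exist) alongside a high Attempts count from one address is an attacker working through a word list, not a user who has forgotten their password. Those addresses are the ones to block at the firewall, and the account names they are hitting are the ones to check against the password policy and stale-account findings above.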

How can Diamond help?

If you’re concerned about how healthy your Active Directory may be, or about any other aspect of your network’s security, contact us today. Please fill out the inquiry form below, call us on 1300 307 907, or take our online security assessment below to gauge how vulnerable your business may be.


Diamond ICT Security Assessment

Take our tailored Security Assessment to gauge how protected your business is from potential online attacks...