10 Active Directory Best Practices to Enhance Security and Performance
You may think that Active Directory and Azure Active Directory manage identity well enough on their own, making Active Directory best practices redundant. On their own, Microsoft Active Directory (AD) and Azure AD do bring organization and standards to how identity and account data are managed and stored. However, the system-provided AD and Azure AD capabilities are more limited than you may realize.
Here are 10 Active Directory best practices to help you clean up your Microsoft AD and Azure AD user account data:
1. Perform Regular Account Analysis
One of the most effective ways to maintain a clean and secure AD and Azure AD environment is to review user accounts regularly. By reviewing account properties before an audit, you can quickly find and remediate many of the issues auditors raise, including identifying and filtering out non-compliant user accounts.
2. Link Accounts to Employee Records
Another Active Directory best practice is linking every account (including non-human accounts, such as those created for services and applications) to an actual user. Your primary focus should be on accounts created for people (e.g., end users, contractors, administrators, etc.), and most importantly, linking every employee account to the employee’s master record in your HR system. Why? So that employees’ access to the network can be tied to their status and role within the organization. That way, whenever an employee’s role within your organization changes, HR can find their account and change their status and entitlements accordingly.
3. Monitor New Accounts
When you give numerous people in your IT department the authority to create accounts, you’ll inevitably end up with accounts that serve no purpose to the organization. A common strategy among hackers is to create such accounts to mask their activity and keep multiple entry points into an organization’s environment. The only way to keep these kinds of intrusions at bay is to monitor all account creation: identify who created each account, determine whether the creator still works for your company, and confirm why the account was created and whether it is still necessary. By monitoring new accounts, you limit hackers’ access to your environment.
4. Automate Account Maintenance
Automation of account creation can help ensure that new accounts are created according to your standards since the process reduces the potential for human error. Typical account creation includes the following steps:
- Create the account in AD
- Set identity attributes (job title, phone numbers, etc.)
- Create the account’s mailbox in Microsoft Exchange/Office 365
- Add the account to groups that are appropriate to the user’s role
- Register the AD account in other applications, as necessary
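The following is an added example (not code from the article) of the provisioning steps above carried out from an HR record, so that each new account is also tied to the employee's master record as practice 2 recommends. It assumes the ActiveDirectory module and an on-premises Exchange Management Shell are loaded; the OU, UPN suffix, and role-to-group mapping are placeholders.

```powershell
Import-Module ActiveDirectory

# Role -> AD groups. Assumed names; replace with your own role model.
$RoleGroups = @{
    'Accounts Payable' = @('GG-Finance-Users', 'GG-AP-App')
    'Help Desk'        = @('GG-HelpDesk', 'GG-Remote-Support')
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string]$EmployeeId,   # key of the HR master record
        [Parameter(Mandatory)] [string]$GivenName,
        [Parameter(Mandatory)] [string]$Surname,
        [Parameter(Mandatory)] [string]$Role,
        [string]$Title, [string]$Phone,
        [string]$Ou = 'OU=Staff,DC=example,DC=com'    # placeholder OU
    )
    # Fail early on an unknown role instead of creating a group-less account
    if (-not $RoleGroups.ContainsKey($Role)) { throw "No group mapping for role '$Role'" }
    # One account per employee: refuse to create a second one for the same HR record
    if (Get-ADUser -Filter "employeeID -eq '$EmployeeId'") {
        throw "EmployeeID $EmployeeId already has an AD account"
    }
    # Naming standard: first initial + surname, lower case, sAMAccountName limit of 20
    $sam = ("{0}{1}" -f $GivenName.Substring(0, 1), $Surname).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    # Random one-time password from a CSPRNG; the user must change it at first logon
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPw = [Convert]::ToBase64String($bytes)

    $props = @{
        Name = "$GivenName $Surname"; SamAccountName = $sam
        UserPrincipalName = "$sam@example.com"          # placeholder UPN suffix
        GivenName = $GivenName; Surname = $Surname
        EmployeeID = $EmployeeId                         # the link back to HR
        Path = $Ou; Enabled = $true; ChangePasswordAtLogon = $true
        AccountPassword = (ConvertTo-SecureString $initialPw -AsPlainText -Force)
    }
    if ($Title) { $props.Title = $Title }               # identity attributes only if supplied
    if ($Phone) { $props.OfficePhone = $Phone }
    New-ADUser @props
    Enable-Mailbox -Identity $sam | Out-Null             # on-prem Exchange mailbox
    foreach ($g in $RoleGroups[$Role]) { Add-ADGroupMember -Identity $g -Members $sam }
    return $sam
}

# Usage: the HR feed supplies these values; constructed sample record
New-StandardUser -EmployeeId 'E10042' -GivenName 'Ada' -Surname 'Example' `
    -Role 'Help Desk' -Title 'Support Analyst' -Phone '+1 555 0100'
```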
5. Handle Departed Users and Role Changes
Ghost or orphaned user accounts are another huge security risk among organizations that use system-provided AD management tools. Organizations often fail to disable user accounts or to change entitlements when users leave the company. Many believe that searching for accounts that haven’t been logged into recently is a good enough process for handling departed user accounts. But it’s not. If a terminated person is still accessing the network, their account will not show up as dormant and will not be included in the dormant-account report.
With an approach that considers the full AD-account lifecycle, from hiring to departure and all steps in between, this problem can be eliminated. The following are three ways to effectively deal with status changes, in descending order of preference:
- Most organizations have a clearly defined and strictly executed process for removing a user’s physical access to the building; make disabling the user’s AD account part of this process.
- If your HR application includes workflow, automate it to send an email to administrators when a user is terminated, moves to a new role or reports to a different manager.
- Most HR applications allow you to schedule automatic report delivery; schedule a daily report of terminations and job changes that is delivered to account admins.
The bottom line is that timely updates to account disablement and permission status are required for compliance with industry and government requirements.
6. Handle Dormant Accounts
Thanks to the lastLogonTimestamp attribute, handling dormant accounts is relatively easy. Because this attribute is replicated between domain controllers (every seven days), you can query any domain controller to see each account’s last logon time, which helps to identify dormant users.
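An added example (not from the article) that turns the lastLogonTimestamp check into a dormant-account report. It assumes the ActiveDirectory module; the 90-day threshold is a placeholder, and because the attribute is only replicated periodically the threshold should be well above that replication interval.

```powershell
Import-Module ActiveDirectory

function Get-DormantUser {
    param([int]$InactiveDays = 90)   # keep this larger than the replication interval
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter 'enabled -eq $true' `
        -Properties lastLogonTimestamp, whenCreated, passwordLastSet |
      ForEach-Object {
        if ($_.lastLogonTimestamp) {
            # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01, UTC)
            $last   = [DateTime]::FromFileTime($_.lastLogonTimestamp)
            $reason = 'stale'
        } else {
            # No value at all means the account has never logged on anywhere since
            # creation; judge it by its age rather than silently skipping it
            $last   = $_.whenCreated
            $reason = 'never-logged-on'
        }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                LastLogon         = $last
                Reason            = $reason
                PasswordLastSet   = $_.passwordLastSet
                DistinguishedName = $_.DistinguishedName
            }
        }
      }
}

# Report first; disable only after the account owner (practice 2) has been consulted
$dormant = Get-DormantUser -InactiveDays 90
$dormant | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, Reason

# Dry run of the remediation; drop -WhatIf once the list has been reviewed
$dormant | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Remember the caveat from practice 5: an account a departed user is still using never appears in this report, so the report complements the HR-driven termination process rather than replacing it.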
7. Manage Non-human Accounts
Not all accounts directly correspond to a person. For instance, many organizations are turning to Robotic Process Automation (RPA) that can imitate human activities across digital tools to handle repetitive, mundane and time-consuming tasks and processes. These accounts often have privileged access to servers and data, and therefore need to be secured.
In IT audits, it’s not uncommon to discover privileged accounts that are at risk for the following reasons:
- No one is sure about an account’s purpose or why it exists
- Despite the departure of many administrators, an account’s password has not been updated, for fear of breaking an application somewhere on the network
- The account has authority to log on interactively
Non-human accounts should never be allowed to log on interactively. When you disable interactive logons, you prevent administrators (who know the account’s password) from logging on as that account and acting without individual accountability.
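Prevention is a Group Policy matter (the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights); the added example below (not from the article) is the matching detection: it flags Security event 4624 logons of interactive types by accounts in a service-account OU, so anyone using a non-human account's password at a console or over RDP becomes visible. It assumes the ActiveDirectory module, that service accounts live in one OU, and that the script is run against each server whose Security log matters (a 4624 event is recorded on the machine logged on to, not centrally); the OU and time window are placeholders.

```powershell
Import-Module ActiveDirectory

$ServiceAccountOu = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder OU
# 4624 logon types that imply a human at a keyboard: 2 console, 10 RDP, 11 cached
$InteractiveTypes = @('2', '10', '11')

function Find-ServiceAccountInteractiveLogon {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    # Build the set of non-human account names once
    $svc = Get-ADUser -Filter * -SearchBase $ServiceAccountOu |
           ForEach-Object { $_.SamAccountName.ToLower() }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue          # no matching events is not an error
    foreach ($e in $events) {
        # Read the EventData fields by name instead of relying on their position
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $user = "$($d['TargetUserName'])".ToLower()
        if ($InteractiveTypes -contains $d['LogonType'] -and $svc -contains $user) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = $d['TargetUserName']
                LogonType   = $d['LogonType']
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                Computer    = $e.MachineName
            }
        }
    }
}

# Any row here is a policy violation worth tracing back to the person who knew the password
Find-ServiceAccountInteractiveLogon -Hours 24 | Format-Table -AutoSize
```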
8. Control Exceptions
There are legitimate exceptions to standards for user accounts. For instance, you might have an application that requires a user account with a specific name that violates your normal naming convention. For situations such as this one, you need a way to document legitimate, approved exceptions. The best way is with an OU named Exceptions or by flagging exception accounts in the Description or Notes fields. But simply labeling an account as an exception is not enough; the account’s purpose and owner should be documented.
9. Control Admin Authority
One reason AD is often littered with unnecessary or mystery accounts is that too many people have the authority to create user accounts. Controls over new-account creation are crucial for security and compliance, so to enforce this Active Directory best practice the number of people who can create accounts must be kept to just a few trained people.
10. Leverage Workflow Technology
Many organizations try to handle new account requests, job terminations, job changes and various approvals using only email. However, this approach makes it difficult to follow account management standards or to prove compliance. Workflow technology, such as lists in SharePoint, will never be a full automation option for account management, but it is definitely an improvement over email alone.
As you read these Active Directory best practices, you probably noticed a problem area or two within your own organization. Don’t let those security risks turn into a financial and reputational disaster.
For more details on how to implement these Active Directory best practices, check out our full white paper.