Active Directory Management Mistakes to Avoid
November 8, 2017. Featured article by Anton Pozdnyakov, CMO at Softerra
Managing an Active Directory environment is highly technical work that requires skilled IT staff. But nobody is safe from making mistakes, and the more basic those mistakes are, the harder they can be to notice. It is often management's task to look into the system and identify them.
In this article we’ll discuss some of the most common mistakes in AD management and what you can do to avoid them.
Putting Too Much Info in AD
It is often the case that Active Directory becomes a dump for all the user information that exists in your environment. AD can indeed act as a very convenient database for your staff and other kinds of objects, and it is fine if some sensitive data, like users' pictures or some system information, is present there.
However, AD can easily get overused. A lot of companies put things like SSNs, tax or medical information, or even passwords in plain text into AD attributes (yes, this happens much more often than you would think). If anything like that applies to your environment, you should do something about it immediately.
This is not only because Active Directory is a frequent target of attacks, although minimizing the damage from a breach by keeping the most sensitive data in separate, better-protected databases is a good idea in itself. You also need to consider that somebody inside your company could read information they are not supposed to see without any breach taking place at all. Also note that storing personal information such as SSNs in AD can violate compliance rules or even the law, depending on your country and industry.
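A practical first step is to find out whether free-text attributes in your directory already hold this kind of data. The following audit script is an added example, not code from the article or from Softerra's Adaxes product; it assumes the RSAT ActiveDirectory module is installed and is run with an account that only needs read access. The attribute list and the two patterns (a US-style SSN shape and password-like keywords) are constructed for illustration and should be adjusted to your environment.

```powershell
# Added audit example (not from the article or from Softerra).
# Scans common free-text user attributes for values that look like SSNs
# or embedded passwords. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Attributes that tend to be repurposed as dumping grounds (assumed list).
$attributes = @('description', 'info', 'comment', 'title')

# Constructed detection patterns; tune for your locale and conventions.
$patterns = @{
    'SSN-like'         = '\b\d{3}-\d{2}-\d{4}\b'
    'Password-keyword' = '\b(password|passwd|pwd|pass)\s*[:=]'
}

$findings = foreach ($user in Get-ADUser -Filter * -Properties $attributes) {
    foreach ($attr in $attributes) {
        $value = $user.$attr
        if ([string]::IsNullOrEmpty($value)) { continue }
        foreach ($name in $patterns.Keys) {
            if ($value -match $patterns[$name]) {
                # Report only where something was found; never echo the
                # matched value itself into the report or a log file.
                [pscustomobject]@{
                    SamAccountName = $user.SamAccountName
                    Attribute      = $attr
                    Finding        = $name
                }
            }
        }
    }
}

$findings | Sort-Object SamAccountName, Attribute | Format-Table -AutoSize

# Keep a remediation list without the sensitive values themselves:
# $findings | Export-Csv -Path .\ad-sensitive-data-findings.csv -NoTypeInformation
```

Run it periodically rather than once: the data tends to creep back in through help-desk habits, so the check belongs in a scheduled review alongside a written rule about which attributes may hold what.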
Using Admin Accounts Every Day
Another common mistake is IT staff with admin access using their administrator accounts for everyday work. Management often overlooks this because they do not even know which accounts are being used, so it can easily become a security concern.
The general best practice is to use admin accounts only when the respective actions are actually needed in the IT environment. For all other situations, every member of IT staff must have a regular account with regular permissions. Admin accounts should also be subject to stricter policies, e.g. more complex passwords that are changed more frequently, tighter rules for password self-service, and so on.
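Two controls that put this advice into practice are shown in the added example below; it is illustrative code, not part of the article or of any Softerra product. The first applies a fine-grained password policy (PSO) with stricter settings to a group of privileged accounts; the second reads the Security log on a domain controller for interactive logons (logon types 2, 10 and 11) by those accounts over the last week, which should be rare if admins use their regular accounts day to day. The group name `Tier0-Admins`, the PSO name and the threshold values are assumptions.

```powershell
# Added example (not from the article or from Softerra).
# 1) Stricter password policy for privileged accounts via a PSO.
# 2) Report of interactive logons by those accounts; run on a domain controller.
Import-Module ActiveDirectory

$adminGroup = 'Tier0-Admins'            # assumed group holding privileged accounts
$psoName    = 'PSO-PrivilegedAccounts'  # assumed policy name

# --- 1) Fine-grained password policy for the admin group ---
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $adminGroup
}

# --- 2) Interactive logons by privileged accounts in the last 7 days ---
$admins = Get-ADGroupMember -Identity $adminGroup -Recursive |
          Where-Object objectClass -eq 'user' |
          Select-Object -ExpandProperty SamAccountName

# Event 4624 = successful logon. Reading a week of these on a busy DC takes time.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
            Source    = $data['IpAddress']
        }
    } |
    # 2 = console, 10 = RDP, 11 = cached interactive; service and network logons are excluded.
    Where-Object { $_.LogonType -in 2, 10, 11 -and $admins -contains $_.Account } |
    Group-Object Account |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

An admin account that shows up with dozens of console logons per week is being used as a daily driver; the fix is a separate regular account for that person, not a lecture. A central log collector makes the second half of the script unnecessary, since the same query can then run across all DCs at once.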
Over-Delegating or Not Delegating Enough
Both scenarios happen in the real world on a regular basis, and both indicate that something went wrong. Sometimes you see a single administrator doing all the IT-related work, which puts a lot of constraints on the growth potential of your company. If your IT staff are unable to safely delegate tasks, they are not scalable. It also means they will not be able to tackle advanced projects because of all the time-consuming routine they are buried under.
Alternatively, there is over-delegation. This usually results in too many permissions and access rights spread across your system. A good indicator is every admin being a domain administrator. Remember that too many cooks in the kitchen is equally, if not more, harmful than not having enough.
It can be hard to find the balance between those two states, but it is very much possible. You need a delegation method that ensures you always follow the least privilege principle. The absolute first thing you need for that is a good understanding of your business processes. Only after you have that can you hunt for the tools that make delegation easier and more efficient, such as Role-Based Access Control or Approval-Based Workflows. Irrespective of how good the tools are, if you do not know what to use them for, they will do you no good.
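To measure the "every admin is a domain administrator" symptom, the added example below (illustrative code, not the article's or Softerra's) lists every user who holds membership, directly or through nesting, in the built-in privileged groups, then flags accounts that sit in more than one of them or are disabled but still members. It closes with the least-privilege alternative for a typical routine task: delegating password reset on a single OU to a help-desk group instead of adding that group to Account Operators. The OU path and the `CORP\HelpDesk` group are assumptions; Enterprise Admins and Schema Admins exist only in the forest root domain, so they are skipped silently elsewhere.

```powershell
# Added example (not from the article or from Softerra).
# Audit of built-in privileged group membership, then a scoped delegation.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups; missing groups (child domains) are skipped.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.DistinguishedName `
                           -Properties Enabled, PasswordLastSet, LastLogonDate
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $user.SamAccountName
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            LastLogonDate   = $user.LastLogonDate
        }
    }
}

"Privileged group membership:"
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

"Accounts holding more than one privileged membership:"
$report | Group-Object SamAccountName | Where-Object Count -gt 1 |
    Select-Object @{ n = 'Account'; e = { $_.Name } },
                  @{ n = 'Groups';  e = { ($_.Group.Group) -join ', ' } }

"Disabled accounts that still hold privileged membership:"
$report | Where-Object { -not $_.Enabled } | Select-Object Group, SamAccountName

# Least-privilege alternative for a routine task: let the help desk reset
# passwords for user objects under one OU only. /I:S inherits to sub-objects,
# CA grants the named control access right. Paths and names are assumptions.
# dsacls "OU=Staff,DC=corp,DC=example" /I:S /G "CORP\HelpDesk:CA;Reset Password;user"
```

The membership report is the baseline for the RBAC work the section describes: each row that does not map to a documented role is a candidate for removal, and each routine task that justified the membership becomes a scoped delegation like the one in the final line.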
Conclusion
Obviously, the things we went over barely scratch the surface of all the possible mistakes in Active Directory management. There are many other things that can go wrong: leaving inactive accounts in AD, admins working directly on domain controllers, not putting adequate protection in place against object deletion and modification, not following data standards, and so on.
If you recognize any of these in your IT systems, that is not so bad. It means you are aware of them and able to take action. The real problem would be having these issues and never even noticing.
Anton Pozdnyakov is CMO at Softerra. Softerra provides Adaxes, a management and automation solution for Active Directory, Exchange and Office 365 environments. It allows organizations of all sizes to reduce the workload on IT departments, minimize time wastages, increase security and much more. Try it yourself with a free 30-day trial.