ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What is the most serious risk to an Active Directory deployment?


Member

Posts: 6
Date: May 24, 2012
What is the most serious risk to an Active Directory deployment?


Hello All,

We're currently working on an internal security assessment project that requires us to review and prioritize risks to all critical components of our IT infrastructure.

Obviously, Active Directory is amongst one of the most critical components since we're a pure Windows Server shop, and virtually everything from DNS to security, and DHCP to Exchange is tied to Active Directory.

We've been doing an internal risk assessment of Active Directory, and what was supposed to be a three-week project has already turned into a nine-week project. (Perhaps we underestimated the amount of work involved.)

Anyway, so we started listing some of the threats we thought about in order of priority, and came up with about 10 or so, but couldn't decide on the topmost threat to our Active Directory.

I figured I'd pop the question here, as it seemed like the most pertinent forum to discuss it on, and because I figured it would be something of interest to most of you as well.

So here's my $M question - What is the most serious risk to an Active Directory deployment, and why?

-Benji



__________________
Tower, this is Ghost Rider requesting a flyby!


Member

Posts: 16
Date: Jun 27, 2012
RE: What is the most serious risk to an Active Directory deployment?


Hi Benji,

That's a very good question. I would say that the most serious risk to an Active Directory is to have a large number of Domain Admins.

I say so because the larger the number of Domain Admins you have, the wider your vulnerability-surface, because the compromise of a single Domain Admin could result in the compromise of the entire Active Directory.

This is one reason it is highly recommended to delegate just about whatever can be delegated in Active Directory, and only leave the most sensitive of tasks to Domain Admins, and this is also one way to reduce the number of Domain Admins.

Just my input.

Chad.



__________________


Member

Posts: 16
Date: Jun 29, 2012
RE: What is the most serious risk to an Active Directory deployment?


Hi Benji,

That's a very good question indeed. I would say that the most serious risk in Active Directory is that the Active Directory's permissions/security model is very complicated, and thus makes it very hard to accurately provision / deprovision / assess who has what access in the Active Directory.

I say this out of our experience in dealing with our own Active Directory deployment. Like most other companies, we get lots of access requests, and a fair amount of admin churn, so we frequently grant and revoke access in our Active Directory, and while it's doable, it's certainly painful, because we never quite know if we did right.

I suppose, if there was a way to verify change, that would be awesome, but until then, it's almost like doing your best and trusting in God (and hoping that no one else can find out if we made any mistakes.)

Good question anyway - thanks!

Aaron.



__________________


Member

Posts: 9
Date: Jun 29, 2012
RE: What is the most serious risk to an Active Directory deployment?


Hi Benji,

Very good question. I would say that not having reliable insight into who has what administrative powers in Active Directory is the most serious risk to an Active Directory deployment.

I say so because anyone who has administrative powers in the Active Directory also has sweeping administrative powers across the infrastructure.

This is one of the biggest things we grapple with and worry about at our institution.

- Antoine.



__________________
Judge a man by his questions rather than by his answers
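
The replies above come back to two things: how many accounts hold Domain Admin level rights, and whether anyone can reliably say who they are. The script below is an added example, not part of any post in this thread, showing one way to inventory that membership, including accounts that get it through nested groups. It assumes the ActiveDirectory (RSAT) PowerShell module and read access to the domain; the group list and the 90-day stale threshold are assumptions to adjust.

```powershell
# Added example: report accounts that hold domain-wide administrative group
# membership, directly or through nested groups. Read-only.
Import-Module ActiveDirectory

# Assumption: built-in groups treated as "administrative" for this report.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
# Assumption: no logon within this many days marks an account as stale.
$StaleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$rows = foreach ($group in $PrivilegedGroups) {
    try {
        # Direct members only (users and groups), used to spot nesting.
        $direct = @(Get-ADGroupMember -Identity $group -ErrorAction Stop |
            Select-Object -ExpandProperty distinguishedName)
        # -Recursive expands nested groups and returns only leaf members.
        $all = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop)
    } catch {
        # E.g. Enterprise/Schema Admins are absent outside the forest root domain.
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($member in ($all | Where-Object { $_.objectClass -eq 'user' })) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # member lives in another domain; review by hand
        [pscustomobject]@{
            Group           = $group
            Account         = $user.SamAccountName
            ViaNesting      = $direct -notcontains $user.DistinguishedName
            Enabled         = $user.Enabled
            Stale           = (-not $user.LastLogonDate) -or ($user.LastLogonDate -lt $cutoff)
            PasswordLastSet = $user.PasswordLastSet
        }
    }
}

# Head count per group: the number the first reply says to keep small.
$rows | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize

# One row per distinct account, with every privileged group it reaches.
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account    = $_.Name
        Groups     = ($_.Group | Select-Object -ExpandProperty Group | Sort-Object -Unique) -join ', '
        ViaNesting = [bool]($_.Group | Where-Object ViaNesting)
        Stale      = [bool]($_.Group | Where-Object Stale)
    }
} | Sort-Object Account | Format-Table -AutoSize
```

This covers group membership only; rights delegated through permissions on individual directory objects, the concern raised in the second reply, are not visible in this report.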