ActiveDirSec.Org

The world's most trusted forum on Active Directory Security



Member

Posts: 15
Date: May 24, 2012
What are the security risks associated with Delegation of Administration in Active Directory?


Friends,

We are in the midst of an internal audit focused on our Active Directory.

As a part of our audit, we've been tasked with determining the risks associated with the administrative delegations we currently have implemented in our Active Directory over the years.

In particular, we've been delegating administrative authority for many years now, but given administrative churn, and the lack of any documented delegations or a single point of control, we're basically in the dark when it comes to knowing who is delegated what administrative access in our Active Directory.

Before we allocate the resources to go about making this determination, we were curious to know whether this is worth the effort. In particular, are there serious enough risks associated with administrative delegation in Active Directory, or is it something we can overlook for now? 

I'm sure some of you may have had to deal with this in your organizations as well, so I thought I'd put forth this question.

Thank you for your inputs.

Kind Regards,

Joe 



__________________
Don't mess with my Alienware!


Veteran Member

Posts: 28
Date: Jun 26, 2012
RE: What are the security risks associated with Delegation of Administration in Active Directory?


Joe,

The answer to whether this is something that needs urgent attention or whether this is something you can overlook for now is entirely dependent on whether or not you value your IT infrastructure's security.

If you don't value your IT infrastructure's security, you can certainly overlook it for now, but if you do, I would say nothing is more important than knowing who is delegated what access in your Active Directory.

Why?

Well, think about it - everything you use to protect all your IT resources, i.e. the accounts employees use to access resources, the groups that are used to provision access to resources, and the policies that are used to protect and manage all your machines, are all stored, protected and managed in Active Directory.

When you delegate administration in Active Directory you grant various people the ability to manage and control accounts, groups and policies, and if someone can control even one of these resources, he/she can easily control the security of all IT resources being protected by these accounts, groups or policies.

As a result, the need to know who is delegated what access in your Active Directory is very very important to organizational security.

If you don't even know who is delegated what access, where in your Active Directory, there's no point trying to secure your network, implement auditing, etc. etc. because you basically don't even know who has the very keys that control the security to all your resources.

The point here is that you must absolutely know who is delegated what access in your Active Directory at all times, unless of course, like I said, you don't particularly care about organizational security.

You indicated that you've been delegating access for years, that there's administrative churn and no single point of control - these are all factors that further complicate delegations in your Active Directory, and make all IT resources all the more vulnerable to compromise.

Best wishes,

Jack.



__________________

We will NEVER forget.
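A starting point for the "who is delegated what, where" inventory both posts above ask for, added here as an example and not part of either post: it lists every explicit, non-inherited ACE on every OU in the domain, skipping the principals that hold rights by default, and resolves attribute and extended-right GUIDs to names. It assumes the RSAT ActiveDirectory module and its AD: drive; the list of default trustees is an assumption to trim or extend for your own forest.

```powershell
# Added example (not from the forum thread). Inventories explicit OU delegations for review.
# Assumes the RSAT ActiveDirectory module; reading security descriptors needs no admin rights.
Import-Module ActiveDirectory

# Trustees that appear on OUs by default; anything else is a delegation worth recording.
# Account/Print Operators are on every OU from the schema defaults but are still privileged:
# remove them from this list if you want them reported too.
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
)
$domain = (Get-ADDomain).NetBIOSName
$defaultTrustees += "$domain\Domain Admins", "$domain\Enterprise Admins",
                    "$domain\Key Admins", "$domain\Enterprise Key Admins"

# Map schema-object and extended-right GUIDs to names, so an ACE's ObjectType
# reads as e.g. "member" or "Reset Password" instead of a raw GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { 'All' }
    elseif ($guidMap.ContainsKey($g)) { $guidMap[$g] }
    else { $g.ToString() }
}

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are reported once, at the OU where they were actually set.
        if ($ace.IsInherited) { continue }
        if ($defaultTrustees -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AceGuid $ace.ObjectType          # attribute/extended right, or 'All'
            ObjectClass = Resolve-AceGuid $ace.InheritedObjectType # child class the ACE targets, or 'All'
        }
    }
}
$report | Sort-Object Trustee, OU | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\AD-OU-Delegations.csv
```

Group trustees in the output are the ones to chase next, since the effective delegation is their (possibly nested) membership; the same loop works over containers or individual objects by swapping the Get-ADOrganizationalUnit call for Get-ADObject.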
