The world's most trusted forum on Active Directory Security



Date: Aug 5, 2013
How to Implement Least Privileged Access in Active Directory Environments?

Hello Everyone,

As a part of an organization-wide Critical Systems Cyber Security Preparedness Review, we have been looking at our Active Directory deployment with an eye towards potential threats and potential areas of improvement.

We've looked at many aspects including our logical structure, replication, placement of DCs, trust relationships, administrative delegation for IdM and the AD's own mgmt model.

It's been a lot of work, but it's been all worth it. We've learnt a lot during the process, and we've identified various areas for improvement. For instance, providing adequate physical security for ALL DCs has been one such improvement.

One of the areas we are struggling with has to do with implementing Least Privileged Access in Active Directory environments. I'm basically referring to two aspects here - the first one has to do with having a least privilege access (LPA) based model for all our administrative delegations, and the second one has to do with having an LPA model for the management of the AD itself, which entails the management of our admin accounts and groups, and the access granted to them.

We are firm believers in using native access methodologies available in Active Directory, as opposed to using 3rd party RBAC controls, because we find it hard to sufficiently trust ANY 3rd party RBAC offerings, in regards to their stability, security and reliability.

(There is a HUGE trust issue here because we're talking control of unrestricted admin access in our environments. We're just not sure that any vendor would have the same level of maturity, reliability and security as does Microsoft's own native implementation.)

So, in a native AD environment, we wish to achieve least privileged access, both for administrative delegation of common identity and access management tasks (e.g. account creations, password resets, etc.) and for administrative management of Active Directory.

The challenge we face is not related to how to implement LPA per se, as that we understand how to do with the appropriate group types and fine-grained delegation.

The challenge we face has to do with being able to RELIABLY ASSESS / AUDIT the state of effective provisioned access in our Active Directory.

Specifically, while we can implement a really good LPA model, in due course of time the state of access changes, and once it changes, we then don't know whether it adheres to our initial LPA policy or not, and that is what makes it hard to implement LPA natively.

We have tried a few things in house, such as using PowerShell to try and write extensive scripts to figure out the state of effective access at any time. We have also tried to infer this data using auditing, but that is only partial, and thus unreliable.

So I suppose I am trying to determine how to solve this specific aspect of LPA in native Windows / AD environments, i.e. how to be able to assess/audit the state of effective provisioned access in Active Directory so that we can determine whether or not it is in compliance with our LPA business policies.

I would really appreciate any inputs you guys might have in this regard, because if we can solve this issue, then we would have a reliable and trustworthy LPA model implemented natively in AD.
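The post mentions in-house PowerShell scripting and the problem of delegations drifting away from the original policy over time. The following is an added example, not code from the original post or from any reply to it, showing one native way to attack the auditing half of that problem: dump the ACEs on an OU with the extended-right and attribute GUIDs resolved to names, expand group trustees to their nested members, flag anything not on an allow-list, and diff the result against a saved baseline so drift shows up as a concrete ACE that appeared or disappeared. The OU distinguished name, the allow-list contents and the baseline file path are placeholders; the script assumes the RSAT ActiveDirectory module and its `AD:` drive.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
# Placeholders: $ou, $allowed and $baseline must be adapted to the reader's own environment.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Build a GUID -> name table from the extended rights (controlAccessRight objects in the
    # Configuration partition) and the schema (attributes and classes), so that the
    # ObjectType / InheritedObjectType GUIDs in each ACE become readable names such as
    # "Reset Password" or "pwdLastSet". Guid.Empty in an ACE means "all object types".
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.ConfigurationNamingContext -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    $map[[guid]::Empty] = 'All'
    return $map
}

function Get-DelegationReport {
    # One normalized row per ACE on the object. Inherited ACEs are skipped unless requested,
    # so that a per-OU run reports what was explicitly delegated there.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][hashtable]$GuidMap,
        [switch]$IncludeInherited
    )
    $acl = Get-Acl -Path "AD:\$SearchBase"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        $appliesTo   = if ($GuidMap.ContainsKey($ace.ObjectType)) { $GuidMap[$ace.ObjectType] } else { $ace.ObjectType.ToString() }
        $inheritedTo = if ($GuidMap.ContainsKey($ace.InheritedObjectType)) { $GuidMap[$ace.InheritedObjectType] } else { $ace.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Object      = $SearchBase
            Trustee     = $ace.IdentityReference.Value
            AccessType  = $ace.AccessControlType.ToString()   # Allow / Deny
            Rights      = $ace.ActiveDirectoryRights.ToString()
            AppliesTo   = $appliesTo                           # extended right, attribute, or All
            InheritedTo = $inheritedTo                         # object class the ACE flows to, or All
            Inherited   = $ace.IsInherited
        }
    }
}

function Expand-Trustee {
    # Resolve a trustee to its nested members so the report names who actually holds a right.
    # Well-known principals such as Everyone or NT AUTHORITY\SELF cannot be expanded and are
    # returned as-is; the same happens for anything that fails to resolve.
    param([Parameter(Mandatory)][string]$Trustee)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Trustee).Translate([System.Security.Principal.SecurityIdentifier])
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($obj -and $obj.ObjectClass -eq 'group') {
            return @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive | Select-Object -ExpandProperty SamAccountName)
        }
    } catch { }
    return @($Trustee)
}

function Test-DelegationPolicy {
    # Flag every Allow ACE whose (Trustee, AppliesTo) pair is not in the allow-list, and attach
    # the expanded membership so the reviewer sees which accounts actually gained the access.
    param([Parameter(Mandatory)][object[]]$Report, [Parameter(Mandatory)][hashtable]$Allowed)
    foreach ($row in $Report | Where-Object { $_.AccessType -eq 'Allow' }) {
        $permitted = $Allowed.ContainsKey($row.Trustee) -and ($Allowed[$row.Trustee] -contains $row.AppliesTo)
        if (-not $permitted) {
            [pscustomobject]@{
                Object = $row.Object; Trustee = $row.Trustee; Rights = $row.Rights; AppliesTo = $row.AppliesTo
                HeldBy = (Expand-Trustee -Trustee $row.Trustee) -join ';'
            }
        }
    }
}

# --- placeholders: adapt to your environment ---
$ou       = 'OU=Staff,DC=corp,DC=example'
$baseline = 'C:\audit\staff-ou-baseline.csv'
$allowed  = @{                                   # trustee -> rights it may hold on this OU
    'CORP\HelpDesk-PasswordReset' = @('Reset Password', 'pwdLastSet')
    'CORP\IdM-AccountAdmins'      = @('All', 'user')
}

$guidMap = Get-AdGuidMap
$report  = @(Get-DelegationReport -SearchBase $ou -GuidMap $guidMap)
$report | Format-Table -AutoSize

# Drift detection: '=>' rows exist now but not in the approved baseline, '<=' rows were removed.
if (Test-Path $baseline) {
    Compare-Object -ReferenceObject @(Import-Csv $baseline) -DifferenceObject $report -Property Trustee, AccessType, Rights, AppliesTo, InheritedTo |
        Format-Table -AutoSize
} else {
    $report | Export-Csv -Path $baseline -NoTypeInformation   # first run: record the approved state
}

Test-DelegationPolicy -Report $report -Allowed $allowed | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, this lists provisioned ACEs; it does not compute effective access, which additionally requires evaluating Deny ACEs, inheritance from parent containers (run with `-IncludeInherited` to see those), the trustee's complete group expansion, and membership in groups such as Domain Admins or rights obtained through AdminSDHolder. Second, one OU is only one object; for a domain-wide picture, loop over `Get-ADOrganizationalUnit -Filter *` and the domain head, and keep one baseline per object so that the diff stays meaningful.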


