RFID access cards are commonplace in many companies. These cards grant access to different sections of the office, often limiting each area to the appropriate people so that not everyone has access to every location in the building. For example, not everyone has access to the server room. Because of this, many of us may see these cards as more of an annoyance than a helpful tool.
But put those cards in the context of a thief trying to gain access to parts of your office to steal some computers. The need for an access card limits a thief’s ability to move around from location to location within your office. In fact, the “wrong” card may limit access to only your foyer. It’s because of these potential situations that your business has a need for access cards and the ability to secure the building from inappropriate access.
In a similar manner, external attackers have a tried-and-true strategy: gain a foothold within your organization, then spread to as many other systems as possible in an attempt to locate and, likely, extract valuable data. To gain access to additional systems, attackers need credentials with some level of elevated privilege beyond just being a user on a given endpoint. And with over half of your users having more access than they need to do their job, these over-privileged users inadvertently empower attackers to continue their malicious actions.
So, what do RFID access cards have to do with external attackers?
In the scenario described above, let’s replace the thief with an external attacker, and the access card with a security group within Active Directory. With each over-privileged user likely getting too many privileges from belonging to too many groups within Active Directory, if attackers gain access to those credentials, it’s like giving them an access card that grants them entry into the building well beyond just the foyer.
Therefore, just as you should take your physical security seriously, by assigning badges to users and limiting which doors they can enter, you need to take your Active Directory security seriously — specifically group memberships — by ensuring that permissions assigned to groups (which provide access to systems, applications, and data) are correct and that group memberships are up to date.
What, then, should you do to put the same level of security in place for your Active Directory groups?
If you really want to take Active Directory group security seriously, there are some basic steps that you need to take to put groups back on the right track, but you’ll need to follow those steps for every single group in your Active Directory. Once you’ve cleaned up your groups, putting good group management best practices in place will keep your groups well-maintained and more secure.
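One way to check group memberships the way the text suggests, as an added example that is not part of the original post: a small Python audit that resolves nested group membership from a constructed directory export (in practice you would feed it an export of your directory's group memberships) and flags users who effectively hold a privileged group without being on its approved list. The group names, users and approved lists below are all constructed.

```python
from collections import deque

# Constructed sample directory export (not real data). Each group lists its
# direct members; a member may be a user or another group (nesting).
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "ServerOps"],
    "ServerOps": ["bob", "HelpDesk"],
    "HelpDesk": ["carol", "dave"],
    "Finance": ["erin", "dave"],
}

# Constructed policy: groups treated as privileged, and who may hold each one.
PRIVILEGED_GROUPS = {"Domain Admins", "ServerOps"}
APPROVED = {"Domain Admins": {"alice"}, "ServerOps": {"alice", "bob"}}


def effective_groups(user, groups=GROUP_MEMBERS):
    """Return every group `user` belongs to, directly or through nested groups."""
    # Invert the membership map: member -> groups that directly contain it.
    parents = {}
    for grp, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(grp)
    seen, queue = set(), deque(parents.get(user, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue  # guards against circular nesting
        seen.add(g)
        queue.extend(parents.get(g, ()))
    return seen


def audit(groups=GROUP_MEMBERS, privileged=PRIVILEGED_GROUPS, approved=APPROVED):
    """Return {privileged group: [users]} for users holding it without approval."""
    # Users are members that are not themselves groups.
    users = {m for members in groups.values() for m in members} - set(groups)
    findings = {}
    for u in sorted(users):
        for g in effective_groups(u, groups) & privileged:
            if u not in approved.get(g, set()):
                findings.setdefault(g, []).append(u)
    return findings


if __name__ == "__main__":
    for g, us in sorted(audit().items()):
        print(f"{g}: unapproved effective members {us}")
```

Nested groups are what turn a harmless-looking HelpDesk membership into Domain Admins rights, so the audit reports effective membership rather than direct membership.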