In the article “Are Insider Threats IT’s Fault?,” I discussed how the lack of focus on permissions granted by groups in Active Directory (AD) could be a contributing factor to insider threats and pose a potential security risk. With over one-third of organizations reporting that they do not implement any kind of least-privilege model1, this threat should come as no surprise. After all, if a least-privilege model were to be implemented, it would involve a review of who is in what groups and of what permissions they have for which systems and data. This would be a necessary step to ensure that users haven’t received any additional or extraneous permissions by, for example, not being removed from a group of which they no longer need to be a member.
The unfortunate reality is that, like every other IT professional (myself included), you never go back into an AD group unless you’re adding someone new to it, right? Why is that? Let’s look at three reasons that may keep groups from getting the right focus within your organization.
- They’re Unimportant: They’re just groups, right? You may see them as simple AD objects with memberships that don’t need ongoing management. From that perspective, most people would say they’re unimportant, too. However, groups are also AD objects that represent the foundation for granting privileges within AD, enterprise applications, file systems, and corporate data. When viewed from this persective, groups seem to be much more important, don’t they?
- It’s Mundane: Everyone loves a good challenge — such as setting up a Hyper-V cluster or getting some new enterprise application running. This is much more engaging than rummaging through AD groups and tracing the permission sets of those groups for hours on end in an effort to find that one user who isn’t in Accounts Payable any longer so they can be removed. I get it. It’s a thankless task that few would consider among their favorite ways to spend time. However, as mundane as that task may be, when you consider the impact that leaving them alone can have, it may be time to reconsider whether groups should be looked at periodically.
- You Aren’t Making the Connection: It’s not always obvious how a simple membership assignment can grant a user all kinds of access within the organization. When a group is created, that’s the point when there is a clearer understanding of what privileges are being granted. However, over time, that focus on a given group diminishes, and the privileges increase. During that prolonged period, users have changed roles within the organization, and it’s very likely that these users were never removed from their original groups. Also, nesting of groups has probably also occurred, further adding to the degrees of separation from member to permissions. In some ways, it’s not so much that you don’t make the connection as much as it is that you no longer can make the connection easily.
With the importance of the role that groups play in defining and granting permissions, it’s evident that groups deserve more attention – not just to clean up AD, but as part of an overall security strategy to ensure that users have appropriate privileges within the organization.
To read more on this topic, check out the Imanami whitepaper, Managing AD Groups: Simple IT Headache or Security Hazard?
1 Ponemon, Corporate Data: A Protected Asset or a Ticking Time Bomb? (2014)