In previous articles, we’ve discussed the reasons why IT often doesn’t pay attention to managing groups in Active Directory (AD), as well as how security threats can arise from not doing so. In this article, we are going to review the steps required to manage groups in AD effectively and efficiently.
Before we start, let’s establish the foundational reasons why you want to manage groups, and then we’ll get into some best practices. The #1 reason to manage groups in Active Directory is…
Groups Grant Permissions
That’s it. This is the only reason you’ll need. Because groups are a very common tool for connecting user accounts to critical data, applications, and systems (and because you aren’t actually managing them today), it’s imperative that you establish some best practices for truly managing groups.
Upon examining the data available on Imanami’s free Health Meter service, we can observe some extremely interesting facts about the current state of AD groups:
- 70% of AD groups have no owner.
- 50% of groups have no description.
- Over 2,000 groups have zero members.
Based on these statistics, it’s clear that AD groups would benefit greatly from proper management.
What does “proper management” of AD groups look like? It’s more than just an occasional check of the Members tab of the group. Effective group management derives from a clearly defined process.
To address this, let’s start with what we’re trying to accomplish with group management. In essence, we want to ensure that the right people have the correct permissions. Achieving this objective requires a two-step process:
- Validate Permissions: Someone needs to periodically certify that the permissions assigned to a group are still correct. This requires an owner of the data and/or application in question to perform this task. (Note: A group may be given permissions to several systems, each with a separate owner.)
- Validate Membership: Someone needs to certify that the user accounts in the group are current. This would probably fall on either a department head or the same person who is the owner of the data/application.
When you think about this process from a macro perspective, there is also a third validation that should be included. The process needs to address the question of whether the group itself should even exist or not. Therefore, the third step is as follows:
- Validate the Group: Someone needs to attest to the continued need for a given group in the first place. Given that 2,000+ groups were found to have no members at all, there is an obvious need for some cleanup.
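The three validations above need an inventory to work from. The script below is an added example (not from the article or from Imanami) that builds that inventory with the RSAT ActiveDirectory module: for every group it records the owner (the ManagedBy attribute), description, member count and last change, and flags the conditions that the article's statistics describe. The output path and the 365-day review interval are assumptions; adjust them to your environment.

```powershell
# Added example: inventory every AD group and flag the conditions the article
# calls out, so each owner or department head can review their part.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$reportPath = 'C:\Reports\ad-group-review.csv'   # placeholder path, adjust as needed
$staleDays  = 365                                # yearly is the article's minimum interval

$groups = Get-ADGroup -Filter * -Properties ManagedBy, Description, Members, whenChanged

$review = foreach ($g in $groups) {
    $memberCount = @($g.Members).Count
    # Resolve ManagedBy (a distinguished name) to a readable name when it is set
    $owner = if ($g.ManagedBy) { (Get-ADObject -Identity $g.ManagedBy).Name } else { $null }

    [pscustomobject]@{
        Group           = $g.SamAccountName
        Scope           = $g.GroupScope
        Owner           = $owner
        Description     = $g.Description
        MemberCount     = $memberCount
        LastChanged     = $g.whenChanged
        # Validate Permissions: with no owner, nobody can certify what the group grants
        NoOwner         = [string]::IsNullOrWhiteSpace($g.ManagedBy)
        # Validate the Group: no description and/or no members are cleanup candidates
        NoDescription   = [string]::IsNullOrWhiteSpace($g.Description)
        Empty           = ($memberCount -eq 0)
        # Validate Membership: object untouched for longer than the review interval
        StaleMembership = ($g.whenChanged -lt (Get-Date).AddDays(-$staleDays))
    }
}

$review | Export-Csv -Path $reportPath -NoTypeInformation

# Summary in the same shape as the article's statistics
$total = @($review).Count
if ($total -gt 0) {
    "{0:P0} of groups have no owner"       -f (@($review | Where-Object NoOwner).Count / $total)
    "{0:P0} of groups have no description" -f (@($review | Where-Object NoDescription).Count / $total)
    "{0} groups have zero members"         -f @($review | Where-Object Empty).Count
    "{0} groups unchanged in {1}+ days"    -f @($review | Where-Object StaleMembership).Count, $staleDays
}
```

Note that whenChanged moves on any attribute change, not only membership changes, so the StaleMembership flag is a prompt for a membership review rather than proof that the membership is wrong.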
Lastly, it’s important to note that this process isn’t a one-time thing. It needs to be an ongoing process, performed at established intervals. Depending on the size of your company (which usually dictates the number of groups), this process may need to be executed on a monthly or quarterly basis. Yearly would be the absolute minimum.
The important thing to take away from this discussion is to do it in the first place. Get the process started. Assign accountability to groups, to memberships, to permissions — and then ask the appropriate people to do a review of their respective parts of the group. Your organization will be much more secure for it.
To read more on this topic, check out the Imanami whitepaper, Managing AD Groups: Simple IT Headache or Security Hazard?