Active Directory (AD) is a Microsoft proprietary directory service developed for Windows domain networks. It is included in most Windows Server operating systems, enabling network administrators to create and manage domains, users, objects, privileges, and access within a network.
The AD layout follows a tiered structure made up of domains, trees, and forests. A domain is a group of objects (such as users or devices) sharing the same AD database. A tree is a collection of domains, and a forest is a collection of trees. Objects in separate forests can’t interact with each other, so the forest acts as the structural security boundary. In other words, domains within the same forest are not isolated from each other; only placing them in separate forests provides that protection.
Active Directory groups are collections of Active Directory objects. A group gathers users, computers, and other AD objects (including other groups) into a manageable unit. Compared with working on individual objects (such as users and computers), working with groups helps simplify network administration and maintenance. There are two categories of Active Directory groups: Active Directory Distribution Groups and Active Directory Security Groups.
Cybercriminals generally target Active Directory networks to gain access to organization resources or data. This is why it’s important to pay attention to AD security. In this article, we’ll discuss AD security groups, permissions, best practices, and tools for managing AD security groups. Hopefully, this will help you gain better insight into how to protect Windows AD networks.
AD Security Groups and Permissions
Active Directory group management is the classifying and managing of users and devices across a network by bundling them together into AD groups.
AD security groups enable network administrators to manage permissions, policy settings, and group access to shared resources among a collection of users or devices all at once, rather than manually assigning permissions to individual users one at a time. For instance, if you want to grant staff in the HR department access to a specific network folder, you need to create a security group made up of staff from that unit.
This simplifies network administration by allowing you to assign permissions once to multiple users. Users can be added or removed from the group as the need arises. The change in group membership automatically takes effect everywhere. With AD security groups, network admins can:
- Assign user rights: User rights can be assigned to a security group. This controls what the users within the group can or cannot do within a domain or forest. For some security groups, user rights are automatically assigned for administration purposes, and members of the group inherit them. It’s critical that you pay special attention to those automatically assigned user rights to ensure that they stay within the required boundaries.
- Assign permissions for resources: User permissions are distinct from user rights. Rights define the capabilities users possess, whereas permissions govern access to resources. Some security groups are created by default, with permissions automatically assigned, when you create an Active Directory domain. Again, extra care must be taken in managing those groups because of their automatic security permissions.
When assigning permissions for resources (such as network folders, printers), it is best practice to assign those permissions to a security group rather than to individual users. Members of a security group inherit rights and permissions assigned to that group in Active Directory.
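The procedure above (create a security group, populate it, grant the permission to the group, then check that no individual user holds an explicit permission) as an added PowerShell example; it is not code from the article. It assumes the ActiveDirectory RSAT module, a domain with NetBIOS name CORP, an existing global role group HR-Staff, and a folder D:\Shares\HR on the file server where it runs.

```powershell
# Added example: assign NTFS access to a security group instead of to users.
Import-Module ActiveDirectory

$groupName = 'HR-Share-Modify'   # assumed name: one group per resource and access level
$folder    = 'D:\Shares\HR'      # assumed path
$domain    = 'CORP'              # assumed NetBIOS domain name

# 1. Domain local scope: the group grants access to a resource in this domain
#    and may hold users and global groups from trusted domains.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify access to $folder"
}

# 2. Membership: add the HR role group (global scope) rather than individual users,
#    so joiners and leavers are handled in the role group alone.
Add-ADGroupMember -Identity $groupName -Members 'HR-Staff'   # assumed global group

# 3. Permission: a single inheritable ACE for the group on the folder.
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = [System.Security.AccessControl.FileSystemAccessRule]::new("$domain\$groupName", $rights, $inherit, $prop, $allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Check: list the explicit (non-inherited) ACEs. Any entry whose identity is a
#    user rather than a group is a permission assigned to an individual and
#    should be moved to a group.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```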
Active Directory groups (including security groups) are characterized by their scope. The scope of the group determines the extent to which the group is applied in the domain tree or forest, and defines where the group can be granted permissions. The following three group scopes are defined by Active Directory:
- Domain local: A domain local group manages access permissions to resources in the domain where it was created (such as NTFS permissions on files and folders, remote desktop access, and so on), and can be applied anywhere in that domain. A domain local group can include members from trusted domains as well as other types of members.
- Global: The global group scope is used to provide access to resources in another domain. Global groups are usually used as role-based groups, meaning that domain objects (such as users and computers) are grouped according to business roles.
- Universal: Just as the name implies, with the universal group scope, you can define roles and manage access to resources that are distributed across multiple domains in a forest.
AD Security Groups Best Practices
Active Directory security groups include Administrators, Domain Admins, Server Operators, Account Operators, Users, Guests, among others. A good understanding of how to manage these security groups with a best-practice mindset is key to keeping your system secure. The following are key AD security groups best practices:
- Ensure default security groups don’t have excessive permissions: Regularly audit the permissions automatically assigned to the default security groups when you set up an Active Directory domain, as some of these groups have extensive permissions. Ensure that users have only the access rights required to carry out their daily tasks and nothing more. If higher access rights are required, they should be provided on a temporary basis, as and when needed.
- Keep software regularly updated: Ensure that your Windows software and other third-party applications are regularly updated. Attackers often exploit or take advantage of known vulnerabilities to compromise systems. Regular patching can help minimize this risk.
- Good password policy: Implement password policies that encourage users to use passphrases they can easily remember instead of focusing on complexity rules. Complexity rules make passwords harder to remember, and many users end up writing them down, which defeats the purpose in the first place. It’s also recommended to set rules that lock out users after several failed login attempts. Adopt Windows-supported 2FA/MFA such as Windows Hello or FIDO for extra protection.
- Maintain a policy of zero trust: Zero trust means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. Insider threat is a risk no organization should underestimate because it can be incredibly difficult to track the source. Adhere to the principle of least privilege access to network resources and ensure that users don’t have excessive permissions.
- Audit changes to AD Security groups: Auditing helps to detect anomalous user behavior and system events. AD-related security vulnerabilities and threats can potentially be prevented through better visibility into changes that take place within security groups. Having a good auditing strategy for your AD security groups is a sure way to prevent security threats. Changes to privileged groups should trigger real-time alerts so that you can investigate the change and revert it if excessive permissions were granted.
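The last practice above, auditing membership changes to privileged groups, as an added PowerShell example rather than code from the article: it reads the Security log of a domain controller for the member-added events and reports those that touched a privileged group. It assumes it runs on a DC with the "Security Group Management" audit subcategory enabled; the privileged group list and the 24-hour look-back window are assumptions to adjust.

```powershell
# Added example: report additions to privileged groups from the DC Security log.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Server Operators',
                'Backup Operators', 'DnsAdmins')   # assumed watch list

# 4728 = member added to a global group, 4732 = to a domain local group,
# 4756 = to a universal group (all for security-enabled groups).
$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-24)   # assumed look-back window
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    # The event's EventData fields (TargetUserName = group, MemberName = added
    # account DN, SubjectUserName = who made the change) live in the XML payload.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($privileged -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

# Every row is a change to confirm against a ticket and to revert with
# Remove-ADGroupMember if it was not approved.
$alerts | Sort-Object Time | Format-Table -AutoSize
```

Run it from a scheduled task, or forward the same event IDs to your SIEM so the alert fires as the change happens rather than at the next scheduled run.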
5 Best Tools for Managing AD Security Groups
1. SolarWinds Permissions Analyzer FREE TOOL: One of the common challenges with Microsoft Active Directory is that it offers poor permissions management. This is where SolarWinds Permissions Analyzer stands out. SolarWinds Permissions Analyzer enables network admins to gain better visibility into user and group permissions, check permissions assigned on Active Directory objects, browse permissions by group or user, and analyze user permissions based on group membership and permissions, even in a multi-domain Active Directory forest. Some of the key features and capabilities include:
- Identify how a user’s permissions are inherited
- Browse permissions by group or individual user
- Analyze user permissions based on group membership and permissions
Figure 1.0 Screenshot showing SolarWinds Permissions Analyzer interface
Imagine an insider threat scenario where an employee gains excessive rights to key company resources and suddenly begins to carry out malicious activities from the inside. You observe that this employee has access to all sorts of key company groups, shared network folders, and files; but nobody is fully sure what and how much. This could be a major security issue for your organization, so you need to get to the root of what’s going on quickly. One way to investigate this is to use PowerShell if you have the skill and experience to do it, but the reality is that not everyone does. That’s where SolarWinds Permissions Analyzer comes into play. With this tool, network admins can easily identify which members of their team have access privileges to sensitive data.
Best of all, SolarWinds Permissions Analyzer is available for download free of charge.
2. SolarWinds Access Rights Manager (ARM) FREE TRIAL: SolarWinds ARM is designed to assist IT and security administrators in managing and regulating user access rights and permissions to systems and data across domains, which is an important step in protecting the organization from cyber risks. Its auditing and permissions management capabilities make it easy to analyze user authorizations, access permissions, and Group Policy, giving you a better view of who has access to what, and how and when they accessed it.
Figure 2.0 Screenshot showing SolarWinds ARM dashboard
The custom report generation features allow for the quick creation of a variety of AD reports, from simpler reports for management to more technical and detailed reports appropriate for auditors.
SolarWinds ARM enables network admins to perform the following access rights management activities:
- Permission Analysis: This feature helps admins to define which users have access to which data. Some of the key activities that can be performed include: view permission settings, track access paths, understand nested group permissions, among others.
- User Provisioning: User provisioning helps admins to create and manage user accounts and groups.
- Security Monitoring: Security monitoring empowers network admins to leverage logs from across Active Directory, file servers, and other systems and tools to generate reports, alerts, and track key activities.
- Role and Process Optimization: This feature enables network admins to automate the process of determining data owners across business units and departments. Data owners play a key role in determining and defining user access rights and permissions.
3. ManageEngine ADManager Plus: ADManager Plus is a web-based AD management and reporting tool that provides centralized administration and management of Windows Active Directory. It allows IT admins to manage AD objects and groups from one central location via a user-friendly GUI. Network admins can use ADManager Plus to perform the following functions:
- Generate and view granular reports of users, computers, groups such as Inactive Users, Disabled Users, Users in Nested Groups, Distribution Groups, Security Groups, Inactive Computers, among others.
- Modify the existing user account properties including Exchange Mailbox and Terminal Services properties.
- Create bulk user accounts in the Active Directory with the flexibility to import properties from a CSV file.
- Create and delegate security roles for granting/revoking permissions to security principals.
Figure 3.0 Screenshot showing ADManager Plus dashboard
ManageEngine ADManager Plus can be used to automate the report generation process. This reduces the time spent manually navigating Active Directory, thereby making Active Directory administration more convenient. Some of the key features of ADManager Plus include:
- Active Directory Management: This feature simplifies Active Directory management by enabling bulk creation and modification of accounts, delegation, and rep.
- AD Bulk User Management: This feature enables network admins to use CSV files to modify user attributes, reset passwords, and move users and user objects, all in bulk.
- Active Directory Bulk User creation: Create and deploy users in bulk with all attributes including Exchange mailbox and terminal services and assign them to groups using CSV import.
- Active Directory Bulk User modification: Enables network admins to reset passwords, unlock users, move users, delete/enable/disable users, add and remove from groups and modify attributes including exchange and terminal services in bulk.
- Inactive/Disabled User Account Management: Enables network admins to clean up AD by generating a list of inactive or disabled accounts that can then be removed or deleted.
- Active Directory Password Management: Reset multiple users’ account passwords, configure password settings, and enable/disable users whose passwords expire.
- Mobile Active Directory User Management: Reset passwords, enable, disable, unlock, and delete user accounts from your mobile iOS or Android device.
- Active Directory Computer Management: Create computers, enable, disable, and move computers in bulk and change their general attributes and group memberships in bulk.
ManageEngine ADManager Plus is available for download on a 30-day free trial. It is licensed on an annual subscription based on the number of domains it would manage. We recommend this product to anyone looking to make Active Directory Management more convenient as well as those who want to benefit from a high-quality report function.
4. ManageEngine ADAudit Plus: ADAudit Plus by ManageEngine is an AD auditing tool that allows network admins to audit Active Directory, logon and logoff records, file server and Windows server data, and generate real-time user activity reports. Key AD auditing features include:
- Active Directory auditing
- Windows file server auditing
- NAS device file auditing
- Windows server auditing
- Workstation auditing
- Azure AD auditing
Figure 4.0 Screenshot showing ADAudit Plus dashboard
With this tool, you can keep track of who did what, and when, on Windows and file servers. You can get reports on domain controllers and file servers and export the reports to CSV, PDF, XLSX, and HTML formats. Network admins will be able to block or prevent legitimate users from abusing their access privileges. One of the key benefits of this solution is its built-in support for industry-specific regulatory compliance. It is bundled with pre-configured compliance reports for the SOX, HIPAA, GLBA, PCI-DSS, and FISMA standards, so you won’t need to customize the system or set up your own reports in order to demonstrate compliance.
ADAudit Plus is available in three editions: Free, Standard, and Professional. A 30-day free trial and an online demo, which includes all features of the Professional edition, are both available. Overall, ADAudit Plus’ great dashboard and analytics make it a powerful tool for gaining insight and visibility into your AD environment.
5. Quest Recovery Manager for Active Directory: Human error, hardware failures, and software crashes do occur. AD objects can be mistakenly modified or even deleted, and faulty scripts can overwrite attributes. This can result in corrupt Active Directory or Group Policy data and unplanned system downtime.
Figure 5.0 Screenshot showing Quest Recovery Manager for Active Directory interface
Recovery Manager for Active Directory is a third-party AD tool that enables network admins to pinpoint changes to their AD environment at the object and attribute level, and quickly recover entire sections of the directory (both on-premises AD and Azure AD), selected objects, or individual attributes without taking the domain controller offline. Ordinarily, when an object is lost in Active Directory you have to restart the domain controller to recover it. Recovery Manager for Active Directory eliminates this inconvenience by allowing you to recover objects without going offline.
You can restore objects such as users, computers, attributes, configurations, sites, subnets, group policy objects, and organizational units. Some of the key features include:
- Online restore—Restore directory objects without taking the domain controller offline
- Comprehensive recovery options—Restore any object in AD, including users, groups, computers, organizational units (OUs), sites, subnets, and Group Policy Objects (GPOs)
- Attribute-level restore—Restore only the required attributes without affecting other attributes
- Scheduled backups—Schedule backups and centrally manage system state backups for domain controllers
The main issue with Recovery Manager for Active Directory is that it comes at a relatively high price. It is therefore most suitable for organizations running multiple AD domain controllers across multiple locations. A free 30-day trial is available.