Poor logon security can lead to devastating data breaches, but improving the way you manage access is no easy feat — especially if you rely on Windows Active Directory alone.
Active Directory provides just basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources.
Group Policy settings related to Windows logon rights can then be applied to further manage computer-based access control, but they can be tedious to configure and fail to ensure a user really is who they say they are.
This leaves IT pros with no choice. More effective controls are needed that fill these gaps to stop unauthorized access before damage is done.
8 Security Holes in Windows Group Policy Settings & How to Fix Them

Active Directory's built-in access controls around logons are failing IT. Each hole represents a security gap that puts you at risk from external attacks, insider threats and non-compliance issues.

1. NO SETTING OF RESTRICTIONS BY GROUP AND OU
There's no facility to establish logon time and workstation restrictions based on these logical user subset mechanisms, despite a wide range of compliance standards calling for it.

2. NO IDENTIFYING AN INITIAL ACCESS POINT FROM A NESTED SESSION
This is especially needed in situations where a threat actor (whether internal or external) is moving horizontally within your network. Being able to target the initial endpoint would help kill the entire chain of access.

3. NO CONCURRENT LOGON CONTROL
Simply put, there is no centralized means within AD to track each and every place a user logs on.

4. NO FORCING LOGOFF WHEN ALLOWED LOGON TIME EXPIRES
AD can establish when users can log on (and not allow logon outside those times), but doesn't have the ability to kick someone off your network.

5. NO RESPONSE TO EVENTS AND FORCING A REMOTE LOGOFF
There are many good reasons you may want to react to an event and perform a forced remote logoff, and doing so is in any case required by major compliance regulations.

6. NO SENDING PREVIOUS LOGON NOTIFICATIONS
Just letting the user know the last time they logged on would improve security. It's also a must for NIST 800-53 compliance. But without centralized tracking of every logon, this simply isn't possible natively.

7. NO WARNING USERS THEMSELVES OF SUSPICIOUS CREDENTIAL USE
Informing the user of irregular use of their own credentials empowers the user to act as part of your security team. Who better to know when a logon was inappropriate than the user themselves!

8. NO TEMPORARY CONTROLS
Without a defined time period, users end up being left with access well beyond their immediate need.
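Centralized logon tracking of the kind holes 3 and 6 say AD lacks has to be built from collected endpoint events. As an added example, not code from this page or from UserLock, the Python below replays a constructed set of Security-log 4624/4634 records, flags users left with open sessions on more than one host (concurrent logon), and works out the previous logon to show a user at their next logon; the record fields, user names and host names are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Windows logon type codes as they appear in event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample of Security-log records (4624 = logon, 4634 = logoff),
# reduced to the fields the checks need. Users and hosts are made up.
EVENTS = [
    {"time": "2024-03-04T08:02:00", "id": 4624, "user": "alice", "host": "WS-101", "type": 2},
    {"time": "2024-03-04T08:05:00", "id": 4624, "user": "bob",   "host": "WS-102", "type": 2},
    {"time": "2024-03-04T08:40:00", "id": 4624, "user": "alice", "host": "WS-117", "type": 10},
    {"time": "2024-03-04T12:00:00", "id": 4634, "user": "alice", "host": "WS-101", "type": 2},
    {"time": "2024-03-04T13:10:00", "id": 4624, "user": "alice", "host": "WS-101", "type": 2},
    {"time": "2024-03-04T17:30:00", "id": 4634, "user": "bob",   "host": "WS-102", "type": 2},
]

def _ts(s):
    return datetime.fromisoformat(s)

def concurrent_sessions(events):
    """Replay logon/logoff events in time order and return
    {user: [(time, [hosts])]} for every logon that leaves the user with
    open sessions on more than one host. This is the per-user session
    state that AD itself does not keep centrally."""
    open_hosts = defaultdict(set)
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        hosts = open_hosts[e["user"]]
        if e["id"] == 4624:
            hosts.add(e["host"])
            if len(hosts) > 1:
                hits[e["user"]].append((e["time"], sorted(hosts)))
        elif e["id"] == 4634:
            hosts.discard(e["host"])
    return dict(hits)

def previous_logon(events, user, at):
    """Most recent successful logon for `user` strictly before time `at`,
    as (time, host, logon type name): the 'last logon' notice to show the
    user at their next logon, or None if there is no earlier logon."""
    cutoff = _ts(at)
    earlier = [e for e in events
               if e["id"] == 4624 and e["user"] == user and _ts(e["time"]) < cutoff]
    if not earlier:
        return None
    last = max(earlier, key=lambda e: _ts(e["time"]))
    return (last["time"], last["host"], LOGON_TYPES.get(last["type"], str(last["type"])))

if __name__ == "__main__":
    for user, sessions in concurrent_sessions(EVENTS).items():
        for when, hosts in sessions:
            print(f"{when} {user} has concurrent sessions on {', '.join(hosts)}")
    print("alice's previous logon:", previous_logon(EVENTS, "alice", "2024-03-04T13:10:00"))
```

Event 4634 is not written for every session end (and user-initiated logoffs raise 4647 instead), so a production version should also expire sessions by age rather than relying on logoff records alone.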
To ensure a user really is who they say they are,
organizations need to turn to more effective controls. By
adding policies, restrictions and real-time insight around
logons, organizations can act before unauthorized access
is achieved and before damage is done.
No logon, no threat.
Learn more: read in full how UserLock can enforce these 8 controls.