Active Directory is audited loosely during SOX and ITGC audits, however, it is misunderstood and often audited ineffectively and inefficiently. This presentation will provide an overview of Active Directory design and guidelines for auditing it.
After completing this session, you will be able to:
Understand in broad strokes, Active Directory
Understand different forest designs
Understand how to use Powershell to audit AD
Understand how an AD data warehouse can be used to streamline audits
Active Directory is based off an authentication system
called Kerberos, which was built by MIT researchers in the late 1980s. The name Kerberos comes from the three-headed guard dog from Hades in Greek Mythology, most widely known from his capture by Hercules as the last of his twelve labors, additionally appeared in Homer’s Iliad. As Kerberos was the guardian Hades, to keep the dead from leaving in Greek mythology, most likely the Kerberos protocol is underpinning the logical access security on your company’s network. Arguably the most popular implementation of Kerberos in the enterprise setting is Microsoft’s Active Directory, which we will talk about today. We will go over what Active Directory is, in broad strokes, how it works, and introduce some tools that can be used to help you more effectively conduct ITGC, SOX and other logical access system audits.
Active Directory is the backbone of user authentication for a large percentage of
organizations. Although audited loosely during SOX and ITGC audits, it is often
misunderstood and often audited ineffectively and inefficiently. Traditional
compliance auditing requires screenshots of key groups, configurations, etc.,
and creates a significant burden upon IT personnel to provide the requested support.
By strictly utilizing PowerShell cmdlets, along with a broad understanding of
how Active Directory functions, the requisite audit documentation can be obtained by the
auditor, without elevated system privileges.
Common Name == Relative Distinguished Name
The primary type of container that you will create to house objects is called an organizational unit (OU). Another type of container, which is actually called a container, can also be used to store a hierarchy of objects and containers. Although both can contain huge hierarchies of containers and objects, an organizational unit can have group policies applied to it.
An Active Directory domain is made up of the following components:
An X. 500-based hierarchical structure of containers and objects
A DNS domain name as a unique identifier A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains
Policies that dictate how functionality is restricted for users or machines within that domain
A domain controller (DC) can be authoritative for one and only one domain. It is not possible to host multiple domains on a single DC.
The mycorp.com domain itself, ignoring its contents, is automatically created as the root node of a hierarchical structure called a domain tree. This is literally a series of domains connected together in a hierarchical fashion, all using a contiguous naming scheme. If Mycorp were to add domains called Europe, Asia, and Americas, then the names would be europe.mycorp.com, asia.mycorp.com, and americas.mycorp.com. Each domain tree is tree trust one another implicitly with transitive trusts. In a transitive trust, if Domain A trusts Domain B and Domain B trusts Domain C, this implies that Domain A trusts Domain C as well.
Now that you understand what a domain tree is, we can move on to the next piece of the Active Directory structure, the forest. Where a domain tree was a collection of domains, a forest is a collection of one or more domain trees. These domain trees share a common Schema and Configuration container, and the trees as a whole are connected together through transitive trusts. As soon as you create a single domain, you have a forest. If you add any domains to the initial domain tree or add new domain trees, you still have one forest. A forest is named after the first domain that is created, also known as the forest root domain. The forest root domain is important because it has special properties.
Group Policy is a large topic that deserves a book in itself (and there are several of those) to be properly covered. We will discuss Group Policy as it applies specifically to the design and administration of an Active Directory installation in this book, but not as it applies to the actual settings and operations on a workstation. The goal of policy-based administration is for an administrator to define the environment for users and computers once by defining policies, and then to rely on the system to enforce those policies.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6457-6462). O'Reilly Media. Kindle Edition.
The scope and functionality of Active Directory group policies encompass a number of key points: They can be targeted to individual computers and users, sites, domains, and organizational units. They can apply to users, computers, or groups of either. They can set values and automatically unset them in specified situations. They can run scripts at user logon and logoff and computer startup and shutdown. They can do far more than just a desktop lockdown. With Group Policy, administrators can control the behavior of workstations and servers as well as managing the end user experience across the organization. There are literally tens of thousands of settings that you can apply to control everything from screensaver timeouts to desktop backgrounds to workstation power management, and practically everything in between.
The remainder of this chapter takes an in-depth look at group policy objects, focusing on two areas: How GPOs work in Active Directory How to manage GPOs Group policies are very simple to understand, but their usage can be quite complex. Each GPO can consist of two parts: one that applies to a computer (such as a startup script or a change to the system portion of the registry) and one that applies to a user (such as a logoff script or a change to the user portion of the registry). You can use GPOs that contain only computer policies, only user policies, or a mixture of the two. GPOs and Active Directory Any GPO is initially created as a standalone
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6591-6598). O'Reilly Media. Kindle Edition.
object in Active Directory. Each object can then be linked one or more times to three different types of locations: sites, domains, and organizational units. GPOs for domains and organizational units are held in the domain relating to their application, but creating a GPO for a site stores that GPO in the forest root domain by default; administrators can change this if they wish. Warning You cannot link group policies to containers. Users and computers that are stored in a container will apply policies linked to the domain or their site, however. In the normal state of affairs, an administrator would customarily browse to a site, domain, or organizational unit in the GPMC, and then create a GPO and link it that object. At this point, it appears that you have created a GPO at that location in the tree rather than what really happened, which was that the system created the GPO as a standalone object in the Policies container and then immediately linked it to that container. To apply a GPO to a set of users or computers, you simply create a GPO and link it to a site, domain, or organizational unit. Then, by default, the user portion of the GPO will apply to all users in the tree, and the computer portion of the GPO will apply to all computers in the tree. Thus, if we were to create a policy and link it to a domain, all computers and users of that domain would process the policy. If we were to create a policy and link it to an OU, all users and computers in that OU, and all
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6605-6611). O'Reilly Media. Kindle Edition.
users and computers within OUs beneath that OU (and so on down the tree), would process the policy.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6611-6612). O'Reilly Media. Kindle Edition.
GPOs can be linked only to sites, domains, and organizational units. A single GPO can be linked to multiple locations in the tree. GPOs by default affect all of the users and computers in the linked scope. This generates further questions. If multiple policies apply to different locations in a tree, can multiple GPOs apply to the same location, and if so, what takes precedence? Why would you want to apply one GPO to different parts of the tree? In addition, how can we stop the GPO from applying to the entire set of users and computers in the tree? Let’s consider each of these questions to understand policies better. Prioritizing the Application of Multiple Policies
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6617-6624). O'Reilly Media. Kindle Edition.
Let’s say that we create and link a GPO for all users in a site to run a logon script that loads an Intranet home page local to that site. Let’s also say that we create and link a domain GPO to set the My Documents folder location for each user in the domain. Finally, we have two user logon scripts that we need to run in a specific order for specific organizational units in that domain. GPOs are applied in a specific order, commonly called LSDOU. Local policies are applied first, and then site policies, then domain policies, and then finally OU policies are applied in the order of the OU hierarchy.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6624-6629). O'Reilly Media. Kindle Edition.
If multiple GPOs are linked to a single site, domain, or organizational unit, the administrator can prioritize the order in which the GPOs from that level are processed.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6631-6632). O'Reilly Media. Kindle Edition.
GPO links are inherited down an OU tree. So, while a child organizational unit can have its own GPOs linked to it, it also will inherit all of its parent’s GPO links. These organizational unit GPOs are applied in order according to the OU hierarchy once the site and domain GPOs have been processed.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6636-6639). O'Reilly Media. Kindle Edition.
For example, Paul Burke’s user account has the following distinguished name (see Figure 11-4): cn = PaulBurke, ou = Databases, ou = Gurus, ou = Financial Sector, dc = mycorp, dc = com When Paul logs onto his machine, the site GPOs are applied first, and then the mycorp.com domain GPOs. Next come the GPOs on the Financial Sector organizational unit, then the GPOs on the Gurus organizational unit, and finally the GPOs on the Databases organizational unit. From this, it’s fairly easy to see how organizational unit hierarchy design has a significant effect on GPO precedence.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6641-6647). O'Reilly Media. Kindle Edition.
Standard GPO Inheritance Rules in Organizational Units Any unconfigured settings anywhere in a GPO are ignored, and only configured settings are inherited. There are three possible scenarios: A higher-level GPO has a value for a setting, and a lower-level GPO does not. A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a non-conflicting value for the same setting. A GPO linked to a parent OU has a value
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6661-6666). O'Reilly Media. Kindle Edition.
Blocking Inheritance and Overriding the Block in Organizational Unit GPOs It is possible to force the settings of a GPO linked to an OU in the tree to be applied as the final settings for a child.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6677-6679). O'Reilly Media. Kindle Edition.
We’ve already said that the computer portion of a GPO applies during boot up and the user portion of a GPO applies during logon. However, that isn’t the only time that a policy can apply. The policies also can be set to refresh periodically after a certain time interval. How often this occurs and what conditions are attached to this refresh operation are specified under the System\ Group Policy key under the Administrative Templates section of the Computer section of a GPO.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6729-6732). O'Reilly Media. Kindle Edition.
Group Policy Refresh Frequency By default, Windows workstations and member servers refresh their policies every 90 minutes, and domain controllers refresh their policies every 5 minutes. In order to avoid having all machines retrieving their policies at once from the domain controllers, there is a random offset interval added to the refresh period on every machine.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6743-6746). O'Reilly Media. Kindle Edition.
Combating Slowdown Due to Group Policy Introducing Group Policy into your environment will affect computer startup and user logon times to a degree. Exactly what degree varies from environment to environment, and you will need to test in yours to come up with a representative figure. We do not recommend foregoing Group Policy in an effort to speed up your startup and logon times, but we do recommend being frugal when planning the number of policies that will apply to a given user or computer.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6788-6792). O'Reilly Media. Kindle Edition.
That’s a lot of information on GPOs. Let’s summarize what we’ve covered about the workings of GPOs so far: GPOs exist in a split state. The configuration data for the GPO, known in shorthand form as GPC data, is held in the AD object itself. The template files and settings that tell the GPO what its capabilities are, known in shorthand form as GPT data, are stored in the SYSVOL. Individual GPOs can be linked to multiple sites, domains, and organizational units in Active Directory, as required. GPOs can contain policies that apply to both computers and users in an OU. The default operation of a GPO on a container is to apply the computer portion of the GPO to every computer in that container
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6981-6987). O'Reilly Media. Kindle Edition.
during boot up and to apply the user portion of the GPO to every user in that container during logon. GPOs can also be set to refresh periodically. Multiple GPOs linked to a particular container in Active Directory will be applied in a strict order according to a series of priorities. The default prioritized order corresponds to the exact order in which the GPOs were linked to the container. Administrators can adjust the priorities as required. While GPOs exist only in a domain environment due to their dependence on Active Directory, individual domain or workgroup computers can have local policies defined for them. GPOs are inherited down the organizational unit hierarchy by default.
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6987-6993). O'Reilly Media. Kindle Edition.
This inheritance can be blocked using the properties of an OU, domain, or site. Administrators can also set a policy to be enforced. This allows a policy to override all lower settings and bypass any blocks. Loopback mode allows the administrator to specify that user settings can be overridden on a per-machine basis. Effectively, this means that the user parts of policies that normally apply only to computers are applied to the users as well as (merge mode) or instead of (replace mode) the existing user policies. WMI filtering allows you to configure a WMI query that can be used as an additional criterion to determine whether a GPO should be applied. If the filter evaluates to true, the GPO will continue to be processed; if it evaluates to
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6993-6998). O'Reilly Media. Kindle Edition.
false, the GPO will not be processed. This is a powerful feature because you have a vast amount of WMI data available to determine whether GPOs should be applied. A number of things can slow down processing on a client, including attempting to process many policies one after the other. Use of loopback mode, especially in merge mode, can significantly impact performance. Attempting to apply GPOs across domains can also lead to slowdowns, depending on the network speed between the domains. Finally, complex queries in WMI filters can have a negative impact on GPO processing. Policies are applied in a strict order known as LSDOU. This notation indicates
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6998-7003). O'Reilly Media. Kindle Edition.
that local policies are applied first, followed by site GPOs, domain GPOs, and finally any organizational unit GPOs hierarchically down the tree. At each point, the policies are applied in prioritized order if multiple policies exist at a location. When policies are to be applied to a client, the system identifies the entire list of policies to be applied before actually applying them in order. This is to determine whether any blocking, overriding, or loopback settings have been put in place that could alter the order or application of the policies. ACLs can be used to limit the application of GPOs to certain individual users or computers or groups of users or computers. Specifically setting up the
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 7003-7008). O'Reilly Media. Kindle Edition.
that local policies are applied first, followed by site GPOs, domain GPOs, and finally any organizational unit GPOs hierarchically down the tree. At each point, the policies are applied in prioritized order if multiple policies exist at a location. When policies are to be applied to a client, the system identifies the entire list of policies to be applied before actually applying them in order. This is to determine whether any blocking, overriding, or loopback settings have been put in place that could alter the order or application of the policies. ACLs can be used to limit the application of GPOs to certain individual users or computers or groups of users or computers. Specifically setting up the
Global groups and domain local groups are the direct descendants of Windows NT groups; the membership of these groups is only available from domain controllers of the domains in which they are created. Universal group membership is available both from the domain controllers of the domains in which they are created in and from all Global Catalogs in the forest. Universal and global groups can be used in access control lists (ACLs) on any resource in the forest or in trusting domains. Domain local groups can only be used in ACLs in the domain in which they are created.
While legitimate reasons exist to create multitree forests, we recommend that you endeavor to simplify your Active Directory design as much as possible and limit yourself to one domain tree and as few domains as possible. Best practice for new forest designs is almost always a single-domain forest.
You would like to be able to give this group limited autonomy over user objects by allowing one of the senior administrators to manage its own section of the tree. Complete segregation of security is not needed, and the manufacturing tree isn’t large enough to justify creating another domain to manage along with the associated domain controllers. You can instead create an organizational unit in your hierarchy called Manufacturing. You then give the senior engineer authority over that organizational unit to create and delete accounts, change passwords, and create other organizational units within the
So, throughout this book, whenever we advocate creating hierarchies within domains, we always recommend that you use organizational units. After all, an organizational unit is just a superset of a container. There is nothing a container can do that an organizational unit cannot.
The emphasis of this chapter is on planning the structure of your Active Directory installation. Specifically, we will look at the forest and domain tree layout as well as the organizational unit (OU) structure. While it was extremely common (and often necessary) to design a forest with numerous domains when Windows 2000 came about, that need has largely dissipated. We’ll explore how you can reduce the number of domains that you require for Active Directory while gaining administrative control over sections of the Active Directory domain namespace using organizational
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 7893-7897). O'Reilly Media. Kindle Edition.
When designing a forest, remember that there are often multiple good answers to forest design for any given company. There is no “best” design for all situations. Microsoft has provided great flexibility in what can be done, which can turn around and bite you with indecision about how you should implement AD. It isn’t unusual for two engineers to have two very different designs for the same company that are both good for completely different reasons. Simply document all recommended designs
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 7900-7903). O'Reilly Media. Kindle Edition.
and let the decision makers decide together which one will be the best for long-term operations. Overall, the best solutions are usually the simplest solutions. In most cases, you will want to choose single-forest designs over multiforest designs, single-tree designs over multitree designs, and single-domain designs over multidomain designs. The design example shown here is simply that: an example. The company in question could have designed its Active Directory infrastructure in a number of ways, and this is one of them. There are a number of restrictions that you have to be aware of when beginning your Active Directory design. We will introduce you to them in context as we go along, but here are some important ones: The forest, not the domain, is the security
Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 7903-7909). O'Reilly Media. Kindle Edition.
boundary for Active Directory. Anyone with high-level access rights on any writable domain controller in any domain can negatively impact or take control of any other DC or domain in the forest. You can never remove the forest root domain without destroying the whole forest in the process. The forest root domain is the cornerstone of your forest. Multiple domains cannot be hosted on a single DC. Imagine three child domains under a root domain located in the United States, each of which corresponds to one of three business units. Now imagine that you have a small office of 15 people in Eastern Europe or Latin America with a slow link to the US offices. These 15 users are made up of
Time Synchronization in Active Directory Active Directory is highly dependent on all of the domain controllers and domain members having synchronized clocks. Kerberos (which is the underlying authentication protocol for Active Directory clients) uses system clocks to verify the authenticity of Kerberos packets. By default, Active Directory supports a tolerance of plus or minus five minutes for clocks. If the time variance exceeds this setting, clients may be unable to authenticate and, in the case of domain controllers, replication will not occur.
One of the fundamental underpinnings of any network that runs on Active Directory is the Kerberos security protocol. Kerberos provides the authentication mechanism that powers user logon, application access, and communication between domain controllers (among other things). Implementing Kerberos on its own is a challenging task that Microsoft has almost completely abstracted with Active Directory. Out of the box, there’s virtually zero configuration required to start using Kerberos. In fact, if you never ran across an application that required special Kerberos-specific configuration, you would never even need to know that Kerberos was being used under the covers. The key benefit of the Kerberos security
Domain and Forest Functional Levels For the Windows Server 2003 release of Active Directory, Microsoft expanded on the domain mode concept by introducing functional levels. Whereas the domain modes applied only to domains, functional levels apply to both forests and domains. Like the domain mode, functional levels dictate what types of operating systems can assume the role of a domain controller in a domain or forest. Each functional level also has an associated list of features that become available when the domain or forest reaches that particular functional level.
3.4. Best Practices Analyzer Keeping Active Directory healthy is a concern of any administrator, and the definition of a healthy domain controller or forest is a topic of much debate on the Internet. Historically, Microsoft has included a tool called dcdiag with Windows: the multitude of tests dcdiag supports can help an administrator proactively check the health of a domain controller, domain, or forest as well as troubleshoot problems when they arise. The downfall of dcdiag is that the output is difficult to read, the list of switches required to test the intended targets is long, and there is typically no actionable guidance when a problem is identified. Starting with Windows Server 2008 R2, Microsoft set out to solve these problems by creating a Best
Practices Analyzer (BPA) for Active Directory that is included as part of the operating system. Windows Server 2012 includes 41 tests that analyze many of the most common issues and misconfigurations that administrators typically run into. To access the BPA, find Server Manager under the AD DS node on the left and scroll down to Best Practices Analyzer. To run a BPA scan, click Tasks → Start BPA Scan on the right. You can select one or more domain controllers to run the BPA scan on, as shown in Figure 3-23
The Active Directory PowerShell module first appeared in Windows Server 2008 R2 and was enhanced in Windows Server 2012. While the module is currently in its second iteration, there are still some tasks that you cannot accomplish with it. ADAC uses the AD PowerShell module for all of its tasks, so, if you can do something in ADAC, that task can also be accomplished with the AD PowerShell module.
The Active Directory PowerShell module first appeared in Windows Server 2008 R2 and was enhanced in Windows Server 2012. While the module is currently in its second iteration, there are still some tasks that you cannot accomplish with it. ADAC uses the AD PowerShell module for all of its tasks, so, if you can do something in ADAC, that task can also be accomplished with the AD PowerShell module.