Whew! Thank goodness 2014 is over! Well, at least if you are considering the year’s security issues, attacks, leaks, and password issues. As a security and Windows Active Directory professional, I feel like I have earned the right and it is the appropriate time to say, “I told you so.”
Let me put this into perspective, to prove my point:
- 2014 financial services firms – $20.8 million lost to breaches
- 2014 tech companies – $14.5 million lost to breaches
- 2014 communication providers – $12.7 million lost to breaches
- Ebay – 150 million user accounts compromised due to phishing attacks, users asked to change password immediately
- Home Depot – 56 million credit cards compromised
- US Post Office – 800,000 employees’ confidential data breached
Unfortunately, there are many, many more that could be listed. Looking at these numbers hopefully makes you wonder how much we are really putting effort into security of our corporate networks. We might be spending money, time, and resources trying to secure our environments at a very technical level, but it seems to be failing.
What I have found is that some of the most basic security controls and configurations are not being done properly, so it is no surprise to me that all of these attacks are succeeding. As we move into 2015, I am going to give you some basic security concepts to consider with regard to your Active Directory environment. These concepts are basic and easy to address.
-
Allow your help desk to do more productive work and solve deeper issues by implementing a self-service password solution into Active Directory. This will also remove the help desk from the password reset process, which will eliminate one more person from knowing other users’ passwords.
-
Ensure the core of Active Directory access is secured. I find that over 50% (a recent survey I conducted indicated this) of administrators find delegations in Active Directory that they did not know existed. Removing Active Directory delegation in lieu of a tool that provides the delegation via a “proxy” is a much more secure.
-
Start to track, in real-time, the changes that occur to key security controls in Active Directory. I find that most organizations don’t track when groups like Domain Admins, Enterprise Admins, and Administrators change membership. In the end, issues arise or the audit finds the misconfiguration. Instead, have an email show up in your inbox every time a key security control changes, so you can take immediate action.
-
Ensure your domain users password policy is correct. This is a simple, easy, and necessary task. Knowing that your users’ passwords meet desired criteria is key to ensuring that all users are using some level of secure password controls. Investigating and verifying password policies can help you ensure that network resources are protected.
ManageEngine provides solutions around all of these concepts. We even provide a fully functional trial, so you can see firsthand how our tools can help solve these issues. Just visit http://www.manageengine.com/windows-active-directory-tools.html to download the tools to tackle these issue in your Active Directory environment.
No one knows what 2015 has in store; however, taking action to help you secure your environment will potentially keep your company out of the news headlines. Security is performed in layers. You need to ensure your Active Directory environment is correctly layered with many security features and options.