As we get close to the end of the 2015 calendar year, I feel it’s important for all Active Directory administrators to take a step back and do a few key checks and balances on your enterprise. So, here’s a simple list of a few items you should be checking, so you start 2016 with a clean, fresh Active Directory environment!
Back up Group Policy
You can do this in the Group Policy Management Console (GPMC). I suggest that you not only back up the GPOs, but also print out the settings for each by clicking on the GPO and selecting Save Report.
Back up Active Directory
Most organizations have a tool to perform this action, but you can also use the built-in backup utility. The goal here is to have a complete Active Directory backup for the end of the year. A partial or incremental backup won’t do the trick, but a complete backup certainly will. Make sure you back up the system state, which will include all key aspects of your Active Directory environment.
Clean up user accounts
We all know that there are user accounts that should not be in Active Directory. These accounts, unfortunately, are a great way for attackers to gain access to your network and key resources. Be sure to find and delete any user accounts that were created and never used, accounts belonging to separated employees, and accounts not currently in use. Here’s a video to help you accomplish this task. https://blogs.manageengine.com/active-directory/2015/06/25/simple-and-efficient-active-directory-cleanup-using-admanager-plus.html
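One way to build the review list for this step with the ActiveDirectory PowerShell module (an added example, not part of the original post or the tool linked above). The 90-day threshold and the output file name are assumptions; the script only reports and deletes nothing.

```powershell
# Added example: read-only report of stale-account candidates for manual review.
# Assumptions: RSAT ActiveDirectory module is installed; 90 days counts as inactive.
Import-Module ActiveDirectory

$InactiveDays = 90                        # assumed threshold, adjust to your policy
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$OutFile      = '.\stale-accounts.csv'    # hypothetical output path

$users = Get-ADUser -Filter * -Properties whenCreated, lastLogonTimestamp, adminCount

$report = foreach ($u in $users) {
    # lastLogonTimestamp replicates between DCs but can lag by up to about 14 days,
    # so keep the threshold well above that. Empty means no recorded logon.
    $lastLogon = if ($u.lastLogonTimestamp) {
        [DateTime]::FromFileTime($u.lastLogonTimestamp)
    } else { $null }

    # Map each account to one of the three categories named in the text.
    # Treating disabled accounts as leaver candidates is an assumption of this example.
    $reason = if (-not $u.Enabled) {
        'Disabled (possible separated employee)'
    } elseif (-not $lastLogon -and $u.whenCreated -lt $Cutoff) {
        'Created but never used'
    } elseif ($lastLogon -and $lastLogon -lt $Cutoff) {
        "No logon in $InactiveDays+ days"
    } else { $null }

    if ($reason) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            WhenCreated       = $u.whenCreated
            LastLogon         = $lastLogon
            # adminCount = 1 marks accounts that are, or once were, in a protected group
            Privileged        = ($u.adminCount -eq 1)
            Reason            = $reason
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Privileged candidates first, then oldest logon first.
$report |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true },
                @{ Expression = 'LastLogon';  Descending = $false } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Review the CSV with account owners before removing anything; service accounts and accounts that authenticate only to non-Windows systems can appear here as false positives.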
Clean up privileged groups
Most attacks today prey on user accounts that have privileged access. The easiest way to grant privileged access is to add a user to a group. So, be sure to report and correctly configure all groups that have privileged access. This will include all built-in groups (Domain Admins, Enterprise Admins, etc.), application groups (Exchange, SharePoint, SQL, etc.), and custom groups. Here’s a blog that can help you with this. https://blogs.manageengine.com/active-directory/2015/04/03/securing-active-directory-analyzing-group-membership.html
Document and secure service accounts
Like privileged groups, service accounts have elevated privileges, which they need to complete their tasks. Ideally, you need to know where all service accounts are used and how they are configured. We have a free tool that can help you find and document all of your Windows service accounts. Once you have the list of service accounts, be sure to securely configure them and, ideally, set up an alert so you know when any property of the service accounts changes. Here are a few blogs to help you:
Keeping ahead of your Active Directory security concerns, exposures, and other misconfigurations is pivotal for the success of your organization. We all know that being an administrator is a ton of work, so taking a few days each year to stay ahead of issues can go a long way. If you can think of any configurations beyond what I have here, please add them to your list. If you want to help spread the word, please add them to the comments section below and email them to me at Derek@manageengine.com.