AD
By Charles Parker, II

In this day, there are vulnerabilities throughout the environment. These are blatant with malicious websites and more camouflaged as with phishing and ransomware. With another unique view, these vulnerabilities may be external. There are attackers across the globe all with one singular mission to attack you and compromise your system. These persons are actively completing their reconnaissance and gauging the potential data to steal or analyzing the possibility of a success ransomware attack.

The data having value maybe the client list, employee listing, banking information, healthcare records, and many other sources of data. The internal version of this is from the business employees. The employees may click inadvertently or negligently on malicious websites or links. This may create the opportunity for ransomware or scareware to infect the system. From this door being opened by the unsuspecting employee, the attackers could abscond with trade secrets, CAD schematics, or new technology.

To alleviate these issues to some extent, there are ample well-utilized remediation techniques, including scanning for vulnerabilities and malware, log management, third parties conducting pentests and vulnerability assessments, SIEM apps, log acquisition and analysis tools (e.g. Splunk), and many other options.

There is however one area that is also pertinent, however, has not garnered the attention the other aspects and defensive measures have. This act of simply working with this is another tool to secure the enterprise.

Active Directory (AD)
AD is in use in one form or another is most medium- and large-sized businesses. This application is exceptionally useful and functional.

This may be used with employees, in a combination of employees and hardware, for tracing and a number of other uses. If this is not fully used, the administrators are not actively using all of the capabilities.

With AD, the normal usage includes setting up the new employee or making adjustments to the employee’s record as needed. Each person’s role in the organization is different. This directly impacts the person’s responsibilities, as part of their job. As each person has a unique role in their group, the same set of rules should not be applied to everyone.

Granted applying a boilerplate set of rules to everyone, or all employees except the C-level, is quicker and easier, however, this would be mostly ill-advised.

As much as reasonably possible, these rules should be narrowed per group in this instance. When this general rule is not applied, the administrator is allowing for the staff member to complete unauthorized tasks, escalation or privileges and a greater level of risk, by their own actions. There is not a need to make this more difficult than it already is.

People occasionally leave their position, either voluntarily or are provided the opportunity to seek other employment immediately. There are a number of high profile actions that tend to be effected directly thereafter, especially when the person is leaving the business’ choice. This may include securing the ID card, access card, the corporate credit card, corporate-issued phone, and corporate email.

These may contain sensitive and confidential information that needs to be maintained as such. In a much more mundane scenario, the person may also just change their position. In this alternative use case, the employee may not need the same access. Adjusting these assists to the appropriate level assists with limiting data loss.

Often, regardless of the person’s underlying rationale for the position change, the person’s AD may not be thought of as a point to check and modify. There may not be a checklist or other template to remind the management and support staff to review all affected areas.
Leaving the prior employee’s set of access per AD also has other issues. The prior employee may have rights to services they should not have. The future staff members may review the AD file entry and believe through no fault of their own, this person is still an active employee. The business may also be examined or audited.

This provides an issue when the current employee list from Human Resources is compared to the AD list, which shows the person’s last login was two years in the past when they were actually an employee. The auditor may view this being indicative of a systemic issue, requiring further reviews.

The IT world is amply busy and complex on its own rights without adding more issues requiring time and resources to remediate. Not adjusting AD as employee changes are effected is not a great choice to make. This is a quick area to be mitigated and also can save a significant amount of time when implemented as needed.

About The Author
Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is presently completing the PhD (Information Assurance and Security) in the dissertation stage at Capella University. CP also is an adjunct faculty at Thomas Edison State University. CP’s interests include cryptography, SCADA, and NFC.
He has presented at regional InfoSec conferences. Charles Parker, II may be reached at charlesparkerii@protonmail.com and InfoSecPirate (Twitter).