Microsoft Active Directory (AD) first shipped with Windows 2000. Its original task was to provide centralized authentication and authorization for Windows PCs, users and servers, and to offer directory services to organizations running directory-enabled applications (for example, Microsoft Exchange).
Since then much has changed in how AD is used and managed, including Microsoft's own recommendations for structuring it and the way organizations govern it. Regulatory requirements have also appeared that shaped AD's development. To keep up, organizations should rethink their approach to Active Directory and modernize it; doing so simplifies management and improves the system's effectiveness.
Let's look at why improving AD is worthwhile and which areas deserve attention when building a state-of-the-art infrastructure.
AD changes
Both technology and the business world have changed since the first release of Active Directory. Almost every organization has experienced the following shifts in the service:
- Microsoft recommendations regarding the organization of AD;
- organizations' own standards;
- increasing the role of AD in organizations;
- enforcing regulatory security requirements and controlling access to sensitive data.
Each of these changes plays a separate role in the need to upgrade Active Directory.
Changing Microsoft recommendations and new system features
Like AD itself, Microsoft's recommendations for managing it have changed significantly. Let's look at two principles that are no longer in use but were characteristic of earlier versions.
Empty forest root domains
Initially, Microsoft recommended that organizations create an empty forest root domain (Figure 1), on the theory that the first domain of the forest was special and should remain free of ordinary users and resources. Microsoft has long since dropped this advice and now recommends creating only the domains you actually need, so as not to complicate the forest or burden it with additional security requirements. Nevertheless, many still build AD forests with two or more domains and an unused root domain.
Fig. 1. Using the empty root domain
Domain as a security boundary
Previously, Microsoft recommended against increasing the number of forests, since integrating forests with each other was difficult from both a security and an administration standpoint. In addition, an Active Directory domain was considered a security boundary, so in a two-domain forest it seemed straightforward to separate the users and resources of domain A from those of domain B.
Then a series of articles demonstrated how easily an administrator of one domain can take control of resources in another domain of the same forest, after which Microsoft changed its guidance: the forest, not the domain, is the security boundary. If users or resources need to be isolated, they belong in a separate forest. As a result, organizations now commonly run multiple forests, for example separating a development forest from the production forest, or from a dedicated Internet-facing forest, and they face the difficulty of administering all of them.
Other recommendations changed because AD itself evolved. Improvements affected delegation of access rights, reporting, scalability (Windows 2000 limited a group to roughly 5,000 members), recoverability (snapshots and the AD Recycle Bin) and automation (administering AD with Windows PowerShell). Together these have markedly improved the protection, management and restoration of Active Directory.
Administration Model Changes
Another area of change is the administration model. Previously a small group of administrators was responsible for everything related to the system, from the infrastructure to the content that ends up in the directory. As AD grew in importance to the IT infrastructure, its administration model became more complex. Many people now work with AD: one is responsible for users, groups and their properties, another for application data, a third for security, and so on. This has created a need to improve the protection and partitioning of data in AD by applying a role-based approach to directory management and revising the structure, specifically the layout and protection of organizational units. Original AD designs may no longer fit and may need cleaning up and restructuring.
AD role change
Previously, the role of Active Directory in most organizations was modest. It was used to provide centralized logon and security for Windows PC users, or as an alternative to, or replacement for, the Windows NT 4 Security Account Manager (SAM) or Novell NetWare. Over time AD has become the hub of most activity in IT organizations (Figure 2), providing:
- authentication and authorization for non-Windows systems (for example, Linux servers, desktops, and Mac laptops);
- authentication and authorization for other platforms, such as Microsoft SharePoint sites, Java application servers, network-attached storage (NAS) devices, and out-of-band management tools like HP Integrated Lights-Out (iLO) or the Integrated Dell Remote Access Controller (iDRAC);
- authorizing access to large amounts of corporate data (including sensitive data) through AD security groups;
- white pages for corporate directories and organization charts;
- authentication for cloud-hosted applications delivered as software as a service (SaaS). This relatively new use of AD raises the security stakes and demands far more attention to the infrastructure than the "set up and forget" approach many IT departments have taken with AD.
Fig. 2. Active Directory at the center of many IT resources
In many organizations AD has become a primary element of the infrastructure, and its security and management receive as much attention as the most critical business platforms. In particular, organizations are adopting a hybrid approach to IT services in which some applications run in the company's own data centers and others in the clouds of external providers. Most often the two environments are tied together by authentication and access control integrated with AD. Without a well-protected and well-managed AD, a hybrid approach hinders the business more than it helps.
Unfortunately, AD sometimes does not get enough attention from IT staff. This shows up in many ways, from weak change management in AD to the assumption that, since "everything works anyway", no effort is needed. That attitude does IT departments no favors, because integration, both in general and with cloud solutions, depends on AD.
Changes in the legal framework
Since the first Active Directory releases, the difficulty of keeping IT operations compliant with applicable legislation has grown. Organizations now deal with many complex regulations, and AD is often the main tool through which they demonstrate compliance.
The need for monitoring and reporting on the use of Active Directory has increased significantly. Achieving and maintaining compliance requires more rigorous processes for managing AD and verifying the activity associated with it. It is simply no longer acceptable not to know who made each change to the directory, and why. Ignoring AD-related activity can compromise the integrity of corporate data. Given how much authentication and authorization depend on this system, and how much of the most sensitive data it protects, uncontrolled changes cannot be tolerated. A competent modern approach to managing AD is necessary for both compliance and security.
Key steps in modernizing the use of AD
Many organizations have used Active Directory for years without changes, so the structure and the practices around it now need updating. The main areas for improvement are:
- restructuring AD;
- management and administration optimization;
- protecting AD and its data;
- ensuring and maintaining system flexibility;
- ensuring the availability and recoverability of AD;
- management of AD.
Restructuring AD
Restructuring AD is becoming more common; it is a good way to remake the directory to fit an organization's current and future needs. Even changing organizational units alone can greatly affect how AD is managed and protected. Historically, OU structures mirrored the structure of the business, for example the company's departments or their geographic locations. That did not always match the directory's other needs. For example, for the sake of Group Policy you could split PCs into organizational units by operating-system version, as shown in Figure 3, but if all of those PCs belong to the same IT group, this decision complicates delegation of rights and administration for that group.
Fig. 3. Structure of organizational units optimized for Group Policy instead of delegation
Modern directory design aims for a golden mean. To create such an AD structure it is extremely important to take the organization's various needs into account.
Restructuring AD itself can take several forms. Sometimes you need to reduce the number of domains and forests to simplify data management and protection. In other situations, for security reasons, some resources (for example, those exposed to customers) may need to be split off into a separate forest. Sometimes you simply want to start over and build a clean AD structure, removing everything unnecessary. This last approach can be very costly, since it requires additional time to migrate users and resources from the old AD environment to the new one.
For any AD restructuring it is worth looking at third-party tools that help make the move "painless". This is especially important when migrating from a poorly documented environment to a more structured one, since the course of the migration is not always predictable.
Management and Administration Optimization
Another area of AD improvement is directory management and administration. Usually the first thing to do is reduce the number of administrators with unrestricted rights across all of AD. The point is to create a least-privilege management model in which administrators can change only those parts of the system for which they are responsible. These areas can be:
- infrastructure outside AD: the servers and services that support it, for example domain controllers, the Domain Name System (DNS) and the site and replication topology;
- data inside AD: anything from user account properties to the key groups to which users belong.
These areas have different delegation models, but neither can be neglected: whoever controls the domain controllers and their supporting infrastructure effectively controls every object in the directory, so the security model for the data inside AD is only as strong as the protection of the servers that host it. You therefore need to control both the management of the AD servers and related infrastructure and the creation, reading, updating and deletion of data in AD itself.
Membership in AD groups can grant access to anything from server administrator rights to financial data. Access to these groups therefore needs careful monitoring, and their membership should be recertified regularly.
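As an added example (not part of the original article), the following PowerShell script produces a membership recertification report for the built-in privileged groups: it expands nested membership and flags the members a reviewer should question. It assumes the ActiveDirectory module and an account that can read the domain; the group list and the 90-day staleness threshold are assumed policy values.

```powershell
# Added example: recertification report for privileged AD groups.
# Assumes the ActiveDirectory module; the group list and the 90-day threshold are assumed policy values.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'

function Get-PrivilegedMembershipReport {
    param(
        [string[]]$Groups = $PrivilegedGroups,
        [int]$StaleAfterDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so every effective member is listed
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        foreach ($m in $members) {
            $flags = @()
            switch ($m.objectClass) {
                'user' {
                    $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordNeverExpires, ServicePrincipalName
                    if (-not $u.Enabled)                     { $flags += 'disabled account' }
                    if ($u.PasswordNeverExpires)             { $flags += 'password never expires' }
                    if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'has SPN (service account in an admin group)' }
                    if (-not $u.LastLogonDate)               { $flags += 'never logged on' }
                    elseif ($u.LastLogonDate -lt $cutoff)    { $flags += "no logon since $($u.LastLogonDate.ToString('yyyy-MM-dd'))" }
                }
                'computer' { $flags += 'computer account in a privileged group' }
                default    { $flags += "unexpected object class $($m.objectClass)" }
            }
            [pscustomobject]@{
                Group  = $group
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Flags  = ($flags -join '; ')
            }
        }
    }
}

# Usage: write a CSV the access owners can sign off on, flagged entries first
Get-PrivilegedMembershipReport |
    Sort-Object @{ Expression = { $_.Flags -eq '' } }, Group, Member |
    Export-Csv -Path ".\privileged-membership-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two caveats a reviewer should know: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated about every 14 days, so treat it as approximate; and Get-ADGroupMember fails on groups that contain foreign security principals from trusted domains, in which case read the group's member attribute directly and resolve the SIDs yourself.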
Protect Active Directory and the data in it
As part of modernization it is worth reviewing delegation: control over who may change AD objects and their properties. Closely related is ensuring that objects are changed only by authorized users. Too often organizations grant access for an immediate task and never revoke it once it is no longer needed.
To manage delegation in Active Directory you need a role-based framework for granting access to objects and their attributes. In practice this means defining a role-based delegation template for each task (or at least each critical task) that administrators must perform, for example changing membership of privileged groups or modifying user attributes, and granting only the permissions that task requires.
Achieving, maintaining and demonstrating compliance
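As an added example of such a delegation template (not the article's own code), the following PowerShell implements a "helpdesk password reset" role on a single OU: two ACEs scoped to user objects only, plus a function to read the grant back for periodic review. The OU distinguished name and the group name are placeholders, and it assumes the ActiveDirectory module and a caller allowed to modify the OU's ACL. The schema and extended-right GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example: a role-based delegation template for "helpdesk password reset" on one OU.
# Assumptions: the ActiveDirectory module is loaded, the caller may modify the OU's ACL,
# and the OU DN and group name used below are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve the schemaIDGUID of a class or attribute by its LDAP display name
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # Resolve the rightsGuid of a control access right such as "Reset Password"
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

function Grant-PasswordResetRole {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # placeholder, e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupSamAccountName     # placeholder, e.g. 'Helpdesk-PasswordReset'
    )
    $sid        = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $userClass  = Get-SchemaGuid 'user'
    $pwdLastSet = Get-SchemaGuid 'pwdLastSet'
    $resetRight = Get-ExtendedRightGuid 'Reset Password'

    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $path    = "AD:\$OuDistinguishedName"
    $acl     = Get-Acl -Path $path

    # ACE 1: the "Reset Password" control access right, only on user objects under the OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetRight, $inherit, $userClass))
    # ACE 2: write pwdLastSet so the role can set "user must change password at next logon"
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        $pwdLastSet, $inherit, $userClass))

    Set-Acl -Path $path -AclObject $acl
}

function Get-RoleDelegation {
    # Read back what a group has been granted on an OU, for periodic review
    param([Parameter(Mandatory)][string]$OuDistinguishedName, [Parameter(Mandatory)][string]$GroupSamAccountName)
    $account = "$((Get-ADDomain).NetBIOSName)\$GroupSamAccountName"
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType, IsInherited
}

# Usage (placeholders):
# Grant-PasswordResetRole -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupSamAccountName 'Helpdesk-PasswordReset'
# Get-RoleDelegation      -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupSamAccountName 'Helpdesk-PasswordReset'
```

Note that this grant deliberately does not reach accounts in protected groups: AdminSDHolder periodically rewrites the ACLs of members of Domain Admins and similar groups, so a helpdesk role delegated on an OU cannot reset an administrator's password, which is the intended boundary.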
Once control over the data entering Active Directory is established, the actions performed on that data must be checked continuously. These checks must satisfy both internal (IT department) and external (auditor) requirements. Although Windows Server and Active Directory have built-in auditing, on its own it can be almost useless: in busy environments it generates so much data that the Security log quickly fills and wraps.
You need an audit aggregator and the ability to analyze the collected events to identify unwanted changes and unauthorized use of AD and corporate resources, and to track user activity across all IT systems. Auditing provides a history of changes made to and through the system, for example when users logged on to the network and which applications were launched most often.
After establishing change control across the whole IT environment, pay close attention to the critical tasks associated with AD, including changes to its infrastructure and data that may affect the integrity of the directory.
Using change control and auditing as feedback loops for tracking both authorized and unauthorized changes gives you a complete picture of what is happening in AD. Combined with a current delegation model, such a review makes it clear at any time who has access to what.
Ensuring availability and recoverability of AD
High availability is another aspect of modern Active Directory use. Fortunately, AD can be a reliable and resilient part of the IT infrastructure if its supporting components are in good working order, namely:
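An added example (not from the original article) of reading the built-in audit trail for exactly these critical changes: the following PowerShell pulls group-membership and directory-object modification events from the Security log of every domain controller and normalizes them into one table. It assumes the ActiveDirectory module, remote read access to the Security logs, and that the "Audit Security Group Management" and "Audit Directory Service Changes" subcategories are enabled on the DCs (the latter also needs a SACL on the objects of interest); the Tier-0 group list is an assumption.

```powershell
# Added example: pull AD change events from domain controllers' Security logs.
# Assumes the Security log is readable remotely (Event Log Readers or admin rights)
# and that the relevant audit subcategories are enabled on the DCs.
Import-Module ActiveDirectory

function Get-AdChangeAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,          # a domain controller
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4728/4732/4756: member added to a security-enabled global/local/universal group
    # 4729/4733/4757: member removed; 5136: directory service object modified
    $added   = 4728, 4732, 4756
    $removed = 4729, 4733, 4757
    $filter  = @{ LogName = 'Security'; Id = ($added + $removed + 5136); StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            # Named EventData fields are only reliably available through the event XML
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if     ($e.Id -in $added)   { $action = 'member added';   $target = $d.TargetUserName; $detail = $d.MemberName }
            elseif ($e.Id -in $removed) { $action = 'member removed'; $target = $d.TargetUserName; $detail = $d.MemberName }
            else {
                # OperationType %%14674 = value added, %%14675 = value deleted
                $op = if ($d.OperationType -eq '%%14674') { 'added' } else { 'removed' }
                $action = "attribute $($d.AttributeLDAPDisplayName) value $op"
                $target = $d.ObjectDN; $detail = $d.AttributeValue
            }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $e.MachineName
                EventId = $e.Id
                Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Action  = $action
                Target  = $target
                Detail  = $detail
            }
        }
}

# Usage: a change is logged only on the DC that processed it, so ask every DC,
# then focus on the groups that matter most (list assumed)
$tier0  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$events = (Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Get-AdChangeAudit -ComputerName $_ -Since (Get-Date).AddHours(-24) }
$events | Where-Object { $_.Target -in $tier0 -or $_.Target -like 'CN=AdminSDHolder,*' } |
    Sort-Object Time | Format-Table -AutoSize
```

The per-DC loop is the reason the article calls for an aggregator: without event forwarding or a SIEM, the record of a change exists only on one controller's log, and on a busy DC it is gone once the log wraps.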
- domain controller replication and the replication topology;
- Domain Name System (DNS);
- the File Replication Service (FRS), or DFS Replication where it has replaced FRS for SYSVOL;
- virtual machine and hardware resources.
Most, if not all, of these components can be monitored with standard or AD-specific monitoring tools. As AD's role grows, regular monitoring of its operation becomes increasingly important. It may include synthetic transactions for typical AD operations, such as authentication and search, which confirm not just that domain controllers respond to ping but that the services running on them actually answer correctly.
In addition to monitoring availability, it is important to have good backups and a disaster recovery plan. Many backup and recovery tools are now available, including object-level restore, covering everything from minor changes in the directory to major failures. There are three types of recovery associated with AD.
Table 1. Types of AD Recovery
As more and more organizations run their AD infrastructure on virtualization platforms, recovery of a failed domain controller has become routine, and the loss of an entire forest or server is now less common. Nevertheless, it is important to have a plan for the worst case and suitable tools for restoring a forest as quickly as possible.
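As an added example (not the article's own code), the following PowerShell runs the two synthetic transactions just described, an authenticated bind and a real search, against every domain controller and times them, then reads each DC's inbound replication status. It assumes it runs under a domain account on a domain-joined host with the ActiveDirectory module installed.

```powershell
# Added example: synthetic transactions (bind + search) against each domain controller,
# plus a replication status check. Assumes a domain account on a domain-joined host
# with the ActiveDirectory module.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Test-DcProbe {
    param([Parameter(Mandatory)][string]$DcFqdn, [int]$TimeoutSeconds = 5)
    $r = [ordered]@{ DC = $DcFqdn; Ping = $false; Bind = $false; BindMs = $null; Search = $false; SearchMs = $null; Error = $null }
    $r.Ping = Test-Connection -ComputerName $DcFqdn -Count 1 -Quiet
    $conn = $null
    try {
        $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DcFqdn, 389)
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $true     # the probe itself uses signed and sealed LDAP
        $conn.SessionOptions.Sealing = $true
        $conn.Timeout = [timespan]::FromSeconds($TimeoutSeconds)

        # Transaction 1: authenticated bind. With Negotiate this obtains a Kerberos ticket,
        # so it exercises the KDC as well as the LDAP service.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $conn.Bind()
        $r.BindMs = $sw.ElapsedMilliseconds; $r.Bind = $true

        # Transaction 2: a real search. Read the default NC from RootDSE, then look up
        # the probing account itself: cheap, but it goes through the directory's indexes.
        $base    = [System.DirectoryServices.Protocols.SearchScope]::Base
        $subtree = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $rootReq = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', $base, 'defaultNamingContext')
        $nc = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]
        $sw.Restart()
        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new($nc, "(sAMAccountName=$env:USERNAME)", $subtree, 'distinguishedName')
        $resp = $conn.SendRequest($req)
        $r.SearchMs = $sw.ElapsedMilliseconds
        $r.Search   = ($resp.Entries.Count -eq 1)
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($conn) { $conn.Dispose() }
    }
    [pscustomobject]$r
}

function Get-ReplicationHealth {
    # Inbound replication status per partner, as seen by the given DC
    param([Parameter(Mandatory)][string]$DcFqdn)
    Get-ADReplicationPartnerMetadata -Target $DcFqdn -ErrorAction Stop |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

# Usage: probe every DC. A DC that answers ping but fails Bind or Search is exactly
# the case a ping-only monitor would miss.
$dcs = (Get-ADDomainController -Filter *).HostName
$dcs | ForEach-Object { Test-DcProbe -DcFqdn $_ } | Format-Table -AutoSize
$dcs | ForEach-Object { Get-ReplicationHealth -DcFqdn $_ } |
    Where-Object { $_.ConsecutiveReplicationFailures -gt 0 } | Format-Table -AutoSize
```

Scheduled from a monitoring host, the BindMs and SearchMs columns give a baseline, and a DC whose bind time climbs while ping stays green is usually a KDC, DNS or replication problem rather than a network one.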
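As an added example of the object-level recovery mentioned above (not the article's own code), the following PowerShell checks whether the AD Recycle Bin is enabled, enables it if required, finds a recently deleted object and restores it to its original container. It assumes the ActiveDirectory module and the rights to read and restore deleted objects; the account name used in the usage lines is a placeholder.

```powershell
# Added example: object-level recovery with the AD Recycle Bin.
# Assumes the ActiveDirectory module and rights to read and restore deleted objects.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    # $true when the optional feature is enabled in this forest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [bool]($feature.EnabledScopes.Count -gt 0)
}

function Enable-AdRecycleBin {
    # One-way operation (it cannot be disabled again); needs forest functional level 2008 R2 or higher
    $forest = Get-ADForest
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

function Find-DeletedAdObject {
    # Deleted objects keep their attributes (unlike plain tombstones) and are renamed "<name>\0ADEL:<guid>"
    param([Parameter(Mandatory)][string]$NameLike, [datetime]$DeletedSince = (Get-Date).AddDays(-30))
    Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and name -like $NameLike -and whenChanged -ge $DeletedSince } `
        -Properties lastKnownParent, whenChanged, objectClass, 'msDS-LastKnownRDN'
}

function Restore-DeletedAdObject {
    # Restore to the original container, or to a specified one if the parent is itself gone
    param([Parameter(Mandatory)]$DeletedObject, [string]$TargetPath)
    if (-not $TargetPath) { $TargetPath = $DeletedObject.lastKnownParent }
    # If the parent OU was deleted too, it has to be restored first (or another target chosen)
    try { $null = Get-ADObject -Identity $TargetPath }
    catch { throw "Target container '$TargetPath' does not exist; restore it first or pass -TargetPath" }
    Restore-ADObject -Identity $DeletedObject.ObjectGUID -TargetPath $TargetPath -PassThru
}

# Usage (placeholder account name): find a user deleted in the last 30 days, then restore it
if (-not (Test-AdRecycleBin)) {
    Write-Warning 'Recycle Bin is not enabled: only tombstone reanimation or an authoritative restore from backup is possible'
}
$candidates = Find-DeletedAdObject -NameLike 'jdoe*' | Where-Object objectClass -eq 'user'
$candidates | Select-Object Name, lastKnownParent, whenChanged
# $candidates | Select-Object -First 1 | ForEach-Object { Restore-DeletedAdObject -DeletedObject $_ }
```

The Recycle Bin covers only the deleted-object lifetime (180 days by default) and only objects deleted after it was enabled; anything older, and any domain controller or whole-forest loss, still needs a system-state backup and the documented authoritative-restore or forest-recovery procedure.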
Implementation of AD management
After upgrading your AD infrastructure it is important to establish reliable governance for smooth operation: clear rules for using, extending and managing the system, and a description of all the key components of AD that affect its operation.
The guide should include the following elements:
- instructions for all types of data located in the system;
- recommendations for extending the AD schema: when and how it should be extended, as well as when existing attributes can and should be used to store application-related data;
- recommendations on the delegation of rights in AD;
- recommendations for using security groups;
- standard tools, application programming interfaces (APIs) and ports used in AD;
- instructions for writing AD queries.
This list is just the tip of the iceberg. Active Directory governance should have well-documented standards for what to do in each situation.
Conclusion
Over time the role of Active Directory has grown dramatically; it has become critical for many organizations. For the system to operate correctly, whether it authenticates and authorizes Windows PCs, Linux servers or Java applications, it must be well managed, highly available and efficient, well protected and audited.
With AD, all of these can be achieved using the latest versions of Windows Server together with third-party tools. In any case, good management and protection are essential for the smooth operation of Active Directory.