Identifying an Under-Optimised Active Directory
A visual guide highlighting some symptoms of an under-optimised Active Directory
In an ideal world an Active Directory would be:
- Thoroughly designed and documented
- Perfectly implemented according to plan
- Maintained in its integrity through minimised, controlled change
Unfortunately this is not always the case, usually for one of the following reasons:
- Lack of funds
- Lack of time
- Pressure from the business to attend to more “visible” projects
- Uncertainty about the project goals
There are several things you can look for in your own Active Directory that show
where there might be room for improvement.
Introductory Note
Each of the following sections highlights good and bad Active Directory practice
in specific areas. The “Optimised Active Directory” images on the right of each
section were taken from a Genesis implementation. This core structure took 30 minutes
to implement and after a couple of days of customisation would effectively serve
any production environment of up to 5,000 users.
Genesis is an optimisation tool – find out how it can help you
Organisational Unit Structure
[Images: Normal OU structure (left) and Optimised OU structure (right)]
Normal
The structure is based on the organisation (not helpful) rather than on the technology
(best practice), leading to unnecessary complexity. There are lots of OUs hanging
off the ‘root’ of the domain, making security by inheritance difficult. Naming standards
are variable. These structures would be difficult to learn and maintain.
Optimised
Clean, consistent structures. All the OUs represent the company technology -
excellent design practice offering simplicity, versatility and strength. These structures
are intuitive and easy to maintain.
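A quick structural health check, added here as an example (it is not from the page or from Genesis), that measures the symptoms just described: how many OUs hang directly off the domain root, how deep the tree goes, how mixed the naming styles are, and which OUs are empty. It assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example, not from the page or from Genesis. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$root = (Get-ADDomain).DistinguishedName
$ous  = @(Get-ADOrganizationalUnit -Filter *)

# Symptom 1: lots of OUs hanging off the root make inheritance-based security hard
$top = @(Get-ADOrganizationalUnit -SearchBase $root -SearchScope OneLevel -Filter *)
"{0} OUs in total, {1} directly under the domain root" -f $ous.Count, $top.Count
$top | Sort-Object Name | ForEach-Object { "    " + $_.Name }

# Symptom 2: depth. Count the OU= components in each DN; a technology-based design stays shallow
"OUs by depth:"
$ous | Group-Object { ([regex]::Matches($_.DistinguishedName, 'OU=')).Count } |
    Sort-Object { [int]$_.Name } | ForEach-Object { "    depth {0}: {1}" -f $_.Name, $_.Count }

# Symptom 3: variable naming. A consistent tree uses one style throughout.
function Get-NameStyle([string]$n) {
    if     ($n -cmatch '^[A-Z0-9 _-]+$') { 'UPPER CASE' }
    elseif ($n -cmatch '^[a-z0-9 _-]+$') { 'lower case' }
    elseif ($n -match '\s')              { 'Mixed case with spaces' }
    else                                 { 'Mixed case, no spaces' }
}
"Naming styles in use (more than one is a warning sign):"
$ous | Group-Object { Get-NameStyle $_.Name } | ForEach-Object { "    {0}: {1}" -f $_.Name, $_.Count }

# Symptom 4: empty OUs, usually leftovers of an abandoned design
$empty = $ous | Where-Object {
    -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -Filter * -ResultSetSize 1)
}
"{0} empty OU(s):" -f @($empty).Count
$empty | ForEach-Object { "    " + $_.DistinguishedName }
```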
Administrative Authority Groups
[Images: Normal Administrative Authority Groups (left) and Optimised Administrative Authority Groups (right)]
Normal
The Authority Groups are spread around the structure, often in the same OUs as the
objects over which they grant control. This leads to Administrators having direct
control over peer administrator accounts and group memberships – invalidating the
system audit trails. “Distributed” Administrative groups make it very difficult
to hierarchically organise any role-based authority breakdown.
Optimised
Clean, consistent Authority Groups. Each group is clearly named and its function
is obvious from a combination of naming and position within the OU structure. Authority
can be hierarchically organised.
Group Policy Architecture
[Images: Normal Group Policy architecture (left) and Optimised Group Policy architecture (right)]
Normal
We have either no policy definition (i.e. defaults only, offering only limited
functionality in a rigid form) or too many policies, poorly organised. Poor naming
and inconsistent OU association make policy application volatile, degrading the
user experience, lowering security and, in the worst cases, actually reducing return
on investment by wasting administrators' time on excess support and complex troubleshooting.
Optimised
A carefully layered, consistent Group Policy architecture ensures reliable,
secure and trouble-free Group Policy application.
Inappropriate Authority
[Images: Normal membership of high-level groups (left) and Optimised membership (right)]
Normal
Every user account that is granted a higher-level authority like “Domain Admins”
has the power to destroy, by accident or malice, anything anywhere in the ENTIRE
Windows infrastructure.
It is common to find too many members of the high level security groups. Excess
members are often lower level Administrators who lack the proper training, but,
just as often, they are ordinary users who should NEVER have been granted any elevated
authority.
Optimised
Higher-level authority should be strictly limited to the smallest possible number
of the most senior, most trusted and most skilled Administrators.
This, of course, can only be done once alternative role-based, lower-level authorities
have been created (see below).
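An added example (not from the page or from Genesis) that makes the membership of the high-level groups visible: it flattens nested membership down to the accounts that actually hold the power, counts them per group, and flags accounts that look like ordinary users or that are disabled or stale. It assumes the RSAT ActiveDirectory module; the `-adm` suffix and the mailbox heuristic are assumptions about naming standards, not anything the page states.

```powershell
# Added example, not from the page or from Genesis. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$highLevel = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
# Assumed naming standard for dedicated admin accounts; replace with your own convention
$adminNamePattern = '-adm$'
$staleAfter = (Get-Date).AddDays(-90)

$members = foreach ($name in $highLevel) {
    $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'"
    if (-not $group) { continue }
    # -Recursive flattens nested groups down to the accounts that actually hold the power
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, Mail, Title
        [pscustomobject]@{
            Group        = $name
            Account      = $u.SamAccountName
            Enabled      = $u.Enabled
            LastLogon    = $u.LastLogonDate
            NamedAsAdmin = [bool]($u.SamAccountName -match $adminNamePattern)
            HasMailbox   = [bool]$u.Mail   # assumption: a mailbox suggests a day-to-day user account
            Location     = ($u.DistinguishedName -split ',', 2)[1]
        }
    }
}

"Effective membership of the high-level groups:"
$members | Group-Object Group | ForEach-Object { "    {0,-18} {1}" -f $_.Name, $_.Count }
"Accounts that look like ordinary users (not named as admin accounts, or mail-enabled):"
$members | Where-Object { -not $_.NamedAsAdmin -or $_.HasMailbox } |
    Sort-Object Group, Account | Format-Table Group, Account, Location -AutoSize
"Disabled or stale members (no logon since $($staleAfter.ToShortDateString())) - remove, do not leave:"
$members | Where-Object { -not $_.Enabled -or -not $_.LastLogon -or $_.LastLogon -lt $staleAfter } |
    Format-Table Group, Account, Enabled, LastLogon -AutoSize
```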
Role Based Authority
[Images: Normal authority model, system defaults (left) and Optimised role-based authority (right)]
Normal
System defaults. Everyone who requires any sort of authority is a “Higher Level Admin”.
Optimised
Clear, hierarchically organised role-based authority. Administrators are granted
the powers they need to do their job and no more.
Lack of role-based authority is detrimental to the security of the whole Windows
infrastructure. It is one of the most common audit failures.
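An added example (not from the page or from Genesis) that serves both the Administrative Authority Groups section and this one: it reads every OU's ACL, lists the explicit delegations that make up the role-based authority model as actually implemented, shows where authority was granted to individual accounts rather than role groups, and flags trustee groups stored inside the OU they control, the “distributed” symptom described earlier. It assumes the RSAT ActiveDirectory module, whose AD: drive is used to read the ACLs.

```powershell
# Added example, not from the page or from Genesis. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$netbios = (Get-ADDomain).NetBIOSName
# Principals that appear in the default OU ACL; they are not delegations
$defaults = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
            'CREATOR OWNER', 'Everyone'

$delegations = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # Only explicit Allow ACEs set on this OU count as delegation; inherited ones belong to a parent
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if ($defaults -contains $who -or $who -notlike "$netbios\*") { continue }
        $sam     = $who.Split('\')[1]
        $trustee = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        [pscustomobject]@{
            OU              = $ou.DistinguishedName
            Trustee         = $who
            TrusteeClass    = $trustee.ObjectClass       # a role model should show 'group' here
            Rights          = $ace.ActiveDirectoryRights
            TrusteeInsideOU = [bool]($trustee -and $trustee.DistinguishedName -like "*,$($ou.DistinguishedName)")
        }
    }
}

"Explicit delegations per OU (the role-based authority model as actually implemented):"
$delegations | Sort-Object OU, Trustee | Format-Table OU, Trustee, TrusteeClass, Rights -AutoSize
"Delegations granted directly to user accounts instead of role groups:"
$delegations | Where-Object TrusteeClass -eq 'user' | Select-Object OU, Trustee
"Authority groups stored inside the OU they control (peer admins can edit each other):"
$delegations | Where-Object TrusteeInsideOU | Select-Object OU, Trustee, Rights
```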
Role Based Authority - An Interface Example
[Images: Normal “Higher Admin” interface (left) and Optimised role-based “Client Administrator” interface (right)]
Normal
A “Higher Admin” can create anything, anywhere! It could be inappropriately used
to create a user in an OU that is not covered by Group Policy - allowing that user
to evade security controls.
Optimised
A role-based “Client Administrator” can only perform the tasks defined for the job -
in this case creating a computer object in the prescribed location.
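An added example (not from the page or from Genesis) that finds the failure mode described above: accounts sitting where Group Policy does not reach them. It goes slightly beyond the page's single case by also checking OUs that block inheritance and the default CN=Users container. It assumes the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
# Added example, not from the page or from Genesis. Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName
$gaps = New-Object System.Collections.Generic.List[object]

# Pass 1: OUs that no enabled policy reaches, or that cut themselves off from the layered design
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    # InheritedGpoLinks is the effective set: the OU's own links plus whatever it inherits
    $effective = @($inh.InheritedGpoLinks | Where-Object Enabled)
    if ($effective.Count -eq 0) {
        $gaps.Add([pscustomobject]@{ Container = $ou.DistinguishedName; Reason = 'no effective GPO links' })
    } elseif ($inh.GpoInheritanceBlocked) {
        $gaps.Add([pscustomobject]@{ Container = $ou.DistinguishedName
                                     Reason    = 'inheritance blocked; only its own and enforced links apply' })
    }
}
# The default CN=Users container cannot have a GPO linked to it, so accounts left there
# receive domain-level policy only, never the OU-specific settings a layered design relies on
$gaps.Add([pscustomobject]@{ Container = "CN=Users,$domainDN"; Reason = 'default container, no OU-level policy possible' })

# Pass 2: which enabled accounts are sitting in those places?
foreach ($g in $gaps) {
    $users = @(Get-ADUser -SearchBase $g.Container -SearchScope OneLevel -Filter 'Enabled -eq $true')
    if ($users.Count -eq 0) { continue }
    "{0} enabled user(s) in {1} [{2}]:" -f $users.Count, $g.Container, $g.Reason
    $users | Sort-Object SamAccountName | ForEach-Object { "    " + $_.SamAccountName }
}
```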
Documentation (Thorn In The Side)
[Images: Normal documentation state (left) and Optimised documentation (right)]
Normal
Enough said... Almost...
Remember that lack of appropriate documentation is one of the most common causes
of compliance audit failures.
Optimised
The way it should be, in line with best practice: administrators can recover from
disasters with the support of the instructions, new starters get up to speed quickly,
and there is no ‘key man reliance’.