Direct Inward Dialing: +1 408 916 9892
Security groups in Active Directory (AD) bring together users, computers, and other groups so administrators can manage them simultaneously. Access permissions to various resources in the domain can be assigned through security groups. They are also used to assign user rights through Group Policy settings. This makes them susceptible to attacks from intruders seeking to compromise your business’ vital information. Here are five Active Directory security group best practices to help ensure a secure AD environment.
Making one AD group a member of another is called nesting. Microsoft's AGDLP and AGUDLP group nesting strategy designates global groups as account groups containing user accounts and domain local groups as resource groups for assigning permissions to resources. Universal groups can be used to grant permissions across domains in multi-domain environments. This strategy establishes role-based access control and simplifies access management as users and their permissions are handled separately.
AGDLP - Accounts, global groups, domain local groups, permissions AGUDLP - Accounts, global groups, universal groups, domain local groups, permissionsUsing standard naming conventions throughout a domain is vital for network administration. The names of your security groups should make each group’s purpose and associated permissions clear. For example, take the name DL-Marketing-R. This precise name describes the group’s scope (DL-Domain Local/G-Global/U-Universal), the role of its members, and the permissions assigned to the group (R-Read/C-Change).
In AD, it’s imperative for administrators to keep track of users and their privileges. Although security groups make it easier to assign permissions to many objects at once, these permissions must be kept to a bare minimum. Aside from administrators, users don’t usually require Full Control access to a resource. Exercise caution when assigning permissions to security groups to ensure that members are allowed just enough leeway to complete their assigned tasks.
When managing security groups, it’s important to ensure that a user is not part of too many groups. During logon, the user's session ticket is assembled, containing the user’s SID as well as the SIDs of all the security groups the user belongs to. When a user is a member of too many groups (more than 1,015), this can lead to token bloat, where their Kerberos token becomes too large for Windows to handle, causing authentication failure. In large IT environments, it’s recommended that you stick to a role-based access control and reduce the group membership of individual users.
Always look out for suspicious activities by constantly monitoring your AD security groups. Default security groups whose rights and privileges are extensive enough to effect domain or even forest-wide changes, such as the Domain Admin and Enterprise Admin groups, need closer examination. Any unauthorized membership changes to these privileged groups might mean that your network security is compromised.
Using native tools to keep track of changes to AD security groups can be a labor-intensive process. To accomplish this task in just a few clicks, check out ADAudit Plus—a UBA-driven auditor from ManageEngine. ADAudit Plus provides real-time updates on all changes made to AD groups, including type, scope, and membership changes, bringing much needed relief to administrators.
Download a free, 30-day trial
