Over the past few weeks, we’ve covered a broad range of security-focused basics that you can implement to strengthen your security posture. Today, we’ll dive deeper into strengthening your security posture via Microsoft’s Identity Management platform.
As the Microsoft toolset used to manage identity has evolved over the past few years, the ease of management has increased. That being said, having a strong overall framework for deploying these tools is a necessity. As with most environments, ongoing maintenance often goes by the wayside as more pressing items come up. Thus, without intentionality and tight processes to continually maintain them, a once simple ecosystem grows into a complex web of controls and policies that can become an entangled management headache.
As clients approach us to discuss the topic of Identity Management within Microsoft, we start with three main areas: Active Directory (AD), Group Policy Objects (GPO), and core email/O365 design. Below we walk through some of the starting points to ensure you’re properly architecting your Microsoft Identity Management platform to maximize your security posture.
Active Directory: The Core of Your Identity Management Platform
Structuring AD properly is a clear starting point for this conversation. As the core resource responsible for authenticating and authorizing all users and computers within your environment, AD is vital in properly controlling your network and system policies.
These layers have become increasingly important as they commonly federate with things like Network Access Control, Single Sign-On, Multi-factor Authentication, and the like. With a tight AD architecture, you’ll provide a stable environment to efficiently deliver additional services throughout your technology experience.
Some basic checkboxes we walk through include the following:
As time moves on, the maintenance and upkeep of your user access controls can fall behind. Having detailed procedures to ensure the proper levels of access and control are granted to the correct individuals seems basic.
Unfortunately, changes can often happen quickly. Organizational communication gaps can prevent permission changes from mirroring personnel changes. Reviewing the following alignment is a perfect starting point for tightening your identity management deployment.
Administrator Accounts
For obvious reasons, complete account control should be limited to key personnel only. Administrator accounts have the ability to make changes that affect your user base, change security settings, install software and hardware, and manage file and access policies. A quick review of administrative access ensures the keys to the kingdom are in trusted and secure hands.
Service Accounts
Microsoft defines a service account as “a user account that is created explicitly to provide a security context for services running on Windows Server operating systems.” Understanding your service accounts is vital to ensuring data services within your network have the proper access to local and network resources.
Monitoring Active Users
Similar to our point on Administrator Accounts above, ensuring you understand your active users and how they align to file and network access is an important review.
Have you ever had a user move from one department to another? Do they really need access today to the financial tools they once used in a previous role? Did you deploy a user account for a contractor that’s still active? Several scenarios like these play out within this review.
Password Policies
Good password policies are vital in maintaining a strong security posture. Understanding your password controls, when and where passwords are needed, and the types of passwords required are all important base steps we encourage you to review.
Strong passwords also help contain successful attacks. Reviewing reset links, password expiration policies, and integration with multi-factor authentication are also important layers to this conversation.
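The four review points above (administrator accounts, service accounts, active users, password controls) can be pulled into one read-only report. The script below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and an account with read access to the domain, and the 90-day inactivity window is an assumption you should tune.

```powershell
# Added example, not from the original post: a read-only sweep of the four review
# points above. Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$InactiveDays = 90    # assumption: no logon for 90 days counts as inactive

# 1. Administrator accounts: expand nested membership of the built-in privileged
#    groups so everyone holding domain-wide rights appears on one list.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}
$Privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Service accounts: user objects carrying a ServicePrincipalName, plus managed
#    service accounts, so each can be matched to an owner and a running service.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
                  @{n='SPNs';e={ $_.ServicePrincipalName -join '; ' }} |
    Format-Table -AutoSize
Get-ADServiceAccount -Filter * | Select-Object Name, Enabled, ObjectClass | Format-Table -AutoSize

# 3. Active users: enabled accounts with no recent logon (the departed contractor),
#    and enabled accounts whose password is set never to expire.
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 4. Password controls: the default domain policy and any fine-grained policy
#    that overrides it for particular groups.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
```

Every query is read-only; the output is a review list to reconcile against HR and change records, not something to act on automatically.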
Sites and Services
As your organization grows, AD should grow with it. It should mirror multiple locations. This representation could be both a physical or logical topology. This topology becomes an important layer in authenticating users and ensuring they can connect to the proper applications and services regardless of office environment.
Understanding your replication topology is an important step in understanding how changes are replicated and synchronized throughout your environment. By validating this step, you gain an understanding and affirmation of your replication strategy and the data flow across your network.
In most cases, the services listed above are pretty straightforward in their deployment structure. They can become increasingly complex when you have multiple locations, a dispersed workforce, or if you haven’t provided the consistent care and maintenance required to stay current with the latest Microsoft-based updates.
Group Policy Objects: Deploying Policy at Scale
A natural next step is to understand and evaluate the use of Group Policy within your environment. At its core, Microsoft’s GPO is designed to provide a centralized location for the management of client computers and servers joined to the domain. A quick review of the following areas is a great place to start when you want to ensure GPO is properly designed and maintained for your use.
Stale Objects and Outdated GPOs
A quick review of your GPOs will highlight user accounts and their use. Review this list for accounts that have never been used, computer accounts that have been disjoined from the domain, and groups with no ACL permissions and nobody in them. Basically, do your GPOs still serve a functional purpose, or are they stale?
Containers
A container is a group of policy settings within AD. Reviewing these policies periodically is important. When doing so, make sure policies are in alignment with your current business needs and organizational structures. By leveraging containers, you’re able to effectively manage the policy distribution throughout your ecosystem.
A part of your container review also should involve a review of the account management policies you have deployed across your organization.
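The stale-object review above can be scripted so that unlinked, empty, disabled and long-untouched GPOs surface alongside empty groups and computer accounts that have stopped authenticating. This is an added example, not from the original post; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the one-year and 90-day thresholds are assumptions.

```powershell
# Added example, not from the original post: flag GPOs and objects that no longer
# serve a purpose. Assumes the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$StaleAfter = (Get-Date).AddDays(-365)   # assumption: untouched for a year is worth a look

$Report = foreach ($gpo in Get-GPO -All) {
    # The XML report carries the link list; a GPO with no <LinksTo> applies nowhere.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })
    $flag = if ($links.Count -eq 0) { 'UNLINKED' }
            elseif ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0) { 'EMPTY' }
            elseif ($gpo.GpoStatus -eq 'AllSettingsDisabled') { 'DISABLED' }
            elseif ($gpo.ModificationTime -lt $StaleAfter) { 'STALE' }
            else { '' }
    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Status      = $gpo.GpoStatus            # e.g. AllSettingsDisabled
        Links       = $links.Count
        UserVersion = $gpo.User.DSVersion       # 0 = no user settings ever written
        CompVersion = $gpo.Computer.DSVersion   # 0 = no computer settings ever written
        Modified    = $gpo.ModificationTime
        Flag        = $flag
    }
}
$Report | Where-Object Flag | Sort-Object Flag, Name | Format-Table -AutoSize

# Account side of the same review: security groups nobody is in, and computer
# objects that have not authenticated in 90 days (likely disjoined or retired).
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Members, whenCreated |
    Where-Object { $_.Members.Count -eq 0 } |
    Select-Object Name, GroupScope, whenCreated | Format-Table -AutoSize
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days 90) |
    Select-Object Name, Enabled, LastLogonDate | Format-Table -AutoSize
```

Treat each flag as a question for the GPO's owner rather than a deletion list; back up a GPO with Backup-GPO before removing it.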
Email: Securing the End User
The final layer we often initially review is the design and functionality of the client email environment. This part of the ecosystem is important as it is usually a core business service that represents a vital layer of communication and use by your organization while also remaining the core attack vector for nefarious parties. Here are some of the basics we recommend you take the time to review:
Core Email Architecture
Be it on-prem or in the cloud, email is often at the core of most organizational workflow. File distribution, proper backing up of the email architecture, advanced threat protection, and any industry-specific policy alignment are steps to this process.
One important note here is around the backing up of this data. Don’t assume that just because your data resides within a cloud service that you’re automatically protected. Make sure the service levels are in alignment with the expectations of your business. Our post on cloud-based backup may make sense to explore in more depth.
Multi-factor Authentication
We tie this layer of the conversation in here as it is a direct interface with the end user. These deployments can grow increasingly complex with custom application deployments, multi-cloud environments, or distributed workforces.
We listed the link above, but we are recommending the read again here. We walk through 6 things to consider when deploying multi-factor authentication here.
As we explored in our previous post, our end users have become accustomed to the security layer in the consumer world. As corporate keepers of the organizational IP, we should build off this momentum to strengthen our internal processes.
Spam Filter Review
Microsoft has developed multiple layers of spam filtering within their O365 or Exchange Online Protection service. These services can be managed to make sure you are properly managing email from specific senders or domains. Within this review, we’d also recommend you check your settings for file size limitations, pictures and links. All these settings are customizable, so aligning them appropriately is an important step.
Email Security Setup
Microsoft leverages Domain-based Message Authentication, Reporting, and Conformance (DMARC) with both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). These tools help authenticate mail senders while ensuring that destination email systems trust messages sent from your domain.
Most of the DMARC settings are standard out of the box, but reviewing their impact is important. If all of this sounds excruciating to review, you can lean on our expertise to ease the pain.
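Reviewing the impact of those DMARC, SPF and DKIM settings starts with what is actually published in public DNS for your domain. The script below is an added example, not from the original post; it assumes a Microsoft 365 tenant (which publishes DKIM as selector1 and selector2 CNAMEs) and uses example.com as a placeholder for your own domain.

```powershell
# Added example, not from the original post: read the public SPF, DKIM and DMARC
# records for a domain and report what a reviewer looks for. Assumes a Microsoft 365
# tenant (DKIM published as selector1/selector2 CNAMEs); example.com is a placeholder.
param([string]$Domain = 'example.com')

function Get-TxtRecords([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' |
        ForEach-Object { $_.Strings -join '' }   # long records arrive split into chunks
}

# SPF: exactly one v=spf1 record, ideally ending in -all (hard fail).
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { 'SPF: missing' }
    1       { "SPF: $($spf[0])"
              if ($spf[0] -notmatch '\s-all$') { 'SPF: does not end in -all, so spoofed mail only soft-fails' } }
    default { "SPF: $($spf.Count) v=spf1 records; more than one is invalid and evaluates as permerror" }
}

# DKIM: Microsoft 365 uses two selectors so keys can be rotated; both should resolve.
foreach ($sel in 'selector1', 'selector2') {
    $r = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($r) { "DKIM ${sel}: $($r.NameHost)" } else { "DKIM ${sel}: not published" }
}

# DMARC: lives at _dmarc.<domain>. p=none only monitors; quarantine/reject enforce.
# rua= is where aggregate reports go, which is how you learn who sends as your domain.
$dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) { 'DMARC: missing' }
else {
    "DMARC: $($dmarc[0])"
    $policy = if ($dmarc[0] -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'unset' }
    if ($policy -in 'none', 'unset') { "DMARC: policy '$policy' monitors only; move to quarantine or reject once SPF and DKIM align" }
    if ($dmarc[0] -notmatch 'rua=') { 'DMARC: no rua= address, so no aggregate reports will arrive' }
}
```

Run it against each domain you send from, including subdomains used by marketing or ticketing tools, since a missing record on any of them is what spoofers look for.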
When taken on individually, each of these tasks can be rather simple. When deployed across an enterprise ecosystem, the complexity can quickly build.
Surrounding yourself with trusted resources that have a good familiarity with Microsoft’s latest identity management platform can be a vital step in ensuring your environment is in alignment with your needs. When taken on as a comprehensive review, we can usually move through the ecosystem pretty quickly to provide you with some quick fixes or recommended changes.
As always…be intentional and be excellent. If we can support the journey, just raise and we’ll gladly come alongside you!