3 Active Directory Mistakes to Avoid
(Last updated on September 26, 2019)
A few months ago, we asked our IT peers on Spiceworks to help us identify some common mistakes new administrators make. With more than 100 replies, there were some definite patterns, or perhaps I should say mistakes. Here’s what they had to say:
Not terminating stale accounts
Stale accounts earn the top spot because they are common and a major threat to security. Dormant accounts are an attractive target for attackers because they can be used to access resources without being noticed. You can quickly identify stale accounts using our FREE tool Specops Password Auditor. The tool identifies stale admin accounts by reading the lastLogonTimestamp attribute, and stale user accounts by reading the pwdLastSet attribute, identifying accounts with passwords that have been expired for an extended period.
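The same two attributes can be checked by hand. The PowerShell below is an added example, not code from Specops Password Auditor: the function name Get-StaleAccount, the 90 and 180 day thresholds and the sample accounts are assumptions, and the sample data is constructed so the block runs without a domain.

```powershell
# Added example. Get-StaleAccount, both thresholds and the sample accounts are
# assumptions made for illustration, not values from Specops Password Auditor.
function Get-StaleAccount {
    param(
        [Parameter(ValueFromPipeline)] $Account,
        # lastLogonTimestamp can lag real logons by up to about 14 days by default
        # (ms-DS-Logon-Time-Sync-Interval), so keep this well above that.
        [int] $LogonDays = 90,
        [int] $PasswordDays = 180,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        # Both attributes are FILETIME integers (100 ns ticks since 1601-01-01 UTC).
        # Missing or 0 means "never logged on" / "must change password at next logon".
        $logon  = if ($Account.lastLogonTimestamp -gt 0) { [datetime]::FromFileTimeUtc($Account.lastLogonTimestamp) }
        $pwdSet = if ($Account.pwdLastSet -gt 0) { [datetime]::FromFileTimeUtc($Account.pwdLastSet) }
        $logonCutoff = $Now.AddDays(-$LogonDays)
        $reasons = @()
        if ($null -eq $logon) {
            # Skip accounts created recently that simply have not been used yet.
            if ($Account.whenCreated -lt $logonCutoff) { $reasons += 'never logged on' }
        } elseif ($logon -lt $logonCutoff) {
            $reasons += 'no logon since {0:yyyy-MM-dd}' -f $logon
        }
        if ($null -ne $pwdSet -and $pwdSet -lt $Now.AddDays(-$PasswordDays)) {
            $reasons += 'password last set {0:yyyy-MM-dd}' -f $pwdSet
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Account = $Account.SamAccountName; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample accounts (not real data); only adm-old, jdoe and temp01 are reported.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-old'; lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc(); pwdLastSet = $now.AddDays(-30).ToFileTimeUtc();  whenCreated = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'jdoe';    lastLogonTimestamp = $now.AddDays(-2).ToFileTimeUtc();   pwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); whenCreated = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'temp01';  lastLogonTimestamp = $null; pwdLastSet = 0; whenCreated = $now.AddDays(-300) }
    [pscustomobject]@{ SamAccountName = 'svc-new'; lastLogonTimestamp = $null; pwdLastSet = $now.AddDays(-5).ToFileTimeUtc(); whenCreated = $now.AddDays(-5) }
    [pscustomobject]@{ SamAccountName = 'asmith';  lastLogonTimestamp = $now.AddDays(-1).ToFileTimeUtc();  pwdLastSet = $now.AddDays(-20).ToFileTimeUtc(); whenCreated = $now.AddDays(-400) }
)
$sample | Get-StaleAccount -Now $now

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp,pwdLastSet,whenCreated | Get-StaleAccount
```

Review the reported accounts before disabling anything: service accounts and accounts whose passwords are set to never expire can legitimately carry an old pwdLastSet value.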
Too many administrators
If you frequent IT forums, you are already familiar with our next mistake – too many admins. The number of admins you need really depends on the size of your organization. Generally, admin privileges should only be granted to users performing tasks that span Active Directory domains, or activities that require elevated permissions. Consider a delegated Active Directory security model, especially for common administrative tasks such as unlocking accounts and resetting passwords.
Poor password policies
Before you pin the vulnerability of passwords on the bad habits of users, you may want to examine your policies against compliance requirements and industry best practices. With password security best practices constantly changing, the best way to keep up with them is using our FREE tool. Specops Password Auditor compares the password settings in your organization with the latest guidance from NIST, PCI, Microsoft, and SANS. The results are presented as an interactive report with recommendations to help you be compliant. Of course, the authentication scenario is not just about security, but also the end user experience. Our recommendations simplify passwords for users and place the burden on the authentication system via dictionary and passphrase enforcement.
Mistakes are inevitable, but some are too costly to ignore. Keeping Active Directory free of stale accounts, tightening access by applying the principle of least privilege, and aligning password policies with best practices can help you avoid major security pitfalls.