3 Active Directory Mistakes to Avoid
(Last updated on February 15, 2017)
A few months ago, we asked our IT peers on Spiceworks to help us identify some common mistakes new administrators make. With more than a 100 replies, there were some definite patterns, or perhaps I should say mistakes. Feeling inspired, we created a visual memorandum to help others avoid these errors. And, since you cannot have too much of a good thing, we decided to refer back to that discussion and create a new list purely dedicated to Active Directory mistakes.
Not terminating stale accounts
Stale accounts earn the top spot because they are common, and a major threat to security. Dormant accounts are an attractive target for attackers as they can be used to access resources without being noticed. You can quickly identify stale accounts using our FREE tool Specops Password Auditor. The tool identifies stale admin accounts by reading the lastLogonTimestamp; and stale user accounts by reading the pwdLastSet attribute, identifying accounts with passwords that have been expired for an extended period.
Too many administrators
If you frequent IT forums, you are already familiar with our next mistake – too many admins. The number of admins you need really depends on the size of your organization. Generally, admin privileges should only be granted to users performing tasks that span across Active Directory domains, or activities that require elevated permissions. Consider a delegated Active Directory security model, especially for common administrative tasks, such as unlocking accounts, and resetting passwords.
Poor password policies
Before you pin the vulnerability of passwords on the bad habits of users, you may want to examine your policies compared to compliance and industry best practices. With password security best practices constantly changing, the best way to keep up with best practices is using our FREE tool. Specops Password Auditor compares the password settings in your organization with the latest guidance from NIST, PCI, Microsoft, and SANS. The results are presented as an interactive report with recommendations to help you be compliant. Of course, the authentication scenario is not just about security, but also the end user experience. Our recommendations simplify passwords for users and places the burden on authentication system via dictionary, and passphrase enforcement.
Mistakes are inevitable, but some are too costly to ignore. Keeping Active Directory free of stale accounts, tightening access by applying the principle of least privilege, and aligning password policies with best practices can help you avoid major security pitfalls.
This article dives deep into the math that is hidden behind the Relative Password Policy Strength in Specops Password Auditor….Read More
This may come as a surprise to some, but you don’t need to grant domain admin rights for common administrative…Read More