For over 1.5 years we have been bringing you Active Directory tips and tricks on a daily basis via Twitter. Based on that experience and using your feedback we have gathered a list of top-10 useful advices that will help you improve your AD management experience.
1. Add Detailed Descriptions to AD Groups
This is a critical part of keeping your Active Directory environment consistent, however this rule is broken quite often. If you don’t have descriptions, you will get lost in your groups very fast and turn your AD into a pile of garbage.
Many admins think that they can remember what did they create the groups for, so they treat descriptions as something that’s just a waste of time. But after a couple of weeks and tens or even hundreds of new groups created the chance of exactly remembering the purposes of all groups is actually quite low. You also need to remember that other people have access to AD groups as well. So even if the creator of the group knows what’s it for, nobody else does.
2. Avoid Groups with Similar Names
This is also a common mistake made with managing AD groups. Having similar names can easily lead to confusion and misunderstandings. Especially if those names are not super user-friendly, something like "NY-SAL-001-b".
Even if you have sufficient automation implemented in your environment that handles most of the group management for you and takes the human factor out of the equation, it’s easy to make a mistake when setting it up. And then things get even worse because the biggest mistake of automation is automation of error.
3. Educate Your Users
One of the best security tips is educating your users. Security is only as strong as its weakest link. And most often that weakest link appears to be not firewalls or brute force protection systems, but your users. They can do all sorts of stupid things like sharing passwords or writing them down on a piece of paper. If you want to have a really secure system, you should be educating your users. If you make sure that they know at least some basic security, then your systems have a much higher chance of being safe.
4. Disable Guest Accounts And Rename Default Administrator
This is a security best practice recommended by Microsoft. Of course, it’s just a very basic measure that doesn’t cover you from all potential problems. E.g. you can easily find the Administrator by just searching for the SID that ends with 500. However, renaming the default admin and disabling guest account can prevent you from simple and very basic attacks. And it doesn’t mean that you shouldn’t do that.
5. Delegate Tasks Whenever You Can
It is really a simple rule. If you see that you can delegate a task, you must do that. Everybody should be focused on things that are directly related to their responsibility. E.g. often IT staff are in charge of group membership management. In most of the cases that is quite inefficient because group membership lies in the direct responsibility of group owners. They know who should be present in each group and when. This means that management should be delegated.
Don’t be afraid to pass on tasks. If you don't want to lose any control, there are things like approval-based workflow that can help you with that. Free up your time and focus on your job, not somebody else's.
6. Take Care of Your Servers’ Physical Security
When we are talking about the IT security, most often we think of virtual security. But controlling actual physical security is equally important. No firewall can help if someone gets their hands on your server. This means that you must take the physical access to your DCs and other servers very seriously. If there are places where you can't do anything about it (like branch offices) you can consider turning your DCs that have to be there into Read-Only Domain Controllers. Note that it's still a compromise but sometimes it's worth taking.
7. Plan and Test Recovery Systems
Disasters happen suddenly. That means that you always have to be prepared. Not only do you need to have a decent recovery plan for anything that can happen, but it’s also a good idea to test it on a regular basis. What will you do if, say, 10,000 users disappear from your AD today? How fast can you recover?
8. Don’t Let One Scripter Do All the Work
When you set up all the scripts that help you with automation of routine tasks, never let one scripter do all the job. First of all, it’s always better to have more minds working on a solution to a problem. Secondly, imagine what will happen if the scripter, who has done everything, suddenly becomes unavailable? For these reasons you need to have at least two people aware of all your scripts, how they are built and what they do.
9. No Shared Accounts
Never allow anybody to share accounts. Especially if it’s an admin account. That is a common issue that is present in many IT environments. The main reason for that is the following. If something bad is performed through a shared account by one of the users, you won’t have a way of determining who it was. You also will never be sure who and when gains access to the account, which makes it a great target for attackers.
10. No Changes on Fridays
Read-only Friday is a general best practice that a majority of admins follow. If you don’t want to risk your weekend, do not introduce any major changes to your environment at the end of the week.
Even More AD Tips and Tricks
If you want to get even more useful AD tips and tricks on a daily basis, you can follow our Twitter account @ADTipsTricks. Also let us know if you have any Active Directory tips of your own in the comment section below.