Beta Man

Lock Down AD

While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.

• By Don Jones
• 06/01/2005

Unfortunately, AD is a complex system, especially when it comes to security. It's easy for AD to grow increasingly less secure as minor changes pile up into major issues. More administrators get their fingers into the pie and consistency goes out the window. Everyone has different ideas about what's secure and what isn't, and the result is often a hodgepodge of configurations.

NetPro SecurityManager's goal is to simplify and solidify AD security through automation and analysis. It's built around Microsoft's own best practices, many of which have come out of Microsoft Consulting Services' (MCS) experience with AD deployment and management.

The tool performs a series of tests, analyzing several different AD configuration settings and security properties. It highlights known vulnerabilities like multi-forest trusts that aren't using security identifier (SID) filtering, unauthorized domain controllers on the network, unauthorized trusts or members and so on. It immediately notifies you of any problem areas. Those notifications include links to references, detailed descriptions, and other information to help you understand the problem, its security ramifications and possible solutions.

Standard Fare
With AD's numerous configuration settings, a tool that checks them all could end up being pretty hard to navigate. NetPro overcomes this with a set of security standards, which are essentially templates for configuring AD.

There are standards for legacy, enterprise and high security scenarios. You can use these out of the box or as a starting point to develop your own.

You can only have one security standard in effect at a time, but you can switch whenever you like. It wasn't clear to me from the documentation whether this is intentional or whether you should, in fact, be able to have multiple standards in effect.

Each security standard has multiple categories: Audit Policy, Event Log, General Settings, Network Settings, Security Policy, System Services and User Rights Assignment. Each category specifies multiple rules that define your AD security standards.

The security standards help you centralize configuration decisions. You simply have to correct errant configuration settings to bring them into compliance. This promotes consistency, which leads to a more secure and operationally stable environment.

Once you've put a standard into effect, SecurityManager can review your environment for compliance. A summary screen breaks down any variances by server, which helps you focus on the most problematic areas. Select an individual machine to see a detailed list of variances, including which rule was violated, what configuration the rule specifies and what configuration is actually in effect.

Security by Policy
The world of configuration management and auditing is moving toward a policy-based model, where you create a set of abstract policies and then manage around those policies. Auditing then becomes a task of ensuring that the right policies are in place. This type of policy-based management is the core concept behind Microsoft's Dynamic Systems Initiative (DSI) and a key enabler for frameworks like IBM's OnDemand.

SecurityManager gives you a functional peek into this policy-based world, because its security standards are essentially abstract policies that you determine independent of the underlying technology. You could, for example, ratchet up your security by creating a more secure standard and then reviewing your environment for compliance.

SecurityManager could be a lifesaver for organizations grappling with HIPAA, Sarbanes-Oxley or Gramm-Leach-Bliley Act compliance. Instead of training auditors to understand AD configuration, you could use a security standard to automate the auditing process. A single screen or report would tell an auditor if everything was compliant or not. In fact, I'd like to see NetPro distribute security standard templates configured for specific legislative compliance situations like HIPAA and Sarbanes-Oxley.

One "miss" here is that SecurityManager is a notification and monitoring tool. It doesn't provide remediation. In other words, if SecurityManager discovers an incorrectly set domain controller audit policy, it should be able to correct that setting. At the very least, it should integrate with NetPro's ChangeManager for Active Directory, which provides configuration and change control. This type of end-to-end package would make SecurityManager even more valuable.

Beta Issues
As expected in any beta product, not everything ran perfectly. For example, the installation routine didn't add my user account to the SMADOperators or SMADAdmins user groups. As a result, the client not only refused to run but crashed outright. Another issue is the lack of reporting. NetPro is aware of these issues (as noted in readme files) and plans to address them by the time the product is shipping.

For reporting, I'd like to see a summary compliance report suitable for executive-level conversations, as well as a detailed report suitable for auditing. It should also report on specific problems and resolutions; a list that junior administrators could use as action items. Apart from those issues, installation and basic operations were smooth and reliable.

I'm pleased to see companies like NetPro jumping on the nascent policy-based management bandwagon. Securing AD shouldn't be a complicated task. While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.

Because policies—or security standards—remain fixed unless you change them, you can continuously and easily review your environment for compliance. If a branch office administrator goes nuts and starts installing unauthorized services, creating trusts and so on, you'll know about it pretty quickly.

It would be nice to see SecurityManager take the next step and automatically correct certain problems, especially if you've taken the time to define a custom security standard and know that you want those rules enforced, not just monitored. In the meantime, SecurityManager is an excellent way to simplify AD security monitoring.