Lock Down AD
While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.
Active Directory has become a core part of many networks over the past five years, even in organizations that don't use Windows exclusively. Among its many functions, AD is the central directory for Exchange and the central security controller for Windows file and print servers in a domain environment.
Unfortunately, AD is a complex system, especially when it comes to security. It's easy for AD to grow increasingly less secure as minor changes pile up into major issues. More administrators get their fingers into the pie and consistency goes out the window. Everyone has different ideas about what's secure and what isn't, and the result is often a hodgepodge of configurations.
NetPro SecurityManager's goal is to simplify and solidify AD security through automation and analysis. It's built around Microsoft's own best practices, many of which have come out of Microsoft Consulting Services' (MCS) experience with AD deployment and management.
The tool performs a series of tests, analyzing several different AD configuration settings and security properties. It highlights known vulnerabilities like multi-forest trusts that aren't using security identifier (SID) filtering, unauthorized domain controllers on the network, unauthorized trusts or members and so on. It immediately notifies you of any problem areas. Those notifications include links to references, detailed descriptions, and other information to help you understand the problem, its security ramifications and possible solutions.
NetPro Security Manager
Version reviewed: Beta2
Current status: Final Beta/Released
Second half of 05
With AD's numerous configuration settings, a tool that checks them all could end up being pretty hard to navigate. NetPro overcomes this with a set of security standards, which are essentially templates for configuring AD. There are standards for legacy, enterprise and high security scenarios. You can use these out of the box or as a starting point to develop your own.
You can only have one security standard in effect at a time, but you can switch whenever you like. It wasn't clear to me from the documentation whether this is intentional or whether you should, in fact, be able to have multiple standards in effect.
Each security standard has multiple categories: Audit Policy, Event Log, General Settings, Network Settings, Security Policy, System Services and User Rights Assignment. Each category specifies multiple rules that define your AD security standards.
The security standards help you centralize configuration decisions. You simply have to correct errant configuration settings to bring them into compliance. This promotes consistency, which leads to a more secure and operationally stable environment.
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.
Once you've put a standard into effect, SecurityManager can review your environment for compliance. A summary screen breaks down any variances by server, which helps you focus on the most problematic areas. Select an individual machine to see a detailed list of variances, including which rule was violated, what configuration the rule specifies and what configuration is actually in effect.
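A minimal model of the compliance review described above, as an added example and not NetPro's code: it checks each server against one standard, lists every variance with the rule, the required value and the value in effect, and ranks servers by variance count. The category names come from the article; the rule names, required values and server names are constructed for illustration.

```python
from collections import defaultdict

# Constructed standard: category -> {rule: required value}.
# Categories are the article's; rules and values are illustrative.
STANDARD = {
    "Audit Policy": {"Audit account logon events": "Success, Failure",
                     "Audit policy change": "Success"},
    "Event Log": {"Maximum security log size (KB)": 131072},
    "System Services": {"Telnet": "Disabled"},
}

# Constructed observed settings per domain controller (hypothetical hosts).
OBSERVED = {
    "DC01": {"Audit account logon events": "Success, Failure",
             "Audit policy change": "Success",
             "Maximum security log size (KB)": 131072,
             "Telnet": "Disabled"},
    "DC02": {"Audit account logon events": "Success, Failure",
             "Audit policy change": "Success",
             "Maximum security log size (KB)": 16384,
             "Telnet": "Disabled"},
    "BRANCH-DC03": {"Audit account logon events": "No auditing",
                    # "Audit policy change" was never configured here
                    "Maximum security log size (KB)": 131072,
                    "Telnet": "Automatic"},
}

def find_variances(standard, observed):
    """Return {server: [(category, rule, required, actual), ...]}."""
    report = defaultdict(list)
    for server, settings in observed.items():
        for category, rules in standard.items():
            for rule, required in rules.items():
                # A setting that is absent counts as a variance, not a pass.
                actual = settings.get(rule, "<not configured>")
                if actual != required:
                    report[server].append((category, rule, required, actual))
    return dict(report)

def summarize(report, servers):
    """(server, variance count) pairs, worst first; compliant servers last."""
    counts = [(s, len(report.get(s, []))) for s in servers]
    return sorted(counts, key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    report = find_variances(STANDARD, OBSERVED)
    for server, count in summarize(report, OBSERVED):
        print(f"{server}: {count} variance(s)")
        for category, rule, required, actual in report.get(server, []):
            print(f"  [{category}] {rule}: requires {required!r}, found {actual!r}")
```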
Security by Policy
The world of configuration management and auditing is moving toward a policy-based model, where you create a set of abstract policies and then manage around those policies. Auditing then becomes a task of ensuring that the right policies are in place. This type of policy-based management is the core concept behind Microsoft's Dynamic Systems Initiative (DSI) and a key enabler for frameworks like IBM's OnDemand.
SecurityManager gives you a functional peek into this policy-based world, because its security standards are essentially abstract policies that you determine independent of the underlying technology. You could, for example, ratchet up your security by creating a more secure standard and then reviewing your environment for compliance.
SecurityManager could be a lifesaver for organizations grappling with HIPAA, Sarbanes-Oxley or Gramm-Leach-Bliley Act compliance. Instead of training auditors to understand AD configuration, you could use a security standard to automate the auditing process. A single screen or report would tell an auditor if everything was compliant or not. In fact, I'd like to see NetPro distribute security standard templates configured for specific legislative compliance situations like HIPAA and Sarbanes-Oxley.
One "miss" here is that SecurityManager is a notification and monitoring tool. It doesn't provide remediation. In other words, if SecurityManager discovers an incorrectly set domain controller audit policy, it should be able to correct that setting. At the very least, it should integrate with NetPro's ChangeManager for Active Directory, which provides configuration and change control. This type of end-to-end package would make SecurityManager even more valuable.
As expected in any beta product, not everything ran perfectly. For example, the installation routine didn't add my user account to the SMADOperators or SMADAdmins user groups. As a result, the client not only refused to run but crashed outright. Another issue is the lack of reporting. NetPro is aware of these issues (as noted in readme files) and plans to address them by the time the product is shipping.
For reporting, I'd like to see a summary compliance report suitable for executive-level conversations, as well as a detailed report suitable for auditing. It should also report on specific problems and resolutions; a list that junior administrators could use as action items. Apart from those issues, installation and basic operations were smooth and reliable.
I'm pleased to see companies like NetPro jumping on the nascent policy-based management bandwagon.
Securing AD shouldn't be a complicated task. While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.
Because policies—or security standards—remain fixed unless you change them, you can continuously and easily review your environment for compliance. If a branch office administrator goes nuts and starts installing unauthorized services, creating trusts and so on, you'll know about it pretty quickly.
It would be nice to see SecurityManager take the next step and automatically correct certain problems, especially if you've taken the time to define a custom security standard and know that you want those rules enforced, not just monitored. In the meantime, SecurityManager is an excellent way to simplify AD security monitoring.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.