How IT Works: The Least Privilege Principle in Active Directory

 

April 10, 2017

An organization’s Active Directory is the behind-the-scenes arbiter of everything that happens on your corporate network. From the CEO to the temporary intern, it dictates the privileges, rights, and access a particular employee has within the network.

The challenge for the network administer is how to dole out access to network features and assign privileges in the most productive way. If IT is too restrictive, they’ll have employees on all levels of the hierarchy asking for access to files they need to do their job. If IT is instead too open handed with access, it paves the way for abuse, cyber threats, and even corporate espionage.

As a rule of thumb for granting access, many IT administrators follow the Least Privilege Principle.

 

The Least Privilege Principle and Why it Matters

 

In theory, the principle is simple. It states that an administrator, endpoint, or general user should only have access to the network locations that they need to complete a task—no more, no less.

For example, a domain administrator should only have access to the domains they actively work with on a daily basis. Furthermore, this domain administrator should not be given access to another cluster of domains, even if there is trust and a working relationship between teams.

This comes into play in the event of a security breach. If a particular account in active directory were to become compromised, the virus would have the ability to spread anywhere on the network that this account has access. If the administer has unilateral authority to access and change anything on the network, suddenly a breach cannot be contained. By limiting access, it limits the potential threat.

Many security monitoring and analysis solutions look to the privileges of different accounts for clues as to whether an attack is underway. If a particular account is rapidly increasing its privileges within the network, this is a dead giveaway that a virus is expanding its reach and corrupting the network.

New call-to-action

 

The Path of Least Resistance

 

Despite the importance of implementing this principle in an environment’s Active Directory, it isn’t always followed. In both small environments and sprawling enterprises, the path of least resistance in network administration is to allow more access than necessary.

In small organizations, there is an element of trust among the team and the misconception that the company is too small to be the target of an attack that convinces IT administrators to give more leeway than necessary. By contrast, IT departments in large enterprises can quickly become inundated with hundreds of requests for access.

 

Reducing Privilege

 

In the aforementioned small environments, reducing privileges in Active Directory across the board may not be that difficult of a task. With only a few dozen or a couple hundred accounts, privilege reduction can be completed in a day or two with a concerted effort. The large organizations present a much more daunting responsibility.

It could take an absurd amount of time to go through each and every account or group in Active Directory to reduce privileges, so instead, we recommend beginning with those that pose the greatest risk to your environment. Start with the built-in privileged accounts and groups in Active Directory with the most access and work your way toward local accounts and member servers.

Reference this support document from Microsoft for a more detailed guide to reducing privileges in these groups.

 

Data Security as a Strategy

 

The Least Privilege Principle is the perfect example of how data security is a strategy and not a product. A firewall can only do so much, and once it is breached, malicious agents can take advantage of lax policies on the interior of the network. Sometimes, security isn’t a product at all. It is the willful act of taking steps to prevent or contain attacks before they strike, and that includes the Least Privilege Principle.

Like what you read? 

SUBSCRIBE

About Mindsight

Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.

Contact us at GoMindsight.com.

For Further Reading

Two Scenarios for Security as a Service Success





Related Articles

View All Blog Posts