  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419

Change Control in an AD setup

Can anybody offer me some advice on ultra secure change control for changes made to Active Directory settings? I am really after an opinion on what works for you (in your setup), and essentially so we can use some of the advice to form some ultra secure change control processes that satisfy our auditors.

We have a 3rd party IT FM, and recently an independent security review raised concerns that the process of change control in our network should be improved. I take their advice on board, and I really want to go to town ensuring change control procedures are super efficient and secure here, so I wondered if there is any good advice you can give us, i.e. the level of review and authorisation before a change goes live into our domains, the level of testing before a change goes live, the documented procedures we need to have in place from our side, and what the IT FM need on their side, etc.

Any best practice will be helpful, or even any lessons learnt you found at your setup which perhaps failed audits / security reviews, and how you plugged the gaps to get your change control procedures ultra secure and satisfying these security reviews / external audits?
Asked by: pma111

2 Solutions
 
Kieran_Burns commented:
What your auditors are after is accountability at all stages of the Change process, and the process itself ( :-) )
Really, an ideal start would be to look at the ITIL change management process (used where I work...oddly a 3rd party IT FM firm) http://en.wikipedia.org/wiki/Change_Management_(ITSM) will get you started.
Auditing requires documentation and process control - what you need to do is define what the SLA requirements are and from that define the OLA levels of responsibility - all this will be in the change process
Read through the ITIL guide and that will get you going in the right direction - it's not a bible, just a guidance
 
graystoke commented:
1. AUDIT
enable Active Directory Auditing.  (for Win2k3, see http://support.microsoft.com/kb/814595)

you probably have multiple DCs.  If you want to collect all AD object access in one place, you'll need either:

a. scripting ability
b. a third party log collection tool
c. upgrade to Windows 2008 which has Event Subscription capability (viz. one DC can serve as the collection point for event logs from multiple DC's)


2. TOPOLOGY
The way you implement Change Control is affected by solid topology design

I consulted in a well designed web-dev & hosting environment recently, where each stage in the deployment process was matched by a separate forest.  DEV, STAGING, UAP, PRODUCTION, BUSINESS (where all active admin accounts were stored).  Security boundaries were traversed using ADFS.  A well managed deployment process was directed by Sharepoint-based templates.  The environment, although apparently complex, maintained a set of uniform management protocols, which meant that each forest (and sub-domain) was managed in exactly the same way. The orderly & well documented design encouraged technical staff to maintain the change control process throughout.

You probably don't want to redesign your network topology to add loads of forests (sic!) but the above example illustrates, that a clear design with well thought out security boundaries, lends itself to keeping hold of the change-control reins.   Maybe you could accomplish a similar thing as my client by using separate domains.

3. KISS Principle
Change Control is also affected by the number & complexity of documents, forms, screens that must be completed to achieve change approval.  Simplify, simplify, simplify.  

Give your tech staff clear directions on which changes CAN be short-cutted and which require stricter change control.  eg. You only need manager approval via email to add a user to an AD group, but you may need full change control approval to add a new group to AD or to apply a new GPO to an OU.

4. COMMUNICATE
Make sure your change-control directions come from an approved source.

eg. While consulting at a local government institution in the UK recently, I was gob-smacked to see a blind eye turned when 10 applications were rolled onto a live production Citrix farm of around 70 servers, sans change control!!   The "argument" was made (2 weeks later!) that the project had not been "fully commissioned" yet, even though over 2500 users were connecting to it every day!  

On the other hand, one week later, the ill-informed Helpdesk Manager sent a sternly worded message to Support staff insisting that no-one was to use Active Directory anymore, as some change control 3rd party software would now handle all AD changes.  All 3rd-liners cocked their heads, raised their eyebrows, wagged their fingers and sent the message to Deleted Items.

5. ITIL
ITIL outlines change management process ideals, inter alia.   I have worked within a number of organisations at various stages of ITIL-compliance, with vastly differing take-up.  One so-called ITIL organisation allowed infrastructure engineers to log on to all domain servers as the domain administrator!  Imagine what an encouragement that was to fill out change control forms & spreadsheets which were overly complex & tedious to fill out.


At the end of the day, if you make it hard (read complicated & long-winded) for staff to adhere to good change control procedures, and if you make it easy for them to thwart the same, your ITIL change-control procedures may be largely ignored.
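The answer above makes two practical points that fit together: collect the AD audit events from every DC in one place (point 1), and decide up front which changes need only a manager's email and which need full change control (point 3). The script below, added here as an illustration and not code from the thread or from any product mentioned in it, ties those together: it parses a constructed export of directory-service audit events (the `timestamp|event id|actor|object DN|attribute|operation` layout, the actors, DNs and ticket numbers are all invented), assigns each event the approval tier the answer's rule of thumb would require, and checks it against an approved-change register so that any change without a matching approval is surfaced for the auditors. Event IDs 5136 and 5137 are the Windows Server 2008+ "object modified" / "object created" security events; the field layout of a real export from a log collector or event subscription will differ, so the parser is the part you would adapt.

```python
"""Reconcile AD change-audit events against an approved change register.

Added example, not from the original thread. The export lines, the register
entries and the field layout are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Groups whose membership changes always need full change control (assumption:
# extend to match your own privileged-group list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Approval tiers in increasing strictness, following the answer's rule of thumb.
TIER_RANK = {"manager-email": 1, "full-cab": 2}

# Constructed export: timestamp|event id|actor|object DN|attribute|operation.
# 5136 = directory service object modified, 5137 = object created (Win2008+).
AUDIT_EXPORT = """\
2009-03-02T09:15:00|5136|CORP\\jsmith|CN=Finance-RO,OU=Groups,DC=corp,DC=local|member|add
2009-03-02T11:40:00|5137|CORP\\jsmith|CN=NewVendors,OU=Groups,DC=corp,DC=local|objectClass|create
2009-03-02T13:05:00|5136|CORP\\admin2|OU=Sales,DC=corp,DC=local|gPLink|modify
2009-03-03T02:30:00|5136|CORP\\svc-fm|CN=Domain Admins,CN=Users,DC=corp,DC=local|member|add
"""


@dataclass
class AuditEvent:
    when: datetime
    event_id: int
    actor: str
    obj_dn: str
    attribute: str
    operation: str


@dataclass
class ApprovedChange:
    ticket: str
    tier: str          # approval level actually obtained
    actor: str         # who is authorised to make the change
    obj_dn: str        # object the approval covers
    window_start: datetime
    window_end: datetime


def parse_audit_export(text):
    """Turn the pipe-separated export into AuditEvent records."""
    events = []
    for line in text.strip().splitlines():
        when, event_id, actor, obj_dn, attribute, operation = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(when), int(event_id),
                                 actor, obj_dn, attribute, operation))
    return events


def rdn_name(obj_dn):
    """First RDN value, e.g. 'Domain Admins' from 'CN=Domain Admins,CN=Users,...'."""
    return obj_dn.split(",")[0].split("=", 1)[1]


def required_tier(ev):
    """Approval tier an event needs: email approval for ordinary group membership,
    full change control for new objects, GPO links and privileged groups."""
    if ev.attribute == "member" and rdn_name(ev.obj_dn) not in PRIVILEGED_GROUPS:
        return "manager-email"
    return "full-cab"


def find_approval(ev, register):
    """Return the register entry that covers this event, or None."""
    for chg in register:
        if (chg.actor == ev.actor and chg.obj_dn == ev.obj_dn
                and chg.window_start <= ev.when <= chg.window_end
                and TIER_RANK[chg.tier] >= TIER_RANK[required_tier(ev)]):
            return chg
    return None


def reconcile(events, register):
    """List of (event, ticket or None, reason); anything not 'ok' needs follow-up."""
    findings = []
    for ev in events:
        chg = find_approval(ev, register)
        if chg:
            findings.append((ev, chg.ticket, "ok"))
        else:
            findings.append((ev, None, f"no {required_tier(ev)} approval covers this change"))
    return findings


# Constructed register. CHG-1043 deliberately has the wrong tier for creating a group.
APPROVED = [
    ApprovedChange("CHG-1042", "manager-email", "CORP\\jsmith", "CN=Finance-RO,OU=Groups,DC=corp,DC=local",
                   datetime(2009, 3, 2, 9, 0), datetime(2009, 3, 2, 10, 0)),
    ApprovedChange("CHG-1043", "manager-email", "CORP\\jsmith", "CN=NewVendors,OU=Groups,DC=corp,DC=local",
                   datetime(2009, 3, 2, 11, 0), datetime(2009, 3, 2, 12, 0)),
    ApprovedChange("CHG-1050", "full-cab", "CORP\\admin2", "OU=Sales,DC=corp,DC=local",
                   datetime(2009, 3, 2, 12, 0), datetime(2009, 3, 2, 14, 0)),
]

EVENTS = parse_audit_export(AUDIT_EXPORT)

if __name__ == "__main__":
    for ev, ticket, reason in reconcile(EVENTS, APPROVED):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.actor:<12} {ev.attribute:<12} {ev.obj_dn}")
        print(f"    -> {ticket or 'UNAPPROVED'}: {reason}")
```

On the constructed data the first and third events match their tickets, the new group is flagged because only email approval was recorded where full change control was required, and the out-of-hours Domain Admins membership change has no approval at all. Matching on actor, object and time window is what makes the register useful to an auditor: an approval that exists but was obtained at the wrong tier, or used by someone else, is reported rather than silently accepted.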
