Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Change Control in an AD setup

Posted on 2009-07-01
Medium Priority
Last Modified: 2013-11-05
Can anybody offer me some advice on ultra secure change control for changes made to Active Directory settings? I am really after an opinion on what works for you (in your setup, and essentially so we can use some of the advice to form some ultra secure change control processes that satisfy our auditors.

We have a 3rd party IT FM, and recently an independent security review raised concerns the process of change control in the our network should be improved. I take there advice on board, and I really want to go to town ensuring change control procedures are super efficient and secure here, so I wondered if there are any good advice you can give us, i.e. the level of review and authorisation before a change goes live into our domains, the level of testing before a change goes live, the documented procedures we need to have in place from our side, and what the IT FM need on there side etc etc.

Any best practice will be helpful, or even any lessons learnt you found at your setup which perhaps failed audits / security reviews, and how you plugged the gaps to get your change control procedures ultra secure and satisfying these security reviews / external audits?
Question by:pma111
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Assisted Solution

Kieran_Burns earned 400 total points
ID: 24753048
What your auditors are after is accountability at all stages of the Change process, and the process itself ( :-) )
Really, an ideal start would be to look at the ITIL change management process (used wher I work...oddly a 3rd party IT FM firm) http://en.wikipedia.org/wiki/Change_Management_(ITSM) will get you started.
Auditing requires documentation and process control - what you need to do is define what the SLA requirements are and from that define the OLA levels of responsibility - all this will be in the change process
Read through the ITIL guide and that will get you going in the right direction - it's not a bible, just a guidance

Accepted Solution

graystoke earned 600 total points
ID: 24762066
enable Active Directory Auditing.  (for Win2k3, see http://support.microsoft.com/kb/814595)

you probably have multiple DCs.  If you want to collect all AD oject access in one place, you'll need either:

a. scripting ability
b. a third party log collection tool
c. upgrade to Windows 2008 which has Event Subscription capability (viz. one DC can serve as the collection point for event logs from multiple DC's)

The way you implement Change Control is affected by solid topology design

I consulted in a well designed web-dev & hosting environment recently, where each stage in the deployment process was matched by a separate forest.  DEV, STAGING, UAP, PRODUCTION, BUSINESS (where all active admin accounts were stored).  Security boundaries were traversed using ADFS.  A well managed deployment process was directed by Sharepoint-based templates.  The environment, although apparently complex, maintained a set of uniform management protocols, which meant that each forest (and sub-domain) was managed in exactly the same way. The orderly & well documented design encouraged technical staff to maintain the change control process throughout.

You probably don't want to redesign your network topology to add loads of forests (sic!) but the above example illustrates, that a clear design with well thought out security boundaries, lends itself to keeping hold of the change-control reins.   Maybe you could accomplish a similar thing as my client by using separate domains.

3. KISS Principle
Change Control is also affected by the number & complexity of documents, forms, screens that must be completed to achieve change approval.  Simplify, simplify, simplify.  

Give your tech staff clear directions on which changes CAN be short-cutted and which require stricter change control.  eg. You only need manager approval via email to add a user to a AD group, but you may need full change control approval to add a new group to AD or to apply a new GPO to an OU.

Make sure your change-control directions come from an approved source.

eg. While consulting at a local government institution in the UK recently, I was gob-smacked to see a blind eye turned when 10 applications were rolled onto a live production Citrix farm of around 70 servers, sans change control!!   The "argument" was made (2 weeks later!) that the project had not been "fully commissioned" yet, even though over 2500 users were connecting to it every day!  

On the other hand, one week later, the ill-informed Helpdesk Manager sent a sternly worded message to Support staff insisting that no-one was to use Active Directory anymore, as some change control 3rd party software would now handle all AD changes.  All 3rd-liners cocked their heads, raised their eyebrows, wagged their fingers and sent the message to Deleted Items.

ITIL outlines change management process ideals, interalia.   I have worked within a number of organisations at various stages of ITIL-compliance, with vastly differing take-up.  One so-called ITIL organisation allowed infrastructure engineers to log on to all domain servers as the domain administrator!  Imagine what an encouragement that was to fill out change control forms & spreadsheets which were overly complex & tedious to fill out.

At the end of the day, if you make it hard (read complicated & long-winded) for staff to adhere to good change control procedures, and if you make it easy for them to thwart the same, your ITIL change-control procedures may be largely ignored.

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question