Solved

Change Control in an AD setup

Posted on 2009-07-01
Last Modified: 2013-11-05
Can anybody offer me some advice on ultra secure change control for changes made to Active Directory settings? I am really after an opinion on what works for you (in your setup), and essentially so we can use some of the advice to form some ultra secure change control processes that satisfy our auditors.

We have a 3rd party IT FM, and recently an independent security review raised concerns that the process of change control in our network should be improved. I take their advice on board, and I really want to go to town ensuring change control procedures are super efficient and secure here, so I wondered if there is any good advice you can give us, i.e. the level of review and authorisation before a change goes live into our domains, the level of testing before a change goes live, the documented procedures we need to have in place from our side, and what the IT FM need on their side, etc.

Any best practice will be helpful, or even any lessons learnt you found at your setup which perhaps failed audits / security reviews, and how you plugged the gaps to get your change control procedures ultra secure and satisfying these security reviews / external audits?
Question by:pma111
2 Comments
 

Assisted Solution

by:Kieran_Burns
Kieran_Burns earned 100 total points
ID: 24753048
What your auditors are after is accountability at all stages of the Change process, and the process itself ( :-) )
Really, an ideal start would be to look at the ITIL change management process (used where I work...oddly a 3rd party IT FM firm) http://en.wikipedia.org/wiki/Change_Management_(ITSM) will get you started.
Auditing requires documentation and process control - what you need to do is define what the SLA requirements are and from that define the OLA levels of responsibility - all this will be in the change process
Read through the ITIL guide and that will get you going in the right direction - it's not a bible, just a guidance

Accepted Solution

by:
graystoke earned 150 total points
ID: 24762066
1. AUDIT
enable Active Directory Auditing.  (for Win2k3, see http://support.microsoft.com/kb/814595)

you probably have multiple DCs.  If you want to collect all AD object access in one place, you'll need either:

a. scripting ability
b. a third party log collection tool
c. upgrade to Windows 2008 which has Event Subscription capability (viz. one DC can serve as the collection point for event logs from multiple DCs)


2. TOPOLOGY
The way you implement Change Control is affected by solid topology design

I consulted in a well designed web-dev & hosting environment recently, where each stage in the deployment process was matched by a separate forest.  DEV, STAGING, UAP, PRODUCTION, BUSINESS (where all active admin accounts were stored).  Security boundaries were traversed using ADFS.  A well managed deployment process was directed by Sharepoint-based templates.  The environment, although apparently complex, maintained a set of uniform management protocols, which meant that each forest (and sub-domain) was managed in exactly the same way. The orderly & well documented design encouraged technical staff to maintain the change control process throughout.

You probably don't want to redesign your network topology to add loads of forests (sic!) but the above example illustrates that a clear design with well-thought-out security boundaries lends itself to keeping hold of the change-control reins.   Maybe you could accomplish a similar thing as my client by using separate domains.

3. KISS Principle
Change Control is also affected by the number & complexity of documents, forms, screens that must be completed to achieve change approval.  Simplify, simplify, simplify.  

Give your tech staff clear directions on which changes CAN be short-cutted and which require stricter change control.  e.g. You only need manager approval via email to add a user to an AD group, but you may need full change control approval to add a new group to AD or to apply a new GPO to an OU.

4. COMMUNICATE
Make sure your change-control directions come from an approved source.

e.g. While consulting at a local government institution in the UK recently, I was gob-smacked to see a blind eye turned when 10 applications were rolled onto a live production Citrix farm of around 70 servers, sans change control!!   The "argument" was made (2 weeks later!) that the project had not been "fully commissioned" yet, even though over 2500 users were connecting to it every day!  

On the other hand, one week later, the ill-informed Helpdesk Manager sent a sternly worded message to Support staff insisting that no-one was to use Active Directory anymore, as some change control 3rd party software would now handle all AD changes.  All 3rd-liners cocked their heads, raised their eyebrows, wagged their fingers and sent the message to Deleted Items.

5. ITIL
ITIL outlines change management process ideals, inter alia.   I have worked within a number of organisations at various stages of ITIL-compliance, with vastly differing take-up.  One so-called ITIL organisation allowed infrastructure engineers to log on to all domain servers as the domain administrator!  Imagine what an encouragement that was to fill out change control forms & spreadsheets which were overly complex & tedious to fill out.


At the end of the day, if you make it hard (read complicated & long-winded) for staff to adhere to good change control procedures, and if you make it easy for them to thwart the same, your ITIL change-control procedures may be largely ignored.
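The "scripting ability" option from point 1 of the accepted answer, as an added example (this is not graystoke's code or anything from the original thread): a PowerShell function that pulls AD change events from every domain controller into one list, so the entries can be reconciled against change tickets. It assumes the ActiveDirectory module (RSAT) is installed, the account running it can read each DC's Security log, and that auditing of Account Management and Directory Service Changes is already enabled as the answer describes. The event IDs are the Windows Server 2008 and later ones; the Windows 2003 KB the answer links to uses a different, older numbering, so this script is for the "upgrade to 2008" world rather than Win2k3.

```powershell
# Added example: collect AD change events from all DCs into one place.
# Assumes RSAT ActiveDirectory module and read access to each DC's Security log.
Import-Module ActiveDirectory

# Security event IDs a DC writes when groups or directory objects change
# (Windows Server 2008+ numbering; Windows 2003 uses different IDs).
$script:AdChangeEventIds = @(
    4728, 4732, 4756,   # member added to global / local / universal security group
    4729, 4733, 4757,   # member removed from global / local / universal security group
    4727, 4731, 4754,   # security group created
    4730, 4734, 4758,   # security group deleted
    5136, 5137, 5141    # directory service object modified / created / deleted
)

function Get-AdChangeEvents {
    param(
        # How far back to look; default is the last 24 hours.
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Default: every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = $script:AdChangeEventIds
                StartTime = $Since
            } | ForEach-Object {
                # Pull named fields out of the event XML rather than relying on
                # positional Properties indexes, which differ between event IDs.
                $data = ([xml]$_.ToXml()).Event.EventData.Data
                $actor  = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
                $member = ($data | Where-Object { $_.Name -eq 'MemberName' }).'#text'
                # Group events name the group in TargetUserName; 513x object
                # events name the object in ObjectDN.
                $target = ($data | Where-Object {
                               $_.Name -eq 'TargetUserName' -or $_.Name -eq 'ObjectDN'
                           } | Select-Object -First 1).'#text'

                [pscustomobject]@{
                    DC     = $dc
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    Task   = $_.TaskDisplayName
                    Actor  = $actor
                    Target = $target
                    Member = $member
                }
            }
        }
        catch {
            # Get-WinEvent throws when a DC is unreachable OR when it simply has
            # no matching events; warn and carry on with the remaining DCs so one
            # bad DC does not hide everything else.
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Usage: one CSV for the week, sorted by time, to hand to the change board.
Get-AdChangeEvents -Since (Get-Date).AddDays(-7) |
    Sort-Object Time |
    Export-Csv -Path 'AD-changes-last-7-days.csv' -NoTypeInformation
```

The point of the CSV is the reconciliation: every row should map to an approved change record (or to one of the pre-approved "short-cut" categories from point 3, such as a manager-approved group membership add). Rows with no matching ticket are exactly what an auditor will ask about, and the Actor column tells you who to ask.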
