generic AD accounts and security best practices.

Posted on 2016-08-08
Last Modified: 2016-08-27
We have an internal application only accessible via our private network that, from time to time, the local police authority requires access to for safeguarding issues/investigations etc., which they are entitled to access. Due to the size of the police force, and the number of officers who could request access, setting them up with an AD account each isn't really practical. As well, the requests for access can be urgent, and the SLA with our helpdesk requires 48 hours minimum for a new AD account, so that isn't always going to be practical either. The workaround was to create a generic AD account for them and disable it when not in use.

From a security/auditing perspective, our plan was to keep a separate audit log of when the generic AD account logged in, which police officer used it, times of login/logout, and records they requested access to. Can you think of anything else from an AD perspective we would need to do to ensure the login is restricted to only allow them to access this application? Or anything else you would add to the audit logs/process? Obviously the AD account would need to be very limited; is there anything in particular that you'd suggest around the account itself from a security best practice perspective?
Question by: pma111

Accepted Solution

btan earned 500 total points (awarded by participants)
ID: 41747289
In fact, the audit trail should be no different from the user account mgmt audit trails. Specifically for your use case, besides those audit trails suggested to be enabled (reference the CIS benchmark for hardening Windows systems), you can add granular auditing under "Advanced Audit Policy Configuration" and others - see this reference on the list of settings #
Some salient ones for consideration include
...for Policy Change
Audit MPSSVC Rule-Level Policy Change: The Microsoft Protection Service setting determines whether the OS generates audit events when changes are applied to policy rules for this service (used by the Windows Firewall). Activities tracked include policies active when the Windows Firewall service starts, changes to Windows Firewall rules, exception list, and settings, rules ignored or not applied and changes to Windows Firewall Group Policy settings.

...for Privilege Use
Audit Sensitive Privilege Use: Determines whether the OS generates audit events when sensitive privileges are used. Some examples include: Act as part of the OS, Back up files and directories, Create a token object and Debug programs

...for System
Audit System Integrity: Determines whether the OS generates audit events when the integrity of the security subsystem may have been violated, including the following events: audited events lost owing to a failure of the auditing system; a process uses an invalid local procedure call to impersonate a client, reply to a client address space, or read from or write to a client address space, an RPC integrity violation is detected, a code violation with an invalid hash for an executable file is detected or when cryptographic tasks are performed.

...for Global object access
File System: Enables administrators to configure a global SACL on the file system for an entire computer. If both a file and folder SACL are defined, the effective SACL may be determined by combining the file or folder SACL and the global SACL, where an audit event is generated if an activity matches any of the file, folder or global SACL.
Registry: Enables administrators to configure a global SACL on the registry for a computer, where selecting the Configure security checkbox lets admins add a user or a group to the global SACL. Must be used in tandem with the Registry security policy setting under object access.
You should also look for any other remote access to the host machine authorised for the 3rd party entities - it should not differ. Some may even have a "keylogger" installed in those host machines to access remotely.

For holistic oversight of privileged account or 3rd party account access & rights granted over time or during ad hoc request periods, it is suggested having a centralised oversight system such as a "jumphost" to enforce such privileged identity management. For example, in this use case, the police entities will be given an account and provisioned for on-demand purposes to access the application system. Specifically, there are already such PIMS, for e.g. Suite include On-Demand Privileges Manager that records detailed command-level activity performed so that you can better track those session activities for security auditing and forensic purposes, if required. Check out the latest report by the research company
Beyond multifactor authentication (MFA) and security assertion markup language (SAML) compatibility, a PIM solution needs to be able to do four things: 1) provide its own, web-based channel for access; 2) provide its own, tamperproof password safe (credential storage); 3) spawn, monitor, and intercept privileged Windows and Linux sessions (privileged session monitoring, or PSM); and 4) control privilege escalation on the endpoint (such as sudo replacement and revoking administrative rights on Windows from end users)
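An added example, not code from the thread or from any product it mentions: a PowerShell script that applies the account restrictions the question asks about (logon only from the application host, no delegation, application group only, bounded enable/disable window with a usage log) and enables the Advanced Audit Policy subcategories the answer names. The account, host, group and log path names are hypothetical, and the audit line is a constructed sample.

```powershell
Import-Module ActiveDirectory

# Hypothetical names (not from the thread): adjust to your environment.
$Account  = 'svc-police-access'
$AppHost  = 'APP-TS01'                      # only host the account may log on from
$AppGroup = 'APP-PoliceUsers'               # group that grants access to the application only
$LogPath  = 'C:\AuditLogs\generic-account-usage.csv'

function Set-SharedAccountBaseline {
    # Logon only from the nominated host, no delegation, application group membership only.
    Set-ADUser -Identity $Account -LogonWorkstations $AppHost -AccountNotDelegated $true `
        -CannotChangePassword $true -Description 'Shared police access; enable per request'
    Get-ADPrincipalGroupMembership -Identity $Account |
        Where-Object { $_.Name -notin @('Domain Users', $AppGroup) } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $Account -Confirm:$false }
    Add-ADGroupMember -Identity $AppGroup -Members $Account
}

function Grant-SharedAccess([string]$Officer, [int]$Hours = 8) {
    # Enable for a bounded window and record which officer the account was issued to.
    $expires = (Get-Date).AddHours($Hours)
    Set-ADAccountExpiration -Identity $Account -DateTime $expires
    Enable-ADAccount -Identity $Account
    "$(Get-Date -Format o),$Account,$Officer,enabled,$($expires.ToString('o'))" |
        Add-Content -Path $LogPath
}

function Revoke-SharedAccess([string]$Officer) {
    # Disable and log; the next request re-enables with a fresh expiry window.
    Disable-ADAccount -Identity $Account
    "$(Get-Date -Format o),$Account,$Officer,disabled," | Add-Content -Path $LogPath
}

function Enable-AnswerAuditSubcategories {
    # Advanced Audit Policy subcategories named in the accepted answer, plus Logon/Logoff
    # so the shared account's sessions are recorded (run elevated on the application host).
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
    auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
}

# Constructed sample usage for one access request:
Set-SharedAccountBaseline
Enable-AnswerAuditSubcategories
Grant-SharedAccess -Officer 'PC 1234 (constructed sample)' -Hours 8
# ... officer works in the application, then the request window closes ...
Revoke-SharedAccess -Officer 'PC 1234 (constructed sample)'
```

The Set-ADUser and group changes need an account with rights over the shared user object; the auditpol calls need local administrator rights on the host where the account logs on, and the resulting events land in that host's Security log.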
Expert Comment

ID: 41772818
The proposed audit coverage is included as part of oversight, and also importantly the use of privileged identity mgmt to centrally oversee 3rd party access administration is good security practice to deter and detect early signs of abuse by administrators.
