Group Expiration on Active Directory (2016)

Active Directory is the base technology used to provide authentication and authorization services to Microsoft and third-party applications. Microsoft has continued to invest in Active Directory and has introduced new features in every version of Windows Server. Windows Server 2012 brought enhancements such as safe virtual snapshots of a domain controller, domain controller cloning, the Active Directory Recycle Bin, fine-grained password policies (FGPP), dynamic access control, and many other features. Windows Server 2016 brings some new and exciting features for Active Directory. The main feature introduced in Windows Server 2016 is group membership expiration, which is the focus of this article.

Group membership expiration

One of the notable features added to Windows Server 2016 Active Directory is “group membership expiration.” In earlier versions of Active Directory, if you added users to a security group temporarily, you had to keep track of which users to remove from the security group, both to avoid potential harm and to ensure that users were removed for compliance purposes. For example, if you added someone to the Domain Admins security group to perform admin tasks in Active Directory for a certain period of time and forgot to remove the user from the group, that user retained unauthorized access to Active Directory and to other systems in the production environment. If you needed to remove several users from a security group, you had to write a script that processed the users stored in a CSV file and removed them from the group. Group membership expiration removes users from the security group automatically: it allows you to add a user to a security group for a set period of time. This feature is quite handy when someone needs to be part of a security group for a limited time, for example to install an application or to perform maintenance tasks on the systems.

Requirements for using group membership expiration

There are a few requirements that you need to meet before the group membership expiration feature can be used, as listed below:

First, make sure to raise the functional level to Windows Server 2016. This may be difficult for many organizations, because most production environments are still running Windows Server 2012 R2 and earlier domain controllers. Note that raising the functional level to Windows Server 2016 removes the ability to install earlier versions of domain controllers. You can verify the current domain and forest functional levels by executing the PowerShell commands below:


Get-ADDomain | Select-Object DomainMode   # domain functional level
Get-ADForest | Select-Object ForestMode   # forest functional level


The group membership expiration feature was introduced as part of the PAM (privileged access management) optional feature. To check whether PAM is enabled (the EnabledScopes property is empty when it is not), run this PowerShell command:


Get-ADOptionalFeature "Privileged Access Management Feature"


Once privileged access management is enabled, you can use two simple PowerShell commands to add a user to a group with an expiration time, as shown below:


$TTL = New-TimeSpan -Minutes 30   # how long the membership should last
Add-ADGroupMember -Identity "Domain Admins" -Members TestUser -MemberTimeToLive $TTL


As you can see in the above commands, the first command creates a 30-minute time span, and the second uses the Add-ADGroupMember cmdlet to add “TestUser” to the Domain Admins security group while specifying, through the -MemberTimeToLive parameter, how long the membership should last. When the time expires, the user “TestUser” is automatically removed from the Domain Admins security group.
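The steps above (check the functional level, confirm PAM is enabled, add the member with a TTL) combined into one script that also reads back the TTL Active Directory recorded, so you can confirm the membership really is temporary. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, and the group and user names are placeholders.

```powershell
# Added example (not from the original article): grant time-bound group
# membership and verify the TTL that Active Directory recorded. Assumes the
# RSAT ActiveDirectory module, a forest at the 2016 functional level and an
# account allowed to modify the target group. Group/member names are placeholders.
Import-Module ActiveDirectory

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Member,
        [int] $Minutes = 30
    )

    # Requirement 1: forest functional level Windows Server 2016 or later.
    $mode = (Get-ADForest).ForestMode.ToString()
    if ($mode -notmatch 'Windows(\d{4})Forest' -or [int]$Matches[1] -lt 2016) {
        throw "Forest functional level is '$mode'; Windows Server 2016 or later is required."
    }

    # Requirement 2: the PAM optional feature must be enabled (EnabledScopes non-empty).
    # Enabling it is a one-way change, so this function only reports and stops:
    #   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    #       -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
    $pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if (-not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    # Add the member with a time-to-live instead of a permanent membership.
    $ttl = New-TimeSpan -Minutes $Minutes
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $ttl

    # Verify: with -ShowMemberTimeToLive, temporary members are returned as
    # "<TTL=<seconds>,<DN>>" rather than as a bare distinguished name.
    $memberDn = (Get-ADUser -Identity $Member).DistinguishedName
    $entries = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
    foreach ($entry in $entries) {
        if ($entry -match '^<TTL=(\d+),(.+)>$' -and $Matches[2] -eq $memberDn) {
            return [pscustomobject]@{ Member = $memberDn; SecondsRemaining = [int]$Matches[1] }
        }
        if ($entry -eq $memberDn) {
            throw "$Member is a permanent member of $Group; no TTL was recorded."
        }
    }
    throw "$Member was not found in $Group after the add."
}

Grant-TemporaryGroupMembership -Group 'Domain Admins' -Member 'TestUser' -Minutes 30
```

The returned SecondsRemaining counts down on every call, which makes the same read-back useful as a periodic audit that no temporary membership has silently become permanent.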

The group membership expiration feature is quite useful when dealing with contractors, vendors, temporary employees, and anyone else who needs temporary access to Active Directory and to systems connected to the production environment. It helps reduce the security risk of temporary memberships that are never revoked.

Time synchronization enhancements

Time synchronization throughout the Active Directory forest is necessary because the Kerberos authentication protocol requires system clocks to be in sync before an identity can be authenticated. Windows Server 2016 enhances the time synchronization algorithm, for example by making sure frequent time adjustments are processed and by eliminating the rounding errors that typically occur when synchronizing time with a PDC or a domain controller. Accuracy has been improved from 100s of milliseconds to the 10s of microseconds.

Rethinking security, or defining malevolent activity without collusion

“Separate the duties of individuals to reduce the risk of malevolent activity without collusion.” In layman's terms, organizations must segregate the duties and tasks that employees complete in order to minimize the chance that they could purposely plan and execute malicious activities.

Digital transformation has caused a revolution, and workforce mobility has replaced the traditional on-premises approach. As a result, the focus of technology spend is increasingly shifting to users, devices and data.

The traditional ‘hub and spoke’ model, where everything including applications, data and users lived inside the corporate network, is no longer viable given the sheer numbers of cloud applications that are consumed.

Businesses today are looking for dynamic access to both internal applications and external cloud applications.

This requires a major review of how organizations view their perimeters as a more agile, distributed set of access and control points. Ultimately, today’s modern security should be about advancing strategies in a fast, safe way, all while understanding the language of the cloud.

Security and network teams need to change their approach to keep pace with the needs of modern organizations. The first few years of enterprise cloud adoption focused on a core set of commonly used SaaS applications. More recently, there’s been an accelerated use of a wider set of industry-specific and niche applications and, of course, internal apps moving to the cloud.

With this transition comes a need for total security and compliance for any application or device.

Key components of network security architecture for the cloud era should be built from the ground up, as opposed to being bolted on to legacy solutions built for organizations functioning only on-premises or from only managed devices.

The people perimeter

The problem is that legacy security technology is not designed to secure data as it moves beyond the traditional idea of the ‘perimeter’ and into a variety of cloud apps and devices.

Organizations need to re-evaluate the limits of their security platform to ensure that it holds firm against every eventuality, including the perennial weak links within the enterprise.

For example, more than ever before, employees are using their personal devices to perform their work duties. Bring your own device (BYOD) enhances productivity and flexibility, but it can also lead to security concerns if the right security solutions are not put in place. Before COVID-19, BYOD was a significant trend, but just one of many items on IT security to-do lists.

The impact of the lockdown has shifted the goalposts, and new work-from-home arrangements have opened multiple attack vectors for cyber attacks. More people are likely to be signing up for apps using their own Gmail account, for example, quickly circumventing established security processes.

Similarly, when it comes to threats to enterprise cyber security, it is easier to focus on external third parties as being the main source of risk. However, a considerable volume of data leakage comes as a result of insider threats - people within an enterprise, whether they divulge proprietary information with malevolent intentions, or are just careless employees who unwittingly share sensitive data.

Crucially, in building a security strategy for the cloud era, enterprises must also be cautious of disjointed solutions, as a disconnected approach may harm their ability to adapt swiftly in a highly remote and dynamic business environment.

For instance, the time and money associated with managing disjointed, disparate security tools can be effectively used elsewhere. In contrast, consolidating tools into a single platform can be highly effective, both operationally and in cost-effectiveness.

Unfortunately, organizations often overlook architecture when considering practical security solutions. In doing so, they can saddle themselves with additional maintenance costs (such as employee time, upgrade requirements and overhead expenses) associated with legacy and appliance-based solutions.

Architectures also claim to be cloud native when, in fact, they are merely hosted in private data centres. In practice, this means they still adhere to what is essentially an on-premises network model, and security vendors who build their solutions like this must continue to maintain data centres, stock them with hardware appliances for their customers and factor this into their pricing and service models.

Security threats and vulnerabilities change every day - that’s a given, and these issues require IT teams to remain vigilant and agile in the face of new challenges. In dealing with the here and now, however, what can’t be overlooked is the fundamental shift in infrastructure and network security brought about by the growth of cloud.

Only by viewing security strategies in the context of these macro trends can organizations update their rule book to more effectively meet challenges head on, both now and in the future.