Strong Encryption can Help Prevent Data Loss

Organizational data stored in an unprotected state on laptop and desktop PCs exposes organizations to unacceptable risks, and the cost of data loss goes beyond endangering critical data. Under tough new privacy laws, customer or employee data compromised through a security breach can subject organizations to steep fines and embarrassing public disclosures.

Strong encryption provides a sure way to protect your organization's data from falling into the wrong hands and provides a "safe harbor" from disclosure requirements in the event a machine containing legally protected data is lost or stolen. Strong encryption can help you safeguard your organizational IT assets from the risk of data loss and its consequences. Every security-conscious organization should protect its data by using strong endpoint encryption.


What is delegation of administration in Active Directory?

An IT infrastructure typically comprises many IT assets, such as user accounts, computers, files and databases, applications and services, all of which need to be administered. In such IT infrastructures, it is not possible for a handful of administrators to adequately administer every aspect of the infrastructure.

Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together comprise the infrastructure are distributed (or delegated) amongst an adequate, and typically greater, number of less-privileged administrators, who are then each responsible for managing a smaller, specific portion of the infrastructure.

Delegation of administration is the act of distributing administrative tasks for the various aspects of IT management amongst an adequate number of administrators.

The act of delegating administration involves granting one or more users or Active Directory security groups the appropriate Active Directory security permissions, so that the delegated administrator is able to carry out those tasks.

In the interest of security, after delegating an administrative task, IT personnel should always also verify the delegation in Active Directory, to be sure that the task was delegated accurately. Verifying a delegation in Active Directory is rather complicated, but with the right Active Directory Reporting Tool, IT personnel can accomplish this task efficiently and reliably.

Done right, Active Directory's powerful administrative delegation capabilities let organizations securely, efficiently and cost-effectively delegate administrative authority for identity and access management in their IT infrastructures, thereby reducing cost and enhancing security.

Source - Active Directory Security Technical Reference


A Guide to the Active Directory Security Model

Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies. The Active Directory security model allows administrators to specify who has what access to which object with a high degree of control. It also allows administrators to specify access for an entire group of users, so as to simplify security management.

The following is an overview of how Active Directory's security model protects stored content –

  1. Each object is protected by a component known as a security descriptor

  2. Each security descriptor contains, amongst other components, an Access Control List (ACL)

  3. Each ACL contains one or more Access Control Entries (ACEs)

  4. Each ACE allows or denies specific security permissions to some security principal

  5. A security group can be specified as the security principal, and security groups can themselves be members of other security groups

  6. ACEs can be explicit or inherited; explicit ACEs override inherited ACEs

  7. Access is specified in the form of low-level technical permissions

  8. These low-level permissions can be standard permissions, or special permissions such as extended rights or validated writes

  9. Active Directory's current object visibility mode affects how list access requests are evaluated

  10. The access check takes into account the object's ACL and the user's access token, and determines the resultant access the user has on the object

In this manner, Active Directory's security model secures and protects Active Directory content.
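
The following PowerShell script is an added example (it is not code from the original page or from the referenced technical reference) that ties together the delegation section above and the security model overview: it delegates the "Reset Password" extended right on an OU to a security group by writing one ACE, re-reads the OU's security descriptor to verify that exactly the intended ACE is present, and then prints every ACE in the order the access check evaluates it. It requires the RSAT ActiveDirectory module, PowerShell 5 or later, and permission to modify the OU's ACL. The OU distinguished name and the group name are assumptions; the extended right and class GUIDs are resolved from the directory at run time rather than hard-coded.

```powershell
# Added example, not from the original page: delegate the "Reset Password"
# extended right on an OU to a security group, verify the delegation, and
# interpret the OU's ACL (explicit vs. inherited, deny vs. allow, extended
# rights resolved to names). Requires RSAT ActiveDirectory and PowerShell 5+.
Import-Module ActiveDirectory

$ouDN     = 'OU=Helpdesk Users,DC=corp,DC=example'   # assumed target OU
$groupSam = 'Helpdesk-PasswordReset'                  # assumed delegate group

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve GUIDs from the directory instead of hard-coding them:
# the "Reset Password" extended right and the schema GUID of the user class.
$resetGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# Build the ACE: Allow <group> the Reset Password extended right, applied to
# descendant user objects only (not to the OU object itself).
$groupSid = (Get-ADGroup -Identity $groupSam).SID
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# Apply: read the current security descriptor, add the ACE, write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: re-read the ACL and look for exactly the ACE that was intended.
$acl = Get-Acl -Path "AD:\$ouDN"
$delegated = @($acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $resetGuid -and
    $_.InheritedObjectType -eq $userClassGuid -and
    -not $_.IsInherited
})
if ($delegated.Count -eq 1) { "Verified: $groupSam can reset passwords on users under $ouDN" }
else { "NOT verified: expected 1 matching explicit ACE, found $($delegated.Count)" }

# Interpret the whole ACL in the order the access check evaluates it:
# explicit ACEs before inherited ones, and within each group deny before allow.
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

$acl.Access |
    Sort-Object IsInherited, @{ Expression = { $_.AccessControlType -eq 'Allow' } } |
    ForEach-Object {
        # ObjectType is empty for ACEs covering the whole object; otherwise it is an
        # extended right, property set, attribute or class GUID.
        $right = '(all)'
        if ($_.ObjectType -ne [guid]::Empty) {
            if ($rightNames.ContainsKey($_.ObjectType)) { $right = $rightNames[$_.ObjectType] }
            else { $right = $_.ObjectType.ToString() }
        }
        [pscustomobject]@{
            Scope   = if ($_.IsInherited) { 'Inherited' } else { 'Explicit' }
            Type    = $_.AccessControlType
            Trustee = $_.IdentityReference
            Rights  = $_.ActiveDirectoryRights
            Right   = $right
        }
    } | Format-Table -AutoSize
```

The verification step is deliberately strict: it matches on trustee, allow/deny, the ExtendedRight bit, the right's GUID, the inherited object class and the explicit/inherited flag, so a delegation that was applied to the wrong scope (for example to all descendants rather than only user objects) is reported as not verified. The final table makes the ordering rule in items 6 and 10 visible: an explicit deny is listed, and evaluated, ahead of any inherited allow for the same trustee.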


How to Generate True Last Logon Security Reports in Active Directory

As an IT administrator you may need to determine the last time a user used their Active Directory domain user account to log on. For instance, last logon values are required to generate and furnish a list of stale domain user accounts.

Active Directory stores the last logon time of a domain user account in a specific attribute on the user object called lastLogon. This attribute is not replicated, so each domain controller (DC) holds only the value for the logons it authenticated itself. IT administrators therefore need to query each DC in the domain for its local lastLogon value on the user's account, compare these values to determine the latest one, and report that as the user's true last logon time. The actual last user logon value is also commonly referred to as True Last Logon. There are two steps to determining the true last logon time of a domain user account: the first is obtaining the value from each DC in the domain, and the second is comparing these values (taking into account their Integer8 syntax, i.e. comparing them as 64-bit integers rather than as display strings) to arrive at the true last logon value for the user.

In order to read the lastLogon attribute you must also have the appropriate Active Directory security permissions; without them you will not be able to read the value of this attribute. Fortunately, the security descriptor is replicated, so permissions granted on one DC apply on every DC.

There are many Active Directory reporting tools that can help IT administrators automatically generate True Last Logon reports. Some of these tools are also available in free editions, and can help IT admins quickly fulfill their Active Directory security reporting needs for audit and compliance.

True Last Logon reports are essential for security, and can help organizations identify and clean up stale or inactive domain user accounts in their Active Directory. Automated tools have an advantage over running many manual queries or over semi-automated PowerShell scripts.
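
The two-step procedure described above (read lastLogon from every DC, then compare the Integer8 values) as an added PowerShell example; it is not code from the original page. It requires the RSAT ActiveDirectory module and read access to lastLogon on the user objects. The 90-day staleness threshold and the output file name are assumptions.

```powershell
# Added example, not from the original page: compute a user's True Last Logon by
# reading the non-replicated lastLogon attribute from every DC in the domain and
# keeping the latest value, then report stale enabled accounts to CSV.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # lastLogon has Integer8 syntax: a 64-bit Windows FILETIME (100 ns ticks
    # since 1601-01-01 UTC). 0 or absent means the DC never saw a logon.
    # Comparing the raw integers avoids the pitfalls of comparing formatted dates.
    $latest    = [int64]0
    $latestDC  = $null
    $unreached = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lastLogon -ErrorAction Stop
        } catch {
            # A DC that cannot be queried is recorded rather than silently skipped:
            # its copy of lastLogon might be the most recent one, so the result is
            # only a lower bound until that DC is reachable again.
            $unreached += $dc.HostName
            continue
        }
        $value = [int64]($u.lastLogon)    # $null (never logged on here) becomes 0
        if ($value -gt $latest) {
            $latest   = $value
            $latestDC = $dc.HostName
        }
    }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        TrueLastLogon  = if ($latest -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($latest) }
        ReportedBy     = $latestDC
        UnreachableDCs = $unreached -join ';'
    }
}

# Stale-account report: enabled users whose true last logon is older than the
# assumed 90-day threshold, or who have never logged on at all.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-TrueLastLogon -SamAccountName $_.SamAccountName } |
    Where-Object { $null -eq $_.TrueLastLogon -or $_.TrueLastLogon -lt $cutoff } |
    Export-Csv -Path .\TrueLastLogon-Stale.csv -NoTypeInformation
```

Two details matter for the report's accuracy. The comparison is done on the Integer8 values and only converted to a DateTime once, for the winner, so time-zone and formatting differences between DCs cannot reorder the candidates. And the UnreachableDCs column is kept in the output: a row with a non-empty value there is a lower bound, not a confirmed stale account, and should be re-run before the account is disabled.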

How to generate security audit reports in Active Directory?

Microsoft's Active Directory technology is the foundation of identity and access management in Microsoft Windows Server based IT infrastructures, as it stores and protects all vital components of security, including user accounts, security groups, group policies and even computer accounts.

It thus plays a vital role in security and compliance auditing, and organizations therefore often need to generate, and to know how to generate, security audit reports in Active Directory. These reports often form an integral component of an organization's overall security audit and regulatory compliance reporting apparatus. They typically cover user account management, security group management, and even delegated administrative access management.

IT administrative personnel are often tasked with generating such reports, and with the right Active Directory reporting tools they can generate them quickly, reliably and in the form required by IT managers and IT auditors. IT admins can also write PowerShell scripts or LDAP scripts for Active Directory to generate these reports, but writing such scripts is often time-consuming and error-prone, so many IT admins choose a third-party reporting solution to fulfill such needs.

On a related subject, IT administrators also need to know how to audit and report security in Active Directory. To do so, they often rely either on custom in-house scripts or on third-party automated management tools, as Microsoft unfortunately does not seem to provide appropriate tools for this. Fortunately, there are some very helpful third-party Active Directory reporting tools available that can make this job easy and efficient for IT admins to carry out.

How to Generate Reports in Active Directory?

Organizations often have a need to generate security and management reports in their Active Directory deployments. These reports typically capture important aspects of user account, computer account and even security group management.

There are various ways to generate reports in Active Directory –
  1. IT administrators can compile a list of reports and then, for each report, write a set of custom LDAP queries to generate it. Note, however, that some reports can be difficult to put together using only LDAP queries (e.g. True Last Logon reports).

  2. IT administrators can use Microsoft's PowerShell technology to enhance their scripting capabilities for generating reports. The problem with this, too, is that it is error-prone and may require substantial time depending on the number of reports. In addition, extra work is needed to format the reports so that they are in a presentable form.

  3. IT administrators can use third-party tools to generate reports. Numerous ISVs offer such tools, which automate report generation so that IT administrators can save their valuable time and effort and generate their reports in a quick, reliable and efficient manner.

Most organizations choose to use a combination of custom written scripts and 3rd party automated tools to generate reports in Active Directory.
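
As an added example of options 1 and 2 above (custom LDAP queries driven from PowerShell, with the formatting step included), the following script is not code from the original page. It defines three of the report types the page mentions (two user account management reports and one security group management report) as LDAP filters or cmdlet calls, runs them, and writes each to a CSV file. It requires the RSAT ActiveDirectory module; the output directory is an assumption. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, used here to test userAccountControl flag bits.

```powershell
# Added example, not from the original page: a small report runner that turns
# custom LDAP queries and cmdlet calls into presentable CSV reports.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND: "(attr:1.2.840.113556.1.4.803:=N)" is true when all
# bits of N are set in attr. userAccountControl bits used below:
#   65536 = DONT_EXPIRE_PASSWORD, 2 = ACCOUNTDISABLE
$BIT_AND = '1.2.840.113556.1.4.803'

# Each report is a name plus a script block that returns the rows to present.
$reports = [ordered]@{

    # User account management: enabled accounts whose password never expires.
    'Users-PasswordNeverExpires' = {
        Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:${BIT_AND}:=65536)(!(userAccountControl:${BIT_AND}:=2)))" `
            -Properties PasswordLastSet |
            Select-Object SamAccountName, Name, PasswordLastSet, DistinguishedName
    }

    # User account management: disabled accounts (cleanup candidates).
    'Users-Disabled' = {
        Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:${BIT_AND}:=2))" |
            Select-Object SamAccountName, Name, DistinguishedName
    }

    # Security group management: effective (nested) membership of Domain Admins.
    'DomainAdmins-EffectiveMembers' = {
        Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Select-Object objectClass, SamAccountName, DistinguishedName
    }
}

function Invoke-ADReports {
    param(
        # Assumed output location: a dated folder under the current directory.
        [string] $OutputDirectory = (Join-Path "$PWD" ('AD-Reports-' + (Get-Date -Format 'yyyyMMdd')))
    )
    New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
    foreach ($name in $reports.Keys) {
        $rows = @(& $reports[$name])      # @() so an empty result still counts as 0 rows
        $file = Join-Path $OutputDirectory "$name.csv"
        if ($rows.Count -gt 0) {
            $rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        } else {
            $file = '(no rows, nothing written)'
        }
        # One summary line per report, so the run itself is auditable.
        [pscustomobject]@{ Report = $name; Rows = $rows.Count; File = $file }
    }
}

Invoke-ADReports | Format-Table -AutoSize
```

Adding a report is a matter of adding one entry to the table; the runner handles execution, the CSV formatting that item 2 above calls out as extra work, and a per-report row count that can be checked against the previous run.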