Active Directory should be the single source of truth for user and account management. Given how widely Windows Server is deployed, it is surprising that a significant majority of Microsoft customers do not extend their user management processes into Active Directory. This talk aims to highlight the many gaps that exist in user management today, and how to make Active Directory your BFF – Best Friend Forever.

This is a world where your employees are granted accounts on partners' or service providers' systems. However, a clear process and monitoring model that ensures those external accounts are deactivated upon employee departure (or contractor Statement-of-Work expiration) is lacking.

Most companies pass through audits in which the main Active Directory account termination process gets tested and reviewed: Jane Doe ([email protected]) cannot log in to your VPN or web-based email a week after her departure. Usually, HR receives a resignation letter that says Jane's last day will be January 31st 2016. The VPN logon certificate gets revoked, and the Active Directory account with samAccountName jdoe, listed in the GAL (Global Address List), has its logon credentials deactivated on February 1st 2016. This means that webmail access on her iPhone should stop working around that time.

However, Jane could still log on to a lot of external third-party systems with her old credentials – [email protected]. It would be great to establish a tool and a process that ties all external access for an employee or contractor to her logon capability in your Active Directory. There are many companies today, like Okta, that tie everything into your Active Directory and work for your own web applications (where users log on with their AD credentials and password).
But what about the use case where the partner or service provider has a website that is not Okta-enabled, or refuses to invest money or effort in that direction?

Coming up with a local database, and a website that offers a window into this database, would be a good solution. Tie in every account you have granted Jane anywhere as a result of her employment with you. So you would have janedoe78 (the GitHub account name for her email address [email protected] that she uses to access https://github.com/yourcompanyproject), her employee access to Safari Books Online, the AT&T Teleconferencing account, and possibly her whitehatsec.com Sentinel account (assuming she wears a hacker hat), all tied to her AD handle.

My talk brings you a lot of user management stories and a demo on AD management. Join me early; 9:30 am – BSides Seattle at Microsoft Commons, Redmond WA.
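The reconciliation that such a local database makes possible, as an added example that is not code from the article, the talk or any product it names: it walks an inventory of externally granted accounts and flags every one whose owning AD handle no longer grants logon, whether because the AD account was disabled, the contractor's SOW end date has passed, or the AD object is gone altogether. The AD export, SOW dates and account names are constructed, hypothetical data.

```python
from datetime import date

# Constructed stand-in for an AD export (e.g. Get-ADUser with the Enabled attribute)
# plus the contractor SOW end dates the local database would hold. All hypothetical.
AD_USERS = {
    "jdoe":   {"enabled": False, "sow_end": None},               # departed employee, disabled Feb 1
    "bsmith": {"enabled": True,  "sow_end": date(2016, 1, 15)},  # contractor whose SOW has expired
    "cjones": {"enabled": True,  "sow_end": None},               # active employee
}

# Constructed local inventory: every externally granted account, tied to an AD handle.
EXTERNAL_ACCOUNTS = [
    {"ad_handle": "jdoe",   "system": "github.com",           "account": "janedoe78"},
    {"ad_handle": "jdoe",   "system": "safaribooksonline",    "account": "jdoe-safari"},
    {"ad_handle": "bsmith", "system": "att-teleconference",   "account": "bsmith-conf"},
    {"ad_handle": "cjones", "system": "github.com",           "account": "cjones"},
    {"ad_handle": "ghost",  "system": "whitehatsec-sentinel", "account": "ghost-sentinel"},  # no AD object
]

# Day the reconciliation runs: the day after Jane's last day in the article.
REPORT_DATE = date(2016, 2, 1)


def access_revocation_reason(handle, ad_users, today):
    """Return why the AD handle no longer grants logon, or None if it still does."""
    user = ad_users.get(handle)
    if user is None:
        return "no AD object"  # deleted or never existed: treat as revoked, not as unknown
    if not user["enabled"]:
        return "AD account disabled"
    sow_end = user["sow_end"]
    if sow_end is not None and sow_end < today:
        return f"SOW ended {sow_end.isoformat()}"
    return None


def find_orphaned_external_accounts(ad_users, external_accounts, today):
    """List external accounts whose AD handle no longer grants access, with the reason."""
    orphans = []
    for acct in external_accounts:
        reason = access_revocation_reason(acct["ad_handle"], ad_users, today)
        if reason is not None:
            orphans.append({**acct, "reason": reason})
    return orphans


if __name__ == "__main__":
    for o in find_orphaned_external_accounts(AD_USERS, EXTERNAL_ACCOUNTS, REPORT_DATE):
        print(f"deactivate {o['account']} on {o['system']} ({o['ad_handle']}: {o['reason']})")
```

A handle with no AD object at all is reported rather than skipped, since a deleted account is exactly the case an audit of the main termination process would otherwise miss.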
About the Author: Sundar Krishnamurthy is a Senior Software Security Engineer at Concur Technologies, Bellevue WA. He is on Twitter and is a SANS instructor, mentoring students for the GSEC and GCED certifications. With a long prior career as a software engineer, Sundar now tries to find some sleep in Seattle. Training developers to embrace security and think like the bad guys is what keeps the excitement high and adrenaline flowing.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.