FINAL WORD
THE MOST COMPLEX CONCEPT WITH REPORTING ON GROUPS IS TO GET THE RECURSIVE GROUP MEMBERS , I . E ., THE USERS WHO ARE LOCATED IN NESTED GROUPS OF THE MAIN GROUP AND WHO NEED TO BE REPORTED AS WELL . THERE ARE PLENTY OF REPORTING TOOLS THAT CAN GET GROUP MEMBERSHIP RECURSIVELY , THOUGH . POWERSHELL BY MICROSOFT AND ADMANAGER PLUS BY MANAGEENGINE ARE TWO OPTIONS
There are many ways to grant privileges in a Windows environment . Granting privileges is rather easy . Reporting and analysing the current privileged access , however , can be a bit harder as there is no centralised location that shows an administrator or auditor the current privileged access . Understanding the different technologies and features that grant privileged access is the first step . Then , for each area where privileges can be granted , there are five steps that should be taken to ensure ongoing privileged access security . Those steps include :
Reporting on the current settings ;
Analysing the settings to understand who has privileged access ;
Configuring the correct privileged access ;
Monitoring for changes to privileged access ;
Alerting , in real time , for key privileged access changes
The technologies and features in a Windows environment that grant privileged access include :
Group membership
User rights
Delegation
Access control lists or permissions
Group membership get the recursive group members , i . e ., the users who are located in nested groups of the main group and who need to be reported as well .
There are plenty of reporting tools that can get group membership recursively , though . PowerShell by Microsoft and ADManager Plus by ManageEngine are two options .
User rights User rights control global access over different aspects of a domain controller , server , or workstation . User rights are configured using Group Policy , giving granular control of each computer individually . Therefore , each computer could have a unique set of user rights , making the reporting and configuration of these settings difficult and time consuming .
Every Windows computer comes with a built-in tool ,” secpol . msc ”, which can report the current user rights on each computer . The tool must be run locally , but it is extremely powerful and gives precise configurations . Since each user right provides some level of privilege over the computer , each and every user right should be evaluated and configured to meet the minimum requirements for server access .
Access control lists Controlling access to files and folders is essential for assuring the security of data within any organisation . You need to properly configure the access control lists for your key data and ensure that they only provide access to the appropriate people . The wrong privileges granted to a file or folder could severely hurt , or even destroy , a company .
DEREK MELBER
Technical Evangelist at ManageEngine
Depending on how the group is configured in the environment , it can have the highest level of privileges or just a few privileges . For example , the Domain Admins group has nearly the highest level of privileges in the entire Active Directory domain . Just adding a user to this group grants this level of privilege . However , the most complex concept with reporting on groups is to
Reporting on who has access to a file or folder is a monumental task , due to the volume of files and folders on a typical network . Therefore , selection of the most important data must occur , and then those selected files and folders can be the focus of the security hardening . There are many tools that can help report on data access control lists , but if you do not want to purchase a tool you
90 INTELLIGENTCIO www . intelligentcio . com