Recommended Active Directory Guidelines for SOX audit Part 1
Administrative Accounts
Administrative accounts are the members of Domain Admins, Enterprise Admins and the built-in Administrators group.
Each must have a recognizable, personal username so that actions in the audit logs can be traced to an individual.
The built-in Active Directory Administrator account must be renamed, and its password known only to the company IT director or another designated executive. Renaming is a deterrent rather than a control: the account keeps its well-known RID 500 SID and can still be found by SID, so keep it out of daily use and monitor its logons.
Administrative accounts should be reviewed by the IT director at least annually.
Generic Accounts
Generic accounts are the ordinary user accounts in Active Directory.
Their password settings come from the Default Domain Policy GPO (see Password Policy below).
Service Accounts
Service accounts are accounts used to run application services that need domain credentials in order to function, for example backup applications.
Service accounts should be named after the service they run, and their passwords set to "Never Expire" so that a scheduled expiry does not stop the service. Because the policy expiry does not apply to them, their passwords must be long and random and rotated by hand.
Service account passwords should be changed by the IT team at least annually.
Some service accounts end up as members of the Domain Admins group. Every such membership must be approved by the IT director and justified, because a compromised service account then compromises the whole domain.
Every service account should carry a detailed description of its purpose (which application, on which server, and who owns it).
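The administrative-account review and the service-account rules above can be run as one report. The following is an added example, not a script from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine and uses the three privileged groups named above.

```powershell
# Added example (not from the original post): one-shot review of privileged groups.
# Assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$oneYearAgo       = (Get-Date).AddYears(-1)

$review = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so indirectly privileged accounts are listed too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                   -Properties Description, PasswordNeverExpires, PasswordLastSet, LastLogonDate
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                Description          = $u.Description
                PasswordNeverExpires = $u.PasswordNeverExpires   # the page's marker for a service account
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
                # Findings for the IT director's sign-off:
                MissingDescription   = [string]::IsNullOrWhiteSpace($u.Description)
                RotationOverdue      = $u.PasswordNeverExpires -and $u.PasswordLastSet -lt $oneYearAgo
            }
        }
}

$review | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$review | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation

# The built-in Administrator keeps RID 500 however it is renamed, so look it up by SID,
# exactly as an attacker enumerating the domain would.
$builtinAdminSid = '{0}-500' -f (Get-ADDomain).DomainSID.Value
Get-ADUser -Identity $builtinAdminSid -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate
```

The CSV is the evidence for the annual review: any row with MissingDescription or RotationOverdue set to True is a finding, and the last query shows the renamed built-in Administrator regardless of what it is now called.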
Contractors
Contractor user and computer accounts should be placed in a dedicated OU so that stricter security policies (GPOs) and an account expiry date can be applied to them.
Every contractor account should have a detailed description of its purpose (department and project).
Guests
Guest accounts should not be used at all; keep the built-in Guest account disabled.
Active Directory Password Policy (example)
A "password policy" is the set of password protection rules that applies to all company users. In Active Directory it lives in the Default Domain Policy GPO under Computer Configuration > Windows Settings > Security Settings > Account Policies (Password Policy and Account Lockout Policy).
- Passwords must be at least 8 characters long.
- Passwords must contain:
- At least 1 upper-case letter
- At least 1 digit or special character, for example 0-9 or *&^%$#@?.|\~`,+-/
- The password must not contain part of the username.
(In Windows these rules map to "Password must meet complexity requirements", which demands characters from at least three of the categories upper-case, lower-case, digit and symbol, and rejects passwords that contain the user's account name or display name.)
- Maximum password age is 90 days (or less), so a password expires automatically 90 days after it was last changed.
- A reminder is emailed to the user 15, 7 and 1 day before expiry.
- Minimum password age is 7 days, so a user cannot change a password again within 7 days of the previous change; combined with the history rule this stops users cycling straight back to an old password.
- The system remembers the 24 previous passwords and the user may not reuse them.
- The account is locked for 30 minutes after 5 consecutive bad logon attempts (set "Reset account lockout counter after" to 30 minutes as well).
- Service account passwords are changed yearly; a reminder is sent to the IT group every 15 January.
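The policy above is only useful to an auditor if the live domain actually matches it. The following added example (not from the original post) reads the effective default domain password policy and reports each baseline setting as OK or FAIL; it assumes the ActiveDirectory module (RSAT) and takes its thresholds from the list above.

```powershell
# Added example (not from the original post): check the effective domain password policy
# against the baseline above. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    $p = Get-ADDefaultDomainPasswordPolicy

    # Each check: a setting name, the baseline from the policy text, and whether the live value meets it.
    # A MaxPasswordAge of 0 days means "never expires", which must fail the 90-day rule.
    $checks = @(
        @{ Setting = 'MinPasswordLength';           Baseline = '>= 8';       Pass = $p.MinPasswordLength -ge 8 }
        @{ Setting = 'ComplexityEnabled';           Baseline = 'True';       Pass = $p.ComplexityEnabled }
        @{ Setting = 'MaxPasswordAge';              Baseline = '1-90 days';  Pass = $p.MaxPasswordAge.Days -ge 1 -and $p.MaxPasswordAge.Days -le 90 }
        @{ Setting = 'MinPasswordAge';              Baseline = '>= 7 days';  Pass = $p.MinPasswordAge.Days -ge 7 }
        @{ Setting = 'PasswordHistoryCount';        Baseline = '>= 24';      Pass = $p.PasswordHistoryCount -ge 24 }
        @{ Setting = 'LockoutThreshold';            Baseline = '1-5';        Pass = $p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5 }
        @{ Setting = 'LockoutDuration';             Baseline = '>= 30 min';  Pass = $p.LockoutDuration.TotalMinutes -ge 30 }
        @{ Setting = 'LockoutObservationWindow';    Baseline = '>= 30 min';  Pass = $p.LockoutObservationWindow.TotalMinutes -ge 30 }
        # Not in the page's list, but an auditor will ask: reversible encryption stores
        # passwords in a form that can be recovered as cleartext and must stay off.
        @{ Setting = 'ReversibleEncryptionEnabled'; Baseline = 'False';      Pass = -not $p.ReversibleEncryptionEnabled }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Setting
            Baseline = $c.Baseline
            Actual   = $p.($c.Setting)
            Result   = $(if ($c.Pass) { 'OK' } else { 'FAIL' })
        }
    }
}

Test-PasswordPolicyBaseline | Format-Table -AutoSize

# Fine-grained password policies (Windows Server 2008 domains and later) override the default
# policy for the users and groups they target, so list them too; otherwise an exception made
# for, say, service accounts goes unnoticed in the audit.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo
```

The e-mail reminders and the yearly service-account rotation are procedural and are not visible in the GPO, so they have to be evidenced separately (the mail job's configuration and the change tickets).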
Delegation of Control
Delegation of Control grants specific user-management tasks (for example password resets or unlocking accounts) to designated staff with only the permissions those tasks need, instead of making them administrators.
This responsibility should be assigned to a small number of administration staff, and the delegated permissions should be part of the annual review.
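The Delegation of Control wizard does this through the GUI; the same least-privilege grant can be scripted and verified with dsacls. The following is an added example, not part of the original post; the OU, the helpdesk group and the domain name are assumptions.

```powershell
# Added example (not from the original post): delegate password reset and account unlock for
# one OU to a helpdesk group with dsacls, rather than making helpdesk staff administrators.
# The OU, the group and the domain name are assumptions.
$ou       = 'OU=Staff,DC=corp,DC=example,DC=com'
$helpdesk = 'CORP\Helpdesk-PasswordReset'

# /I:S applies the entry to the child objects (the users), not to the OU itself.
# CA = control access right, WP = write property; the trailing "user" limits each
# entry to user objects, so the group cannot touch computers or nested groups.
dsacls $ou /I:S /G "${helpdesk}:CA;Reset Password;user"
dsacls $ou /I:S /G "${helpdesk}:WP;pwdLastSet;user"    # needed for "user must change password at next logon"
dsacls $ou /I:S /G "${helpdesk}:WP;lockoutTime;user"   # needed to unlock accounts

# Verify: show only the ACEs on the OU that mention the helpdesk group.
dsacls $ou | Select-String -Pattern 'Helpdesk-PasswordReset'
```

Keep the scope to the OU that holds ordinary staff; a password-reset right that reaches the OU containing administrative or service accounts is an escalation path, which is why the delegated ACLs belong in the annual review.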
User Opening Policy
You should have a policy that documents each new user account: who requested it, who approved it, and which group memberships it was given.
User Maintenance Policy
You should have a policy that documents each change to a user account's security settings (group membership, delegated rights, password resets).
User Termination Policy
You should have a policy that documents each departed user: disable the account on the leaving date, remove its group memberships, and delete it after the retention period.
Backup
You must have an Active Directory backup policy: back up System State on at least one domain controller per domain, regularly and always within the tombstone lifetime (60 or 180 days depending on when the forest was created), because a backup older than that cannot be restored. Test the restore procedure on a non-production domain.
Restoring Active Directory Object from backup
Because of the risk involved, this procedure must be carried out very carefully. Practise it first on a non-production domain.
To restore an Active Directory object or subtree from backup:
- Determine the exact distinguished name (DN) of the object or OU to be restored.
- Reboot the domain controller into Directory Services Restore Mode (DSRM): press F8 during boot and log on with the DSRM administrator password.
- Restore System State from the most recent backup (a non-authoritative restore) and do not reboot when the restore finishes.
- Open a command window.
- Run "ntdsutil".
- Type "authoritative restore" and press Enter. (On Windows Server 2008 and later, type "activate instance ntds" first.)
- To restore a subtree, type "restore subtree" followed by the full DN of the subtree, quoted if it contains spaces and written as it appears in the directory. For example, to restore the sub-OU "Test ou2" located in the upper-level OU "Marketing": restore subtree "OU=Test ou2,OU=Marketing,DC=yoursubdomain,DC=yourdomain,DC=com"
- Type "quit" to leave authoritative restore mode.
- Type "quit" to exit ntdsutil.
- Reboot into normal operating mode.
Note that an authoritative restore rolls every attribute under that subtree back to its backup-time value, including passwords and group memberships, so rotate affected credentials and re-check privileged group membership afterwards.
Replicating Restored data to other Domain Controllers
The authoritative restore raised the version numbers of everything in the restored subtree, so those objects now win against the copies held by the other domain controllers. The change still has to replicate, so force replication as follows:
- Open the Active Directory Sites and Services MMC.
- Expand a domain controller other than the one that was just restored and open its NTDS Settings.
- Right-click the connection object whose "From Server" is the restored domain controller and click "Replicate Now"; this pulls the restored data onto that DC.
- Repeat for each of the other domain controllers (or run "repadmin /syncall" from the restored DC to push to all of them).
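The restore and replication steps above, run as commands on the restored domain controller, as an added example that is not part of the original post. It assumes a Windows Server 2008 or later DC (the "activate instance ntds" token is not needed on 2003), an assumed DN without embedded spaces, and that System State has already been restored in DSRM without rebooting.

```powershell
# Added example (not from the original post): the restore and replication steps above as
# commands, run on the restored domain controller. Assumptions: the DN below, a Windows
# Server 2008 or later DC, and System State already restored in DSRM without rebooting.
$subtreeDN = 'OU=Marketing,DC=corp,DC=example,DC=com'   # assumed; copy the DN exactly from the directory

# --- Step 1, still in Directory Services Restore Mode ---
# ntdsutil accepts its commands as arguments. This form works for DNs without spaces; a DN
# such as "OU=Test ou2,..." must be quoted inside ntdsutil, so type that one interactively.
& ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $subtreeDN" quit quit
# ntdsutil raises the version number of every restored attribute (by 100000 by default) so the
# restored copy wins replication. On forests at Windows Server 2003 level or higher it also
# writes .ldf files (ar_*_links_*.ldf) for group memberships that point into the subtree;
# import them with "ldifde -i -k -f <file>" after the reboot or those memberships stay missing.

# --- Step 2, after rebooting into normal mode ---
# Push all partitions from this DC to every DC in the forest:
# /A all partitions, /P push, /e include other sites, /d print DNs instead of GUIDs.
repadmin /syncall $env:COMPUTERNAME /APed

# --- Step 3, verify ---
Import-Module ActiveDirectory
Get-ADObject -SearchBase $subtreeDN -Filter * -Properties whenChanged |
    Select-Object DistinguishedName, whenChanged            # the restored objects are back
repadmin /showobjmeta $env:COMPUTERNAME $subtreeDN          # version numbers jumped on this DC
repadmin /replsummary                                       # no replication failures left behind
```

Run /showobjmeta against a second DC once /syncall has finished; the version numbers there should match the restored DC, which is the proof that the authoritative copy propagated.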
Good luck.
And remember: if there is any way to avoid this procedure, use the other way.
How to create new conference room (Meeting Room) resource
This is a common task in a corporate environment.
- Create a new user account, with a mailbox, named after the meeting room.
- Open the new user's mailbox in Outlook.
- Go to Tools > Options > Calendar Options > Resource Scheduling.
- Tick the automatic-processing options on that tab (accept meeting requests automatically, and decline conflicting and recurring requests as appropriate).
That is it.
NOTE: Exchange 2007 can create the room as a resource mailbox rather than a user account (the underlying account is disabled, so nobody can log on as the room). You can also set the resource capacity: if a meeting room only fits 10 people, enter 10 in the resource information under the object's properties.
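The Exchange 2007 approach from the note, done in the Exchange Management Shell, as an added example that is not from the original post. The room name, alias, UPN, OU and database name are assumptions.

```powershell
# Added example (not from the original post): create the meeting room as an Exchange 2007
# resource mailbox. The room name, alias, UPN, OU and database name are assumptions.
New-Mailbox -Name 'Meeting Room 1' -Alias meetingroom1 -Room `
    -UserPrincipalName meetingroom1@corp.example.com `
    -OrganizationalUnit 'OU=Resources,DC=corp,DC=example,DC=com' `
    -Database 'Mailbox Database'

# Capacity is stored on the mailbox and shown to users when they browse rooms in Outlook.
Set-Mailbox -Identity meetingroom1 -ResourceCapacity 10

# The Outlook "Resource Scheduling" settings of the user-based method live server-side for
# a resource mailbox, so nobody has to open the room's mailbox in Outlook to configure it.
Set-MailboxCalendarSettings -Identity meetingroom1 -AutomateProcessing AutoAccept `
    -AllowConflicts $false -AllowRecurringMeetings $true -BookingWindowInDays 180

# Verify: the mailbox is of type RoomMailbox, carries the capacity, and auto-accepts.
Get-Mailbox -Identity meetingroom1 | Select-Object Name, RecipientTypeDetails, ResourceCapacity
Get-MailboxCalendarSettings -Identity meetingroom1 | Select-Object AutomateProcessing, AllowConflicts
```

Because -Room creates a disabled Active Directory account with no usable password, the room does not become another generic account that has to be covered by the password policy above.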
Blackberry Calendar Sync Works One Direction only
The BlackBerry Enterprise Server administration account must have the following permissions at the server level: Send As, Receive As and Administer Information Store. Note that Receive As lets this account read every mailbox on the store, so treat it as a highly privileged account (long random password, no interactive logon, and logons monitored).
1. Go to Microsoft Exchange System Manager.
2. Expand Administrative Groups.
3. Right-click on the Exchange Server(s) that will be hosting the BlackBerry users’ mailboxes.
4. Click Properties.
5. Click the Security tab.
6. Click Add.
7. Select the BlackBerry Enterprise Server administration account.
8. In the Permissions window, tick Send As, Receive As and Administer Information store so that they are granted.
Grant Send As, Receive As, and Administer Information store permissions at the mailbox store level:
1. Select the mailbox store(s) for the Exchange Server(s) that will be hosting BlackBerry users’ mailboxes.
2. Click Properties.
3. Click the Security tab.
4. Select the Allow inheritable permissions from parent to propagate to the object option.
5. In the Permissions window, verify that Send As, Receive As, and Administer Information store permissions are granted.
Grant Send As, Receive As, and Administer Information store permissions at the public folder store level:
1. Open the Microsoft Exchange System Manager that is installed on the server(s) where the BlackBerry users’ public folder store resides.
2. Expand Administrative Groups.
3. Expand Servers and storage groups.
4. Right-click on the public folder store that will be hosting the BlackBerry users’ folders.
5. Click Properties.
6. Click the Security tab.
7. Click Add.
8. Select the BlackBerry Enterprise Server administration account.
9. In the Permissions window, verify that Send As, Receive As, and Administer Information store permissions are granted.
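Exchange 2007 has no Exchange System Manager, so the same rights are granted from the Exchange Management Shell. The following is an added example, not from the original post or from RIM; the account name is an assumption, and the GUI steps above remain the procedure for Exchange 2003.

```powershell
# Added example (not from the original post): grant the BlackBerry Enterprise Server account
# the same rights in the Exchange 2007 Management Shell. The account name is an assumption.
$besAdmin = 'CORP\BESAdmin'

# Server level (the GUI's first block): Send As, Receive As and Administer Information Store
# on every mailbox server. Mailbox and public folder stores inherit from the server object,
# which is what the "Allow inheritable permissions" step in the GUI relies on.
Get-MailboxServer | Add-ADPermission -User $besAdmin -AccessRights ExtendedRight `
    -ExtendedRights 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

# Verify the grant and that nothing denies it: an explicit Deny lower down (for example on
# one mailbox store) would bring back the one-way calendar sync described above.
Get-MailboxServer | Get-ADPermission -User $besAdmin |
    Select-Object Identity, ExtendedRights, IsInherited, Deny | Format-Table -AutoSize
```

The verification output is also the audit evidence for this account: Receive-As on a server object means it can open any mailbox there, so the list of objects it appears on should be reviewed with the other privileged accounts.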
How to find and disable Active Directory unused accounts
List of tools to find and disable unused Active Directory accounts
Free tools:
oldcmp
Usage
Example 1: oldcmp -report -age 0 -format csv -delim tab
This generates a tab-delimited CSV report of all computer accounts (with -age 0 no age filter is applied).
Run oldcmp /? for the full list of switches.
Scripts
lastlogon
Usage: cscript //nologo LastLogon.vbs > output.txt
Reports the lastLogon attribute per user. lastLogon is not replicated between domain controllers, so a script that only asks one DC will miss logons recorded on the others.
lastlogon time stamp - for Windows 2003 domains (includes each user's logon time stamp)
Usage: cscript //nologo LastLogonTimeStamp.vbs > output.txt
Reports lastLogonTimestamp, which is replicated but only refreshed when the stored value is more than 9-14 days old, so it is accurate to about two weeks.
Computer accounts not logged on within X number of days
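The lastLogonTimestamp approach of the scripts above, with the disable-and-move step the page's tool list describes, as an added example that is not from the original post. It assumes the ActiveDirectory module (RSAT), rights to modify the accounts, and that the quarantine OU below exists; it runs as a dry run until $commit is set.

```powershell
# Added example (not from the original post): find inactive users by lastLogonTimestamp,
# then stamp, disable and move them. Assumes the ActiveDirectory module (RSAT) and that
# the quarantine OU below exists (an assumption).
Import-Module ActiveDirectory

$inactiveDays = 90
$quarantineOU = 'OU=Disabled Accounts,DC=corp,DC=example,DC=com'
$commit       = $false    # dry run; set to $true to disable and move for real

# Search-ADAccount judges inactivity on lastLogonTimestamp, which replicates but is only
# refreshed when the stored value is more than 9-14 days old. It can therefore lag real usage
# by about two weeks, which a 90-day threshold absorbs; it never reports a logon that did not
# happen. Accounts that have never logged on have no timestamp and are returned as inactive.
# Disabled accounts are skipped, as are never-expiring passwords (the page's service accounts).
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties Description, LastLogonDate, whenCreated }

# A freshly created account that has not been used yet also looks inactive, so give new
# accounts the same grace period before they are disabled.
$stale = $stale | Where-Object { $_.whenCreated -lt (Get-Date).AddDays(-$inactiveDays) }

foreach ($u in $stale) {
    # Prepend the reason to the description: the old text stays for the audit trail.
    $stamp = 'Disabled {0:yyyy-MM-dd}: inactive over {1} days (last logon {2}). {3}' -f `
             (Get-Date), $inactiveDays, $u.LastLogonDate, $u.Description
    if ($commit) {
        Set-ADUser -Identity $u -Description $stamp
        Disable-ADAccount -Identity $u
        Move-ADObject -Identity $u -TargetPath $quarantineOU
    } else {
        '{0,-24} last logon {1,-22} created {2:yyyy-MM-dd}' -f $u.SamAccountName, $u.LastLogonDate, $u.whenCreated
    }
}

$stale | Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation

# Computer accounts work the same way: replace -UsersOnly with -ComputersOnly and use
# Get-ADComputer / Disable-ADAccount / Move-ADObject on the results.
```

Disabling first and deleting only after a retention period matters for the audit: a disabled account keeps its SID and group history, so a mistaken disable is reversible and the termination record stays verifiable.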
Commercial tools
- Find expired and unused Active Directory accounts
- Locate inactive user or computer accounts and disable, delete, move or enable Active Directory accounts in seconds.
- Shows disabled accounts, last logon/logoff time, OS type, etc.
- Export report to CSV, XLS, HTML, PDF and CSVDE
Unused Account Ferret
Find, disable and delete old user and computer accounts in Active Directory.
It queries all the domain controllers to determine which accounts have not been used for a specified number of days.