S 4.315 Maintenance of the operational reliability of an Active Directory
Initiation responsibility: Head of IT, IT Security Officer, Specialists Responsible
Implementation responsibility: Administrator
The administrators must maintain the existing level of security on the domain controllers used in the production environment and raise it accordingly when the requirements increase. Written guidelines for changes to the systems, for example those resulting from regular maintenance work, must be developed in advance.
For secure operation of the domain controllers it is essential to scan them regularly for viruses and the scans should be executed according to the corresponding special conditions (see S 2.414 Computer virus protection for domain controllers, section Critical files on domain controllers).
Continuously updating with service packs and hotfixes
The domain controllers should be protected against new threats at regular intervals by taking corresponding action, e.g. using Windows Update, installing service packs, and installing hotfixes. Even if the updates close critical security gaps and need to be installed promptly in the existing structure, they must first be checked in a test environment so that negative side effects are detected before they reach the production environment.
Security of the service administrator accounts
The responsibility for controlling the configuration and method of operation of the directory service must only be assigned to reliable and trustworthy persons. This group of people must be familiar with the currently valid security policies of the organisation and must demonstrate their willingness to strictly enforce them.
The access rights of the service administrators should be limited to the absolute minimum required to perform their tasks and should only be used when performing tasks requiring more rights than a normal user. In order to ensure the corresponding users actually require service administrator rights, the need for such rights should be examined at regular intervals and adapted accordingly when necessary. The number of administrator accounts in each group of administrators also needs to be kept at the minimum necessary. It is absolutely necessary to use sufficiently strong passwords for the accounts in each of the groups of administrators. Consideration should be given to using procedures for strong authentication such as the use of smart cards to log in to the operating system.
Guaranteeing the currency of basic information
The term "basic information" collectively refers to the most important configuration parameters of the Active Directory. The basic information should cover the following at a minimum:
- audit policies
- group policy objects and their assignments
- existing trust relationships
- organisational unit of the domain controllers and service administrators
- person assuming the role of operations master
- replication topology
- database properties
- service packs and hotfixes installed on the domain controllers and administrator workstations and their current system status
- backup media currently available
- examination of the backup media
- examination of the service administrator authorisations currently needed
The documentation of the basic information makes it possible to track down and examine the changes made to the Active Directory. The basic information of all domain controllers should be stored together in a database. This database additionally offers an overview of the components currently used. The responsibilities for maintaining the basic information must be clarified.
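The following PowerShell script is an added example and is not part of this safeguard or of any BSI tooling. It collects the basic information listed above (operations master role holders, trust relationships, group policy objects and their links, the organisational unit of each domain controller, the replication topology, installed hotfixes and the effective audit policy per domain controller) together with the current membership of the service administrator groups, stores the snapshot as a dated JSON file, and reports any difference from the previous snapshot. This serves both the review of service administrator rights from the section above and the tracking of changes to the basic information. It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to the forest and remote access (WMI and WinRM) to the domain controllers; the storage path and the group list are assumptions.

```powershell
# Added example (not part of the BSI catalogue): snapshot the "basic information"
# of an Active Directory and compare it with the previous snapshot.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to the
# forest and WMI/WinRM access to each domain controller. $SnapshotDir and
# $AdminGroups are assumed values.
#Requires -Modules ActiveDirectory, GroupPolicy
param(
    [string]$SnapshotDir = "C:\ADBaseline",
    [string[]]$AdminGroups = @("Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators")
)

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

$baseline = [ordered]@{
    Timestamp = (Get-Date).ToString("o")
    # person/host assuming each operations master (FSMO) role
    OperationsMasters = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # existing trust relationships
    Trusts = @(Get-ADTrust -Filter * | ForEach-Object {
        [ordered]@{ Name = $_.Name; Direction = "$($_.Direction)"; ForestTransitive = $_.ForestTransitive }
    })
    # group policy objects and the containers they are linked to (from the XML report)
    GroupPolicies = @(Get-GPO -All | ForEach-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        [ordered]@{
            Name     = $_.DisplayName
            Id       = "$($_.Id)"
            Modified = $_.ModificationTime.ToString("o")
            LinksTo  = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        }
    })
    # organisational unit (distinguished name) and site of every domain controller
    DomainControllers = @($dcs | ForEach-Object {
        [ordered]@{ Name = $_.HostName; Site = $_.Site; ComputerDN = $_.ComputerObjectDN }
    })
    # replication topology: configured replication connections
    Replication = @(Get-ADReplicationConnection -Filter * | ForEach-Object {
        [ordered]@{ From = $_.ReplicateFromDirectoryServer; To = $_.ReplicateToDirectoryServer }
    })
    # installed hotfixes and effective audit policy per domain controller
    PatchAndAudit = @($dcs | ForEach-Object {
        $name = $_.HostName
        [ordered]@{
            Host     = $name
            Hotfixes = @(Get-HotFix -ComputerName $name | Sort-Object HotFixID |
                         Select-Object -ExpandProperty HotFixID)
            # auditpol has no cmdlet equivalent; capture its CSV output remotely
            AuditPolicy = @(Invoke-Command -ComputerName $name -ScriptBlock { auditpol /get /category:* /r })
        }
    })
    # recursive membership of the service administrator groups
    AdminGroupMembers = [ordered]@{}
}
foreach ($g in $AdminGroups) {
    $baseline.AdminGroupMembers[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
        Sort-Object SamAccountName | Select-Object -ExpandProperty SamAccountName)
}

# Persist this snapshot as a dated file
$file = Join-Path $SnapshotDir ("baseline-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
ConvertTo-Json -InputObject $baseline -Depth 6 | Set-Content -Path $file -Encoding UTF8

# Compare with the most recent previous snapshot, if one exists
$previous = Get-ChildItem $SnapshotDir -Filter "baseline-*.json" |
    Where-Object { $_.FullName -ne $file } | Sort-Object LastWriteTime | Select-Object -Last 1
if ($previous) {
    $old = Get-Content $previous.FullName -Raw | ConvertFrom-Json
    foreach ($g in $AdminGroups) {
        $oldMembers = @($old.AdminGroupMembers.$g | Where-Object { $_ })
        $newMembers = @($baseline.AdminGroupMembers[$g] | Where-Object { $_ })
        foreach ($d in (Compare-Object $oldMembers $newMembers)) {
            $verb = if ($d.SideIndicator -eq "=>") { "ADDED TO" } else { "REMOVED FROM" }
            Write-Warning "$($d.InputObject) $verb '$g' since $($previous.Name)"
        }
    }
    # every other section is compared as serialised JSON; the timestamp is excluded
    foreach ($key in ($baseline.Keys | Where-Object { $_ -notin "Timestamp", "AdminGroupMembers" })) {
        $a = ConvertTo-Json -InputObject $old.$key -Depth 6 -Compress
        $b = ConvertTo-Json -InputObject $baseline[$key] -Depth 6 -Compress
        if ($a -ne $b) { Write-Warning "Section '$key' changed since $($previous.Name); review $file" }
    }
}
```

Run the script from an administrator workstation on a fixed schedule (for example as a scheduled task) so that each run produces the next snapshot; the warnings it emits are the input for the regular review of service administrator rights and for tracing changes to the basic information. The JSON files can be loaded into whatever database the organisation uses for the basic information; the script deliberately does not depend on a particular one.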
Review questions:
- Are hotfixes and service packs installed regularly on the domain controller?
- Are the effects of the hotfixes and service packs on the domain controller tested in advance in a test environment?
- Do the service administrators on the domain controller only possess the required rights?
- Are the rights of the service administrators verified at regular intervals?
- Are all necessary parameters of the Active Directory kept up to date and documented comprehensibly as basic information?