Intelligent CIO Middle East Issue 07 | Page 90

FINAL WORD
THE MOST COMPLEX CONCEPT WITH REPORTING ON GROUPS IS TO GET THE RECURSIVE GROUP MEMBERS, I.E., THE USERS WHO ARE LOCATED IN NESTED GROUPS OF THE MAIN GROUP AND WHO NEED TO BE REPORTED AS WELL. THERE ARE PLENTY OF REPORTING TOOLS THAT CAN GET GROUP MEMBERSHIP RECURSIVELY, THOUGH. POWERSHELL BY MICROSOFT AND ADMANAGER PLUS BY MANAGEENGINE ARE TWO OPTIONS

There are many ways to grant privileges in a Windows environment. Granting privileges is rather easy. Reporting and analysing the current privileged access, however, can be a bit harder as there is no centralised location that shows an administrator or auditor the current privileged access. Understanding the different technologies and features that grant privileged access is the first step. Then, for each area where privileges can be granted, there are five steps that should be taken to ensure ongoing privileged access security. Those steps include:

Reporting on the current settings;
Analysing the settings to understand who has privileged access;
Configuring the correct privileged access;
Monitoring for changes to privileged access;
Alerting, in real time, for key privileged access changes.

The technologies and features in a Windows environment that grant privileged access include:
Group membership
User rights
Delegation
Access control lists or permissions
Group membership
Depending on how the group is configured in the environment, it can have the highest level of privileges or just a few privileges. For example, the Domain Admins group has nearly the highest level of privileges in the entire Active Directory domain. Just adding a user to this group grants this level of privilege. However, the most complex concept with reporting on groups is to get the recursive group members, i.e., the users who are located in nested groups of the main group and who need to be reported as well.
There are plenty of reporting tools that can get group membership recursively, though. PowerShell by Microsoft and ADManager Plus by ManageEngine are two options.

User rights
User rights control global access over different aspects of a domain controller, server, or workstation. User rights are configured using Group Policy, giving granular control of each computer individually. Therefore, each computer could have a unique set of user rights, making the reporting and configuration of these settings difficult and time consuming.
Every Windows computer comes with a built-in tool, "secpol.msc", which can report the current user rights on each computer. The tool must be run locally, but it is extremely powerful and gives precise configurations. Since each user right provides some level of privilege over the computer, each and every user right should be evaluated and configured to meet the minimum requirements for server access.

Access control lists
Controlling access to files and folders is essential for assuring the security of data within any organisation. You need to properly configure the access control lists for your key data and ensure that they only provide access to the appropriate people. The wrong privileges granted to a file or folder could severely hurt, or even destroy, a company.
Reporting on who has access to a file or folder is a monumental task, due to the volume of files and folders on a typical network. Therefore, selection of the most important data must occur, and then those selected files and folders can be the focus of the security hardening. There are many tools that can help report on data access control lists, but if you do not want to purchase a tool you

DEREK MELBER
Technical Evangelist at ManageEngine
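As an added example of the recursive group-member reporting discussed under Group membership above (this is not code from the article or from ManageEngine), the PowerShell function below walks a group's nested membership and reports each user together with the chain of groups through which the membership is inherited. It assumes the RSAT ActiveDirectory module on a domain-joined host; Get-NestedGroupMembers is a name chosen here.

```powershell
# Added example (not from the article): enumerate a group's nested membership
# and report every user with the group chain that grants the membership.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Path = @(),        # groups traversed so far (for the report)
        [hashtable] $Visited = @{}     # DNs already expanded; guards against cyclic nesting
    )
    $group = Get-ADGroup -Identity $GroupName
    # A group reached twice (cycle, or nested via two paths) is expanded only once,
    # so each user is reported via the first path found.
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true
    $chain = $Path + $group.Name

    foreach ($m in Get-ADGroupMember -Identity $group) {
        switch ($m.objectClass) {
            'group' {
                Get-NestedGroupMembers -GroupName $m.DistinguishedName -Path $chain -Visited $Visited
            }
            'user' {
                [pscustomobject]@{
                    User      = $m.SamAccountName
                    Depth     = $chain.Count - 1      # 0 = direct member of the root group
                    ViaGroups = ($chain -join ' > ')
                }
            }
            default { }   # computers, foreign security principals etc.: extend if needed
        }
    }
}

# Report direct and nested members of a privileged group, deepest (least
# visible) memberships first so an auditor reviews those before the obvious ones.
Get-NestedGroupMembers -GroupName 'Domain Admins' |
    Sort-Object Depth -Descending |
    Format-Table User, Depth, ViaGroups -AutoSize
```

Get-ADGroupMember -Recursive returns the same flattened user list, but it drops the nesting path, which is the part an auditor needs in order to explain why a given user holds the privilege.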