Active Directory should be the single source of truth for user and account management. Given how widely Windows Server is deployed, it is surprising that a significant majority of Microsoft customers do not extend their user management processes beyond the Active Directory itself.
This is a world where your employees are granted accounts on partners' or service providers' systems. However, a clear process and monitoring model that ensures those external accounts are deactivated upon employee departure (or contractor Statement-of-Work expiration) is lacking.
Most companies pass through audits where the main Active Directory account termination process gets tested and reviewed. Jane Doe (firstname.lastname@example.org) cannot log in to your VPN or web-based email a week after departure.
Usually, HR receives a resignation letter that says Jane's last day will be January 31, 2016. The VPN logon certificate gets revoked, and the Active Directory samAccountName jdoe in the GAL (Global Address List) has its logon credentials deactivated on February 1, 2016. This means the webmail access on her iPhone should stop working around that time.
However, Jane could still log on to a lot of external third-party systems with her old credentials (email@example.com). It would be great if we could establish a tool and a process that ties every external access granted to an employee or contractor to her ability to log on to the company's Active Directory.
There are many companies today, like Okta, that tie everything into Active Directory; this works for web applications that are integrated with them (where users log on with their AD credentials and password).
But what about the use-case where the partner or service provider has a website that is not Okta-enabled or refuses to invest money or effort in this direction?
A local database, together with a website that offers a window into that database, would be a good solution. Record in it every account that Jane has been granted anywhere as a result of her employment.
Hence, you would have janedoe78 (the GitHub account name for her email address firstname.lastname@example.org that she uses to access https://github.com/yourcompanyproject), her employee access to Safari Books Online, the AT&T Teleconferencing account, and possibly her whitehatsec.com Sentinel account (assuming she wears a hacker hat) all tied to her AD handle.
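The reconciliation such a database makes possible, as an added example (not code from the article or from any product it mentions): a local registry maps each AD samAccountName to the external accounts granted on that person's behalf, and a pass over an AD export flags every still-active external account whose owner is disabled in AD (the ACCOUNTDISABLE bit of userAccountControl) or no longer exists in AD at all. The registry contents and userAccountControl values are constructed for illustration.

```python
from dataclasses import dataclass, field

# userAccountControl bit that Active Directory sets when an account is disabled
ACCOUNTDISABLE = 0x0002


@dataclass
class ExternalAccount:
    system: str          # the partner or service provider, e.g. a GitHub org
    username: str        # identity on that external system
    active: bool = True  # set to False once the external admin confirms removal


@dataclass
class Person:
    sam_account_name: str
    external: list = field(default_factory=list)


# Constructed AD export: samAccountName -> userAccountControl.
# 0x0200 is NORMAL_ACCOUNT; 0x0202 is NORMAL_ACCOUNT with ACCOUNTDISABLE set.
AD_EXPORT = {
    "jdoe": 0x0202,    # Jane's AD logon was disabled after her last day
    "bsmith": 0x0200,  # still an active employee
}

# Constructed local registry of external accesses tied to AD handles
REGISTRY = {
    "jdoe": Person("jdoe", [
        ExternalAccount("github.com/yourcompanyproject", "janedoe78"),
        ExternalAccount("Safari Books Online", "jane.doe"),
        ExternalAccount("AT&T Teleconferencing", "jdoe-conf", active=False),
    ]),
    "bsmith": Person("bsmith", [
        ExternalAccount("github.com/yourcompanyproject", "bsmith"),
    ]),
}


def ad_disabled(uac: int) -> bool:
    """True if the ACCOUNTDISABLE bit is set in a userAccountControl value."""
    return bool(uac & ACCOUNTDISABLE)


def deprovisioning_worklist(registry, ad_export):
    """Return (sam, system, username) for every active external account whose
    owner is disabled in AD or missing from the export (object deleted)."""
    work = []
    for sam, person in registry.items():
        uac = ad_export.get(sam)
        if uac is not None and not ad_disabled(uac):
            continue  # AD account is enabled; nothing to revoke
        work.extend((sam, a.system, a.username) for a in person.external if a.active)
    return work
```

Run the worklist on every AD export (or on each disable event) and hand the resulting rows to the external administrators; an empty worklist is the audit evidence that external access tracks the AD account.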
My talk at BSides Seattle brings you a lot of user management stories and a demo on AD management. Join me early: 9:30 AM at Microsoft Commons, Redmond, WA.
About the Author: Sundar Krishnamurthy is a Senior Software Security Engineer at Concur Technologies, Bellevue, WA. He is on Twitter and is a SANS instructor, mentoring students for the GSEC and GCED certifications. With a long prior career as a software engineer, Sundar now tries to find some sleep in Seattle. Training developers to embrace security and think like the bad guys is what keeps the excitement high and adrenaline flowing.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.