Active Directory Delegation FAQ - The Why

Active Directory is the foundation of identity and access management and the focal point of administrative delegation in a Microsoft Windows Server based IT infrastructure.

It stores and protects all organizational user accounts (and their passwords), all security groups (and their memberships) used to provision access across the organization, and all security policies that protect all organizational computers etc.

A security compromise of an organization's Active Directory deployment could thus undermine the security of the entire Microsoft Windows Server based IT infrastructure, making all organizational user accounts, groups, computers and assets completely vulnerable to instant compromise.

In light of the above, Active Directory security must be a top IT security priority, and in particular, knowing who is delegated what access in Active Directory must be amongst the top business and IT security priorities.

Domain Admins (and Enterprise Admins) have complete administrative control over your Active Directory, and thus effectively have complete and authoritative control over your entire Microsoft Windows Server based IT infrastructure.

Such broad administrative powers should only be held by a few highly trusted and proficient individuals, because it takes only ONE security incident involving the accidental, inadvertent, intentional, coerced or acquired misuse of administrative authority to instantly jeopardize the security afforded to your entire IT infrastructure.

Organizations are thus advised to immediately review and minimize the number of Domain Admins in their IT infrastructures. The failure to do so greatly increases risk to the entire IT infrastructure and thus to business itself.

As a security best practice, organziations should develop and implement a simple yet effective administrative delegation strategy, wherein responsibilities for most of the common administrative tasks are delegated out, and responsibilities for only the most vital of directory service management functions are assigned to the Domain Admins. In this manner, organizations can effectively yet signficantly reduce the number of Domain Admins.

The need to verify delegated administrative grants every time a delegation is made in Active Directory is essential to maintaining security because without reliable verification there is no assurance of the fact that delegated authority was in fact delegated securely.

A secure delegation is one in which there is reliable assurance that administrative authority was only delegated to intended IT personnel and that these delegated personnel can only perform the administrative tasks that were meant to be delegated to them, and none other, and only in the intended scope of the delegation.

It is important to periodically audit delegations in Active Directory because it is in Active Directory that vastly powerful security grants for identity and access management are delegated to large numbers of IT personnel, all to varying levels, in different parts of Active Directory, and by different individuals.

As business needs change dynamically, so do administrative delegations, and as a result, given frequent changes, the lack of a single point of control, inadequate assessment capabilities and the sheer size of Active Directory deployments, organizations have no idea as to who really has what access in their Active Directory.

Consequently, even in short periods of time, there can come to exist large numbers of unauthorized (from a business policy perspective) administrative grants, which left as is, would pose a serious security risk to organizational security.

Periodic Active Directory security audits can help organizations identify and eliminate any unauthorized delegation grants in their Active Directory in a timely fashion and prevent them from becoming a risk to organizational security.