Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security




Top-10 Active Directory Administrative Delegation Questions



The Top-10 frequently asked questions on delegation of administration in Active Directory


  1. What is delegation of administration?

  2. What is Active Directory's role in delegating administration in Windows?

  3. What are the three essential requirements for delegation of administration?

  4. What are the challenges in delegating administration in Active Directory today?

  5. What is the difference between native delegation and proxy based delegation?



  6. What are the advantages and disadvantages of natively delegating administration?

  7. What are the advantages and disadvantages of proxy based delegation solutions?

  8. Why is it important to assess delegated grants in Active Directory on a daily basis?

  9. Why is it easy to delegate administrative access but hard to accurately assess who is delegated what access?

  10. Are there any tools available to automate the accurate assessment of administrative delegations in Active Directory?





  1. What is delegation of administration?

    Delegation of administration is the act of distributing administrative responsibilities for the various aspects of IT management amongst an adequate number of administrators, each of whom is granted only the authority needed for their share.

    The IT infrastructure of a typical medium-sized or large organization comprises thousands of IT assets such as user accounts, computers, files and databases, applications and vital services (name resolution, service location, email and instant messaging, remote access, etc.), each of which needs to be adequately administered. In such IT infrastructures, it is not possible for a handful of administrators to adequately administer all aspects of the IT infrastructure.

    Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together comprise the IT infrastructure are distributed (or delegated) amongst an adequate (and typically larger) number of (usually less-privileged) administrators, who are then individually or collectively responsible for managing smaller specific portions of the IT infrastructure.

    The act of provisioning sufficient access so as to grant a delegated administrator the ability to carry out designated responsibilities is commonly referred to as administrative delegation.




  2. What is Active Directory's role in delegating administration in Windows?

    Active Directory is the foundation of identity and access management in a Windows Server based IT infrastructure, because the vital components of that infrastructure are stored, protected and managed in Active Directory –

    1. User Accounts - used to identify and authenticate users and to allow authorized and auditable access.

    2. Computer Accounts - represent the domain-joined computers on which users create, store and collaborate on their work.

    3. Security Groups - used to provision and facilitate authorized access to information assets.

    4. Group Policies - used to configure, control and protect organizational computers.

    5. Domain Policies - such as the password and account lockout policy, used to protect vital user accounts and passwords.

    These components are all stored in Active Directory and protected by its security model, and responsibilities for all aspects of IT management related to them (managing user accounts, security groups, organizational computers and their security policies, helpdesk operations, etc.) are delegated in Active Directory.




  3. What are the three essential requirements for delegation of administration?

    Delegation of administration involves the transfer of administrative authority, usually to a large number of (lesser privileged) administrators. While organizations can gain significantly from it by making IT management more efficient and economical, it is essential to ensure that in doing so, organizations do not weaken their security posture.

    To ensure that organizational security posture is not weakened in the process, organizations must ensure that their approach to delegation involves the fulfillment of three essential requirements –

    1. Precise delegation and undelegation - Organizations must be able to delegate and undelegate administrative authority precisely, ensuring that authority is only granted to or revoked from intended administrative personnel.

    2. Accurate assessment and verification - Organizations must be able to assess and verify delegated grants in a precise fashion, on demand, and with zero tolerance for error, because a single unintended (and thus unauthorized) delegation grant could seriously endanger enterprise security.

    3. Avoidance of single point of failure - Organizations must ensure that the mechanisms or solutions used to delegate and undelegate administrative authority do not have single points of failure, and that they are at least as highly secure, reliable and available as is their Active Directory, so as not to introduce any weaker link.




  4. What are the challenges in delegating administration in Active Directory today?

    Active Directory is an enterprise-grade, highly securable and highly available directory service that offers fine-grained capabilities for delegating administration in Windows. Built with security, fault tolerance and administrative delegation in mind, it allows organizations to delegate and undelegate administrative authority with a high degree of precision.

    Organizations worldwide use Active Directory today to delegate administrative authority in their IT infrastructures.

    The principal challenge in delegating administration in Active Directory is that it does not provide the means to accurately assess and verify delegation grants, i.e. to determine who effectively holds what administrative access. That capability is essential to security, because organizations have to be able to verify that their delegation grants are what they intend.

    Because organizations are unable to accurately assess delegation grants, they are unable to ensure that administrative authority is delegated only to intended recipients. They are also unable to accurately undelegate administrative grants that may no longer be needed, thus leaving exploitable security gaps in their IT management.

    Today, organizations have to invest significant time and effort in manual attempts to determine who is delegated what administrative access in their Active Directory deployments.




  5. What is the difference between native delegation and proxy based delegation?

    Native delegation refers to the use of Active Directory's own (thus native) security and delegation capabilities, i.e. the access control lists (ACLs) on directory objects, for administrative delegation; delegations are made directly on the IT assets in Active Directory.

    Proxy based delegation refers to the use of third-party delegation solutions that implement and manage delegation internally and make the necessary changes on the corresponding IT assets in Active Directory on behalf of delegated administrative personnel, in effect proxying delegation as a middle-man, so that delegated administrators act through the proxy rather than directly on Active Directory.




  6. What are the advantages and disadvantages of natively delegating administration?

    The vast majority of organizations worldwide use native delegation to distribute IT management today.

    Native delegation offers numerous advantages as follows –

    1. Fine-grained delegation – Organizations can delegate and undelegate administrative responsibilities with a high degree of precision across an entire Active Directory domain by modifying only a few ACLs, because an inheritable access control entry (ACE) set on an organizational unit applies to every matching object beneath it.

    2. Dependable stability and security – Organizations have the assurance that with Active Directory at the foundation of their delegation infrastructure, they can confidently rely upon its stability, security and availability.

    3. Well documented and supported capability – Organizations can take comfort in the fact that there exists a wealth of knowledge, prescriptive guidance, experienced talent and professional support on native delegation.

    4. Choice of implementing roles-based delegation – With a little in-house effort, most organizations can quickly and successfully architect and implement a highly customizable roles-based administrative delegation model.

    5. No additional cost of ownership or maintenance – Because native delegations are done in Active Directory, there is virtually no additional time, cost or effort incurred to securely manage administrative delegation.

    6. Automatic availability to audit delegation grants – Organizations can leverage the inbuilt auditing capabilities of Active Directory to easily audit and archive the grant and revocation of administrative responsibilities.

    7. No single point of failure – Most importantly, because native delegation relies on Active Directory itself, any writable domain controller (DC) in the domain can be used to manage delegations at any time, so there is no single point of failure.

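    As an added example (not code from ActiveDirSec.com, Gold Finger or Microsoft), the PowerShell below performs one native delegation grant of the kind described above: a single ACE that names a principal, a permission and a scope, which it then revokes exactly, and a check that lists what the principal actually holds on the OU. It assumes the RSAT ActiveDirectory module and its AD: drive; the OU distinguished name and the group name are made-up values, while the two GUIDs are the well-known identifiers of the Reset Password control access right and of the user object class.

```powershell
# Added example, not code from ActiveDirSec.com, Gold Finger or Microsoft.
# Assumes the RSAT ActiveDirectory module (AD: drive); OU DN and group name are made-up values.
Import-Module ActiveDirectory

# Well-known GUIDs; confirm under CN=Extended-Rights and the schema partition of your forest if in doubt.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # rightsGuid of "Reset Password"
$UserClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class

function New-ResetPasswordAce {
    # Principal + permission + scope, i.e. the three parts of one delegation grant, as a single ACE.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,                                                        # only this control access right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, # inherit to objects below the OU...
        $UserClassGuid)                                                             # ...but only to user objects
}

function Grant-ResetPasswordDelegation {
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-ResetPasswordAce -Sid $sid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Revoke-ResetPasswordDelegation {
    # Removes exactly the ACE above; any other ACE for the same group on the OU is left untouched.
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.RemoveAccessRuleSpecific((New-ResetPasswordAce -Sid $sid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-DelegationAces {
    # Explicit (non-inherited) ACEs on the OU for one principal: the check that a grant or revocation took effect.
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Usage with the made-up values:
Grant-ResetPasswordDelegation -OuDn 'OU=Staff,DC=corp,DC=example' -GroupSam 'HelpDesk-PwReset'
Get-DelegationAces            -OuDn 'OU=Staff,DC=corp,DC=example' -GroupSam 'HelpDesk-PwReset'
# Revoke-ResetPasswordDelegation -OuDn 'OU=Staff,DC=corp,DC=example' -GroupSam 'HelpDesk-PwReset'
```

    Because the ACE is inheritable to descendant user objects only, this one change on the OU takes effect on every user account beneath it and on nothing else; that is what makes native delegation precise, and it is also why a single ACE can silently alter the access of thousands of objects. Note that Get-DelegationAces shows only what this group is granted directly on this OU; it says nothing about what the group's members obtain through other groups or other objects, which is the assessment problem the rest of this page is about.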

    Relative to its advantages, native delegation has rather few disadvantages –

    1. Inability to assess and verify delegation grants – Active Directory does not offer the ability to accurately assess and verify delegated grants, so organizations cannot be sure that they have delegated, or undelegated, administrative authority only as intended.

    2. Unavailability of sophisticated workflows – Active Directory does not offer sophisticated workflows that may be needed by some organizations to simplify the delegation and undelegation of administrative grants.

    The availability of accurate delegation assessment and verification capabilities minimizes the disadvantages of native delegation and allows organizations to securely, reliably and economically delegate IT management tasks today.




  7. What are the advantages and disadvantages of proxy based delegation solutions?

    Proxy based delegation solutions from the ISV community offer organizations that require enhanced workflows around administrative delegation the option of procuring and deploying such capabilities.

    Proxy based delegation solutions offer the following advantages –

    1. Enhanced Workflows – Organizations gain enhanced workflows that give them greater process control over the delegation of administrative responsibilities.

    2. Fine-grained Delegation – Organizations can delegate and undelegate administrative responsibilities in a highly granular fashion, although carrying out the delegated administrative tasks requires access to, and the availability of, the proxy solution at all times.

    3. Roles-based delegation – Organizations can use roles-based administrative delegation, with the caveat that the roles are restricted to the set of tasks delegated via the proxy solution and that carrying out these tasks requires the proxy to be accessible and available at all times.

    4. Basic assessment and verification capabilities – Organizations can assess and verify delegation grants made via the proxy solution, but not grants made natively in Active Directory, which remain outside the proxy's view.


    Relative to their advantages, proxy based delegation solutions have the following disadvantages –

    1. Single Point of Failure – The single biggest disadvantage of a proxy based solution is that it constitutes a single point of failure, in that, should the application incur downtime or be compromised, all delegation and management capabilities could be adversely affected.

    2. Additional Security Risk – Introducing, and depending upon, an external solution for delegating IT management adds security risk: the third-party solution's own security may be inadequate, and relying on it for a vital function (IT management) may expose the organization to a higher level of risk.

      Worthy of additional mention (and caution) are solutions that require the deployment of agents on DCs, because they significantly increase security risk: they put third-party software on the most critical machines in the organization, its DCs.

    3. Lack of Native Active Directory Security Support – Proxy solutions by their very nature are designed such that they internally manage all aspects of delegation. Consequently, while they are able to proxy delegation management, they are unable to extend their capabilities to the direct management of native Active Directory security ACLs, requiring organizations to acquire and use other native Active Directory ACL management tools.

    4. Additional Cost, Infrastructure and Overhead – Unlike Active Directory based native delegation which depends only on Active Directory, proxy based solutions are usually expensive, require the introduction of additional servers and infrastructure, necessitate dedicated 24-7 availability, and need to be managed as well, thus significantly increasing the total cost of ownership and deployment, and thus of IT management.

    In general, the availability of accurate delegation assessment and verification capabilities makes native delegation a desirable choice since it allows organizations to securely, reliably and economically delegate IT management tasks.




  8. Why is it important to assess delegated grants in Active Directory on a daily basis?

    Active Directory is the foundation of identity and access management in a Windows Server based IT infrastructure, and virtually every aspect of IT management and security is tied to Active Directory, and in particular to the security access control lists (ACLs) of Active Directory objects.

    In addition, numerous administrative personnel with varying levels of administrative access have the authority required to modify permissions granted on thousands of objects stored in and protected by Active Directory, whether it be for delegating administration, or facilitating access via security groups, or providing helpdesk support.

    The widespread impact that even a small change can have in Active Directory is worthy of note. For example, due to the inheritance of permissions in Active Directory, a single change made on a single object, has the potential to instantly and silently impact the security of thousands of objects.

    Similarly, a simple change to the membership of an Active Directory group has the potential to instantly grant or revoke access to thousands of individuals on thousands of Active Directory objects and other IT assets stored on computers joined to the Active Directory.

    Thus, during the course of any day, the permissions granted in Active Directory and the membership of its security groups invariably change, which changes the resultant access that is authorized and consequently the effective delegation grants. This holds even when a proxy based solution is deployed, since changes can still be made natively outside the proxy.

    That is why it is very important to assess delegated grants in an Active Directory deployment on a daily basis.

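    One way to act on this, as an added example that is not part of the original page and is not Gold Finger's or Microsoft's code: the PowerShell below captures, once a day, the explicit ACEs on every object under an OU together with the expanded membership of every group that holds one of those ACEs, and reports what was added or removed since the previous snapshot. It assumes the RSAT ActiveDirectory module; the OU and the snapshot folder are made-up values. It records grants and memberships as they appear in the directory and does not compute resultant access, so it detects change rather than proving that the resulting access is correct.

```powershell
# Added example, not code from ActiveDirSec.com, Gold Finger or Microsoft.
# Assumes the RSAT ActiveDirectory module; OU DN and snapshot folder are made-up values.
Import-Module ActiveDirectory

function Export-DelegationSnapshot {
    param([string]$SearchBase, [string]$Path)
    # Explicit ACEs on every object under the OU. Inherited ACEs are omitted because they are
    # only the consequence of an explicit grant higher up, which the snapshot already records.
    $aces = foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter *) {
        $dn  = $obj.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            [pscustomobject]@{
                Kind      = 'ACE'
                Subject   = $dn
                Principal = $ace.IdentityReference.Value
                Detail    = '{0}|{1}|{2}|{3}|{4}' -f $ace.AccessControlType, $ace.ActiveDirectoryRights,
                                                     $ace.ObjectType, $ace.InheritedObjectType, $ace.InheritanceType
            }
        }
    }
    # A grant to a group is only as narrow as the group's membership, so record that as well.
    $principals = $aces | Select-Object -ExpandProperty Principal -Unique
    $members = foreach ($sid in $principals) {
        # Users, computers and well-known SIDs such as S-1-5-11 are not groups; skip them.
        try { $grp = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { continue }
        foreach ($m in Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Kind = 'MEMBER'; Subject = $grp.SID.Value; Principal = $m.SID.Value; Detail = $m.objectClass }
        }
    }
    @($aces) + @($members) | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-DelegationSnapshot {
    # Reports every ACE or membership entry that appeared or disappeared between two snapshots.
    param([string]$Previous, [string]$Current)
    $key = { '{0}|{1}|{2}|{3}' -f $_.Kind, $_.Subject, $_.Principal, $_.Detail }
    $old = [System.Collections.Generic.HashSet[string]]::new([string[]]@(Import-Csv -Path $Previous | ForEach-Object $key))
    $new = [System.Collections.Generic.HashSet[string]]::new([string[]]@(Import-Csv -Path $Current  | ForEach-Object $key))
    foreach ($k in $new) { if (-not $old.Contains($k)) { [pscustomobject]@{ Change = 'ADDED';   Entry = $k } } }
    foreach ($k in $old) { if (-not $new.Contains($k)) { [pscustomobject]@{ Change = 'REMOVED'; Entry = $k } } }
}

# Usage, run once a day (for example from a scheduled task):
$today     = Get-Date -Format 'yyyy-MM-dd'
$yesterday = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
Export-DelegationSnapshot  -SearchBase 'OU=Staff,DC=corp,DC=example' -Path "C:\ADSnapshots\$today.csv"
Compare-DelegationSnapshot -Previous "C:\ADSnapshots\$yesterday.csv" -Current "C:\ADSnapshots\$today.csv"
```

    An ADDED row whose Kind is ACE is a new grant made directly on an object under the OU; an ADDED row whose Kind is MEMBER means that an existing grant now reaches one more principal without any ACL having changed, which is the group-membership case described above. Both kinds deserve the same review.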



  9. Why is it easy to delegate administrative access but hard to accurately assess who is delegated what access?

    The act of delegating an administrative task in Active Directory involves granting a specific permission or set of permissions to a specific user or set of users on a specific object or set of objects.

    Each of the three components involved, i.e. the permissions, the security principals and the scope, can be specified in a single access grant and represented by a single access control entry (ACE) in an object's access control list (ACL).

    The act of accurately assessing who is delegated what access however, involves assessing the resultant set of multiple permissions, granted to multiple users on multiple objects, in a manner consistent with how the system performs a real Windows access check.

    The determination of resultant access in Active Directory is a highly complicated process governed by multiple security rules, including but not limited to object visibility modes, the precedence order of ACEs (explicit before inherited, and Deny before Allow within each), conflicting permissions, nested security group memberships, etc.

    In essence, the act of accurately assessing who is delegated what access involves, amongst other things, the determination of resultant access in Active Directory, which is significantly more complicated than is the act of delegating administrative authority.

    That is why it is easy to delegate access but very hard to accurately assess who is delegated what access.
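    To make the gap concrete, here is an added example (not from the original page, Gold Finger or Microsoft) of a deliberately simplified resultant-access check in PowerShell for a single control access right on a single object. It builds the user's token from nested group memberships, the primary group and the well-known Everyone and Authenticated Users SIDs, then walks the object's ACEs in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) until one decides the outcome. It ignores owner rights, AdminSDHolder protection, List Object visibility mode and SID history, each of which the real Windows access check must also handle, so it shows the shape of the problem rather than solving it. It assumes the RSAT ActiveDirectory module; the user, OU and object names are made-up values, and the GUID is the well-known Reset Password right.

```powershell
# Added example, not code from ActiveDirSec.com, Gold Finger or Microsoft. Simplified on purpose:
# no owner rights, AdminSDHolder, List Object mode or SID history. Names below are made-up values.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing backslashes or parentheses cannot break the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-TokenSids {
    # The SIDs a domain user would carry in a security token, as far as LDAP can tell us.
    param([string]$UserSam)
    $user      = Get-ADUser -Identity $UserSam -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids = [System.Collections.Generic.List[string]]::new()
    $sids.Add($user.SID.Value)
    $sids.Add("$domainSid-$($user.primaryGroupID)")   # primary group is not in any 'member' attribute
    $sids.Add('S-1-1-0')                              # Everyone
    $sids.Add('S-1-5-11')                             # Authenticated Users
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested group membership server-side
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object { $sids.Add($_.SID.Value) }
    return $sids.ToArray()
}

function Test-ResultantRight {
    param([string]$UserSam, [string]$TargetDn, [Guid]$RightGuid)
    $token = @(Get-TokenSids -UserSam $UserSam)
    $rules = (Get-Acl -Path "AD:\$TargetDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ctrlBit     = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight  # this bit is also part of GenericAll
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. For one right, the first match decides.
    $ordered = $rules | Sort-Object @{ Expression = { $_.IsInherited } }, @{ Expression = { $_.AccessControlType -eq 'Allow' } }
    foreach ($ace in $ordered) {
        if ($token -notcontains $ace.IdentityReference.Value)                        { continue }  # not in the token
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0)                   { continue }  # applies only below this object
        if (([int]$ace.ActiveDirectoryRights -band $ctrlBit) -eq 0)                  { continue }  # carries no control access right
        if ($ace.ObjectType -ne [Guid]::Empty -and $ace.ObjectType -ne $RightGuid)   { continue }  # names a different right
        $note = if ($ace.ObjectType -eq [Guid]::Empty) { 'ACE covers all extended rights' } else { 'ACE names this right' }
        return [pscustomobject]@{ Result = $ace.AccessControlType; DecidedBy = $ace.IdentityReference.Value
                                  Inherited = $ace.IsInherited; Note = $note }
    }
    [pscustomobject]@{ Result = 'Deny'; DecidedBy = $null; Inherited = $null; Note = 'no matching ACE (implicit deny)' }
}

# Usage with the made-up values: does this helpdesk user actually hold Reset Password on this account?
Test-ResultantRight -UserSam 'jdoe' -TargetDn 'CN=Alice Smith,OU=Staff,DC=corp,DC=example' `
                    -RightGuid '00299570-246d-11d0-a768-00aa006e0529'
```

    Run against a grant like the one made on an OU earlier on this page, the answer can still be Deny: if jdoe also belongs, perhaps several nestings deep, to a group that carries an explicit Deny for the same right on the account, that Deny is evaluated before the inherited Allow and wins. Reading the helpdesk group's ACE on the OU alone would have said the opposite, which is the point of this question.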




  10. Are there any tools available to automate the accurate assessment of administrative delegations in Active Directory?

    Yes, Paramount Defenses Inc, a valued Microsoft partner, offers an automated solution, called Gold Finger, that can help organizations easily determine who is delegated what access in Active Directory.

    The solution is architected by former Microsoft Program Manager for Active Directory security (who also authored Microsoft's official whitepaper on administrative delegation in Windows), and it is endorsed by Microsoft Corporation.

    More information can be found at http://www.paramountdefenses.com/goldfinger.html.




Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved.