Microsoft introduced Active Directory (AD) as part of Windows Server 2000 to provide a secure way for organizations to store, protect, and control access to sensitive information. A couple of years later, in response to some shady practices during the dot-com boom, the U.S. government enacted the Sarbanes-Oxley Act (SOX) to improve corporate financial disclosures and protect investors from fraudulent accounting activities by corporations. Because Active Directory is the largest and most deployed directory service in the world, used by 90% of Fortune 1000 companies and an estimated 95% or more of all corporate networks, it might seem as though Active Directory is the ideal solution for ensuring SOX compliance (or compliance with any number of other regulatory authorities, for that matter), but is that really the case?
It could be … if used appropriately. But with more than 3,500 manageable security policy settings in the Windows Server 2012 and Windows 8 versions of Active Directory, how do you know which controls make sense for your organization?
Management Assessment of Internal Controls
SOX section 404 requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. Unfortunately, SOX doesn’t offer any definitive rules or checklists regarding the types of controls companies should have in place to achieve this level of protection, which can make complying with SOX challenging.
What happens when you lock a wild hyena in a room with an internal auditor? The hyena stops laughing.
Did you hear the joke about the interesting internal auditor? No, me neither.
Okay, enough auditor jokes. We have all worked with these treasure troves of laughter and lived to see another audit.
Fundamentally, whether an organization is in compliance with Sarbanes-Oxley comes down to one auditor’s assessment of an organization’s ability to restrict or monitor who has access to resources that manage financial data and changes in the IT environment. Although companies should define and implement most controls well before an audit, they cannot predict exactly what the auditor will look at. Thus, most of a company’s insight comes after an audit by reviewing the auditor’s SOX report.
Still, a company can glean some general guidelines from the common types of data that many SOX reports say companies should control.
What Controls Are Available in Active Directory?
The following types of data are those that various SOX reports have mandated companies to control:
- Domain structure
- Domain accounts policy
- Domain controller policy setting
- Group policy objects
- Registry key values
- User accounts defined in domain
- Domain local groups and their members
- Domain global groups and their members
- Domain universal groups and their members
- Passwords “n” days and older
- Invalid login attempts greater than “n”
- Accounts with expired dates
- Disabled accounts
- Locked-out accounts
- Rights and privileges
- Trusted and trusting domains
- Servers and workstations
- Domain controllers in the domain
- Services and drivers on the machine
- Logical drives
- Network shares
That’s a lot of data. How do you know which of these your company should focus on to ensure that its data is adequately protected and that it will survive a SOX audit?
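Several account-level items in the list above (passwords “n” days and older, invalid login attempts greater than “n”, expired, disabled, and locked-out accounts) can be checked mechanically. The following is an added example, not part of the original article: the function name `Get-AccountFinding`, the threshold defaults, and the sample accounts are assumptions, and the property names match those returned by `Get-ADUser` from the ActiveDirectory module.

```powershell
# Added example: flags accounts that match the account-level items in the list.
# Get-AccountFinding, its thresholds and the sample data are hypothetical.
function Get-AccountFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int] $MaxPasswordAgeDays = 90,   # assumed "n" for password age
        [int] $MaxBadLogons = 5,          # assumed "n" for invalid login attempts
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $findings = @()
        if (-not $Account.Enabled) { $findings += 'Disabled' }
        if ($Account.LockedOut)    { $findings += 'LockedOut' }
        if ($null -eq $Account.PasswordLastSet) {
            # Null means the password was never set or must change at next logon
            $findings += 'PasswordNotSet'
        } elseif (($AsOf - $Account.PasswordLastSet).TotalDays -ge $MaxPasswordAgeDays) {
            $findings += 'PasswordTooOld'
        }
        if ($Account.BadLogonCount -gt $MaxBadLogons) { $findings += 'ExcessiveBadLogons' }
        if ($null -ne $Account.AccountExpirationDate -and
            $Account.AccountExpirationDate -lt $AsOf) {
            $findings += 'AccountExpired'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                Findings       = $findings -join ','
            }
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $true; LockedOut = $false
        PasswordLastSet = [datetime]'2024-05-01'; BadLogonCount = 0; AccountExpirationDate = $null }
    [pscustomobject]@{ SamAccountName = 'svc-ledger'; Enabled = $true; LockedOut = $false
        PasswordLastSet = [datetime]'2022-01-15'; BadLogonCount = 0; AccountExpirationDate = $null }
    [pscustomobject]@{ SamAccountName = 'contractor1'; Enabled = $false; LockedOut = $true
        PasswordLastSet = $null; BadLogonCount = 9; AccountExpirationDate = [datetime]'2024-03-31' }
)
$sample | Get-AccountFinding -AsOf $asOf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties Enabled,LockedOut,PasswordLastSet,BadLogonCount,AccountExpirationDate |
#     Get-AccountFinding | Export-Csv .\account-findings.csv -NoTypeInformation
```

`BadLogonCount` is not replicated between domain controllers, so a domain-wide figure requires querying each domain controller separately.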
Which Active Directory Controls Apply to Your Company?
Use the following criteria and related questions to determine which controls make the most sense for your company:
- Confidentiality: Do you leverage encryption technologies? Deploy certificate services? Ensure a complex password policy? Maintain legacy authentication mechanisms for applications, such as NTLM? Do you trust foreign entities that you have not evaluated in, say, three months?
- Integrity: Is your data online, and is it replicating well? Who is writing to it? Who can steal it? Is Active Directory healthy? How do you do a health check on Active Directory? Who can delete audit logs? How many elevated provider accounts do you have?
- Availability: SOX requires that authorized individuals have access to financial data. How quickly can you recover such data? Do you have a proven forest or domain recovery process? If so, is it documented, and do you test it quarterly?
- Access Control: Administrators can control user access to shared resources for security purposes. In Active Directory, access control is administered at the object level by setting different levels of access, or permissions (i.e., Full Control, Write, Read, No Access), on objects. These levels apply to different users, determining how they can interact with Active Directory objects. By default, permissions on objects in Active Directory are set to the most secure setting. If your company has used Active Directory for much of the 15+ years it’s been available, it no doubt has undergone significant changes in personnel, responsibilities, and so on. When is the last time you reviewed your access controls?
- Auditing and Logging: Two critical features of IT controls are the auditing and logging of events in systems that process sensitive data. It is important to make sure that your system logs relevant activities, such as shutdowns, restarts, or unusual events. What do you do with your logs: Overwrite them? Centralize them? And how long do you keep them?
- Change Management: Change management is a critical part of Sarbanes-Oxley because the act specifically requires companies to notify the SEC of any material changes to the process that governs the flow of financial data. (How strictly that requirement is enforced is unclear.) If you don’t have a definitive change management process, how can you ensure your compliance with this aspect of SOX? How can you ensure ongoing Active Directory availability, confidentiality, integrity, and auditing?
The Bottom Line in Compliance
You—not regulators, not auditors—control your company’s exposure. By implementing proper controls in Active Directory, you reduce your exposure both now and into the future.
Although SOX doesn’t come with a compliance checklist, you can refer to other sources for assistance. For example, pull out your previous audits, especially the noncompliance reports. Auditors don’t provide remediation lists, but they do provide insight into what they are looking for. Their feedback and reports will prove helpful as you devise a strategy for your next audit.
As you implement strategic and tactical controls, consider how you can ensure that these controls and related processes become permanent fixtures in your organization. There is little value in implementing new controls without also building in processes and procedures to ensure that your organization maintains and adapts those controls over time. You want to pass your audit, of course, but you also need to implement a system that meets or exceeds your organization’s future protection needs.