AD Delegation Model

The Delegation Model is, above all, an implementation of Least Privileged Access, Segregation of Duties and “0 (zero) Admin”. By identifying the tasks that are executed against Active Directory, we can categorize and organize them into a set of functional groups, or roles, which can be dynamically assigned to the Semi-Privileged accounts. This reduces the exposed rights to just what is needed, and provides an easy but effective way of auditing rights. The model helps reduce running costs by increasing efficiency, and additionally increases the overall security of the directory, adhering to industry best practices.

The goal is to determine how computer management actually performs, and to design a directory that supports the effective and simple organic functioning of the company. Anyone can “transfer” the organigram of the company to Active Directory, but in many cases this will not provide any additional management benefit; even worse, it may complicate management, not to mention security or the segregation of duties and assets. Eguibar Information Technology S.L. is able to design the Active Directory based on the actual needs of the company’s computer management model. The processes necessary for daily management benefit from this, becoming more efficient, reducing maintenance costs and providing a high degree of security.

Based on the AD (Active Directory) Forest design, with the forest being the security boundary and a single domain model within the forest, the delegations (based on the Delegation Model) are done via groups within the domain, each to its corresponding container or Organizational Unit (OU), as shown in Figure 1 – Forest Security Boundary.

Figure 1 – Forest Security Boundary

Whether the model is regional, functional or hybrid, the delegation technique behind the scenes remains the same: smaller containers (e.g. Sites, or Servers grouped by type) which share the same standard configuration so they can be administered evenly, and all administrative objects (better known as privileged/semi-privileged accounts and/or groups) placed in a separate container which is kept secured and monitored.

Although we are referencing a single domain model, the concept applies as well to a multi-domain forest: each domain will be configured evenly as described, with the same split of administration objects. In other words, whatever relates to administering the smaller delegated units will remain within the domain; all the rest (privileged users and accounts) will be managed from the so-called “root domain”. Although it is possible and recommended to have a delegation model in a multi-domain environment, we are going to focus on a single-domain, single-forest design; after the model is defined, architected and all requisites are committed, it can be extended as needed by the IT business.

Even if the delegation structures are created within the forest, it does not mean that all of them must be used. For example, if the organization has implemented a central user provisioning system, then the local administrator should not have the right to provision users, but the model is ready to provide such functionality in case of any future change. By having a uniform implementation, changes (keeping in mind organizational changes, which are more common) are more granular and support the company strategy. Going back to the previous example, the user provisioning system can manage AD users, but if there is a specific exceptional requirement for a site to manage users manually, then the model supports it without changing permissions or modifying the existing setup.
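One way to implement such a delegation in practice, as an added example that is not code from the original article or from Eguibar IT: a role group is granted the “Reset Password” extended right over user objects in one site OU, and the OU’s ACL is read back for auditing. The group can stay empty until the role is actually needed, which is exactly the “structure is there but not necessarily used” situation described above. The OU and group names are placeholders (assumptions), and the object-class and extended-right GUIDs are resolved from the schema rather than hard-coded.

```powershell
# Added example (not from the original article). Assumed placeholder names below.
Import-Module ActiveDirectory

$OuDn      = 'OU=Site01,OU=Sites,DC=example,DC=local'   # assumption: site OU
$GroupName = 'SG_Site01_PwdReset'                        # assumption: role group

function Get-SchemaGuid {
    # Resolve the object-class GUID and the extended-right GUID from this forest's
    # schema and configuration partitions instead of hard-coding them.
    param([string]$ClassName, [string]$RightName)
    $root = Get-ADRootDSE
    $cls  = Get-ADObject -SearchBase $root.schemaNamingContext `
              -LDAPFilter "(lDAPDisplayName=$ClassName)" -Properties schemaIDGUID
    $rgt  = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
              -LDAPFilter "(displayName=$RightName)" -Properties rightsGuid
    return @{ Class = [guid]$cls.schemaIDGUID; Right = [guid]$rgt.rightsGuid }
}

function Grant-OuRoleRight {
    # Add one Allow ACE for the role group on the OU: the named extended right,
    # inherited only by descendant objects of the named class.
    param([string]$OuDn, [string]$GroupName, [string]$ClassName, [string]$RightName)
    $g   = Get-SchemaGuid -ClassName $ClassName -RightName $RightName
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $g.Right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $g.Class)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-OuRoleRights {
    # Audit view: every ACE on the OU that is granted to the role group
    param([string]$OuDn, [string]$GroupName)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-OuRoleRight -OuDn $OuDn -GroupName $GroupName -ClassName 'user' -RightName 'Reset Password'
Get-OuRoleRights  -OuDn $OuDn -GroupName $GroupName | Format-Table -AutoSize
```

Run it once with a privileged account while building the structure; afterwards, membership of the role group is the only thing that changes, and the audit function shows exactly which rights that group holds on the OU.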

Figure 2 – Forest Breakdown of Rights

The model is intended to operate with least privileged access, understanding least privilege as the set of rights and permissions necessary to complete the given tasks while remaining fully functional. To establish this model, a logical structure has to be implemented using privileged access, but once this is complete, only semi-privileged access will be used, according to each person’s role. In Figure 2 – Forest Breakdown of Rights we can see the breakdown of the rights, starting from the user identity, passing through the corresponding OU where the object resides and the semi-privileged access is granted, and getting down to the most privileged access. The last three levels should remain empty due to the security implications of day-to-day usage of those privileges. The proposed model should grant all needed rights without jeopardizing the security of the environment. The “least privileged” technique is well established within Active Directory, but is not exclusive to it; member servers, workstations, laptops, applications and data repositories, just to name some, should implement this kind of access. More on this topic can be found in Implementing Least-Privilege Administrative Models.

Microsoft provides a so-called “Tiering Model”, which is a very good approach. There is one small problem with it: it is an “All or Nothing” model; in other words, this model has Domain Admins as tier 0 administrators, and all the rest of the users are standard users.

The model we are suggesting considers a full range of “Semi-Privileged” users, with different roles defined in each of the “areas or tiers”.

Figure – Semi-Privileged users and roles distribution. Advanced alternative to the Microsoft model.

There are several key factors that influence the way this model is built. The first is simplicity: the simpler the model, the easier it is to maintain and operate. In the introduction section of this document I did reference the 10 Immutable Laws of Security Administration, and its second law says “Security only works if the secure way also happens to be the easy way”, so having a complex, difficult-to-manage environment will not necessarily provide security; even worse, it might expose breaches instead. Following the same path, daily operations of a complex environment are more expensive and most of the time inefficient. All this talk is very nice, but we just hit an administration paradox: how secure is the simplest environment? Or how simple is the highly secure environment? Well, this is quite hard to answer in a single sentence. There are many ways to measure and estimate daily operation (unfortunately out of the scope of this document), but once we have this value, we can determine the effort needed to keep it secure and running.
