Gästbloggaren Derek Melber, Active Directory MVP, berättar om hur den interna säkerheten kan stärkas genom bra rutiner vid skapande av nya konton i Active Directory.
It is 8am Monday morning. You, the Active Directory administrator, receive a stack of papers for the new employees of the week. You proceed to create the 12 new users. You proceed to ensure the first name, last name, and logon names are correct.
You also input the password for new users, which is NewHire01. After you create all 12 user accounts, you proceed to configure the details for each account, including group membership, home drive, telephone number, and department.
You complete the task by 8:20am and move on to the rest of your day. You have done this every week for the past 10 years and think nothing of the “setup” you just created for the disgruntled employee that is working in the engineering department.
I hope you see the glaring error in the setup of the 12 new user accounts. Do you?
If you don’t, let me fill you in on a couple of key facts regarding Active Directory to help guide you to the answer:
Every user account in Active Directory has read access to all of Active Directory. This includes group membership, organizational unit contents, and user properties.
Any user can attempt to logon as any other user.
There is a user account property that indicates if a user has logged in before or not.
Have a clue yet?
Every user in Active Directory can logon as a newly created user because they know the username and password! Once logged on, they will have access to every resource that their group membership allows them to access.
Ideally, a random password needs to be used for every newly created user account. This means that no one, except for the user account creator and the new employee knows the password. Once the random password is used to logon, the user is forced to input their own password. Therefore, the random password is only valid for a single use.