Using Active Directory to meet Regulatory Compliances

When it comes to meeting compliance, many Administrators settle for simply auditing event logs. By default, Event Viewer records all events that are generated on a Windows Server. However, is simply storing logs an efficient way to meet compliance?

Most compliance mandates require a particular report to satisfy a particular section. These reports are easy to generate in Active Directory if you already have a pre-defined PowerShell script or a free tool from Microsoft TechNet. However, relying on these free scripts or tools will not always give you the desired results. In this article, we will highlight some better methods for meeting regulatory compliance requirements.

Authentication

There should be a proper methodology to record and authenticate each logon request in the network. Even if some computers in the network run non-Windows operating systems (such as Macintosh, Linux or Ubuntu), the administrator should have a proper mechanism to authenticate the logon requests coming from such computers. Third-party tools can be installed on computers running non-Windows operating systems to implement Active Directory-based authentication.

Grouping the Computers

There are certain computers in the organization that deal with payments or may store related information. You have to make sure that such computers are members of a single group. Such a group will be useful when a policy has to be created. Please note that access to these computers should be limited to authorized user accounts only.

Computer Access Restrictions

An important part of meeting compliance is to restrict user access to sensitive information or devices that store critical data. If an organization stores client information in particular computers, access to such computers needs to be limited. “Active Directory Users and Computers” can be used to specify which users have access to which computers.

Dividing Users into Organizational Units

Users should be divided into different organizational units as per their departments. Suppose there are health, finance, sales, support, operations and IT helpdesk departments in an organization. The user accounts of each department can be divided into a separate, dedicated Organizational Unit. The Group Policy Management Console can then be used to specify the particular group policies on these Organizational Units. Not only does this improve account management and security, it also enables you to meet compliance mandates that specify a different set of access and security policies for different types of users.

User Account Age

We recommend that you specify the account age of users who are joining your organization either on contract or on a short-term basis. Use the user account properties to specify that a particular account will expire after three months or six months. Doing this when creating the account will save you the extra burden of closing the account of a user who is going to leave after three months.

Do Not Prescribe Passwords

By default, a user account is created in “Active Directory Users and Computers” when you set a password. However, such passwords are not secure, as you must communicate them to the new user through some medium. Therefore, it is recommended that you select the “User must change the password at next logon” option.

Logon Duration

If your organization permits employees to have direct interaction with customers for a specific duration, it is useful to specify the logon duration of those user accounts. Once you have defined the logon hours, the account will be logged out and access to computers will be denied after the configured time.
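The three account settings above (expiry date, forced password change and logon hours) can be applied in one provisioning step. The following is an added example, not a script from the original article; the account name, OU, domain and the fixed UTC+2 offset are constructed assumptions, and it uses the ActiveDirectory module cmdlets `New-ADUser`, `Set-ADUser` and `Get-ADUser`.

```powershell
# Added example: short-term account with expiry, forced password change and
# logon hours. Account name, OU and domain below are constructed placeholders.
Import-Module ActiveDirectory

function ConvertTo-LogonHoursBytes {
    # logonHours is 21 bytes: one bit per hour of the week, Sunday 00:00 UTC first.
    param(
        [int[]]$Days = 1..5,         # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 8,         # first permitted local hour (inclusive)
        [int]$EndHour = 18,          # end of the permitted window (exclusive)
        [int]$UtcOffsetHours = 2     # assumed fixed offset of the site from UTC
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Convert the local hour-of-week to UTC, wrapping around the week.
            $bit = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $idx = $bit -shr 3
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$bytes
}

$sam     = 'contractor.example'
$expiry  = (Get-Date).Date.AddMonths(3)
$initial = Read-Host -AsSecureString 'One-time initial password'

New-ADUser -Name 'Contractor Example' -SamAccountName $sam `
    -Path 'OU=Contractors,DC=example,DC=test' `
    -AccountPassword $initial `
    -ChangePasswordAtLogon $true `
    -AccountExpirationDate $expiry `
    -Enabled $true

# Monday to Friday, 08:00-18:00 local time, stored in UTC.
[byte[]]$hours = ConvertTo-LogonHoursBytes
Set-ADUser -Identity $sam -Replace @{ logonHours = $hours }

# Read the settings back so the values can go into the compliance record.
Get-ADUser -Identity $sam -Properties AccountExpirationDate, pwdLastSet, logonHours |
    Select-Object SamAccountName, AccountExpirationDate,
        @{ n = 'MustChangePassword'; e = { $_.pwdLastSet -eq 0 } },
        @{ n = 'LogonHoursBytes';    e = { $_.logonHours.Count } }
```

Logon hours are checked when the account authenticates; whether sessions that are already established get disconnected depends on the “Microsoft network server: Disconnect clients when logon hours expire” and “Network security: Force logoff when logon hours expire” security options.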

Logon/Logoff Reports

The administrator can use PowerShell scripts to generate daily reports for user logon and logoff events. Such reports should highlight the logon time, session duration, logoff time, authentication type and any other useful information. These reports should be generated at least daily to keep track of which users are accessing certain computers.
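One way to build such a report is to pair each logon event (4624) in the Security log with its logoff event (4634 or 4647) through the shared logon ID. This is an added example, not a script from the original article; the function names, the default logon types and the CSV file name are assumptions.

```powershell
# Added example. Requires "Audit Logon" and "Audit Logoff" success auditing.
function Get-EventFields($Record) {
    # Flatten the <EventData> name/value pairs of one event into a hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-LogonSessionReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$LogonTypes = @('2', '10', '11')  # interactive, RDP, cached interactive
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Since }
    $open = @{}  # logons without a matching logoff so far, keyed by TargetLogonId
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        Sort-Object TimeCreated | ForEach-Object {
            $f = Get-EventFields $_
            $key = $f['TargetLogonId']
            if ($_.Id -eq 4624) {
                if ($LogonTypes -contains $f['LogonType']) {
                    $open[$key] = [pscustomobject]@{
                        User       = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                        Computer   = $_.MachineName
                        LogonType  = $f['LogonType']
                        AuthMethod = $f['AuthenticationPackageName']
                        SourceIp   = $f['IpAddress']
                        LogonTime  = $_.TimeCreated
                        LogoffTime = $null
                        Duration   = $null
                    }
                }
            } elseif ($open.ContainsKey($key)) {
                # 4647 (user-initiated) and 4634 can both fire; the first one closes the session.
                $session = $open[$key]
                $open.Remove($key)
                $session.LogoffTime = $_.TimeCreated
                $session.Duration = $session.LogoffTime - $session.LogonTime
                $session
            }
        }
    $open.Values  # sessions still open, or whose logoff was not recorded, at report time
}

# Constructed usage: write the last 24 hours of sessions on this machine to a dated CSV.
Get-LogonSessionReport | Export-Csv ".\logon-report-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```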

Other Audit Reports

You can use pre-defined PowerShell scripts available online to generate the following audit reports. We suggest that you download scripts only from trustworthy sources such as TechNet:

  1. Group Membership Modified – It should show all changes made in the membership of all groups.
  2. User Created – It should show the list of all new user accounts created.
  3. User Deleted – It should show the list of all user accounts that are deleted by the Administrator.
  4. User Expiry Modified – It should show all changes made in expiry dates of user accounts.
  5. Users’ Logon Hours Attribute Modified – It should show all changes made in the user logon hour attribute.
  6. User Status Changed – It should show all changes made to the status of user accounts.
  7. Computer Created – It should show all computers created in Active Directory.
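The seven reports above map onto account-management events in a domain controller's Security log. The sketch below is an added example, not a script from the original article or from TechNet; the function name and the domain controller name are assumptions, and it relies on event 4738 logging unchanged attributes as `-`.

```powershell
# Added example. Requires the "Audit User Account Management", "Audit Computer
# Account Management" and "Audit Security Group Management" subcategories.
$ReportByEventId = @{
    4720 = 'User Created'
    4726 = 'User Deleted'
    4722 = 'User Status Changed'          # account enabled
    4725 = 'User Status Changed'          # account disabled
    4741 = 'Computer Created'
    4728 = 'Group Membership Modified'    # member added, global group
    4729 = 'Group Membership Modified'    # member removed, global group
    4732 = 'Group Membership Modified'    # member added, local group
    4733 = 'Group Membership Modified'    # member removed, local group
    4756 = 'Group Membership Modified'    # member added, universal group
    4757 = 'Group Membership Modified'    # member removed, universal group
}

function Get-AccountChangeReport {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4738 ("a user account was changed") feeds two reports, so it is handled separately.
    $ids = @($ReportByEventId.Keys) + 4738
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter | ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $reports = @()
        if ($_.Id -eq 4738) {
            # Unchanged attributes are logged as '-'; anything else is a new value.
            if ($f['AccountExpires'] -ne '-') { $reports += 'User Expiry Modified' }
            if ($f['LogonHours'] -ne '-')     { $reports += "Users' Logon Hours Attribute Modified" }
        } else {
            $reports += $ReportByEventId[$_.Id]
        }
        foreach ($r in $reports) {
            [pscustomobject]@{
                Report    = $r
                Time      = $_.TimeCreated
                EventId   = $_.Id
                ChangedBy = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
                Target    = $f['TargetUserName']   # user, computer or group name
                Member    = $f['MemberName']       # only set on group membership events
            }
        }
    }
}

# Constructed usage: 'dc01.example.test' is a placeholder domain controller name.
Get-AccountChangeReport -DomainController 'dc01.example.test' | Sort-Object Report, Time
```

Each domain controller logs only the changes it processed, so run the query against every domain controller (or a central event collector) before treating the report as complete.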

Anything else?

Active Directory, Group Policy Objects, Exchange Servers, SharePoint Servers, SQL Servers and File Servers should all be audited if you are to meet the requirements of IT regulatory compliances. Administrators have to be well versed with the native auditing methodologies of these server components. Native auditing, though, has its limitations; specifically due to the drawbacks of Event Viewer.

In such a situation, LepideAuditor for Active Directory is useful to audit the changes made to Active Directory Objects. This solution also audits Group Policy Objects, Exchange Server, SharePoint, SQL Server, and File Server.

Write to info@refreshnetworks.co.za to know more.
