How to Safely Reset Active Directory Permissions After a Pen Test?

Asked By TechWhiz82 On

I've been managing the infrastructure, including Active Directory (AD), at my new job for about five months now. Recently, we conducted our first penetration test, which revealed some serious permission issues in AD that could lead to domain administrator access. This problem seems to have existed for years, and I found out about it just yesterday. Given the holiday weekend, I haven't made any changes yet, but I'm gearing up to take action on Monday. Some permissions are set on the 'Everyone' group at the domain root, and there are also some odd grants in place. My main question is: what's the best way to reset these permissions effectively? We don't have specific requirements outside of standard default permissions, and it seems like these were mishandled by a previous admin. I've been considering launching a fresh domain to understand the default settings better, but I'm worried about breaking something or potentially locking us out. I'm already planning for fresh backups and new Directory Services Restore Mode (DSRM) passwords before I start making any changes. I regret not checking this sooner, especially since some of these issues seem glaringly obvious now. I really want to approach this methodically and won't rush things without a plan.
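
Before changing anything, a defender-side first step is to inventory what the domain root currently grants to broad principals such as 'Everyone' and to keep a copy of the existing descriptor. The script below is an added example (not from the question or any answer) and assumes the RSAT ActiveDirectory module in an admin session on a domain-joined host; it only reads and reports, it changes no permissions.

```powershell
# Added example, not from the thread: list write-level ACEs on the domain root that are
# granted to broad principals, after saving the current ACL as SDDL for later review/restore.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and a domain-joined admin session.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

# Keep a copy of the existing descriptor before anyone touches it.
$backupFile = Join-Path $env:TEMP ("domain-root-acl-{0:yyyyMMdd-HHmm}.sddl" -f (Get-Date))
$acl.Sddl | Set-Content -Path $backupFile

# Principals that should rarely hold write-level rights at the domain root.
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users')
# Rights that allow modifying the object, its DACL or its owner, or invoking extended rights.
$riskyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Strip the "NT AUTHORITY\", "BUILTIN\" or "DOMAIN\" prefix for matching.
    $who = $ace.IdentityReference.Value -replace '^.*\\', ''
    if ($broadPrincipals -notcontains $who) { continue }
    if ($ace.ActiveDirectoryRights.ToString() -notmatch $riskyRights) { continue }
    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Rights      = $ace.ActiveDirectoryRights
        ObjectType  = $ace.ObjectType      # all-zero GUID means the ACE covers all properties/rights
        Inheritance = $ace.InheritanceType
        Inherited   = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write-level ACEs for broad principals found on $domainDN"
}
"ACL backup written to $backupFile"
```

Compare each reported ACE against the same query run on a freshly built lab domain to tell default grants from the odd ones the pen test flagged; the ObjectType GUID identifies which property set or extended right a narrowed ACE covers.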

4 Answers

Answered By ADMaster456 On

First and foremost, make sure you back up Active Directory. Domain controllers are essential, and having a backup is crucial. Develop a clear plan before implementing any changes. Focus on cleaning up the default admin groups like Enterprise Admin and Schema Admin. Also, remember to allow time for replication after each change, and keep checking on AD health and replication as you proceed.

Answered By SystemGuru123 On

I'd recommend waiting until after the holidays to make any big changes. Did the penetration test deliver a report with remediation steps? That could guide you in addressing the findings without diving in too quickly.

Answered By NetworkNinja99 On

Have you tried using Pingcastle? It can give you detailed insights and suggest fixes. It sounds like the pentester provided some valuable findings. If you combine their notes with what you gather from your own runs, that could help you reset to default effectively and ensure you're not missing anything.

Answered By NewbieNoMore On

It would be quite drastic, but have you considered the effort versus benefits of setting up a new domain entirely? That could simplify things, but make sure it's truly necessary given your user load.
