Security essentials for Active Directory on Linux


Kevin Beaver, CISSP
05.15.2009

As businesses continue to integrate Linux into their existing Windows infrastructures, extending Active Directory functionality to accommodate these systems is becoming more appealing. Many shops already run some combination of Samba/Winbind, PAM, and OpenLDAP that offers up Windows authentication services, among other things. Although some admins are looking ahead for ways to replace Active Directory altogether (a goal of Samba 4), don't hold your breath -- Samba 4 has been four years in the making. There are commercial solutions for Active Directory/Linux integration available from vendors such as Quest, Centrify, and Likewise. So the need and the solutions are there. But, of course, it's not that simple -- at least if security is on your radar.

Whether you've already started down the path of integration or have it on the docket for the near future, there are some Active Directory-centric security issues you need to be aware of. Like acquiring a new company and taking on its business processes and codebase, you're going to get the warts and all when you incorporate Active Directory into the Linux realm (or vice versa). You'll suddenly have all the security issues that come along with Active Directory – some of which will undoubtedly have some unintended consequences in your environment.

First off, dependence on Active Directory as your sole directory service and security policy enforcer can create a single point of failure. When Active Directory goes down – or goes away – because of some unintended outage, design oversight, or mismanagement, your network services can come to a halt. This is the least likely of scenarios - but you still need to consider it.

Another common weakness with Active Directory is the lack of separation of duties. Simply put, every admin has full access to the system and there's no real accountability. Be it via general security groups or admin access at the OU (or similar) level, there needs to be some sort of separation if multiple hands are allowed access.

You also have issues with password policies – or lack thereof. This is probably the most common weakness I see related to Active Directory security. Interestingly, admins will go out of their way creating well thought-out security controls such as one-way trusts, GPOs (group policies) for locking down workstations, and so on, but minimal – and reasonable – password requirements are often missing. They're either too strict (i.e. users are burdened with changes every 30-45 days) or they're non-existent (management doesn't understand their value). Make sure you balance password requirements with usability because not doing so will all too often get in the way of doing business. Think through your Active Directory password policies so you can strike that balance and prevent things from swinging too far in either direction.

Once Active Directory integration becomes a reality, what was once your seemingly secure Linux environment will now be opened up to many of the security issues associated only with Windows. These weaknesses extend to Linux-based Web sites and applications as well as any Linux-based network appliances you incorporate into the Active Directory domain.

My advice is to fully understand what you're getting into with Active Directory before you jump in. Read up, plan things out accordingly, and use commercial solutions if necessary. The last thing you need is a whole new set of headaches. When you're spending all this time and effort, it only makes sense to do Active Directory the right way (at least according to a consensus), so be sure to check out the U.S. Department of Defense's Active Directory Security Technical Implementation Guide and the Center for Internet Security's Windows Server 2003 Domain Controller Benchmark. You won't need to, or necessarily be able to, implement every hardening recommendation. However, by reviewing these documents you can make sure you're doing what's right in the context of your systems.

ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget