Microsoft Active Directory Access Risk Heatmap Service

One of the market leaders of IT Services asked us to thoroughly review their Windows Active Directory environment before migrating to the cloud. The primary objective was to ascertain the potential risks related to Windows user access, with an aim to mitigate these risks to prevent possible data leakage and fraud incidents. An ancillary benefit of this effort was a reduction in costs.

Initial conditions observed at the client’s site included:

  • A significant number of Win AD users.
  • A mixture of folder and file access based on both AD group memberships and direct folder/file level access rights.
  • A high presence of external contractors with domain user rights due to various projects.
  • An existing IDM (identity management) process, albeit immature and susceptible to human error.
  • Regular, minor changes in internal processes which led to frequent updates in access rights.
  • The absence of a robust SoD (segregation of duties) matrix. When present, conflicting rights were infrequently defined.
  • This task appeared to demand significant manual effort, but they lacked the necessary manpower.

The task was to pinpoint the users presenting the highest risk, their group affiliations, and the most precarious AD groups, while minimizing interviews. Only a handful of IT administrators could be consulted.

To begin, a VA was integrated into the client’s on-premises environment, and within a day, the system was operational. Connection to the AD was made through a technical user to gather data related to user and access rights. All extracted data was presented for client verification before initiating analysis.

Post verification and addressing GDPR-related concerns, preparation for analysis commenced. The client’s unique Active Directory High Privilege rules also had to be formulated. Interviews were conducted with IT administrators to understand the privileges associated with their existing AD groups. This facilitated the enhancement of the basic AD risk scoring rule-set with client-specific risks.

Once the approved access data was analyzed, a comprehensive report was produced. This detailed visual representations, analyzed user lists, and suggested direct actions. From this, the most vulnerable users were pinpointed, aiding in the rectification of AD access issues.

The findings delivered showcased a minimal error rate attributable to the nature of AD data. The client received actionable tasks for their AD, enabling them to efficiently rectify issues even with limited resources, all before migrating to the cloud. The entire project spanned roughly two weeks, from data extraction to final result presentation.

Based on our report, the client got immediate, actionable to-dos in their AD. With their limited resources, they could effectively clean up before the cloud migration. We did not use many internal resources. The whole project took approx. 2 weeks from the data collection until the final presentation of the results.

Do you use Active Directory on premise or in Azure cloud at your company?  Are you interested how to manage access rights compliance for Active Directory?  Contact us here to get consultation, what are your alternatives and what are the pros and cons.

2 min read

Share this post:

Scroll to Top