The world's most trusted forum on Active Directory Security
I would like to know what the risks are associated with delegating group management in Active Directory. We were considering delegating the creation and modification of our groups to certain non-IT teams in our company.
In particular, because we get a lot of requests for group creation and group membership changes, it takes up a lot of our time to respond to these requests, so we're considering delegating creation and membership change rights to project managers in our company.
Before we did so, we thought we'd consider if there might be any major risks associated with delegating group management in Active Directory.
Thank you for your inputs.
My little blog on Active Directory Delegation Tools
Delegation of administration in Active Directory is a very powerful and valuable capability that helps everyone substantially reduce risk, by enabling organizations to delegate all but the most sensitive of operations, thereby letting them roll out and maintain a least privilege access (LPA) based management model.
As is the case with any technology / security control, security risks only arise when some aspect of the technology has a shortcoming or is not properly configured by administrators. So is the case with the security risks associated with delegation of administration in Active Directory.
If implemented properly by a proficient expert, the risks are minimized, and the only risk one is left with is that, in general, it is very difficult to accurately determine who is delegated what access.
Other than that, the rest of the risks arise if delegations are not properly done or monitored. In such cases, the risks could be that more individuals than intended may end up having delegated administrative powers, and/or that someone could identify excessive unauthorized delegations and attempt to elevate their security privilege in Active Directory.
As for the specific risks associated with delegating group management, well, if someone could control the membership of a group, they could grant/deny access to all IT resources that are protected by the group.
If someone could delete a group, they could certainly end up denying all its members access to all IT resources to which access is currently granted by virtue of membership in that group.
You need to consider that a security group exists to enable access to IT resources in the infrastructure. It provides a way to make management of access practical, in that you can easily collect 1000s of people in a group and then use that group to grant access to say a File Server or a Database.
So, in this light, anyone who has access to control the membership of that group has the power to allow or deny anyone he wishes access to all IT resources in the infrastructure that are being protected by the group.
This is why it is very important to make sure that you always know not only who is delegated the ability to manage group memberships, but also who can change the membership of your Active Directory security groups.
Thank you for your inputs. I really appreciate you taking the time to share your thoughts.
Indeed, we now understand the risks associated with insecure delegations rather well and in fact have since been able to delegate certain aspects of group management securely based on principle of least access.
We also audit our delegations once every 2 weeks just to make sure that our delegations have not changed, and if there are any changes that may have been accidentally made, we are able to take measures to correct any mistakes made.
Thank you both for your inputs though - at the time, they were very helpful.
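One way to act on the answer's advice (knowing who can change the membership of your security groups) and on the follow-up's periodic audit of delegations, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module is available; the OU path and the list of expected principals are placeholders to replace with your own.

```powershell
# Added example (not from the original thread): report who holds rights on the
# security groups under an OU that let them change membership or take over the
# group (GenericAll, WriteDacl, WriteOwner, GenericWrite, or WriteProperty on
# either all attributes or the 'member' attribute). Deny ACEs are ignored.
Import-Module ActiveDirectory

$SearchBase = 'OU=Projects,DC=corp,DC=example'                  # placeholder OU
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'

# Principals whose rights are expected; anything else is listed for review.
$ExpectedPrincipals = @('BUILTIN\Administrators', 'CORP\Domain Admins', 'NT AUTHORITY\SYSTEM')  # placeholders

$findings = foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
    # The ActiveDirectory module exposes the directory as the AD: drive.
    $acl = Get-Acl -Path ('AD:\' + $group.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $allAttributes = ($ace.ObjectType -eq [guid]::Empty)
        $controlsMembership =
            ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
            (($rights -match 'WriteProperty') -and
                ($allAttributes -or $ace.ObjectType -eq $MemberAttributeGuid))
        if (-not $controlsMembership) { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Group     = $group.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Scope     = if ($allAttributes) { 'all attributes' } else { 'member attribute' }
            Inherited = $ace.IsInherited   # inherited ACEs usually come from the OU, not the group
        }
    }
}

$findings | Sort-Object Group, Principal | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run is a simple way to spot delegations that changed between audits.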