Configuring Active Directory to Meet Compliance Requirements

When it comes to regulatory compliance, not everyone is equally enthusiastic, and why would they be? Coming clean on regulatory compliance takes a lot of effort, from the top level down to the end users. It is often confusing, and people, especially in small organizations, have no idea where to start. Regulatory compliance may be as much of a headache as it appears, but it can also be an avenue for security, and thus for sustainable growth and long-term "peace of mind". Let's see how:

  • Staying compliant means your systems are secure, security risk is minimized, and business continuity is ensured.

  • When the organization is compliant, customers feel secure doing business with you, since the trust factor is greatly enhanced.

  • Compliance enhances your reputation and thus contributes to the brand value of the organization, increasing its total market value.

  • The organization is more efficient, since business processes are improved and streamlined. Clear metrics are in place to measure and improve the efficacy of the security policy.

But the question is where to start if you have no experience with regulatory compliance. If you go through the compliance manuals of regulatory standards such as HIPAA, SOX, PCI and so on, they leave much to guess, as they offer no step-by-step guidance. However, as far as the overall approach to compliance is concerned, it is much the same for most organizations of varying shape and size.

Organizations using Microsoft technology can safely rely on Active Directory to configure settings to meet various kinds of regulatory compliance. The entire initiative can be broadly divided into these major steps:

  1. First, configure an authentication mechanism for every kind of access to every resource in the network. No user should be able to access any system without proper validation.

  2. Devise and enforce a comprehensive security policy and change management policy, specifying system behavior in all possible scenarios.

  3. Develop an auditing policy to monitor and track every change traversing the network. You should be able to report on all changes and present who, what, when and where information for each change in an audit-ready format.

  4. Apply the insights gained from auditing and change tracking to make the necessary changes to the authentication policy, security policy, change management policy and auditing policy.

Windows Active Directory handles all authentication-related work with the help of Kerberos. Every time a user accesses a domain computer or requests a shared resource such as a file share or an application on the network, the user's client exchanges tickets with a Domain Controller and is granted access only after successful authentication.

As far as enforcing a security policy is concerned, Active Directory Group Policy Objects (GPOs) provide a centralized mechanism to enforce security policy across the entire network. In the latest Windows versions, Windows Server 2012 and Windows 8, there are over 3500 manageable security policy settings, which give you enough scope to configure your network security settings.

To implement your auditing policy using Group Policy, open the Group Policy Object Editor snap-in in the Microsoft Management Console and define audit policies for the objects as your requirements dictate. Once auditing is enabled according to the policy, you can analyze the logs using the Event Viewer. For the auditing part as a whole, you can also use an Active Directory auditing utility to audit all Active Directory and GPO changes according to the policy you have devised.
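As an added example (not from the article, and not a Microsoft-provided script), the following PowerShell enables the audit subcategories that record account, group and directory-object changes, then turns the resulting Security-log events into the who/what/when/where report that step 3 above asks for. It assumes it is run elevated on a domain controller; the function name `Get-AdChangeReport` and the output path are my own choices, while the event IDs and field names are the standard ones Windows writes.

```powershell
# Added example: enable AD change auditing and build a who/what/when/where report.
# Assumes an elevated session on a domain controller (assumption, not from the article).

# 1. Turn on the Advanced Audit Policy subcategories covering account, group and
#    directory-object changes, for both success and failure.
$subcategories = 'User Account Management', 'Security Group Management', 'Directory Service Changes'
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Caveat: event 5136 is only written for objects whose SACL requests auditing;
# enabling the subcategory alone is not enough for directory-object changes.

# 2. Map the event IDs of interest to the "what" they represent and to the
#    EventData field that names the affected object.
$eventMap = @{
    4720 = @{ What = 'User account created';            Target = 'TargetUserName' }
    4726 = @{ What = 'User account deleted';            Target = 'TargetUserName' }
    4728 = @{ What = 'Member added to global group';    Target = 'TargetUserName' }
    4756 = @{ What = 'Member added to universal group'; Target = 'TargetUserName' }
    5136 = @{ What = 'Directory object modified';       Target = 'ObjectDN' }
}

# 3. Read the Security log and flatten each event into one audit-ready row.
function Get-AdChangeReport {
    param([int]$Hours = 24)   # hypothetical helper; look back this many hours
    $filter = @{ LogName = 'Security'; Id = [int[]]$eventMap.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$xml = $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }   # Name -> value
        $entry = $eventMap[[int]$_.Id]
        [pscustomobject]@{
            When   = $_.TimeCreated                                                   # when
            Who    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName'] # who made the change
            What   = $entry.What                                                      # what happened
            Target = $data[$entry.Target]                                             # which account/group/object
            Detail = if ($_.Id -eq 5136) { '{0} = {1}' -f $data['AttributeLDAPDisplayName'], $data['AttributeValue'] }
                     else { $data['MemberName'] }                                     # changed attribute or added member
            Where  = $_.MachineName                                                   # DC that recorded it
        }
    }
}

# Example run: last 24 hours, oldest first, exported for the auditors (path is an assumption).
Get-AdChangeReport -Hours 24 | Sort-Object When | Export-Csv -Path .\ad-changes.csv -NoTypeInformation
```

In a multi-DC domain, run the collection against every domain controller (or forward the Security logs centrally), since each DC only records the changes it processed.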