
Analyze the Risks, Threats, and the Ways to Mitigate

In order to analyze the risks and threats to our Active Directory (AD), we first need to understand what we are actually protecting. Active Directory is not exactly a physical entity; what we protect is its content and the function or service it provides. The main points of an AD that need protection and safe-keeping are the following:

  • The ability of a user to log on to the domain and access resources located in your network.
  • The information for authentication and authorization, such as user names, passwords, and group memberships.
  • Personal information within the AD.
  • The ability of network-based services to start, authenticate, and function properly.
  • Group policy application to the workstation, which may contain specific security settings.

A crucial step, and the actual basis for proceeding further, is to analyze the cost involved in an outage of a part of your AD backbone.

This should be outlined in your Business Continuity Plan (BCP). The BCP describes the process by which the business continues to operate in the event of a sustained outage of the asset, while the DRG describes the technical recovery of that asset. Included in Appendix A is a sample BCP that can be used as a foundation and to get a good head start with our BCP.

Before we start analyzing risks, threats, and vulnerabilities, we need to understand what each of these terms really means in the context of AD.

A threat is, in simple terms, the potential for something bad or unwanted to happen. For AD, this could be the potential of losing records by deletion. The threat would be accidentally deleting objects within AD.

To identify a threat, we need to analyze what is running on our DCs. In a small sales office, the number of services provided by a single server is much higher than in the corporate data centre. Each service poses a potential threat. How likely a service is to become a threat by being exploited is difficult to estimate. Table 1 lists examples of common services that run on a DC, and Table 2 is a sample list for DCs that offer additional services. These tables also show the threat level for each service. The values might differ across environments, but they are a good starting point.

Table 1: Common services on a DC and their threat levels

Service                          | Threat                                                 | Threat level
---------------------------------|--------------------------------------------------------|-------------
Kerberos Key Distribution Centre | DOS, malicious cookie insertion                        | 2 (low)
Net Logon                        | DOS                                                    | 2 (low)
Server                           | DOS, enumeration, buffer overflow, remote exploitation | 3 (moderate)
Terminal Services                | Remote exploitation, brute force password cracking     | 3 (moderate)
Security Accounts Manager        | Difficult to exploit                                   | 1 (very low)
DNS Server                       | DOS, recursion attacks                                 | 2 (low)
Average                          |                                                        | 2.1

Table 2: Services on a DC that offers additional services, with threat levels

Service                          | Threat                                                 | Threat level
---------------------------------|--------------------------------------------------------|-------------
Kerberos Key Distribution Centre | DOS, malicious cookie insertion                        | 2 (low)
Net Logon                        | DOS                                                    | 2 (low)
Server                           | DOS, enumeration, buffer overflow, remote exploitation | 3 (moderate)
Terminal Services                | Remote exploitation, brute force password cracking     | 3 (moderate)
Security Accounts Manager        | Difficult to exploit                                   | 1 (very low)
Print Spooler                    | DOS, remote exploit                                    | 3 (moderate)
DNS Server                       | DOS, recursion attacks                                 | 2 (low)
Average                          |                                                        | 2.3

A vulnerability is a characteristic of a system that can be exploited and thereby realize a threat. For AD, this would be an unsecured AD, or ACLs that are not in place, which, when used with the right tools, can give someone full access to all or part of the AD.

Lastly, a risk is the probability of an occurrence that would have a negative impact on an asset. In plain words: what are the chances of a certain thing going wrong, and how likely is that specific thing to happen? For AD, an example could be: what are the chances of the records being deleted by an authorized or unauthorized person?

Identifying risks can be especially difficult when a monetary value has to be assigned to them. The value that a systems administrator assigns to his or her servers will differ from the value assigned by, say, a business controller or a marketing executive. Following the risk assessment process, the risk values will be found to differ across people, especially since people outside the IT department are often unaware of the extent to which the business depends on Active Directory.

While planning for DR, analyzing the risks faced by the infrastructure is an extremely important step. Although going through this process is not as easy as it seems, we can loosely classify likely threats into the following categories, drawing on the experiences of other organizations:

  • Misuse of privileges by an Enterprise or Domain administrator
  • Hardware failure
  • Illegal cracking and hacking attempts
  • Internal disgruntled employee attacks
  • DOS attacks by sending many queries
  • Crashing of other services hosted on the DC that render the DC non-functional

These are just a few examples of what could be classified as risks. The likelihood of any of the above becoming an actual threat is, however, reduced by about half if the DC hosts only AD services.

Assessing the risk, and assigning monetary values to a system being hacked or to a hardware failure, may not be easy. Yet our calculations have to be accurate so that they can be presented to our peers. The formula for calculating the monetary value of risk, that is, how much money it could cost us, according to Intel (see http://www.intel.com/technology/itj/2007/v11i2/5-restricted-countries/5-methodology.htm), MCI (see http://www.computerworld.com/printthis/2006/0,4814,107647,00.html), and others (see http://www.computerworld.com/printthis/2006/0,4814,107647,00.html) is:

RISK = THREAT x VULNERABILITY x VALUE

So, if we have a classification scale that goes from 1 (very low) to 5 (very high), a threat probability of, for example, 1 in the event of a power supply failure (because we have it redundant), a vulnerability of 1 (because we do have everything redundant), and a cost of 400 USD for a new power supply, the formula gives us 1 x 1 x 400 = 400 USD. So the risk associated with losing the power supply is USD 400. This isn't so bad! However, doing the same calculation for a slightly different scenario, say disks, raises the complexity considerably.

For example, say our server has a RAID 5 disk array where all our files are hosted, and also a tape drive. Two disks in the array fail, the array breaks, and we lose all the files. The combined cost per hour of losing these files is USD 20,000, because none of our developers and managers would be able to access important data. The USD 20,000 is an average: it is less in the beginning, but grows the longer the data is unavailable.

Now, the calculation looks like this:

Threat 4 (because disks do fail, and our tape drive is slow and old, so it will take several hours to get the data back), vulnerability 1 (usually only one disk fails at any given time), and a cost of 20,000. Or simply:

Risk = 4 x 1 x 20000, or 80000 USD.

So we risk losing 80,000 USD through a simple disk failure. This should be justification enough to get a newer tape drive, which would reduce our threat level to, for example, 1 or 2 and thereby cut the risk by half or more.
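The risk formula and the two worked scenarios above, as an added example that is not part of the original text; the scenario names and the mitigation helper are constructed for illustration, and the threat and vulnerability scales are the 1-to-5 scale the text uses:

```python
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5  # classification scale: 1 (very low) .. 5 (very high)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int          # probability rating on the 1..5 scale
    vulnerability: int   # exploitability rating on the 1..5 scale
    value_usd: float     # monetary value of the loss (cost, or cost per hour)


def _check_rating(label: str, rating: int) -> None:
    # Ratings outside the scale silently distort the result, so reject them.
    if not SCALE_MIN <= rating <= SCALE_MAX:
        raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {rating}")


def risk_usd(s: Scenario) -> float:
    """RISK = THREAT x VULNERABILITY x VALUE, as given in the text."""
    _check_rating("threat", s.threat)
    _check_rating("vulnerability", s.vulnerability)
    return s.threat * s.vulnerability * s.value_usd


def mitigation_effect(s: Scenario, new_threat: int) -> tuple[float, float, float]:
    """Risk before, risk after lowering the threat rating, and the fraction saved."""
    before = risk_usd(s)
    after = risk_usd(replace(s, threat=new_threat))
    return before, after, (before - after) / before


def rank_by_risk(scenarios: list[Scenario]) -> list[str]:
    # Highest risk first: this is the order in which mitigation money is best spent.
    return [s.name for s in sorted(scenarios, key=risk_usd, reverse=True)]


# Constructed scenarios using the numbers from the text.
POWER_SUPPLY = Scenario("redundant power supply failure", threat=1, vulnerability=1, value_usd=400)
DISK_ARRAY = Scenario("RAID 5 double-disk failure, old tape drive", threat=4, vulnerability=1, value_usd=20_000)

if __name__ == "__main__":
    for s in (POWER_SUPPLY, DISK_ARRAY):
        print(f"{s.name}: {risk_usd(s):,.0f} USD")
    before, after, saved = mitigation_effect(DISK_ARRAY, new_threat=2)  # newer tape drive
    print(f"newer tape drive: {before:,.0f} -> {after:,.0f} USD ({saved:.0%} saved)")
    print("mitigation priority:", rank_by_risk([POWER_SUPPLY, DISK_ARRAY]))
```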

In any case, reading the Microsoft Security Management Guide at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx is highly recommended. Chapter 4 of this guide (http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/srsgch04.mspx) deals specifically with risk assessment.

It must be stated here that the easiest way to mitigate threats and risks is to spend time securing the Domain Controllers. Although Windows 2003 provides very good default security templates that can be applied to a DC, it is definitely worth checking the high security settings, the Domain Controller Security template, and all the other templates, which can and should be customized. A very strong baseline can be found in the Windows 2003 security guide (http://www.microsoft.com/downloads/details.aspx?FamilyID=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en). These settings lock down a DC quite heavily, and you can then open up whatever a smaller office needs. Once we have an adequate configuration, we should save the template and apply it through a GPO to all the other DCs in the same classification. The threat and risk levels for exploitation and brute force hacking or cracking then diminish dramatically.

The risk of hardware failures can, of course, be lessened by having enough redundancy everywhere. A suggestion for a small office DC would be to spend a little more on those servers and build in redundancy wherever possible. A RAID 5 setup, together with a tape drive for backups in case of one or more disk failures, will generally be adequate.

When taking hardware failures into account, proper service contracts and SLAs from manufacturers can help a lot. A four-hour or lower response time, 24x7, for a server does not cost much any more and is probably worth having, especially in smaller offices. Having a spare standby server per region, which can be quickly deployed as a DC and brought on location for fast recovery of the AD until the remaining functions of the failed server(s) are restored, should also be considered.
