What is DSEnforce?

DSEnforce offers a unique approach to the maintenance of the Active Directory architecture and, by extension, the security and stability of the Windows infrastructure.

Implementation of DSEvolve has already cleansed, optimised and secured the Active Directory. The new core architecture protects itself from uncontrolled change attempts by all administrators below the Domain Admin level.

Sadly, it is inevitable that a Domain Admin will at some point fail to follow the design rules of the architecture, causing a significant breach. The three most common scenarios are:

  • Action by a new Domain Admin who does not yet know the design rules
  • An emergency (or Disaster Recovery) change that is never reversed
  • Action by a disgruntled (perhaps “soon to be ex-”) Domain Admin.

The DSEnforce service is pre-configured to understand the DSEvolve architecture and does not require commissioning or intervention by administrators. This maintenance ensures that:

  • IT management has peace of mind, knowing that the core security is being preserved
  • Any breaches of the design rules that introduce vulnerability are recognised so that they can be quickly repaired
  • The core architecture is updated to make additional capabilities available to IT and the business as new versions of the Active Directory are released by Microsoft
  • Vulnerabilities in the Active Directory or core architecture are quickly identified, and mitigation is made possible.

DSEnforce ensures that the business becomes immediately aware of uncontrolled changes that threaten the security and integrity of its optimised Active Directory – whether the source of the change is accidental or malicious – and that it periodically receives fully up-to-date directory documentation.

The main benefits of DSEnforce are as follows:

  • Clearly understands the DSEvolve architecture out of the box
  • Does not require configuration for use in the organisation; it simply needs to be activated!
  • Keeps a change history for critical architecture components
  • Reports on configuration change – the modification or deletion of relevant objects, as well as the creation of new ones
  • Reports on the adherence of the implementation to the design rules of the DSEvolve architecture to ensure that security loopholes do not develop
  • Maintains validating information for each object relevant to the security or architecture that clearly defines its purpose
  • Automatically rebuilds and publishes up-to-the-moment documentation at regular intervals
  • Third party support for architectural change control ensures that identified issues do not get buried under the weight of user-facing service maintenance requirements
  • Optional off-site backup to heavily encrypted storage enhances the reliability of logs, as they are no longer subject to internal manipulation.

Why hasn’t this problem been identified before?

It has always been clearly understood that uncontrolled change is detrimental to any system. But only recently has the industry begun to realise how serious an effect uncontrolled change in the Active Directory itself has on the entire Windows infrastructure – disastrously degrading its security and stability.

This effect is cumulative and expansive: as the security within the directory weakens, it becomes easier to enact more uncontrolled changes, deepening the degradation and spreading its effects further and further out into the infrastructure.

Architecture maintenance is required because inappropriate changes will eventually occur. Here are some of the most common scenarios:

  • No documentation exists, or a new administrator does not have access to it
  • An administrator takes over and makes a change that is not in line with the architecture design rules, even though it has been passed through the change control procedure
  • New applications are not correctly integrated into the authority architecture; “just to get it working”, they are given inappropriately elevated powers that breach the hierarchy or break the audit trails
  • Loopholes develop in the original security design due to subtle changes in objects when the directory software is upgraded
  • Uncontrolled changes are made by a disgruntled administrator attempting to gain inappropriate access to information (such as the payroll spreadsheet) or damage the company infrastructure as an act of malice (perhaps by planting a worm or Trojan in the belief that they are about to be fired). Internal acts of this nature have been regularly reported over the last 15 years by Gartner as the most common threat to an organisation’s infrastructure and information
  • Emergency changes (even controlled ones) are made to prevent a project failure but are never retrospectively checked for security loopholes
  • Disaster Recovery changes are made to keep the business functioning and are subsequently not removed
  • Uncontrolled changes are occasionally made by administrators in haste or without due process or consideration

It is impossible to prevent all of these problems. The issue is whether such changes are noticed and corrected. To this end, monitoring the Active Directory is equivalent to penetration-testing your firewall. If you are not checking regularly, then you cannot really know if you are fully secure.

Most reporting systems have to be tailored to the in-house implementation. However, it is rare for the directory administrators to have the time or exposure to the reporting software needed to achieve this – especially once the administrator in charge at the time of implementation is replaced. As a result, most reporting systems lie fallow or are actively disengaged because they generate too many false positive warnings.

How does DSEnforce work?

DSEnforce uses the information gathered by the DSEvolve implementation as the baseline configuration and reports on deviations from that baseline. It requires no configuration: it already knows exactly what to do and simply needs to be activated. Once operational, DSEnforce:

  • Reports critical changes immediately
  • Reports non-critical changes daily or weekly, depending on the nature of the change
  • Distributes updated site documentation monthly
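As an added illustration (not DSEnforce's own code), the following Python sketch shows the baseline-and-deviation pattern described above: it diffs two constructed directory snapshots, classifies deletions, changes inside a protected container and changes to security-relevant attributes as critical, and routes those to an immediate report while everything else goes to a daily digest. The critical attribute list, the protected container name and the sample objects are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attributes whose change breaches the authority hierarchy or audit trail: report immediately.
# Both of these are assumptions for this example, not DSEnforce's own rules.
CRITICAL_ATTRS = {"member", "adminCount", "userAccountControl", "nTSecurityDescriptor"}
PROTECTED_SUFFIX = "OU=Tier0,DC=example,DC=test"  # constructed "core architecture" container

Snapshot = Dict[str, Dict[str, object]]  # distinguishedName -> {attribute: value}

@dataclass(frozen=True)
class Deviation:
    dn: str
    kind: str            # "created" | "modified" | "deleted"
    attr: Optional[str]  # attribute name for "modified", otherwise None
    severity: str        # "critical" -> immediate report, "routine" -> daily digest

def compare(baseline: Snapshot, current: Snapshot) -> List[Deviation]:
    """Diff the current snapshot against the baseline and classify every deviation."""
    found: List[Deviation] = []
    for dn in sorted(baseline.keys() - current.keys()):
        found.append(Deviation(dn, "deleted", None, "critical"))  # baseline objects must not vanish
    for dn in sorted(current.keys() - baseline.keys()):
        sev = "critical" if dn.endswith(PROTECTED_SUFFIX) else "routine"
        found.append(Deviation(dn, "created", None, sev))
    for dn in sorted(baseline.keys() & current.keys()):
        before, after = baseline[dn], current[dn]
        for attr in sorted(before.keys() | after.keys()):
            if before.get(attr) != after.get(attr):
                critical = attr in CRITICAL_ATTRS or dn.endswith(PROTECTED_SUFFIX)
                found.append(Deviation(dn, "modified", attr, "critical" if critical else "routine"))
    return found

def schedule(deviations: List[Deviation]) -> Dict[str, List[Deviation]]:
    """Split deviations into the immediate report and the daily digest."""
    return {"immediate": [d for d in deviations if d.severity == "critical"],
            "daily": [d for d in deviations if d.severity == "routine"]}

# Constructed snapshots: a privileged group gains a member, a service account's description is
# edited, a policy object in the protected container disappears, and an ordinary user is created.
BASELINE: Snapshot = {
    "CN=Domain Admins,CN=Users,DC=example,DC=test": {"member": ("CN=alice,CN=Users,DC=example,DC=test",), "adminCount": 1},
    "CN=svc-backup,OU=Service,DC=example,DC=test": {"description": "Nightly backup", "userAccountControl": 66048},
    "CN=Tier0 Policy,OU=Tier0,DC=example,DC=test": {"displayName": "Tier0 lockdown"},
}
CURRENT: Snapshot = {
    "CN=Domain Admins,CN=Users,DC=example,DC=test": {"member": ("CN=alice,CN=Users,DC=example,DC=test", "CN=bob,CN=Users,DC=example,DC=test"), "adminCount": 1},
    "CN=svc-backup,OU=Service,DC=example,DC=test": {"description": "Nightly backup (v2)", "userAccountControl": 66048},
    "CN=jdoe,CN=Users,DC=example,DC=test": {"description": "New starter"},
}
```

Calling `schedule(compare(BASELINE, CURRENT))` puts the deleted policy object and the Domain Admins membership change in the immediate bucket and the two cosmetic changes in the daily digest.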

DSEnforce technical requirements

In order to activate DSEnforce, the following should be arranged in advance:

  • A current installation of DSEvolve in the optimised directory
  • HTTPS access to specified internet locations for the DSEvolution service running on the root domain controller
  • Use of a domain admin account. This access can be supervised if required, but this greatly increases the amount of internal administrator time required
  • Jointly signed non-disclosure agreements
  • Signed acceptable usage policy.

DSEnforce client time requirements

Object validations:

Approximately 2 to 3 hours per month of Domain Administrator time to resolve reported issues and update object validations