Active Directory users finding their way

Many IT shops use Microsoft Active Directory to manage network access. Some say it's difficult, but others use it to successfully handle directory services, group policy and provisioning.

A vast majority of IT shops manage employee network access and security policies using Microsoft Active Directory. Many express satisfaction with the system, but some say it's complex and too difficult to use.

"One challenge is having the time and abilities to really lay out Active Directory so it's consistent and allows you to set up group policies that work for IT as well as the users," said Mark Cardono, an IT specialist for the Shore Educational Collaborative, a Chelsea, Mass.-based special needs school serving 10 districts in Massachusetts.

Of 358 IT professionals responding to an April SearchSecurity.com survey on identity and access management, 85% said they use Microsoft for directory services, group policy and provisioning. Nearly two-thirds said Microsoft is their primary vendor for this purpose. Asked which vendors they use for authentication and authorization, 72.6% said Microsoft.

Products from Sun Microsystems Inc., Symantec Corp., IBM, Novell Inc., Cisco Systems Inc. and RSA Security Inc. also ranked high, but nowhere near Microsoft's level.

One explanation for the figures may be the sheer number of enterprises that are Windows environments. Active Directory is Microsoft's trademarked directory service, and today is an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories.

For IT departments managing environments that are predominantly Windows-based, it makes sense from a financial and logistical standpoint to use a directory service that's already built into the operating system.

As Cardono pointed out, "Microsoft Active Directory is part of the package with no extra cost." He said budgets are tight in the education sector and that institutions "can't go out and get the latest and greatest [product] all the time."

In search of Group Policy
The Group Policy feature in Active Directory is a critical piece of Cardono's patch management plans.

To use Windows Server Update Services (WSUS), one of Microsoft's patch delivery tools, Cardono must configure Group Policy to tell WSUS which computers need which security updates.

He watched a webcast on how to set up WSUS one night and found that he's not the only one struggling with Group Policy management.

"Information wasn't in a place that was intuitive and the narrator made a point of this," Cardono said, adding that he wants Active Directory to make it easier to find the right policy for specific groups.

Cardono is not alone in wanting a better handle on the program. More than 44% of respondents said a top priority this year is to better leverage Active Directory and other directory services.

Hard to use
Jessica Lynne Verzi, information security manager for Rochester, N.Y.-based ESL Federal Credit Union, likes that Active Directory has a feature to set domain and group policy. But that doesn't mean she finds the program any easier to use than Cardono does.

"I'm not happy with it," she said. "It's hard to fully grasp everything you can do with Active Directory." She specifically referenced her difficulty in keeping track of who has logged on, when they logged on and what they're doing.

"You have to hit the books and research too much just to figure out how to do certain things," she said. "You have to be very intimate with that product to get it to do what you need it to."

Access (out of) control?

About this special report: You've heard about the need for companies to ensure that network users are who they say they are, and that employees can only access what their jobs require. In this special report, IT professionals surveyed by SearchSecurity.com share the pain points and solutions they've experienced on the way to better and more practical ID and access management.

The survey results suggest IT shops are either working to make Microsoft Active Directory a better fit in their environments, or are looking to use the directory services of another vendor.

More than 85% said they're spending the same or more on directory services, while only about 14% said they're spending less or not at all. Though a vast majority said they use Microsoft Active Directory, 47% said they run multiple directories from separate vendors.

Others are satisfied
Microsoft's system may be a thorn in the side of some IT administrators, but the survey numbers seem to indicate that a majority of users are happy with it.

More than 68% of respondents said they are either satisfied or very satisfied with their directory services, compared to only 6.28% who are not very or not at all satisfied.

Much of that satisfaction is probably directed at Microsoft, given the number of respondents who identified the company as their primary directory services vendor. For those using more than one directory, it's possible their satisfaction was directed toward one of the other vendors they use.

Brian Clark, an IT professional based in Chicago, said he's gotten Active Directory to do his bidding for the most part. In particular, he likes that the program can be used to manage the host-based firewall in Windows XP.

"The Payment Card Industry (PCI) [standard] requires that laptops have a host-based firewall installed that can't be disabled by the user," he said. "You can accomplish that via Active Directory Group Policy."

Getting help
Clark's experience is with the Windows 2003 version of Active Directory. He said a lot of companies still use the Windows 2000 version, which some consider obsolete by today's standards. "I could see where they might have problems," he said.

Clark acknowledged there's a steep learning curve when it comes to figuring out Group Policy and that can be a problem for organizations lacking the internal resources to study it. At the company he most recently worked for, specialists from outside the company were brought in to help.

"We used a consultancy specializing in all things Windows," he said. "We brought them in to help us build things the way we wanted to."

With the outside help, the company was able to broaden its use of Active Directory, and it cost less than $10,000. His advice to those having trouble with Active Directory: Get the outside help.

If a company has a few thousand dollars to spare, he said, "It's well worth it."

This article originally appeared on SearchSecurity.com
