AD management in typical organizations ^
Even though Active Directory has been on the market for two decades, many organizations have had major worries with their AD Domain Services implementations from the start. Of course, as an AD admin, you're immediately thinking about the many hacks and advanced persistent threats (APTs). These include the golden ticket and skeleton key attacks on the outdated NT LAN Manager (NTLM) and Kerberos protocols. But these aren't the real day-to-day problems for AD admins.
Although AD is at the heart of most organizations' networking infrastructures, it has a reputation for being dull, hard to manage remotely, hard to delegate, and hard to align with modern business goals like digital transformation.
Let's look at these characteristics one by one, together with a possible solution.
Hard to manage remotely ^
The bane of the AD admin's existence is the way we typically manage AD in enterprise organizations. An AD admin needs to be at the office from 9 to 5, using a specific privileged Windows-based workstation and account and also typically a smartcard for logon.
Microsoft didn't really help AD admins either. Even the relatively new AD Administrative Center is a Windows-only tool. AD still hasn't shown its face in PowerShell Core, so it's no surprise Mac-addicted admins still feel left out.
For Windows-based admins, it's not much better. The version of the remote management tools largely determines the functionality you can use: you need the latest Windows release to download, install, and use the latest Remote Server Administration Tools (RSAT). Even then, remote management doesn't cover every AD component, because Active Directory Federation Services (AD FS) still doesn't offer it.
While salespeople go places with their Macs, AD admins feel confined, left out, and probably depressed.
What if… AD admins could break free?
For that, we'll need an interface that is device-agnostic, uses HTTPS, TLS 1.2, and Internet Information Services (IIS). It should also offer extensive logging and auditing, use a highly available deployment, and work together with the current multi-factor authentication processes.
Adaxes 2018.1's Web Interface ^
Recently Softerra released an update to Adaxes, its Active Directory management and automation solution. We've discussed Adaxes before. The 2018.1 update introduces big changes to the Web Interface and adds a new reporting platform on top of what the product already provided.
The completely overhauled AD web interface caught my immediate attention. From this version onwards, Adaxes might just meet the above requirements. Let's work through those requirements.
Adaxes 2018.1's Web Interface component offers a newly written interface with a responsive design. This means the web pages where you manage AD render well on a variety of devices and screen sizes. This allows AD admins to get work done on their iPhones on the beach if they need or want to.
Not so fast though—to meet the information security-related requirements, we need to create some infrastructure. I installed the Adaxes Service and the Adaxes Web Interface on a Windows Server 2016 box. The Adaxes installation wizard installed and configured IIS. Of course, then I added a free TLS certificate from Let's Encrypt, configured the binding, and hardened the HTTP response headers, including the one for HSTS. Using IISCrypto, I disabled weak ciphers, like DES, RC2, and RC4, and all protocols except TLS 1.2. Configuring IIS logging was the last item on my to‑do list to meet my typical security requirements.
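The IIS hardening described above, as an added PowerShell example (not code from the article or from Softerra): it disables every SCHANNEL protocol except TLS 1.2 and the DES/RC2/RC4 ciphers, adds the HSTS header, and turns on W3C logging with the fields needed for auditing. The site name and the set of header/log fields are assumptions; the certificate binding is left to the IIS Manager step the text mentions.

```powershell
# Added example: hardens the IIS site fronting the Adaxes Web Interface.
# Assumption: $SiteName is the site the Adaxes installer created; run elevated on the IIS host.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: site hosting the Web Interface
$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Protocols: server side only TLS 1.2 (Enabled=0 + DisabledByDefault=1 turns a protocol off).
$protocols = @{ 'SSL 2.0' = 0; 'SSL 3.0' = 0; 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 1 }
foreach ($p in $protocols.Keys) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Schannel\Protocols\$p\Server")
    $key.SetValue('Enabled', $protocols[$p], 'DWord')
    $key.SetValue('DisabledByDefault', [int](-not $protocols[$p]), 'DWord')
    $key.Close()
}

# 2. Ciphers: disable DES, RC2 and RC4. The .NET registry API is used on purpose:
#    the key names contain '/', which the PowerShell registry provider treats as a path separator.
$weakCiphers = 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
foreach ($c in $weakCiphers) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Schannel\Ciphers\$c")
    $key.SetValue('Enabled', 0, 'DWord')
    $key.Close()
}

# 3. Response headers: add HSTS (one year, subdomains), drop the server-wide X-Powered-By banner.
$hdr = 'system.webServer/httpProtocol/customHeaders'
Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hdr -Name '.' `
    -AtElement @{name='X-Powered-By'} -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $hdr -Name '.' `
    -Value @{name='Strict-Transport-Security'; value='max-age=31536000; includeSubDomains'}
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $hdr -Name '.' `
    -Value @{name='X-Content-Type-Options'; value='nosniff'}

# 4. Logging: W3C format with who/what/from-where/result fields, so a password reset or
#    group change made through the web interface can be traced back to a client and user.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logFormat -Value 'W3C'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logExtFileFlags -Value `
    'Date,Time,ClientIP,UserName,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,Win32Status,TimeTaken,UserAgent,Referer'

# SCHANNEL changes take effect after a reboot; the IIS changes apply on the next request.
# Test with the oldest client you still support before rolling this out: disabling TLS 1.0/1.1
# locks out anything that cannot negotiate TLS 1.2.
```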
I've only implemented a single server and installed both the Adaxes Service and Adaxes Web Interface on it. However, Adaxes does offer high availability through configuration sets behind a load balancer. When setting up multiple Adaxes Service instances as part of a configuration set, all Service installations share a common configuration, like the set of managed AD domains, security roles, business rules, scheduled tasks, and the Web Interface configuration. Like AD itself, Adaxes uses the concept of multi-master replication to replicate changes among all of its Service instances.
You can also place web servers running the Adaxes Web Service component behind load balancers, in perimeter networks, and so on. In this way, you can achieve a fully redundant and highly available implementation.
Hard to delegate ^
Since the early days of AD Domain Services, Microsoft has offered ways to delegate control in AD. Its built-in roles (like Account Operators, Server Operators, and Backup Operators) offer broad delegation options. But most enterprise organizations opted to delegate more granularly through the Delegation of Control wizard and access control lists (ACLs) on organizational units (OUs) and objects.
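Reviewing what has actually been delegated on an OU through those ACLs is the first thing an access review needs, so here is an added PowerShell example (not from the article) that lists the ACEs set directly on an OU and flags which trustees hold the Reset Password extended right that the Delegation of Control wizard grants. It assumes RSAT's ActiveDirectory module on a domain-joined host; the OU distinguished name is a placeholder.

```powershell
# Added example: enumerate explicit delegation on an OU and flag reset-password rights.
# Assumption: ActiveDirectory module (RSAT) is available; the DN below is a placeholder.
Import-Module ActiveDirectory

# Well-known schema GUID of the User-Force-Change-Password extended right ("Reset Password").
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn)

    $acl = Get-Acl -Path ("AD:\" + $OuDn)
    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from parent containers; only explicit ACEs are delegation on this OU.
        if ($ace.IsInherited) { continue }

        # An empty ObjectType together with ExtendedRight means *all* extended rights,
        # which includes reset password; otherwise match the specific right GUID.
        $canReset = $ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
                    ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ResetPasswordRight)

        [pscustomobject]@{
            Trustee       = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType      # Allow or Deny
            Rights        = $ace.ActiveDirectoryRights
            ResetPassword = [bool]$canReset
            Inheritance   = $ace.InheritanceType        # e.g. Descendents = applies to child objects
        }
    }
}

# Usage: review who was delegated what on a placeholder Sales OU, reset-password holders first.
Get-OuDelegation -OuDn 'OU=Sales,DC=example,DC=com' |
    Sort-Object ResetPassword -Descending |
    Format-Table -AutoSize
```

A Deny entry with ResetPassword set to True restricts rather than grants, so read the Type column together with the flag.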
Unfortunately, a delegated user always needs one of the available AD tools to do the work. The same problems arise here as with AD admins, so you'd think Adaxes' Web Interface would be an ideal fit here too. However, there are more problems to overcome in this area.
Besides offering a secure and device-agnostic interface, the interface needs to be multilingual and tailored to the specific tasks for the delegated person in terms of commands and information.
Delegation in Adaxes 2018.1's Web Interface ^
I can't escape thinking that Softerra has really thought this through. The Adaxes Web Interface is a true gem when it comes to delegation. It's where its reporting capabilities also come into play.
To me, a solution's delegation capabilities display its maturity. By default, Adaxes ships with three delegation-ready web interfaces: one for administrators, one for help desk personnel, and one for mere mortals.
Build your own interfaces
This role distinction works in most organizations, but enterprise organizations typically need more granular access controls. The above three web interfaces are built in, but in the Adaxes Web Interface Configurator, you can develop new interfaces from scratch or copy them from pre-existing ones. You can edit every aspect of each interface, such as automatic logon (based on Kerberos) per group, OU, Adaxes business role, and so on. Need approvals too? Not a problem; that's included too.
For instance, let's say you wanted managers to be able to reset the passwords for their subordinates. An admin can specify a new web interface for these people and allow them to log on automatically. You can then scope the reset password action to all subordinate user objects that reference the manager in their manager field. Of course, you'd exclude admins. A specific report would show the number of subordinates in a graph on the homepage.
You could apply the same method to the people in the human resources department if you wanted to let them create user objects for new hires. Simply create a new web interface and assign it to the HR department or Adaxes business role. Since you'd want to pre‑populate certain fields, you can supply the values and hide the fields from view, like computers, groups, and OUs they have no business with. There's no need for HR people to come up with usernames, email addresses, and such, right? A graph on the homepage would display the new hires and (possible) layoffs over time.
The animation below from Softerra’s Adaxes Web Interface Customization article provides the best view on the possibilities for customizing the web interface:
Of course, Adaxes offers multilanguage support for delegation across country and language borders.
However, in some cases AD under-the-hood terminology might not align with the business language the organization uses. Not everybody in your organization knows what a distinguished name (DN) is, right? As an Adaxes admin, you can change any text throughout the entire Adaxes Web Interface. English, German, and French are enabled by default, but adding a language and editing the text is easy in the Web Interface Configurator.
Hard to align with business goals ^
Even in a perfect world, AD admins never make all AD-related decisions themselves, nor should they have to.
In both examples of the HR people and managers, Adaxes provides the tasks they need to perform and the information they need to perform the tasks well. Instead of having them manage AD, they now manage the business goals they are responsible for. This way, AD and all AD-integrated applications, systems, and services align with the business.
When the entire AD ecosystem within an organization aims at enabling the people in the organization, you'll want to act on soon-to-expire accounts and locked-out users. In security-centered environments, application owners will want to regularly review group memberships that provide (privileged) access to their applications.
Adaxes 2018.1's reporting capabilities ^
Adaxes 2018.1 comes with 200 built-in reports. Admins can use these reports to gain quick insights on what's happening in their AD environments. These are typical reports on things such as soon-to-expire accounts and locked-out accounts.
Make your own reports
In the Adaxes Management Console, you can build your own reports. You can make them from scratch, but you can also build off the built-in reports. If you want to use a script to wrestle data into a report or graph, this is also entirely possible.
As with the limitless delegation options in Adaxes 2018.1, you can also control every aspect of these reports. Admins can create their own reports based on any required business logic. Do you want to order additional domain controllers when your own custom script detects that your current domain controllers were under heavy load for most of the month? Go ahead.
Where the magic happens
Combining reports with delegation is where the real magic happens. I've shown you two examples of graphs from reports, but let's dig a bit deeper.
You can schedule reports in Adaxes. This way, every morning at 8 AM, you can have it mail a report to the help desk with locked-out accounts as a to-do list or double-check list. Or you can have it mail a list with soon-to-expire accounts to a department owner. Or you can have it store access reviews in the shared folder of an application owner automatically.
Adaxes can also provide reports on demand to any of the delegated scopes. Whenever users need the most up-to-date information, they can gather it by simply pressing the button to generate the report. The self-service report functionality even allows them to schedule the report themselves.
Think about it ^
These are three areas where Adaxes can help.
Today, you're the admin. But anyone in the organization can do anything you need them to. You can granularly delegate, change the interface, change the options users have and the actions they can perform, change the fields they see—you name it.
They won't know they manage Active Directory. They don't have to know they manage AD—or Exchange. The Adaxes Web Interface allows that level of business abstraction and alignment.