Sean Deuby | Principal Technologist

One of the nightmares that Active Directory admins dread is a simple human error in configuration that can cause crippling access or security problems across the organization. I’ve always said that one of the most unsettling remarks you may hear at work is an AD administrator saying “Oops!” As a nearly quarter-century-old technology, AD is a powerful but complex identity platform that was built long before the era of cyber warfare. Hardening AD against cyberattacks is an ongoing battle, and even routine maintenance operations can go awry, causing downtime or security risks.

To add to the problem, many organizations now lack AD expertise on staff. Misconfigurations can accumulate over time, leaving the AD environment with dozens of security vulnerabilities, some of which lurk under the surface as potential future attack vectors, and some of which require immediate action.

To stay on top of AD misconfigurations, you need a comprehensive AD threat prevention, detection, and response strategy. In other words, you need technology that will save your hide if you accidentally run a script that resets 5,000 passwords—the faster, the better.

The ability to quickly remediate configuration mishaps emerged as a significant benefit of Semperis Directory Services Protector (DSP) for customers who participated in the Forrester Total Economic Impact of Semperis report. Forrester uncovered 90% faster object- and group-level remediation for Semperis customers who use DSP.

One of the Semperis customers who participated in the study, a network systems analyst at a healthcare company, said that before implementing DSP, the organization was having frequent group- and object-level incidents that involved hours of effort to resolve.

“Now, we know how to fix the issue within minutes,” he said. “It’s night and day.”

Forrester study participants (representatives from five organizations across healthcare, consulting, financial services, and energy, with average annual revenue of $10B) reported multiple challenges in mitigating routine AD configuration errors, including:

  • Unintended modifications to organizational units, affecting the organizational structure
  • Unauthorized changes to user account attributes such as passwords and group memberships
  • Deletion or modification of security groups, affecting access permissions
  • Compromise of privileged user accounts or service accounts
  • Changes to group policies that impact security settings across the network
  • Unintentional misconfigurations that reduce productivity

As any AD admin knows, each incident on its own might be relatively easy to address. But in a large organization, misconfigurations can multiply and compound downtime, especially in cases where users are blocked from accessing critical apps and services or where an incorrect setting causes a security incident. DSP can roll back mistakes faster and more easily than any other solution on the market.

“Semperis allows us to optimize our operations in regard to addressing [object- and group-level] incidents as they come up. It gives us an ongoing ability to reeducate our teams and train them on new and better ways of fixing issues to get end users back up and running.”

Manager of identity management and engineering, healthcare company, in Forrester Total Economic Impact of Semperis

The Forrester study participants shared some anecdotes that illustrated the benefits of using DSP to save time in remediating operational errors:

  • At a healthcare organization, AD misconfigurations occurred weekly, affecting between 300 and several thousand employees. These incidents each required several hours of remediation time. After deploying DSP, remediation time was reduced to 30 minutes.
  • A manager in identity management and engineering in healthcare said that before deploying DSP, fixing role-based access control problems took six AD experts several days. With DSP in place, that effort was cut to about 2 hours and required only two team members.
  • The senior manager of server architecture at an energy company reported that before deploying DSP, their team took up to 8 hours to remediate an AD-related error. By using DSP’s object- and group-level recovery capabilities, they cut that time to 30 minutes to fully resolve the problem and get users up and running again.

Participants reported that using DSP cut their remediation time by 90%. In the report, Forrester estimated that an average of 1% of the organization’s total headcount was affected by a major object- or group-level incident, each incident caused about 5 hours of downtime, and the study participants averaged 25 such incidents per year. Forrester concluded that organizations with similar characteristics would see about $4.3 million in savings over three years.

AD configuration mistakes cost time and money

Every AD misconfiguration can delay access to resources or open the door to security vulnerabilities—both of which require time and expertise to fix. The Forrester study points out the potential impact of accumulated misconfigurations—and the immediate benefit of implementing DSP to help remediate object- and group-level incidents.

For a deeper dive into more examples of cost savings related to reducing AD vulnerability remediation time, check out the Forrester TEI report. (And if you’re looking for a fast way to assess your own environment’s vulnerabilities, download Purple Knight, a free tool from Semperis that scans for 150+ IOEs and IOCs and provides an overall security report card.)
