The hidden danger of manual authorization assignments

Fast, unbureaucratic and uncomplicated – this is how the assignment of rights in the system seems to proceed when it is carried out manually by administrators. It is obvious that this makes it difficult to implement the need-to-know principle. In practice, however, more and more extensive authorizations accumulate over time, and not all of them are needed. But that is not all. In addition to the effort involved in manual administration and the historically grown authorizations, there is another problem: undocumented AD groups created by hackers.

This is exactly where Access Manager steps in and offers a way to put a stop to growing permissions and malicious AD groups through automatic SET-ACTUAL matching. We will explain why it is not enough to manually document changes and remove them yourself.

Security gaps due to manual authorization assignments

In recent Exchange hacker attacks, one of the attack tactics is often the creation of new AD groups that gain access to the file servers. This gives hackers access to secret elements. Especially the manual assignment of permissions makes it difficult for an admin to recognize which changes were made from the outside and which from the inside. Accordingly, it can take a long time to identify which groups belong to the “bad guys”. Valuable time is wasted in this process, during which vast amounts of sensitive data can be tapped. Another countermeasure would of course be to temporarily paralyze everything, but the disadvantages of such an action should be obvious. And after these measures, in the end it is still not clear from where exactly the rights and groups came and who inserted them. This means that effectively closing the security gap in order to prevent future attacks in the long term will be costly and complicated.

How the Access Manager works

With the Access Manager, this vulnerability is eliminated. The automatic SET-ACTUAL comparison detects AD groups and not only deletes them directly, but also creates detailed documentation. This makes AD groups easily traceable and closes security gaps. This effectively prevents further damage.

Access Manager positions itself as the primary data source of the authorization system. All changes that have been stored in the Access Manager and set by means of a workflow are finally implemented in the system. All other AD groups and permissions are removed, extensively audited, and can be thoroughly investigated and tracked with comprehensive reports, even after the fact.

Flexibility despite security

However, if you wish to set up access rights directly, this is possible. Portals for administrators and direct authorization assignments are also available within the Access Manager. The TARGET-ACTUAL comparison can be triggered here immediately and the desired right can be implemented in the system immediately – as a primary data source, traceable and secure.

What are AD groups?

Active Directory groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of individual users simplifies network maintenance and management.

Learn more now

To learn more about the TARGET-ACTUAL comparison and the advantages of the Access Manager, we cordially invite you to an individual product presentation. Simply fill out the form below.

Arrange individual product presentation now

The hidden danger of manual authorization assignments

Security gaps due to manual authorization assignments

How the Access Manager works

Flexibility despite security

Learn more now

Folgen Sie uns schon?

News