DotW: AD Naming Convention

Created On 09/25/18 19:03 PM - Last Modified 07/19/22 23:09 PM


Resolution


In this week's Discussion of the Week, I've picked up on a question posted by community member @jezkerwin regarding naming conventions for Active Directory user groups.

 


Although there is no convention that dictates which names to use or not to use, choosing a naming convention thoughtfully at an early stage will make life easier for the administrator later on, as the organization or the security policy grows.

Community member @pulukas points out that a good methodology is to first determine the core components relevant to the organization, compress those into easily recognizable acronyms/abbreviations, and add sub-categories where needed.


As an example, a good starting point could be to split up types of internet access based on job requirements and URL categories:

Management (MGT) could require full internet access to all non-malicious categories. Human resources (HR) may be more restricted, but may need access to social media and job search sites, while a contractor (CTR) may have access to only a single set of manually whitelisted URLs. IT may need access to some malicious categories to be able to research some threats.

Next, access can be split between applications: some contractors, for example, may only be allowed access via Oracle or SQL database tools, which could spawn the sub-group CTR-DB. Some IT groups may only be allowed access to systems via SSH, IT-SSL or remote desktop for server admins: IT-RDP.

If even more granular control is desired, destinations can be added to show which network or server farm a group has access to, such as CTR-DB-PROD, IT-RDP-CITRIX, GUEST-WEB-INTRA. This will allow an admin to easily identify groups in security rules and go about providing access to only members of those groups.
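A convention like this only stays useful if names are checked against it, so here is an added example (not part of the original article or discussion) that decodes ROLE-APPLICATION-DESTINATION names and reports groups that drift from the convention. The vocabularies, the function names and the sample list are assumptions built from the abbreviations used above.

```python
import re
from typing import NamedTuple, Optional

# Vocabularies seeded from the abbreviations in this article (an assumption);
# replace them with the components your own organization has agreed on.
ROLES = {"MGT", "HR", "CTR", "IT", "GUEST"}
APPLICATIONS = {"DB", "SSL", "RDP", "WEB"}
DESTINATIONS = {"PROD", "CITRIX", "INTRA"}
FIELDS = (("role", ROLES), ("application", APPLICATIONS), ("destination", DESTINATIONS))

class GroupName(NamedTuple):
    role: str
    application: Optional[str] = None
    destination: Optional[str] = None

def parse_group(name):
    """Decode ROLE[-APPLICATION[-DESTINATION]]; raise ValueError naming the bad part."""
    parts = name.split("-")
    if len(parts) > len(FIELDS):
        raise ValueError(f"{name}: expected at most 3 components, got {len(parts)}")
    for part, (label, vocab) in zip(parts, FIELDS):
        if not re.fullmatch(r"[A-Z0-9]+", part):
            raise ValueError(f"{name}: {label} {part!r} is not upper-case alphanumeric")
        if part not in vocab:
            raise ValueError(f"{name}: unknown {label} {part!r}")
    return GroupName(*parts)

def audit(names):
    """Return {name: problem} for every group name that breaks the convention."""
    problems = {}
    for name in names:
        try:
            parse_group(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems

# Constructed sample: three names from the article plus three deviations
# (components in the wrong order, lower case, and an extra component).
SAMPLE = ["CTR-DB-PROD", "IT-RDP-CITRIX", "GUEST-WEB-INTRA",
          "PROD-DB-CTR", "ctr-db", "IT-RDP-CITRIX-EU"]

if __name__ == "__main__":
    for problem in audit(SAMPLE).values():
        print(problem)
```

Run against an export of group names from the directory, the output lists the groups to rename or review before they are referenced in security rules.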

 

 

Please feel free to follow the original conversation here and weigh in on your thoughts, or feel free to comment below.

 

 

Thanks!

Reaper


