topic Active Directory group naming scheme in General Topics

Active Directory group naming scheme

jezkerwin — Thu, 21 Jul 2016 01:48:23 GMT

Hi all,

I'd be interested to here is anyone has come up with interesting naming schemes for AD groups used within Palo Alto firewall policies.

I'm looking for inspiration as I'm looking to come up with a logical scheme on our end.

Cheers.

Re: Active Directory group naming scheme

Roby_Sreejith — Thu, 21 Jul 2016 07:38:02 GMT

Can you elaborate your request

Re: Active Directory group naming scheme

jezkerwin — Thu, 21 Jul 2016 12:45:21 GMT

I'm interested to learn how people name their groups within Active Directory that are used within the Palo Alto Firewall Policies.

Are they named randomly or does the name of the group identify what the policy does within the firewall.

I'm looking to come up with a naming scheme for myself that makes sense, is easy to manage and has relevance when identifying the policy within the firewall so I'd like to learn if others have come up with a scheme or system that they use that I could draw inspiration on for my requirements.

For example, if a policy is giving RDP access to a bunch of servers on floor 3 of office 1 is the rule named 'Off_1_Flr_3_RDP_allow' or is it called 'access to rdp for developers'.

Re: Active Directory group naming scheme

Brandon_Wertz — Thu, 21 Jul 2016 19:03:06 GMT

Do you mean just the security rule names / nomenclature?

If you're actually talking about security groups in AD that are used in policy on the firewall...Well in most environments the guys that control the firewall have no input on the naming standard of AD security groups.

Re: Active Directory group naming scheme

jezkerwin — Fri, 22 Jul 2016 00:22:26 GMT

Yeah, I'm talking about the nomenclature of the AD security groups themselves.

I guess I'm in a different position where I have the input in naming both.

Re: Active Directory group naming scheme

pulukas — Sat, 23 Jul 2016 12:49:04 GMT

Naming conventions that I've found most helpful over various employers are ones that are both brief and meaningful. This usually entails determining first the major categories and then sub-groups that have logical meaning for the organization. Then developing a short 3-4 letter abreviation for them to encode into the name.

You can further simplify the AD setup by creating security groups that simply contain other groups.

For example:

List of job roles that contain actual users

List of resources needing access security that contain job role groups only

The security policy then can be nuanced to either the resource or the role depending on the details of the rule.

And names are recognizable abbreviations of the resource or the role.