DOMAIN ADMIN TOOLS

Tips and tutorials for webmasters and domain administrators

What Is a Hostname?

A hostname is a label assigned to a device (a host) on a network. It distinguishes one device from another on a specific network or over the internet. The hostname for a computer on a home network may be something like new laptopGuest-Desktop, or FamilyPC.

Hostnames are also used by DNS servers so you can access a website by a common, easy-to-remember name. This way, you don’t have to remember a string of numbers (an IP address) to open a website.

A computer’s hostname may instead be referred to as a computer name, sitename, or nodename. You may also see hostname spelled as host name.

Examples of a Hostname

Each of the following is an example of a Fully Qualified Domain Name with its hostname written off to the side:

  • www.google.com: www
  • images.google.com: images
  • products.office.com: products
  • www.microsoft.com: www

The hostname (like products) is the text that precedes the domain name (for example, office), which is the text that comes before the top-level domain (.com).

How to Find a Hostname in Windows

Executing hostname from the Command Prompt is the easiest way to show the hostname of a computer.

hostname command prompt command in Windows 10

Never used Command Prompt before? See our How to Open Command Prompt tutorial for instructions. This method works in a terminal window in other operating systems, too, like macOS and Linux.

Using the ipconfig command to execute ipconfig /all is another method. Those results are more detailed and include information in addition to the hostname that you might not be interested in.

The net view command, one of the several net commands, is another way to see your hostname and the hostnames of other devices and computers on your network.

How to Change a Hostname in Windows

Another easy way to see the hostname of the computer you’re using is through System Properties, which also lets you change the hostname.

System Properties can be accessed from the Advanced system settings link inside the System applet in Control Panel. Or, press Win+R and then type control sysdm.cpl to go to the correct screen.

System Properties dialog box

More About Hostnames

Hostnames can’t contain a space because these names can only be alphabetical or alphanumerical. A hyphen is the only allowed symbol.

The www portion of a URL indicates a subdomain of a website, similar to products being a subdomain of office.com.

To access google.com’s images section, you must specify the images hostname in the URL. Likewise, the www hostname is always required unless you’re after a specific subdomain. 

For example, entering www.lifewire.com is technically always required instead of only lifewire.com. This is why some websites are unreachable unless you enter the www portion before the domain name.

However, most websites you visit open without specifying the www hostname—either because the web browser does it for you or because the website knows what you’re after.

What is a DNS Cache and How Does It Work

A DNS cache (sometimes called a DNS resolver cache) is a temporary database, maintained by a computer’s operating system, that contains records of all the recent visits and attempted visits to websites and other internet domains.

In other words, a DNS cache is just a memory of recent DNS lookups that your computer can quickly refer to when it’s trying to figure out how to load a website.

The information in this article applies to home users who haven’t changed their DNS settings.

The Purpose of a DNS Cache

The internet relies on the Domain Name System to maintain an index of all public websites and their corresponding IP addresses. You can think of it as a phone book.

With a phone book, we don’t have to memorize everyone’s phone number, which is the only way phones can communicate: with a number. In the same way, DNS is used so we can avoid having to memorize every website’s IP address, which is the only way network equipment can communicate with websites.

This is what happens behind the curtain when you ask your web browser to load a website.

You type in a URL like lifewire.com and your web browser asks your router for the IP address. The router has a DNS server address stored, so it asks the DNS server for the IP address of that hostname. The DNS server finds the IP address that belongs to lifewire.com and then is able to understand what website you’re asking for, after which your browser can then load the appropriate page.

This happens for every website you want to visit. Every time you visit a website by its hostname, the web browser initiates a request out to the internet, but this request cannot be completed until the site’s name is “converted” into an IP address.

The problem is that even though there are tons of public DNS servers your network can use to try to speed up the conversion/resolution process, it’s still quicker to have a local copy of the “phone book,” which is where DNS caches come into play.

The DNS cache attempts to speed up the process even more by handling the name resolution of recently visited addresses before the request is sent out to the internet

There are actually DNS caches at every hierarchy of the “lookup” process that ultimately gets your computer to load the website. The computer reaches your router, which contacts your ISP, which might hit another ISP before ending up at what’s called the “root DNS servers.” Each of those points in the process has a DNS cache for the same reason, which is to speed up the name resolution process.

How a DNS Cache Works

Before a browser issues its requests to the outside network, the computer intercepts each one and looks up the domain name in the DNS cache database. The database contains a list of all recently accessed domain names and the addresses that DNS calculated for them the first time a request was made.

The contents of a local DNS cache can be viewed on Windows using the command ipconfig /displaydns, with results similar to this:

docs.google.com
-------------------------------------
Record Name . . . . . : docs.google.com
Record Type . . . . . : 1
Time To Live . . . . : 21
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 172.217.6.174

In DNS, the “A” record is the portion of the DNS entry that contains the IP address for the given host name. The DNS cache stores this address, the requested website name, and several other parameters from the host DNS entry.

What Is DNS Cache Poisoning?

A DNS cache becomes poisoned or polluted when unauthorized domain names or IP addresses are inserted into it.

Occasionally a cache may become corrupted because of technical glitches or administrative accidents, but DNS cache poisoning is typically associated with computer viruses or other network attacks that insert invalid DNS entries into the cache.

Poisoning causes client requests to be redirected to the wrong destinations, usually malicious websites or pages full of advertisements.

For example, if the docs.google.com record from above had a different “A” record, then when you entered docs.google.com in your web browser, you’d be taken somewhere else.

This poses a massive problem for popular websites. If an attacker redirects your request for Gmail.com, for example, to a website that looks like Gmail but isn’t, you might end up suffering from a phishing attack like whaling.

DNS Flushing: What It Does and How to Do It

When troubleshooting cache poisoning or other internet connectivity problems, a computer administrator may wish to flush (i.e. clear, reset, or erase) a DNS cache.

Since clearing the DNS cache removes all the entries, it deletes any invalid records too and forces your computer to repopulate those addresses the next time you try accessing those websites. These new addresses are taken from the DNS server your network is set up to use.

So, to use the example above, if the Gmail.com record was poisoned and redirecting you to a strange website, flushing the DNS is a good first step to getting the regular ​Gmail.com back again.

In Microsoft Windows, you can flush the local DNS cache using the ipconfig /flushdns command in a Command Prompt. You know it works when you see the Windows IP configuration successfully flushed the DNS Resolver Cacheor Successfully flushed the DNS Resolver Cachemessage.How to Flush and Clear Windows DNS Cache

Through a command terminal, macOS users should use dscacheutil -flushcache but know that there is not a “successful” message after it runs, so you’re not told if it worked. In some cases, Mac users will also have to kill the DNS responder (sudo killall -HUP mDNSResponder.) Linux users should enter the /etc/rc.d/init.d/nscd restart command. The exact command will vary based on your Linux distribution, though.

A router can have a DNS cache as well, which is why rebooting a router is often a troubleshooting step. For the same reason you might flush the DNS cache on your computer, you can reboot your router to clear the DNS entries stored in its temporary memory.

Best Free Public DNS Servers

The best free public DNS servers include GoogleQuad9OpenDNSCloudflareCleanBrowsingAlternate DNS, and AdGuard DNS.

Here’s a quick reference if you know what you’re doing, but we get into these services a lot more later in this article:

Best Free & Public DNS Servers
ProviderPrimary DNSSecondary DNS
Google8.8.8.88.8.4.4
Quad99.9.9.9149.112.112.112
OpenDNS Home208.67.222.222208.67.220.220
Cloudflare1.1.1.11.0.0.1
CleanBrowsing185.228.168.9185.228.169.9
Alternate DNS76.76.19.1976.223.122.150
AdGuard DNS94.140.14.1494.140.15.15

A list of additional free DNS servers can be found in the table near the bottom of the page.

What Are DNS Servers?

DNS servers translate the friendly domain name you enter into a browser (like lifewire.com) into the public IP address that’s needed for your device to actually communicate with that site.

Your ISP automatically assigns DNS servers when your smartphone or router connects to the internet but you don’t have to use those. There are lots of reasons you might want to try alternative ones (we get into many of them in Why Use Different DNS Servers? a bit further down the page) but privacy and speed are two big wins you could see from switching.

Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers sometimes alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” from different providers to protect you if the primary provider has problems.

Best Free & Public DNS Servers (Valid March 2021)

Below are more details on the best free DNS servers you can use instead of the ones assigned.

If you’re not sure, use the IPv4 DNS servers listed for a provider. These are the IP addresses that include periods. IPv6 IP addresses use colons.

GOOGLE: 8.8.8.8 & 8.8.4.4 

Google Public DNS website

Google Public DNS promises three core benefits: a faster browsing experience, improved security, and accurate results without redirects.

  • Primary DNS: 8.8.8.8
  • Secondary DNS: 8.8.4.4

Google also offers IPv6 versions:

  • Primary DNS: 2001:4860:4860::8888
  • Secondary DNS: 2001:4860:4860::8844

Google can achieve fast speeds with its public DNS servers because they’re hosted in data centers all around the world, meaning that when you attempt to access a web page using the IP addresses above, you’re directed to a server that’s nearest to you.

QUAD9: 9.9.9.9 & 149.112.112.112

Quad9 website

Quad9 has free public DNS servers that protect your computer and other devices from cyber threats by immediately and automatically blocking access to unsafe websites, without storing your personal data.

  • Primary DNS: 9.9.9.9
  • Secondary DNS: 149.112.112.112

There are also Quad 9 IPv6 DNS servers:

  • Primary DNS: 2620:fe::fe
  • Secondary DNS: 2620:fe::9

Quad9 does not filter content—only domains that are phishing or contain malware will be blocked. Quad9 also has an unsecured IPv4 public DNS at 9.9.9.10 (2620:fe::10 for IPv6).

OPENDNS: 208.67.222.222 & 208.67.220.220

OpenDNS public DNS server website

OpenDNS claims 100% reliability and up-time and is used by 90 million users around the world. The offer two sets of free public DNS servers, one of which is just for parental controls with dozens of filtering options.

  • Primary DNS: 208.67.222.222
  • Secondary DNS: 208.67.220.220

IPv6 addresses are also available:

  • Primary DNS: 2620:119:35::35
  • Secondary DNS: 2620:119:53::53

The servers above are for OpenDNS Home, which you can make a user account for to set up custom settings. The company also offers DNS servers that block adult content, called OpenDNS FamilyShield: 208.67.222.123 and 208.67.220.123 (shown here). A premium DNS offering is available, too, called OpenDNS VIP.

CLOUDFLARE: 1.1.1.1 & 1.0.0.1

Cloudflare 1.1.1.1 public DNS server website

Cloudflare built 1.1.1.1 to be the “fastest DNS service in the world” and will never log your IP address, never sell your data, and never use your data to target ads. 

  • Primary DNS: 1.1.1.1
  • Secondary DNS: 1.0.0.1

They also have IPv6 public DNS servers:

  • Primary DNS: 2606:4700:4700::1111
  • Secondary DNS: 2606:4700:4700::1001

There’s a 1.1.1.1 app for Android here and iOS here, for quick setup on mobile devices.

CLEANBROWSING: 185.228.168.9 & 185.228.169.9

CleanBrowsing public DNS server website

CleanBrowsing has three free public DNS server options: a security filter, adult filter, and family filter. These are the DNS servers for the security filter, the most basic of the three that updates hourly to block malware and phishing sites:

  • Primary DNS: 185.228.168.9
  • Secondary DNS: 185.228.169.9

IPv6 is also supported:

  • Primary DNS: 2a0d:2a00:1::2
  • Secondary DNS: 2a0d:2a00:2::2

The CleanBrowsing adult filter (185.228.168.10) prevents access to adult domains, and the family filter (185.228.168.168) blocks proxies, VPNs, and mixed adult content. More features can be had at a price: CleanBrowsing Plans.

ALTERNATE DNS: 76.76.19.19 & 76.223.122.150

Alternate DNS website

Alternate DNS is a free public DNS service that blocks ads before they reach your network.

  • Primary DNS: 76.76.19.19
  • Secondary DNS: 76.223.122.150

Alternate DNS has IPv6 DNS servers, too:

  • Primary DNS: 2001:4801:7825:103:be76:4eff:fe10:2e49
  • Secondary DNS: 2001:4800:780e:510:a8cf:392e:ff04:8982

You can sign up for free from their signup page. There’s also a Family Premium DNS option for $2.99 /month that blocks adult content.

ADGUARD DNS: 94.140.14.14 & 94.140.15.15

AdGuard DNS website

AdGuard DNS has two sets of DNS servers, both of which block ads in games, videos, apps, and web pages. The basic set of DNS servers are called the “Default” servers, and block not only ads but also malware and phishing websites:

  • Primary DNS: 94.140.14.14
  • Secondary DNS: 94.140.15.15

IPv6 is supported, too:

  • Primary DNS: 2a10:50c0::ad1:ff
  • Secondary DNS: 2a10:50c0::ad2:ff

There are also “Family protection” servers (94.140.14.15 and 2a10:50c0::bad1:ff) that block adult content plus everything included in the “Default” servers. Non-filtering servers are available if you’re not interested in blocking anything: 94.140.14.140 and 2a10:50c0::1:ff.

Why Use Different DNS Servers?

One reason you might want to change the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now. An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Yet another common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.

Know, however, that not all DNS servers avoid traffic logging. If that’s what you’re interested in, make sure you read through the FAQs on the DNS provider’s site to make sure it’s going to do (or not do) what you’re after.

If, on the other hand, you want to use the DNS servers that your specific ISP, like Verizon, AT&T, Comcast/XFINITY, etc., has determined is best, then don’t manually set DNS server addresses at all—just let them auto assign.

Finally, in case there was any confusion, free DNS servers do not give you free internet access. You still need an ISP to connect to for access—DNS servers just translate between IP addresses and domain names so that you can access websites with a human-readable name instead of a difficult-to-remember IP address.

Additional DNS Servers

Here are several more public DNS servers. Let us know if we’re missing any major providers.

OpenNIC has several DNS servers. Visit its website and select one that’s geographically nearby for the optimal performance.

More Free DNS Servers
ProviderPrimary DNSSecondary DNS
DNS.WATCH84.200.69.8084.200.70.40
Comodo Secure DNS8.26.56.268.20.247.20
CenturyLink (Level3)205.171.3.66205.171.202.166
SafeDNS195.46.39.39195.46.39.40
OpenNIC192.71.245.20894.247.43.254
Dyn216.146.35.35216.146.36.36
FreeDNS45.33.97.537.235.1.177
Yandex.DNS77.88.8.877.88.8.1
UncensoredDNS91.239.100.10089.233.43.71
Hurricane Electric74.82.42.42 
puntCAT109.69.8.51 
Neustar64.6.64.664.6.65.6
Fourth Estate45.77.165.19445.32.36.36

DNS servers are referred to as all sorts of names, like DNS server addresses, internet DNS servers, internet servers, DNS IP addresses, etc.

The Ultimate Guide to Active Directory Best Practices

Security Groups, User Accounts, and Other AD Basics

At many enterprises and SMBs that use Windows devices, IT teams are likely to use Active Directory (AD). Essentially, Active Directory is an integral part of the operating system’s architecture, allowing IT more control over access and security. AD is a centralized, standard system that allows system administrators to automatically manage their domains, account users, and devices (computers, printers, etc.) within a network.

AD is crucial for a number of functions—it’s can be responsible for storing centralized data, managing communication between domains, and implementing secure certificates. But perhaps most importantly, it gives system administrators control over passwords and access levels within their network to manage various groups within the system. At the same time, Active Directory can also help support the ability for users to more easily access resources across the network.

Since Active Directory is a central IT tool for managing access control and security, here’s what you need to know:

  1. Structures Within Active Directory
  2. The Difference Between Security Group vs. Distribution Group
  3. What are Group Scopes?
  4. Everything Active Directory Best Practices:
  5. Choosing the Best Tools for Active Directory Security
  6. What Attacks Can Active Directory Help Prevent?
  7. The Future of Active Directory

Structures Within Active Directory

The structure is important to understand for effective Active Directory administration, as good storage and organization practices are key to building a secure hierarchy. The following are some basic structural aspects of Active Directory management:

  • Domains: An AD domain is a collection of objects, like users or hardware devices, that share policies, and a database. Domains contain identifying information about those objects and have a single DNS name. A group policy may be applied to a whole domain or sub-groups called organizational units (OU).
  • Trees: Multiple AD domains within a single group are known as trees. They share a network configuration, schema, and global catalog. There’s a rule of trust with trees— when a new domain joins a tree, it’s immediately trusted by the other domains in the group.
  • Forests: A forest is a group of trees that share a single database. This is the top of the organizational hierarchy within an AD. A single forest should be used for each department. It’s important to note that user admins within one forest cannot automatically access another forest. 

The Difference Between Security Group vs. Distribution Group

AD is comprised of two main groups—distribution groups and security groups. Distribution groups are built primarily to distribute emails. These are useful for applications like Microsoft Exchange or Outlook, and it’s generally straightforward to add and remove contacts from one of these lists. You can’t use a distribution group to filter group policy settings. When possible, users should be assigned to distribution groups rather than security groups, since membership in too many security groups could lead to slow logon functionality.

On the other hand, security groups allow IT to manage access to shared resources by controlling user and computer access. Security groups can be used to assign security rights within the AD network. (These groups can also be used for email distribution.) Each security group is assigned a set of user rights, dictating their abilities within the forest. For example, some groups may be able to restore files, while others are not.

These groups give IT control over group policy settings, meaning permissions can be changed across multiple computers. Permissions differ from rights—they apply to shared resources within a domain. The simplest way to understand permissions is to think of Google Docs. The owner of such a document can decide who has permission to edit their work, who can comment on it, and which parties can merely view the document. Security group permissions are similar. Certain groups may have more access than others when it comes to shared resources.

What Are AD Group Scopes?

“Group scope” is the term used to categorize the permission levels of each security group. Microsoft has outlined three main scopes within AD:

  • Universal: Members from any domain can be added to a universal security group. These groups are often used to define roles and manage permissions within the same forest or trusting forests.
  • Global: Global groups pertain mostly to the categorization of users based on business roles. Users often share similar network access requirements. This group has the ability to assign permissions for access to resources in any domain.
  • Domain Local: This grouping can be applied everywhere in the domain and is often used to assign permissions for access to resources. One thing to note—you can assign these permissions only in the domain where the domain local group was created.

By adding a user account to a group, you’re eliminating the administrative legwork that comes with handling individual user access. Groups can also become members of other groups. This is called group nesting. Nesting is a helpful way to manage your AD based on business roles, functions, and management rules.

Active Directory Nested Groups Best Practices

Before implementing nesting strategies, be sure to follow Active Directory nested groups best practices. These will ensure you’re keeping your data safe while simultaneously improving efficiencies, rather than adding more layers of confusion.

  • Stay in the Loop: Being aware of permission inheritance is probably the single most important thing to keep in mind when it comes to group nesting. You can nest groups based on a parent-child hierarchy, so if you make users of Group A members of Group B, the users within Group A would have the same permissions as Group B. This can lead to problems if the users in Group B have access to sensitive information the users in Group A shouldn’t be able to access.
  • Know Your Names: Naming conventions should be front and center when you’re creating groups. They should be obvious to a fault, citing the name of the department (sales, marketing, HR, etc.) and the level of permission that they have. You’ll be thankful you have this practice in place when it comes time to build your nested groups.
  • Keep It Local: Remember, domain local groups are used to manage permissions to resources. When nesting groups, add user accounts to a global group, then add that global group to a domain local group. The global group will have the same level of access to the resource that the domain local group has. 
  • Let Go:IT professionals don’t need to be the ones in charge of group management. The managers and directors across various departments who own the content within a certain group can be empowered to manage who has access to the group. 

Active Directory Security Groups Best Practices

In addition to group nesting management tips, there are also many things to keep in mind when it comes to managing your security groups:

  • Understand Who and What: It’s important to regularly take stock of which employees have access and permission to which resources. Most employees don’t need a high level of domain access. This is what’s called the “rule of privilege.” The rule emphasizes the importance of granting all user accounts with the absolute minimum level of permission necessary to complete their assigned tasks. This isn’t about not trusting your employees, it’s about limiting the spread of potential risk factors. Logging on with a privileged account means a user could accidentally spread a hidden virus to the entire domain, since the virus would have administrative access. However, if that same user uses a non-privileged account, the damage would only be local. Practice the principle of privilege and you can help prevent potential damage.
  • Delete the Default: AD assigns default permissions and rights to basic security groups, such as Account Operators. But these default settings don’t have to stick. It’s important to take a look and make sure they’re appropriate for your company. If not, go ahead and customize them. This will help you avoid hackers who are familiar with default settings. 
  • Practice Patching: The bad news? There are many well-known vulnerabilities (holes and weaknesses) within your computer software. The good news? Patches can fix them. A patch is a set of changes designed to fix security vulnerabilities and improve usability and performance. Take the time to research which patches are right for the applications within your network. This will help you avoid security risks due to attackers ready to pounce on these vulnerabilities through malicious code.

Active Directory Best Practices for User Accounts

With thousands of user accounts to manage, it’s easy to get overwhelmed. The best way to avoid headaches is to be proactive. If you can take steps to ensure a healthy Active Directory, your chances of a security breach drop significantly. Here are a few AD user management best practices to keep in mind:

  • Perform Housekeeping Duties: Regularly deleting unnecessary user accounts from your Domain Admins group is critical. Why? Members of this group are granted access to a plethora of devices and servers. This makes them a prime target for attackers, who have become experts at breaking into user credentials. Keep the number of users within your Domain Admins group to a bare minimum to safeguard against this possibility.
  • Keep Track of Terminations: When employees leave, so must their user accounts. Abandoned accounts leave room for former employees to gain access to information that is not rightfully theirs. They’re also a target for hackers, who prey on inactive accounts as an easy way to enter a domain under cover. Do your due diligence and regularly sweep out abandoned accounts. You won’t regret it.
  • Actively Monitor: It’s important to have an overview of your forests. This ensures you stay ahead of potential problems, like service outages, and quickly identify those that do pop up, such as syncing issues and user account lockouts. Practice monitoring for a spike in bad user account password attempts. This is often a red flag that you have attackers on your hands.
  • Implement Passwords Policies: It would be great if AD were configured to require users to update passwords on a periodic basis. Unfortunately, that’s not the case. But while it may involve some manual heavy lifting, it’s important to set up processes that require regular password updates. This preventative measure is well worth the time. A few tips:
    • Long passwords are king. Think 12 characters at least.
    • Implement paraphrases, that is, two or more unrelated words strung together.
    • Allow just three login attempts before the user is locked out.

Active Directory Tips and Best Practices Checklist

We’ve dug into Active Directory security groups best practices, Active Directory user account best practices, and Active Directory nested groups best practices, but there are also a number of tips and tricks for managing Active Directory as a whole.

active-directory-best-practices-checklist
  • Have a Plan B: You’re doing your best to ensure all security measures are taken, but what happens if your AD is breached? Have a disaster recovery plan in place so you can take swift action in these moments of crisis. It’s also a smart idea to regularly backup your AD configurations.
  • Get Automated: Automated AD workflows can save you hours of time. Take tedious tasks off your plate by automating activities like onboarding and ticket management. Automation is especially helpful when it comes to putting proactive maintenance measures in place. Standardizing and streamlining practices in this way allows you to minimize the number of mistakes that can happen as a result of human error.
  • Assist from Afar: The reality is, many of the devices and servers you oversee are spread across buildings, towns, and even state lines, national borders, and other continents. Set up remote management systems that allow you to troubleshoot technical issues, like locked user accounts or replication errors, without leaving your desk. This will make you and your team more efficient.
  • Stay Alert: It’s important to have your finger on the pulse of your network. Active Directory monitoring tools, as we discussed, are essential for this. They give you a comprehensive view of your forests so can keep an eye out for security threats and easily troubleshoot technical issues. Take monitoring a step further and create custom alert thresholds that offer real-time notifications when something is not quite right. The earlier you can catch a problem, especially those that can put your entire security at risk, the better.

Choosing the Best Tools for Active Directory Security

It can be hard to keep up with all of the Active Directory best practices out there. Luckily, you don’t have to go it alone. There are countless software, platforms, and services to help you navigate this complex environment. 

Here are a few of the most common:

  • Permissions Analyzers: This tool helps you quickly and easily figure out what rights and access groups someone is assigned. Simply enter the user’s name and the software will provide a hierarchical view of effective permissions & access rights, allowing you to quickly identify how each user gained their rights. Think of this as your bird’s eye view of your security groupings.
  • Access Rights Managers: Implementing an access rights manager can help you manage user permissions, ensuring access capabilities are in the right hands and providing you with a way to monitor the overall activity of your AD. These tools also come equipped with intuitive risk assessment dashboards and customizable reports, making it easy to demonstrate compliance with regulatory requirements, such as GDPR, PCI DSS, and HIPPA.
  • Monitoring Platforms: Server and application management software allows you to quickly and easily get a snapshot of the overall health of your directory, while also providing ways to dig deeper into domain controllers. You can use these platforms to create custom alert thresholds and define what’s normal for your server, thus avoiding alert fatigue. They make staying ahead, and taking action, extremely simple.
  • Remote Software: The moment you implement a remote access tool, you’ll wonder how you ever survived without it. This type of software is designed to help you solve issues, fast, from anywhere and everywhere. With remote access, you can gain control of computers while a user is logged in, giving you an inside look at the issues they’re experiencing. This gives you a better picture of the problem at hand.
  • Automation Managers: These tools are pretty straightforward and often include a “drag and drop” scripting interface to create repeatable processes. Do you have many tasks that need to be performed on a regular basis? An automation manager will allow you to roll these tasks up into a “policy” and then set up a schedule for this policy.

What Attacks Can Active Directory Help Prevent?

As you can see, Active Directory is a central tool for managing a number of business security functions. There are, in fact, some common attacks that good Active Directory practices could help prevent. Watch out for the following issues:

  • Pass-the-Hash: This attack has been around for over a decade. Despite the fact that it’s one of the most well-known, it has still managed to do its fair share of damage. With pass-the-hash, an attacker extracts a hashed (shorter, fixed-length value) user credential to navigate their way into a remote server.  Put simply, if an attacker makes it through using a pass-the-hash tactic, there’s a weakness in your authentication process.
  • Brute Force: Elementary-level, yet effective, brute force involves an attacker using random usernames and passwords in rapid succession to gain access to your system. What are the chances of hacker success using this method? More than you’d think. Attackers who practice brute force use advanced programming to attempt trillions of combinations in seconds.

The Future for Active Directory

Whether it’s to up your security game, help you become more efficient, or, in many cases, achieve both, putting Active Directory best practices in place is an essential part of any IT strategy. From monitoring platforms to remote access software, there are dozens of tools out there to help you through the process. Choose what you need to streamline your workflow, ensure security, and ultimately improve both IT operations and user experience.

is Email Secure?

Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.

The early Internet was not secure, so new technologies were developed to improve security:

  • HTTPS to secure online transactions involving credit cards
  • SFTP to secure file transfers (now replace by HTTPS in many cases)
  • TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

There were other technologies that attempted to “secure” email communications, all had various degrees of success, but none of them have really gone mainstream.

  • PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
  • “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
  • Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams and much also escaping spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

  • Stop hosting your own email – Inbox providers like Google Workspace, Microsoft 365, Yahoo!, etc. have dedicated teams to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
  • Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
  • Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
  • Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

  • Use Inbound Email filtering gateways – Out of the box inbound filtering either software or hardware will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
  • Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
  • Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
  • Setup Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
  • Setup Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or prevent emailing large files, executables, etc. Leveraging advanced policies will help make using email more secure.
  • Setup DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
  • Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.