Insider Threat Mitigation on Windows Active Directory Domains
Identifying & mitigating the risk from authenticated users

With insider threats emerging as one of the biggest risks to corporate data, organizations are recognising that malicious and careless activity alike involve authenticated users: people who already hold authorized access and rights to the organization's network, systems and/or data.

Highly proficient external attackers also often reach sensitive information by acquiring someone's credentials, whether through phishing, social engineering, or simply posing as a figure of authority so that the user hands them over.

So, how do organizations make sure authenticated users are who they say they are? And how do they identify any ‘risky behaviour’ from any employee and put a stop to it before it ends up costing capital, customers and/or reputation?

Active Directory provides basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources. Authenticating those credentials is another matter; for this organisations need to turn to stronger authentication techniques to ensure a user really is who they say they are.

Bob Tarzey

Analyst and Director

The need for improved Identity and Access Management

Identity is one of the most important security controls for IT access, especially now that the traditional boundaries around IT systems have dissolved.

Microsoft Active Directory, which is almost a de facto standard in larger organizations, is used by the majority of companies to authenticate and authorize user access to Windows Networks.

However, Active Directory is by no means a full access management system and provides only basic user security, checking that credentials supplied match stored user profiles and then opening up access to resources.

[Infographic statistic: __% of IT professionals think there are no security holes in Microsoft Active Directory]

With security across the whole extended enterprise relying so heavily on a user’s login credentials, Active Directory is just the starting point when it comes to controlling what users can do, and recording all session activity throughout the network.

How to mitigate Insider Threats from authenticated users

A user access control policy

Create and enforce a customized access policy that restricts logins according to multiple criteria. Employees should be restricted to specific workstations, devices, departments and IP ranges, reducing the number of systems a set of login credentials can reach. Native Active Directory enforces only part of this on its own (an account's permitted workstations and logon hours); restrictions by IP range, device type or department need a layer on top of it.

Any security policy should come with education on why restrictions are in place. Once users understand not only what the restrictions are, but why, they will be empowered to follow them of their own volition.
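The workstation part of such a policy can be enforced with native Active Directory alone. The following PowerShell is an added example, not code from the original page or from IS Decisions: it sets the "Log On To" (LogonWorkstations) restriction for a constructed set of finance accounts and then reports every enabled account in the OU that is still unrestricted. The OU path, the account names, the workstation names and the hashtable mapping are assumptions made for the example; it needs the RSAT ActiveDirectory module and rights to modify the accounts.

```powershell
# Added example: enforce and audit a native AD workstation restriction.
# Assumed for the example: the OU, the accounts and the workstation names below.
Import-Module ActiveDirectory

$TargetOU = 'OU=Finance,DC=corp,DC=example'   # assumed OU

# Constructed mapping: sAMAccountName -> comma-separated NetBIOS workstation names.
# LogonWorkstations accepts a comma-separated list (up to 64 entries per account).
$AllowedWorkstations = @{
    'jdoe'   = 'FIN-WS01,FIN-LT07'
    'asmith' = 'FIN-WS02'
}

function Set-WorkstationRestriction {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Workstations
    )
    # Once set, the domain controller rejects logons for this account from any
    # host other than the listed ones, so a shared or phished password is useless
    # from an attacker's own machine or from a colleague's desk.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $Workstations
}

foreach ($entry in $AllowedWorkstations.GetEnumerator()) {
    Set-WorkstationRestriction -SamAccountName $entry.Key -Workstations $entry.Value
}

function Get-UnrestrictedUser {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Every enabled account without a LogonWorkstations value can still log on
    # from any domain-joined machine; that is exactly the gap the policy closes.
    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
        -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

Get-UnrestrictedUser -SearchBase $TargetOU | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the check is keyed on the workstation name the client presents during authentication, so it is a policy control for managed, domain-joined endpoints rather than a cryptographic proof of where the logon came from; and Active Directory has no native notion of an allowed IP range or device type, which is why the page argues for an additional control layer.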

Control across all session types

Logins are the first line of defense in securing network access and must therefore be controlled across all session types, including Wi-Fi/VPN and Internet Information Services (IIS). This ensures that IT can respond immediately to any suspicious behaviour, whether it originates on a PC, laptop, tablet or smartphone, which is especially important for companies with a BYOD policy.

Read: 6 Steps to Multi Device Security in the age of BYOD

Automatically enforce restrictions

Set controls to automatically close or lock user sessions or shut down workstations that are out of compliance with company access policies. Even when aware of password policies, employees will often share passwords (without considering the risk to corporate data) if there is no consequence for their actions.

Real-time monitoring & alerts

Monitor and report on network and file access in real time, and configure instant alerts triggered by predetermined access events (e.g., access denied, file deletion, access by a specific user or to a specific file). Patterns of unusual activity may point to employees who are likely to commit a cybercrime, or to an account whose password is being shared or has been stolen.
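The two preceding points (automatic enforcement against out-of-policy sessions, and alerts on predetermined access events) can both be built on the Windows Security log. The PowerShell below is an added example, not code from the original page or from UserLock or FileAudit: it flattens Security events 4624 (logon), 4625 (failed logon) and 4663 (object access) into plain records and flags three insider patterns, namely a burst of failed logons for one account, one account interactively logged on from two different workstations within a short window (the signature of a shared or stolen password), and a file deletion on an audited share. The thresholds, the sample records and the alert sink are assumptions made for the example; live records come from Get-WinEvent on a domain controller or file server where Audit Logon and Audit File System are already enabled.

```powershell
# Added example: detection logic over Windows Security events.
# Sample records below are constructed for the example; thresholds are assumed.

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord into the handful of fields the detections need.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Id          = $Event.Id
            # 4624/4625 carry the logged-on account in TargetUserName; 4663 only has SubjectUserName.
            User        = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
            Workstation = if ($d['WorkstationName']) { $d['WorkstationName'] } else { $d['IpAddress'] }
            LogonType   = $d['LogonType']
            Object      = $d['ObjectName']
            AccessMask  = $d['AccessMask']   # hex string such as 0x10000
        }
    }
}

function Find-FailedLogonBurst {
    param([object[]]$Records, [int]$Threshold = 5, [int]$WindowMinutes = 5)
    $Records | Where-Object Id -eq 4625 | Group-Object User | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            if (($sorted[$i + $Threshold - 1].Time - $sorted[$i].Time).TotalMinutes -le $WindowMinutes) {
                "$($_.Name): $Threshold failed logons within $WindowMinutes min from $($sorted[$i].Time)"
                break
            }
        }
    }
}

function Find-SharedPassword {
    param([object[]]$Records, [int]$WindowMinutes = 10)
    # Only Interactive (2) and RemoteInteractive (10) logons: network/service
    # logons legitimately fan out across many hosts and would flood the alert.
    $Records | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '2','10' } |
        Group-Object User | ForEach-Object {
            $s = @($_.Group | Sort-Object Time)
            for ($i = 1; $i -lt $s.Count; $i++) {
                if ($s[$i-1].Workstation -ne $s[$i].Workstation -and
                    ($s[$i].Time - $s[$i-1].Time).TotalMinutes -le $WindowMinutes) {
                    "$($_.Name): interactive logon at $($s[$i-1].Workstation) and $($s[$i].Workstation) within $WindowMinutes min"
                }
            }
        }
}

function Find-FileDeletion {
    param([object[]]$Records)
    # 4663 with the DELETE access right (0x10000) set in the mask.
    $Records | Where-Object { $_.Id -eq 4663 -and $_.AccessMask -and ([int]$_.AccessMask -band 0x10000) } |
        ForEach-Object { "$($_.User) deleted $($_.Object) at $($_.Time)" }
}

# Constructed sample (no event log needed to run the detections offline).
function New-Rec($Minute, $Id, $User, $Ws, $Type, $Obj, $Mask) {
    [pscustomobject]@{ Time = (Get-Date '2024-03-01 09:00').AddMinutes($Minute); Id = $Id; User = $User
                       Workstation = $Ws; LogonType = $Type; Object = $Obj; AccessMask = $Mask }
}
$sample = @(
    (0..4 | ForEach-Object { New-Rec $_ 4625 'jdoe' 'FIN-WS01' '2' $null $null })  # 5 failures in 4 min
    (New-Rec 10 4624 'asmith' 'FIN-WS02' '2' $null $null)
    (New-Rec 13 4624 'asmith' 'HR-WS09'  '2' $null $null)                           # same user, second desk
    (New-Rec 20 4663 'asmith' $null $null 'C:\Shares\Finance\payroll.xlsx' '0x10000')
)

$alerts = @(Find-FailedLogonBurst $sample) + @(Find-SharedPassword $sample) + @(Find-FileDeletion $sample)
$alerts | ForEach-Object { Write-Warning $_ }   # swap for mail, SIEM or a webhook in production

# Live use, last hour of the Security log on a DC or file server:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625,4663; StartTime=(Get-Date).AddHours(-1) } |
#             ConvertFrom-SecurityEvent
```

Running the block as-is produces three warnings (the failed-logon burst for jdoe, the two-workstation logon for asmith, and the payroll.xlsx deletion). The shared-password rule is where automatic enforcement would hook in: a confirmed second interactive session is the condition on which a policy engine would lock or log off the newer session.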

Centralized access reporting

Centralize and archive all access events occurring on your Windows systems and in the cloud. Doing so eases the burden of performing accurate, detailed IT forensics in the event of a security breach, and keeps the evidence out of reach of an insider who can clear the local log on the machine they used.
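For the Windows side of this step, the built-in mechanism is Windows Event Forwarding. The PowerShell below is an added example, not code from the original page or from IS Decisions: it configures a collector, creates a source-initiated subscription limited to the access-relevant event IDs, checks that sources are delivering, and archives the collected log to a share. The collector name COLLECTOR01, the archive server ARCHIVE01 and its share path are assumptions; the cloud half of the page's recommendation is outside what this example covers.

```powershell
# Added example: centralize access events with Windows Event Forwarding and archive them.
# Assumed: collector COLLECTOR01, archive share \\ARCHIVE01\eventlogs, and that the
# GPO "Configure target Subscription Manager" on source machines is set to
#   Server=http://COLLECTOR01:5985/wsman/SubscriptionManager/WEC,Refresh=60
# with NETWORK SERVICE allowed to read the Security log (Event Log Readers group).

# 1. Collector side: enable and configure the Windows Event Collector service.
wecutil qc /q

# 2. Source-initiated subscription: logons/logoffs, object access and deletion,
#    and the account/group changes an insider with admin rights would make.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AccessEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, logoff, file access and account change events from all domain members</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4660 or EventID=4663 or EventID=4720 or EventID=4726 or EventID=4732 or EventID=4733)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL granting every member of Domain Computers (DC) the right to deliver events -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$subscriptionFile = Join-Path $env:TEMP 'AccessEvents.xml'
$subscription | Set-Content -Path $subscriptionFile -Encoding UTF8
wecutil cs $subscriptionFile

# 3. Health check: each source should show as Active; Inactive or Trying means
#    the GPO, the WinRM listener or the Security log ACL on that source is wrong.
wecutil gr AccessEvents

# 4. Archive the collected log off-box with a timestamped name, then clear it.
$archive = "\\ARCHIVE01\eventlogs\ForwardedEvents-$(Get-Date -Format 'yyyyMMdd-HHmm').evtx"
wevtutil epl ForwardedEvents $archive
wevtutil cl ForwardedEvents
```

Keep the archive share writable only by the collector's computer account and readable only by the investigators: a centralized log that an administrator can edit or delete is not much better than the local one.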

Insider threat and the Privileged User

Privileged user monitoring and auditing is a large part of Carnegie Mellon Computer Emergency Response Team (CERT) recommendations for prevention of insider threats and for compliance reporting of administrator actions.

Beyond the risk that a privileged user is malicious, privileged accounts pose a great risk to an organization because they are high-value targets for hackers and adversaries eager to penetrate a company's defenses.

IS Decisions' own security solution UserLock protects against abuse by the privileged users who manage UserLock's own settings, logs and policy rules. Monitoring and auditing all of their activities offers visibility into everything administrators do on UserLock, helping to mitigate the risk from these trusted users and to verify the actions they undertake.


To mitigate insider threats, it is important that organizations build on native Active Directory with specialist security technologies to better control, restrict, monitor and audit internal network access for all authenticated users across the extended enterprise.

Next chapter: Insider Threat Prevention: Identity & Access Control Management

IS Decisions software offers organizations proven and effective solutions to help protect a Windows Network against Insider Threats.


Manage, control and secure network access for all authenticated users.


Secure and report on all access to files, folders and file shares that reside on Windows Systems and in the cloud.