Agent security: 3 tips to step up your Active Directory agent game

A company’s directory serves as the foundation for its Identity and Access Management (IAM) policies. Organizations worldwide turn to Microsoft Active Directory (AD) for a centralized approach to IAM in distributed networks, but its reliance on manual processes can hinder businesses. Many companies that already have AD in place need to make sure they’re getting the most out of their infrastructures while remaining efficient and secure, especially as they adopt an increasing amount of cloud technology. To address this issue, they integrate their company’s AD with Okta, using the Okta AD agent. 

Integrating with the Okta AD agent allows organizations to benefit from the easy maintenance of a cloud-native solution and adopt Okta’s intelligent, powerful provisioning and IAM capabilities. However, ensuring that their Okta AD agent deployment and configurations are secure is the key to success. The following tips can help your company secure its AD agents by reducing the risks presented by over-provisioned admins or outdated agent versions.

Downscope over-provisioned admins

In the past, viewing, managing, and registering agents required Super Admin permissions. This method introduced Super Admin sprawl, as organizations had to grant privileged permissions to a broader set of admins. Or, to avoid increasing the number of Super Admins, some organizations created shared accounts with elevated credentials. However, since multiple people might have used these accounts, the organizations had to disable MFA on them, exposing themselves to significant security risk.

To address the Super Admin issue, Okta recently introduced granular permissions with the Custom Admin Role framework for agent management and registration. Now, you can downscope Super Admins to tighten your security posture and instead rely on custom permissions to manage agents. Users who manage or install agents but otherwise only need baseline permissions no longer receive Super Admin permissions.

Set it and forget it with auto-update

To ensure your organization benefits from the latest security features and efficiency improvements, you should keep your AD agent up to date. This process once depended on admins uninstalling and reinstalling the agent each time a new version was released. 

However, the new AD agent auto-update feature allows you to set an auto-update schedule to maintain good agent hygiene and improve the admin experience. With flexible scheduling, admins can auto-update single or multiple agents on demand. You can also schedule the updates to occur outside of business hours, reducing downtime and disruption to your users.

Adopt the latest agent version

With an auto-update schedule set, Okta customers can also benefit from the newest version of the Okta AD agent, v3.18.0, very soon. This new version brings important security enhancements, including deployment through a device registration flow and the use of OAuth tokens with Demonstrated Proof of Possession (DPoP) rather than long-lived SSWS tokens.

The new version will also secure agent administration by creating registration and management flows independent of the Okta Admin account used to register the agent. This helps eliminate the need to create shared accounts to manage agents. 
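Why the move from long-lived SSWS tokens to DPoP-bound OAuth tokens matters: an SSWS token is a bearer credential, so anyone who copies it from the agent host can present it, whereas a DPoP-bound token is tied to a key pair the agent holds and every request must carry a proof signed with that key. The Go program below is an added illustration of that binding; it is not Okta's agent code and makes no claim about how the Okta agent or Okta's servers implement their flow. Using only the standard library, it shows the access token's cnf.jkt value (the RFC 7638 thumbprint of the agent's public key), the per-request DPoP proof JWT, and the server-side checks that reject a proof signed by a different key, bound to a different request, replayed, or stale. The request URL, the 300-second acceptance window, and the in-memory set of seen jti values are constructed assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// NewAgentKey generates the per-agent key pair that the access token gets bound to.
func NewAgentKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func pubJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": enc.EncodeToString(x), "y": enc.EncodeToString(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members only, keys in
// lexicographic order (json.Marshal of a map emits sorted keys). It is the token's cnf.jkt value.
func Thumbprint(k map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	h := sha256.Sum256(canon)
	return enc.EncodeToString(h[:])
}

// MakeProof is the agent side: an ES256 DPoP proof JWT for one request (jti defeats replay, htm/htu bind it to the request, iat bounds its life).
func MakeProof(priv *ecdsa.PrivateKey, method, url string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubJWK(&priv.PublicKey)})
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	pl, _ := json.Marshal(map[string]any{"jti": enc.EncodeToString(nonce), "htm": method, "htu": url, "iat": now.Unix()})
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s concatenation (64 bytes), not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + enc.EncodeToString(sig), nil
}

func decodeJSON(seg string, v any) error {
	b, err := enc.DecodeString(seg)
	if err == nil {
		err = json.Unmarshal(b, v)
	}
	return err
}

// VerifyProof is the resource-server side: the embedded key must match the token's cnf.jkt, the
// signature must verify under it, method/URL must match this request, iat must be recent and jti
// unseen. A token copied off a host without its private key cannot produce a passing proof.
func VerifyProof(proof, tokenJKT, method, url string, now time.Time, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	var hdr struct{ Typ, Alg string; JWK map[string]string } // encoding/json matches names case-insensitively
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" {
		return errors.New("malformed proof or unexpected header")
	}
	if Thumbprint(hdr.JWK) != tokenJKT {
		return errors.New("proof key does not match token cnf.jkt")
	}
	x, errX := enc.DecodeString(hdr.JWK["x"])
	y, errY := enc.DecodeString(hdr.JWK["y"])
	sig, errS := enc.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return errors.New("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	var c struct{ JTI, HTM, HTU string; IAT int64 }
	if decodeJSON(parts[1], &c) != nil || c.HTM != method || c.HTU != url {
		return errors.New("proof bound to a different request")
	}
	if age := now.Unix() - c.IAT; age < -30 || age > 300 || seen[c.JTI] {
		return errors.New("proof stale, from the future, or replayed")
	}
	seen[c.JTI] = true
	return nil
}
```

VerifyProof takes the token's cnf.jkt rather than the whole token: in a real deployment the resource server first validates the access token itself, reads cnf.jkt from it, and only then runs these checks against the DPoP header of the request. The in-memory seen set is the assumption that least survives a multi-node deployment; a shared store keyed by jti with the same acceptance window is the usual replacement.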

Learn more about the Okta AD agent

By eliminating the need for over-provisioned admins, setting an auto-update schedule, and leveraging the latest agent versions, organizations can maximize the benefits of their Okta AD agent while minimizing potential security risks. To learn more, check out our product documentation.