Missouri School District Finds, Fixes Active Directory Security Gaps

By Semperis Team October 06, 2022 | Active Directory

“As a K–12 environment, our Active Directory [AD] deployment is a bit unique compared to how a standard business network would look,” says John Hallenberger, systems administrator and project leader for the Fox C-6 school district. “Users are added and removed pretty much daily. Things like complex password enforcement and multi-factor authentication [MFA] are challenging as well, especially with younger students; there are different expectations on what security looks like for them.”

In addition to 12,00 students and their parents, Fox C-6 employs roughly 2,200 staff, including faculty, administrators, bus drivers, and custodians. AD is the foundation of the district’s services and technology, including identity and access management (IAM), Office 365, Microsoft Azure, and Google Gmail. Hallenberger and his team are responsible for maintaining the entire technology stack.

As one might expect, this is easier said than done.

No funding? No problem!

“We don’t have tons of funding available for security,” Hallenberger admits. “There’s a lot of transition in our Active Directory, and keeping track of entities that need to be disabled has always been a challenge. And we’re not unique in that; there are a lot of schools and organizations out there that may not even have a dedicated security person, let alone an entire team.”

When the school district’s Dell representative contacted them about the free Purple Knight AD security assessment tool, Hallenberger was immediately intrigued. He saw an opportunity to gain new insights about the district’s network—insights that otherwise may have been out of the school district’s reach. A short time later, Fox C-6 began running Purple Knight scans.

“What really stood out to me was the fact that we only scored 66% on our first scan,” recalls Hallenberger. “It really did a good job of pointing out simple things one wouldn’t necessarily think of and helped us close quite a few gaps. Initially, we ran Purple Knight about six different times, resolving a different set of issues with each scan.”

Watch Hallenberger talk with Petri IT Knowledgebase about Fox C-6’s experience using Purple Knight to identify—and help District leadership understand the importance of fixing—Active Directory security gaps.

Changes made by the district include:

  • A streamlined onboarding and offboarding process
  • Automated creation and deprecation of student accounts via PowerShell
  • Adjustments to policy management, particularly group policy
  • Processes and policies aligned with relevant ISO frameworks

Proving the need with Purple Knight

Flash-forward to today, and the school district no longer uses Purple Knight. In its place, they’ve deployed Semperis’s Directory Services Protector (DSP) and Active Directory Forest Recovery (ADFR) solutions. Now, instead of running individual scans, Fox C-6 monitors its AD deployment for threats 24/7/365. And, more importantly, the District has the necessary tools to remediate and recover from attacks targeted at Active Directory.

“Beyond identifying and remediating vulnerabilities, Purple Knight’s reporting is excellent at identifying and explaining gaps to leadership,” says Hallenberger. “We’ve upgraded to Semperis’s paid service because it offers a lot of additional features, but I’d strongly recommend Purple Knight to anyone with an Active Directory environment. It’s an invaluable resource, and it’s great that it’s free.”

“One of the nice things about the tool is that it not only shows you your vulnerabilities, but links to articles on how to address them,” he concludes. “Someone not as familiar with security could learn about how to resolve issues with Active Directory. For us, it’s been really good.”

About the author
Semperis Team
Semperis, the pioneer of identity-driven cyber resilience for cross-cloud and hybrid environments, offers educational resources, commentary, and research findings to inform technology leaders who are responsible for securing enterprise directory services.