The University of Stuttgart is the hub of a wide-ranging research ecosystem in an economically strong region. Around 23,000 students in a variety of disciplines are supported by almost 5,700 employees, all dedicated to creating excellent conditions for researchers and students. This includes a digital infrastructure that guarantees smooth access to comprehensive resources—provided that the necessary authorizations are in place.
Managing hardware and comprehensive services is the responsibility of the Technical Information and Communication Services department, part of the university’s Information and Communication Center. The department’s Central Administration Services team provides central workplace support, including file and print servers as well as device and patch management. In addition, this team supports specialist applications, including document management and personnel administration.
The Central Administration Services team is also responsible for maintaining Active Directory, which gives employees and students access to the resources they need.
“We are responsible for the security and operation of Active Directory as part of identity management,” explains Mike Holz, head of Central Administration Services.
Securing Active Directory at the core
Due to the importance, sensitivity, and potential global value of the university’s research results, access security is subject to the utmost scrutiny. The special environment, in which a large number of students with private devices must be given access to the university network via a VPN, must be taken into account. Constant turnover in the user population also makes timely provisioning and deprovisioning of rights a challenge. As a result, IT and personnel management systems must be closely integrated.
“Of course, we continuously monitor the current security situation, with particular attention to public infrastructure and universities,” explains Holz. “In recent years, we’ve noticed that attacks on these entities are continuously increasing. We became increasingly aware that we had to be proactive.”
Securing access to sensitive areas was only one of Holz’s concerns. In addition, if the central directory service were compromised, the ability of the entire institution to work could be restricted for days—or worse, come to a complete standstill. Consequently, Holz and his team considered third-party auditing of the security and functionality of the university’s identity management infrastructure.
“Even though we were sure that we had done what was necessary, there was still the possibility that we had overlooked weak points. And new attack vectors that we couldn’t have had on our radar—for example, new AI-based techniques—emerge every day.”
AD security assessment with a competent partner
For a basic Active Directory Security Assessment (ADSA), Holz’s team wanted a leading provider of Active Directory security solutions with sufficient experience and knowledge of current developments. The decision was made in favor of Semperis, a recognized expert that helps organizations protect their identities and optimize security processes.
Semperis offers a range of solutions that address the weaknesses and risks of using Active Directory, monitor changes to the directory service, detect possible threats even from privileged users, and enable rapid response to attacks.
Building on extensive experience from a variety of worldwide projects, Semperis ADSA provides a comprehensive view of the identity system.
- A detailed assessment of the security posture of the Active Directory environment gives organizations a sound understanding of identified risks and provides targeted recommendations for strengthening Active Directory security.
- In addition to identifying dangerous misconfigurations and the associated risks, the assessment detects attack paths within the AD environment that could allow an attacker to compromise critical Tier 0 resources.
- A review of the security architecture and operational processes completes the assessment by identifying deviations from best practices. Interviews with staff and subject-matter experts across key areas such as security governance, network architecture, domain trusts, system administration, and security monitoring uncover potential vulnerabilities and inform appropriate recommendations.
The result is tailored recommendations to strengthen security, including best practices for securely configuring Active Directory. The implementation of these measures is the responsibility of the organization.
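To make the attack-path finding in the second bullet above concrete, here is an added Python example written for this page. It is not Semperis tooling and not output from the Stuttgart assessment; the principals, edge kinds, and Tier 0 set are constructed in the BloodHound style of (source, relationship, target) triples, and the set of relationships treated as a takeover is a simplifying assumption. The script walks the control graph with a breadth-first search and reports, for every principal, the shortest chain of memberships and ACL rights that ends at a Tier 0 asset.

```python
"""Attack-path detection over an Active Directory control graph.

Added example for this page, not Semperis code. The edge list below is
constructed for illustration (fictitious principals in corp.local), in the
BloodHound style of (source, relationship, target) triples.
"""
from collections import defaultdict, deque

# Relationships that let whoever controls the source take over the target:
# group membership, ACL rights that allow password reset / DACL rewrite /
# ownership change, and local admin on a host. (Assumed set, simplified.)
TAKEOVER_EDGES = {
    "MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
    "Owns", "AllExtendedRights", "ForceChangePassword", "AdminTo",
}

# Constructed sample graph (not real directory data).
SAMPLE_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "GenericAll", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "SERVER-ADMINS@corp.local"),
    ("SERVER-ADMINS@corp.local", "WriteDacl", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "HR@corp.local"),
    ("dave@corp.local", "GenericWrite", "svc-backup@corp.local"),
    ("svc-backup@corp.local", "AdminTo", "DC01.corp.local"),
    # RDP access alone is not control of the target, so it is not a takeover edge.
    ("eve@corp.local", "CanRDP", "DC01.corp.local"),
]

# Tier 0: assets whose compromise equals compromise of the forest (constructed).
SAMPLE_TIER0 = {
    "DOMAIN ADMINS@corp.local",
    "ENTERPRISE ADMINS@corp.local",
    "DC01.corp.local",
}


def build_graph(edges):
    """Adjacency list keeping only edges an attacker can traverse."""
    graph = defaultdict(list)
    for src, kind, dst in edges:
        if kind in TAKEOVER_EDGES:
            graph[src].append((kind, dst))
    return graph


def shortest_path_to_tier0(graph, start, tier0):
    """BFS from `start`; returns [node, edge, node, ..., tier0 node] or None."""
    if start in tier0:
        return [start]
    parent = {start: None}          # node -> (previous node, edge kind)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if nxt in parent:       # already reached by a path at least as short
                continue
            parent[nxt] = (node, kind)
            if nxt in tier0:
                path = [nxt]        # walk the parent chain back to `start`
                while parent[path[-1]] is not None:
                    prev, via = parent[path[-1]]
                    path += [via, prev]
                return path[::-1]
            queue.append(nxt)
    return None


def exposed_principals(edges, tier0):
    """Map every non-Tier-0 source principal to its shortest path to Tier 0."""
    graph = build_graph(edges)
    starts = {src for src, _, _ in edges} - set(tier0)
    found = {}
    for start in sorted(starts):
        path = shortest_path_to_tier0(graph, start, tier0)
        if path is not None:
            found[start] = path
    return found


def format_path(path):
    """Render [n0, e0, n1, e1, n2] as 'n0 -[e0]-> n1 -[e1]-> n2'."""
    text = path[0]
    for i in range(1, len(path), 2):
        text += f" -[{path[i]}]-> {path[i + 1]}"
    return text


if __name__ == "__main__":
    for principal, path in exposed_principals(SAMPLE_EDGES, SAMPLE_TIER0).items():
        print(f"{principal}: {len(path) // 2} hop(s)  {format_path(path)}")
```

In the constructed data, an ordinary help-desk member reaches Domain Admins in four hops because a server-admin group holds WriteDacl on the Domain Admins object; removing that single ACE cuts the path for alice, bob, the help desk, and the server admins at once, which is the kind of prioritised finding an assessment turns into a recommendation. In a real environment the triples come from collected group memberships, object ACLs, and local administrator data, and the takeover set would be refined (for example, DCSync needs both replication rights, and RDP or session edges only matter in combination with credential theft).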
A smooth and efficient security assessment process
After the decision was made to tackle the project, the relevant teams were assembled, and a structured process was undertaken.
Under the direction of the project management team, Semperis experts from all over the world contributed their expertise to the assessment. Tools were used to capture the Active Directory configuration and the supplementary information required for the analysis efficiently and automatically.
This coordinated approach minimized the time burden on the university’s own IT staff. The complete assessment, including definition of the goal, clarification of the domains to be evaluated, inventory of the identity structure, analysis of the full environment, and risk assessment, was completed in about six to eight weeks. The net time required of the university’s Central Administration Services staff was only a few days.
The resulting analysis provided the university with a comprehensive view of the existing infrastructure and processes.
“In fact, only a few critical problems were identified,” Holz notes. “Especially in comparison with other institutions of our size and with comparable security requirements, the result was quite positive.”
However, this does not mean that current practices can be continued with complacency. “Some things [in the assessment] give us cause to examine certain points, which, given the potential risks, should now be addressed step by step.”
Know-how transfer included
Even though the result of the assessment largely attested to the successful work of the university’s team, carrying it out has a number of other positive effects.
First, it strengthens trust in the established security mechanisms and the people involved. It also enhances the university’s reputation in the international ecosystem, fostering trusted cooperation with other scientific institutions and partners in industry.
In addition, the results of the analysis will help the university to deploy available human resources more effectively. This positive effect can’t be overstated, explains Holz. “Without support of a competent partner, this assessment would have required a great deal of effort for us to achieve a similarly high-quality result. And it would have required comprehensive training of our employees.”
“In fact,” he says, “the expertise of our own team has grown considerably through collaboration with the experts from Semperis with regard to the function and vulnerabilities of Active Directory—a successful transfer of know-how.”
From a long-term perspective, the university’s AD team considers itself well-equipped with the now-optimized processes, although they also recognize that absolute security cannot be guaranteed in a highly dynamic environment.
“Given the effort that interested parties are making to obtain valuable research results, including leveraging artificial intelligence technologies, we must continuously deal with new attack vectors.”
In fact, managing identities always carries risk, but it can be minimized by using methods such as change tracking and auto-remediation of unwanted changes to the directory. Ultimately, even in a worst-case scenario, it is important to be able to restore the AD forest within minutes from a known-good backup. Tools such as Active Directory Forest Recovery are available for this purpose and can be implemented with minimal effort.
