Feature request and security concern
Posted: Fri May 27, 2022 4:15 am
I wanted to ask about the Active Directory UC tool. I think it's a great addition to your plugin arsenal, and I finally found time to start testing it. We are planning on using this tool for our helpdesk to be able to provide rapid assistance to our customers for things such as disabling users upon employment termination, unlocking accounts, and resetting passwords. We also use groups for deploying access to applications, printers, etc., so being able to quickly see groups is an essential piece. This tool would allow us to provide helpdesk staff essential access without giving helpdesk staff direct console access or MMC access to any customer servers or internal administrative resources unnecessarily.
However, I would like to ask for a few feature requests, some security-related. Can you provide a Settings administrative center similar to that of Habitat, where certain buttons can be turned off and on? For example, we don't want our helpdesk staff to be able to create or remove users, as that requires documented approval and privileged access control for our customers and is a security risk per SOC2 MSP compliance. Therefore, we would need the ability to turn off the buttons for "Add New User" and "Remove User", as adding new users requires evidence and privileged control, and user removal is never permitted as that would wipe out user object auditing.
Next, I have a request to auto-sort the users list. The list appears to be listed in the order the users are imported from one OU to the next. It can be problematic to find users if more than a couple of OUs exist or you have more than a few dozen users. It would be helpful if there was a toggle for either a complete sort of the list with no OUs, or a sort of the list with OU structures included. A simple alphabetizing of the list is really all that is needed without any OU structure shown, but I thought I'd mention that as an alternative if you want to be creative.
The next request is the AD Groups tab. This seems like a very nice feature. It seems that this feature was designed to only show groups within groups and only add groups within groups. Can this feature be modified to show the contents of the groups so we can see all users and objects within the groups, such as groups, users, and computers? Currently, it does not do that or allow adding users to groups, as it's only groups within groups. We also need the ability to turn off the button for "Remove Group", for the same reason as removing users, not to mention the risk of someone deleting a built-in group.
Another request for the possible settings administrative center is an on/off ability to be able to modify any built-in groups or AD default groups or add users to those groups. I say this because if the help desk could promote regular users to groups such as Administrators or Domain Admins, they could circumvent all privileged access control. Due to SOC2 MSP compliance, only special access users are permitted to be able to change any administrative group membership. For MSPs, that is a requirement: to be able to disallow that ability in order to use such a tool. MSPs like us use groups to determine application deployment and printer deployment, among others, so being able to make those group changes without a potential security violation is highly beneficial.
All in all, I think this plugin is a great asset. The only reason we haven't fully deployed it is due to the above security challenges. If those are taken into consideration, then we would be all in to fully deploy this. Thanks again for another great plugin.
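The post asks for deny-by-default switches ("Add New User", "Remove User", "Remove Group") and for a guard that keeps helpdesk staff from touching built-in or AdminSDHolder-protected groups such as Administrators or Domain Admins. The following is an added example, not code from the plugin or its author, of how such a policy gate can be written so that every helpdesk request is checked before the tool talks to the directory. The well-known SIDs and RIDs and the meaning of `adminCount=1` are real Windows constants; the `Settings`, `Group`, `Decision` and `authorize` names, the action vocabulary, and every sample group object are constructed for the example.

```python
"""Deny-by-default policy gate for a helpdesk Active Directory tool (added example)."""
from dataclasses import dataclass
from typing import Optional

# Well-known SIDs of privileged BUILTIN groups (real Windows constants).
PRIVILEGED_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Well-known RIDs of privileged domain groups; their SID is S-1-5-21-<domain>-<RID>.
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Routine helpdesk operations the post wants to keep available.
ROUTINE_ACTIONS = {"disable_user", "unlock_user", "reset_password", "view_group_members"}


@dataclass(frozen=True)
class Settings:
    """The on/off switches requested in the post. Everything is off unless enabled."""
    allow_create_user: bool = False
    allow_remove_user: bool = False
    allow_remove_group: bool = False
    allow_modify_protected_groups: bool = False


@dataclass(frozen=True)
class Group:
    """The subset of an AD group object the gate needs (hypothetical shape)."""
    name: str
    object_sid: str
    admin_count: int = 0  # adminCount=1: the object is protected by AdminSDHolder


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_protected_group(group: Group) -> bool:
    """True for built-in privileged groups, well-known domain admin groups,
    and any group AdminSDHolder has stamped with adminCount=1."""
    if group.object_sid in PRIVILEGED_BUILTIN_SIDS:
        return True
    if group.object_sid.startswith("S-1-5-21-"):
        rid = int(group.object_sid.rsplit("-", 1)[1])
        if rid in PRIVILEGED_DOMAIN_RIDS:
            return True
    return group.admin_count == 1


def _toggle(flag: bool, what: str) -> Decision:
    return Decision(flag, f"{what} is {'enabled' if flag else 'disabled'} in settings")


def authorize(settings: Settings, action: str, group: Optional[Group] = None) -> Decision:
    """Decide a single helpdesk request. Unknown actions are denied."""
    if action in ROUTINE_ACTIONS:
        return Decision(True, f"{action} is a routine helpdesk operation")
    if action == "create_user":
        return _toggle(settings.allow_create_user, "user creation")
    if action == "remove_user":
        return _toggle(settings.allow_remove_user, "user removal")
    if action == "remove_group":
        return _toggle(settings.allow_remove_group, "group removal")
    if action in {"add_group_member", "remove_group_member"}:
        if group is None:
            return Decision(False, "membership change without a target group")
        if is_protected_group(group) and not settings.allow_modify_protected_groups:
            return Decision(False, f"{group.name} is a privileged group; "
                                   "membership changes need special access")
        return Decision(True, f"{group.name} is an ordinary group")
    return Decision(False, f"unknown action {action!r}")


def audit_line(actor: str, action: str, group: Optional[Group], decision: Decision) -> str:
    """One log line per request, allowed or not, so denied attempts are also visible."""
    target = group.name if group else "-"
    verdict = "ALLOW" if decision.allowed else "DENY"
    return f"{verdict} actor={actor} action={action} target={target} reason={decision.reason}"


if __name__ == "__main__":
    # Constructed sample groups; the domain part of the SIDs is made up.
    domain_admins = Group("Domain Admins", "S-1-5-21-1111-2222-3333-512", admin_count=1)
    printer_group = Group("Printer-Floor2", "S-1-5-21-1111-2222-3333-1107")
    settings = Settings()  # helpdesk profile: all privileged switches off
    for action, grp in [("add_group_member", domain_admins),
                        ("add_group_member", printer_group),
                        ("remove_group", printer_group),
                        ("unlock_user", None)]:
        print(audit_line("helpdesk1", action, grp, authorize(settings, action, grp)))
```

Two design points carry the weight here: the gate is evaluated on the server side of the plugin, not by hiding a button, so a crafted request cannot bypass it; and protection is derived from the directory's own markers (well-known SIDs plus `adminCount`), so a custom group that has been made a member of Domain Admins and then stamped by AdminSDHolder is treated as privileged without anyone having to maintain a name list.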