Paramount Defenses

The Top-5 Areas to Cover in an Active Directory Security Audit

Active Directory Audit


Proactive Active Directory Audits provide mission-critical insight and are essential for Active Directory Security.


Active Directory Audit, a proactive security measure, is mission-critical for Active Directory Security because it empowers organizations to obtain the insight they need to assess and minimize risks to all vital aspects of Active Directory security. The ability to assess and minimize risks substantially reduces the possibility of security incidents.


Active Directory Audit Checklist

The Active Directory Audit Checklist identifies what to audit in Active Directory. That checklist is focused on an audit of administrative delegations in Active Directory.


Top-5 Active Directory Audit Areas

Comprehensive protection requires more than an audit of administrative delegations: it also requires an audit of domain controller security, an audit of all admin accounts and groups, and an audit of which administrative tasks are actually being audited.

Thus, an Active Directory Audit should ideally cover the following 5 areas of Active Directory Security –


  1. Complete list of All Domain Controllers and Admin Workstations, + who can manage them:

    • List of all domain controllers (DCs) and admin workstations, and their physical locations

    • List of all individuals who have admin access on each of these DCs and workstations

    • List of all individuals who can logon to these DCs and workstations

    • List of all individuals who have physical access to these DCs and workstations

    • List of all security policies protecting these DCs and workstations

    • List of all software (including any apps/agents) installed on these DCs and workstations

    • Trustworthiness (vendor/supplier, authenticity, support policy and country of origin/development) of all software installed on these DCs and workstations

    • List of all procedures related to the maintenance of these DCs and workstations

    • List of all individuals who can manage or modify the computer objects representing these DCs and workstations in the Active Directory


  2. Complete list of all Administrative Accounts, Groups, their memberships, + who can manage them:

    • List of all admin accounts, i.e., all accounts that have unrestricted access in Active Directory (not just the members of the Domain Admins group)

    • List of all individuals who can reset the passwords of each of these admin accounts

    • List of all individuals who can disable each of these admin accounts

    • List of all individuals who can unlock each of these admin accounts, when locked

    • List of all admin groups, and a complete list of all members (including via nested groups)

    • List of all individuals who can modify the membership of each of these admin groups

    • List of all individuals who can effectively change the security permissions protecting each of these admin accounts and groups


  3. Complete list of all Administrative Delegations in Active Directory, + who can manage them:

    • List of all individuals who can create user accounts, groups and Organizational Units

    • List of all individuals who can delete user accounts, groups and Organizational Units

    • List of all individuals who can reset user account passwords, unlock locked accounts, clear the expiry on expired accounts, and change user logon scripts

    • If smart cards are in use, list of all individuals who can disable smart card requirement for interactive logon, on all accounts that use a smart card for interactive logon

    • List of all individuals who can modify group memberships and group types

    • List of all individuals who can link and unlink group policies to Organizational Units

    • List of all individuals who can set the Trusted for Unconstrained Delegation bit on all sensitive computer accounts (e.g. a sensitive domain-joined Server's computer account)

    • List of all individuals who can effectively change the security permissions protecting all important accounts (e.g. the CEO's account), groups (e.g. Executives Group) and OUs
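Nearly every item in areas 2 and 3 is answered by reading the security descriptor (DACL) of the relevant object: who holds Reset Password, who can write the member attribute of a group, who can write userAccountControl (disable, smart card and delegation bits), who can write gPLink on an OU, and who holds WriteDacl, which lets them change all of the above. The PowerShell below is an added example written for this page; it is not code from the page or from Paramount Defenses. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read access to the objects being audited; the function names (Get-AdDelegationReport and its helpers) and the output CSV path are mine. It resolves attribute and extended-right GUIDs from the forest's own schema rather than hard-coding them, and it uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that nested group membership is flattened.

```powershell
# Added example, not from the original page: enumerates the delegations that audit
# areas 2 and 3 ask about. Requires the RSAT ActiveDirectory module (which provides
# the AD: drive) and read access to the objects being audited.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Resolve attribute and extended-right GUIDs from this forest's own schema rather
# than hard-coding them, so the comparisons below cannot silently go stale.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [guid]$attr.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    [guid]$right.rightsGuid
}
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a DN containing ( ) * or \ does not break the filter
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

$guid = @{
    Member        = Get-AttributeGuid 'member'              # group membership
    Uac           = Get-AttributeGuid 'userAccountControl'  # disable, smart card, delegation bits
    LockoutTime   = Get-AttributeGuid 'lockoutTime'         # unlock
    GpLink        = Get-AttributeGuid 'gPLink'              # link / unlink GPOs
    ResetPassword = Get-ExtendedRightGuid 'Reset Password'
}

# Map one allow ACE to the checklist question it answers, or $null if it is noise.
function Get-AceMeaning($ace) {
    $adr    = [System.DirectoryServices.ActiveDirectoryRights]
    $rights = $ace.ActiveDirectoryRights
    $anyObj = ($ace.ObjectType -eq [guid]::Empty)   # ACE is not scoped to one attribute or right
    if ($rights.HasFlag($adr::GenericAll))   { return 'Full control' }
    if ($rights.HasFlag($adr::WriteDacl))    { return 'Change security permissions (WriteDacl)' }
    if ($rights.HasFlag($adr::WriteOwner))   { return 'Take ownership (WriteOwner)' }
    if ($rights.HasFlag($adr::CreateChild))  { return 'Create child objects' }
    if ($rights.HasFlag($adr::DeleteChild))  { return 'Delete child objects' }
    if ($rights.HasFlag($adr::ExtendedRight) -and ($anyObj -or $ace.ObjectType -eq $guid.ResetPassword)) {
        return 'Reset password'
    }
    if ($rights.HasFlag($adr::WriteProperty)) {
        if ($anyObj)                               { return 'Write all properties' }
        if ($ace.ObjectType -eq $guid.Member)      { return 'Modify group membership (member)' }
        if ($ace.ObjectType -eq $guid.Uac)         { return 'Disable account / change delegation flags (userAccountControl)' }
        if ($ace.ObjectType -eq $guid.LockoutTime) { return 'Unlock account (lockoutTime)' }
        if ($ace.ObjectType -eq $guid.GpLink)      { return 'Link or unlink GPOs (gPLink)' }
    }
    return $null
}

# Decode the explicit and inherited allow ACEs on one object.
function Get-ObjectDelegations([string]$Dn) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $meaning = Get-AceMeaning $ace
        if (-not $meaning) { continue }
        [pscustomobject]@{
            Target    = $Dn
            Principal = $ace.IdentityReference.Value
            CanDo     = $meaning
            Inherited = $ace.IsInherited
        }
    }
}

function Get-AdDelegationReport {
    # Area 2: adminCount=1 marks objects SDProp treats as protected; it is a starting
    # set for "all admin accounts and groups", not proof that the set is complete.
    $privileged = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainDn
    $report = @(foreach ($obj in $privileged) {
        if ($obj.ObjectClass -eq 'group') {
            # Transitive (nested) membership via LDAP_MATCHING_RULE_IN_CHAIN.
            $dnValue = ConvertTo-LdapFilterValue $obj.DistinguishedName
            foreach ($m in Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dnValue)") {
                [pscustomobject]@{ Target = $obj.DistinguishedName; Principal = $m.DistinguishedName
                                   CanDo  = 'Is an effective member'; Inherited = $false }
            }
        }
        Get-ObjectDelegations $obj.DistinguishedName
    })
    # Area 3: delegations granted on OUs; these normally inherit to the objects below.
    $report += @(foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn) {
        Get-ObjectDelegations $ou.DistinguishedName
    })
    $report
}

$report = Get-AdDelegationReport
$report | Sort-Object Target, CanDo, Principal | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\ad-delegation-audit.csv
```

The output lists principals as they appear in the ACEs. The checklist's word "effectively" matters here: to turn this into a list of individuals, each principal that is a group must itself be expanded (the same matching-rule query works), deny ACEs and object ownership must be taken into account, and rights inherited from an OU only apply to objects below it that match the ACE's inherited object class.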


  4. Complete list of all Administrative Tasks being audited in Active Directory + who can manage them:

    • For example, user account creations, deletions and account state changes

    • For example, group creations, deletions and group memberships changes

    • For example, Organizational Unit creations, deletions and GPO link changes to OUs

    • For example, computer account creations, deletions and Kerberos delegation state changes

    • For example, security permissions changes on all important accounts (e.g. the CEO's account), groups (e.g. Executives Group) and on all OUs
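Auditing an administrative task in Active Directory has two preconditions, and an audit of area 4 should check both: the domain controllers' audit policy must enable the relevant subcategory, and for "Directory Service Changes" events the object (or the OU it inherits from) must carry a SACL that records the change. The PowerShell below is an added example for this page, not code from the page or from Paramount Defenses. It assumes the RSAT ActiveDirectory module and WinRM access to a domain controller (auditpol is run there; the PDC emulator is used as a convenient DC), and the function names and the sample target list are mine.

```powershell
# Added example, not from the original page: checks whether the administrative
# tasks in audit area 4 would actually produce audit events. Requires the RSAT
# ActiveDirectory module; auditpol is run on a domain controller over WinRM.
Import-Module ActiveDirectory

# Audit-policy subcategories that cover the tasks listed in area 4 (standard Windows names).
$subcategories = @(
    'User Account Management',      # user creations, deletions, account state changes
    'Security Group Management',    # group creations, deletions, membership changes
    'Computer Account Management',  # computer account creations, deletions
    'Directory Service Changes'     # OU, GPO-link, permission and delegation changes (also needs a SACL)
)

# Effective audit policy on one DC. 'No Auditing' means the task will never
# generate an event on that DC, regardless of any SACL on the objects.
function Get-DcAuditPolicy([string]$DcName) {
    Invoke-Command -ComputerName $DcName -ScriptBlock {
        param($subs)
        foreach ($s in $subs) { auditpol /get /subcategory:"$s" /r | ConvertFrom-Csv }
    } -ArgumentList (,$subcategories) |
    Select-Object Subcategory, 'Inclusion Setting'
}

# Audit rules (SACL) on one object. Objects normally inherit these from their OU;
# an empty result means 'Directory Service Changes' events will not be produced
# for this object even when the policy subcategory is enabled.
function Get-ObjectAuditRules([string]$Dn) {
    $acl = Get-Acl -Path "AD:\$Dn" -Audit
    foreach ($rule in $acl.Audit) {
        [pscustomobject]@{
            Target    = $Dn
            Principal = $rule.IdentityReference.Value   # typically 'Everyone'
            Rights    = $rule.ActiveDirectoryRights
            Flags     = $rule.AuditFlags                # Success, Failure, or both
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: check the PDC emulator's policy, then a constructed list of objects whose
# changes the checklist says must be audited (the domain head and one admin group).
$domain = Get-ADDomain
Get-DcAuditPolicy -DcName $domain.PDCEmulator | Format-Table -AutoSize

$targetsToCheck = @(
    $domain.DistinguishedName,
    (Get-ADGroup 'Domain Admins').DistinguishedName
)
foreach ($t in $targetsToCheck) {
    $rules = @(Get-ObjectAuditRules -Dn $t)
    if ($rules.Count -eq 0) { Write-Warning "No SACL on $t - changes to it will not be logged" }
    else { $rules | Format-Table -AutoSize }
}
```

Policy must be checked on every domain controller, not just one, since a change is logged only by the DC that processes it; the same function can be run against each name returned by Get-ADDomainController -Filter *.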


  5. Complete list of all vital Active Directory configuration settings, + who can manage them:

    • For example, Active Directory Schema changes, and who can change the Schema

    • For example, Active Directory replication settings and access rights, and who can change them

    • For example, Active Directory FSMO role assignments, and who can change them

    • For example, GPOs linked to default Domain Controllers OU, and who can change them

    • For example, domain password policy settings, and who can change them

    • For example, LDAP policies, and who can change them
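The inventory items in areas 1 and 5 (the list of domain controllers and their locations, the FSMO role holders, the GPOs linked to the Domain Controllers OU, the domain password policy, and who holds replication access rights on the domain) can all be read directly from the directory. The PowerShell below is an added example for this page and is not code from the page or from Paramount Defenses. It assumes the RSAT ActiveDirectory module and read access; the function names are mine, the Active Directory site is used as the recorded location of each DC (physical location has to come from asset records), and the gPLink parsing follows the documented "[LDAP://dn;options]" format.

```powershell
# Added example, not from the original page: inventories the configuration items
# from audit areas 1 and 5. Requires the RSAT ActiveDirectory module and read access.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$forest  = Get-ADForest

# Area 1: every DC in the domain; the AD site is its recorded (logical) location.
function Get-DcInventory {
    Get-ADDomainController -Filter * |
        Select-Object Name, HostName, IPv4Address, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly
}

# Area 5: FSMO role holders, taken from the forest and domain objects.
function Get-FsmoRoles {
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Area 5: GPOs linked to the Domain Controllers OU, parsed from its gPLink attribute.
# gPLink holds "[LDAP://cn={guid},cn=policies,cn=system,DC=...;N]" entries, where N is
# the link option bitmask: 1 = link disabled, 2 = enforced.
function Get-DcOuGpoLinks {
    $ou = Get-ADObject -Identity $domain.DomainControllersContainer -Properties gPLink
    foreach ($m in [regex]::Matches([string]$ou.gPLink, '\[LDAP://(?<dn>[^;]+);(?<opt>\d+)\]')) {
        $gpo  = Get-ADObject -Identity $m.Groups['dn'].Value -Properties displayName, whenChanged
        $opts = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            Gpo         = $gpo.displayName
            Enforced    = ($opts -band 2) -ne 0
            Disabled    = ($opts -band 1) -ne 0
            LastChanged = $gpo.whenChanged
        }
    }
}

# Area 5: the domain password policy (fine-grained policies, if any, are separate objects).
function Get-PasswordPolicySummary {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                      LockoutThreshold, LockoutDuration, ReversibleEncryptionEnabled
}

# Area 5: replication access rights on the domain naming context. Extended rights
# appear in ACEs only as GUIDs, so resolve each GUID to its display name through the
# forest's Extended-Rights container to make the output readable.
function Get-ReplicationRightsHolders {
    $names = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        if     ($rights.HasFlag($adr::GenericAll))    { $right = 'Full control (includes all extended rights)' }
        elseif ($rights.HasFlag($adr::ExtendedRight)) {
            $right = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $names[$ace.ObjectType] }
        }
        else { continue }
        if ($right -like 'Replicating Directory Changes*' -or $right -like '*extended rights*') {
            [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $right; Inherited = $ace.IsInherited }
        }
    }
}

# Area 5: who can change the schema. Membership of Schema Admins is normally kept
# empty outside planned schema changes; the group exists only in the forest root.
function Get-SchemaAdmins {
    Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $forest.RootDomain |
        Select-Object Name, ObjectClass, DistinguishedName
}

Get-DcInventory              | Format-Table -AutoSize
Get-FsmoRoles                | Format-List
Get-DcOuGpoLinks             | Format-Table -AutoSize
Get-PasswordPolicySummary    | Format-List
Get-ReplicationRightsHolders | Format-Table -AutoSize
Get-SchemaAdmins             | Format-Table -AutoSize
```

Each of these settings also has a "who can change it" question, which is the same DACL read shown for areas 2 and 3: the schema naming context, the configuration partition, the Domain Controllers OU and the domain head each carry their own security descriptor, and the principals holding WriteDacl or WriteProperty on them are the ones who can alter these settings.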




Proactive Active Directory Audits are much more important than reactive Active Directory Auditing because they provide proactive insight that can be used to eliminate risks before they can be exploited by malicious entities to inflict damage.

Active Directory Auditing is helpful but it only provides reactive insight once an action has been enacted, which can help detect a security incident. While reactive Active Directory Auditing can help detect an incident, the proactive insight obtained from Active Directory Audits can help prevent a security incident.

For instance, it is better to know that only 10 IT admins can enact a certain task, than it is to have no idea (or just an approximate idea/hunch) as to how many IT admins can perform the task and rely solely on auditing to detect the enactment of the task.

In the worst case scenario, depending on the skill of the perpetrator, the enactment of a single malicious administrative task may be sufficient to inflict substantial and possibly irreversible damage. In such situations, although auditing could detect the occurrence of this task, by then, it may very well be too late.


