How to Measurably Enhance Active Directory Security
One of the most effective ways to measurably enhance Active Directory security is to commission and implement an Active Directory Risk Management project.
The 1st part of this project should involve performing an Active Directory Risk Assessment. This will help you assess and prioritize the risks to the various components of your Active Directory.
The 2nd part of this project should involve engaging in Active Directory Risk Mitigation. This process involves analysis and decision making, and helps you determine which risks you wish to mitigate and which ones you wish to manage. This process also involves conducting decision support to determine and substantiate the need for specific security measures that you wish to implement.
In order to maximize efficacy, it is highly recommended that the IT group first obtain the executive support needed, from the highest levels of organizational leadership. In this regard, communicating the importance of securing Active Directory to executive management can be very helpful.
How to Assess Risk to Active Directory Deployments
One of the most effective ways to measurably assess risk to Active Directory deployments is to begin by identifying the assets that the Active Directory is comprised of, then individually assessing the risks to which each of these assets may be currently exposed.
How to Assess the Current Security State of an Active Directory
One of the most effective ways to assess the current security state of an Active Directory is to perform an Active Directory Security Audit. Such an audit can help you get a very good sense of the security afforded to all the major components of your Active Directory deployment.
How to Perform an Active Directory Security Audit
The first step in performing an Active Directory Security Audit is to define the scope of your audit (e.g. Domain Controller security, administrative delegations, etc.). Once you have defined the scope of your audit, the next step is to determine the specific details that you wish to audit (e.g. Domain Controller security policy settings, the top-10 administrative delegations, etc.), as well as how you wish to audit these details.
Some details, such as documenting your Active Directory's logical structure, can be audited manually whereas others, such as identifying the list of all administrative delegations in your Active Directory, can be automated. Automation is not necessary, but can be very helpful as it usually delivers substantial time and cost efficiency gains.
Once you have defined the scope of your audit, determined the details you wish to audit, and how you plan to go about performing the audit of these details, you are ready to perform the audit.
How to Perform an Active Directory Effective Access Audit
An Active Directory Effective Access Audit involves performing an audit of the effective delegated access grants in an Active Directory deployment.
It differs from an audit of "who has what permissions" in Active Directory in that it involves finding out "who has what effective permissions" in Active Directory. This difference is subtle yet substantial, and thus it is rather important to understand.
An audit of who has what permissions in Active Directory reveals all the permissions that exist for a given user. An audit of who has what effective permissions in Active Directory reveals the effective set of permissions that a user actually has, by virtue of all the permissions that exist in the Active Directory for that user, after all conflicts have been resolved (e.g. Allow versus Deny), all precedence orders have been applied (e.g. Explicit versus Inherited), and all group memberships have been expanded and taken into account, to ultimately determine the real/actual access that a user has on an Active Directory object. A good example of what is involved in an effective access audit can be found here.
The process of determining true effective permissions/access in Active Directory is very complicated, detail-intensive, and time-consuming, and is thus one that is best automated. The most efficient way to perform an Active Directory effective access audit is to use an automated tool, such as an Active Directory Effective Access Audit Tool.
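To make the distinction above concrete, here is an added Python model (not code from this page or from any vendor tool) of the evaluation steps just described: canonical ACE ordering, per-right Allow/Deny resolution, and nested group expansion, run over a constructed ACL and group map. It deliberately omits the object-type GUIDs, inheritance flags and SID resolution that real Active Directory ACEs carry, so the names and sample data are assumptions for illustration only.

```python
from dataclasses import dataclass

# Canonical DACL order written by Windows tools: explicit Deny, explicit Allow,
# inherited Deny, inherited Allow. For each individual right, the first ACE in
# that order whose trustee is in the principal's token decides that right.

@dataclass(frozen=True)
class Ace:
    trustee: str        # user or group name (a SID in real AD)
    kind: str           # "Allow" or "Deny"
    rights: frozenset   # e.g. {"WriteProperty", "ResetPassword"}
    inherited: bool     # False = explicit ACE set directly on this object

def expand_groups(principal, memberships):
    """Transitively expand nested group memberships: principal plus every group it belongs to."""
    token, stack = {principal}, [principal]
    while stack:
        for group in memberships.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token

def canonical_order(acl):
    rank = {(False, "Deny"): 0, (False, "Allow"): 1, (True, "Deny"): 2, (True, "Allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])

def listed_rights(principal, acl, memberships):
    """What a plain 'who has what permissions' report shows: every applicable Allow, no conflict resolution."""
    token = expand_groups(principal, memberships)
    return set().union(*(ace.rights for ace in acl if ace.kind == "Allow" and ace.trustee in token))

def effective_rights(principal, acl, memberships, all_rights):
    """Rights the principal actually holds after precedence, Allow/Deny resolution and group expansion."""
    token = expand_groups(principal, memberships)
    decided = {}
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        for right in ace.rights:
            decided.setdefault(right, ace.kind)   # first decision for a right wins
    return {right for right in all_rights if decided.get(right) == "Allow"}

# Constructed sample data (hypothetical names): alice is in HelpDesk, which is nested in Tier1-Ops.
MEMBERSHIPS = {"alice": {"HelpDesk"}, "HelpDesk": {"Tier1-Ops"}, "bob": {"Tier1-Ops"}}
ALL_RIGHTS = frozenset({"ResetPassword", "WriteProperty", "Delete"})
SAMPLE_ACL = [
    Ace("Tier1-Ops", "Allow", frozenset({"ResetPassword", "WriteProperty"}), inherited=True),
    Ace("HelpDesk", "Deny", frozenset({"WriteProperty"}), inherited=True),
    Ace("Tier1-Ops", "Allow", frozenset({"Delete"}), inherited=False),
    Ace("alice", "Deny", frozenset({"Delete"}), inherited=False),
]
```

For alice, the permissions report lists all three rights via Tier1-Ops, while the effective result is only ResetPassword: the explicit Deny removes Delete and the inherited Deny on HelpDesk removes WriteProperty.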
How to Find Out Who Has Permissions in Active Directory
The easiest way to find out who has what security permissions/rights, where in Active Directory (e.g. in an Organizational Unit / Container) is to use any Active Directory Permissions Analyzer of your choice.
How to Find Out Who Has Effective Permissions in Active Directory
The easiest way to find out who has what effective security permissions/rights on a given Active Directory object, is to use any Active Directory Effective Permissions Tool of your choice.
How to Export Active Directory Security Permissions/Rights
The easiest way to export/dump security permissions/rights in an Active Directory container, such as an OU or a domain, is to use any Active Directory ACL Export Tool of your choice.
How to Enumerate an Active Directory Security Group Membership
The easiest way to enumerate all the members of an Active Directory security group, and/or all the security groups to which a user belongs, is to use any Active Directory Group Membership Enumeration Tool of your choice.
How to Audit Delegations in Active Directory
The easiest way to audit administrative delegations (i.e. delegated authority / delegated administrative tasks) in Active Directory is by using any Active Directory Delegation Audit Tool of your choice.