Active Directory is the foundation of cyber security in Microsoft Windows Server based platforms. Its security is thus mission-critical to organizational and cyber security. In order to ensure its security, organizations perform Active Directory Security Audits on a periodic basis. Such audits provide them the insight they need to ensure that their Active Directory is adequately secure at all times.
While Active Directory security audits are important, it can sometimes be challenging to determine exactly what to cover in the audit. This is primarily because Active Directory is a vast technology that entails numerous components, all of which need to be audited.
Selecting the Type of Audit – Cursory or In-depth
A good starting point when performing an audit is to define the type and scope of the audit, considering the unique requirements of the organization. There are two primary types of audit that can be performed.
A cursory audit is a high-level audit that is performed to obtain high-level insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining high-level insight and identifying key areas that might need detailed attention. For instance, one component of such an audit might involve obtaining high-level insight into the administrative delegation model currently implemented in the Active Directory.
An in-depth audit is a detailed audit that is performed to obtain detailed insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining in-depth insight and identifying weaknesses in specific security settings. For instance, one component of such an audit might involve performing a detailed analysis of the security permissions and access rights on all critical objects, such as all administrative accounts and groups, or the default Domain Controllers organizational unit.
Determining the Scope of Audit
The scope of the audit is also important to define because it determines exactly what will be covered in the audit. Depending on the nature of the audit, it can focus on individual areas such as domain controller security or administrative delegation, or it can be comprehensive in scope and cover all relevant aspects of Active Directory security, a list of which is provided below.
What to Cover in the Audit
Once the type and the scope of the Active Directory Security Audit have been defined, the next step is to identify the areas of Active Directory that will be covered in the audit.
The following is a list of areas of Active Directory that should ideally be covered in an audit –
- Domain Controller Security – It is very important to ensure that all domain controllers are secure at all times. An audit of the security afforded to domain controllers is essential.
- Active Directory Logical Structure – It is important to ensure that the logical structure, comprising forests, domains and trust relationships, is sound. A high-level audit of the logical structure is thus recommended.
- Administrative Access – It is equally important to ensure that only a select set of highly trustworthy and proficient individuals are granted unlimited administrative access in Active Directory. An audit of administrative access entitlements in Active Directory is thus essential as well.
- Administrative Delegation – In most organizations, routine tasks that do not require unrestricted administrative access, such as account and group management, are delegated among a larger group of lesser-privileged administrators. Knowing who has been delegated which administrative tasks is also essential, because unauthorized delegations could potentially be used to elevate privilege and compromise security. An Active Directory Access Audit is thus very important as well. (This is sometimes also known as an Active Directory Delegation Audit.)
- Configuration Settings – The proper functioning of Active Directory depends on numerous configuration settings, such as, but not limited to, data replication, Schema object definitions, site and subnet management, flexible single-master operation (FSMO) roles and their assignments, and SYSVOL security. It is recommended that organizations put together a list of all vital configuration settings and consider performing periodic audits of these settings.
- Auditing – The primary purpose of auditing, which is a reactive security measure, is to aid in accountability. Auditing helps identify who carried out a specific administrative task, provided that the task was being audited at the time it was performed. An audit of the auditing settings and of the auditing mechanisms in place is also recommended.
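The following is an added example, not code from the original article: a read-only PowerShell script that collects evidence for four of the areas listed above (administrative access, administrative delegation, FSMO role assignments and auditing settings) from the current domain. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read directory objects; reading SACLs additionally requires the "Manage auditing and security log" right. The list of critical objects it inspects is an assumption made for the example and should be extended with the organization's own Tier-0 objects.

```powershell
# Added example (not from the original article): a read-only audit
# script covering administrative access, delegation, FSMO roles and
# directory-service auditing. Assumes the ActiveDirectory RSAT module
# and a domain-joined account with read access to the directory.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$forest   = Get-ADForest
$domainDN = $domain.DistinguishedName

# Critical objects whose permissions an in-depth audit should cover.
# This set is an assumption for the example; extend it as needed.
$criticalObjects = @(
    $domainDN,
    "CN=AdminSDHolder,CN=System,$domainDN",
    "OU=Domain Controllers,$domainDN",
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    (Get-ADGroup 'Enterprise Admins').DistinguishedName
)

# Rights that let a trustee take full control of the object.
$takeoverRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Get-PrivilegedMembership {
    # Nested (recursive) membership of the unrestricted administrative groups.
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, SamAccountName, objectClass
    }
}

function Get-DelegationFindings {
    # Explicit (non-inherited) Allow ACEs on critical objects that grant
    # takeover-level rights. Compare the output against a known-good baseline;
    # built-in trustees such as SYSTEM and Domain Admins are expected here.
    foreach ($dn in $criticalObjects) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString().Split(',').Trim()
            $hit = $rights | Where-Object { $takeoverRights -contains $_ }
            if ($hit) {
                [pscustomobject]@{
                    Object     = $dn
                    Identity   = $ace.IdentityReference.Value
                    Rights     = ($hit -join ',')
                    # An empty GUID means the ACE applies to the whole object,
                    # not to a single property or extended right.
                    WholeObject = ($ace.ObjectType -eq [guid]::Empty)
                }
            }
        }
    }
}

function Get-AuditSettings {
    # SACL entries on the critical objects. An object with no audit rules
    # will never produce a directory-service access event when it is changed.
    foreach ($dn in $criticalObjects) {
        $sacl = (Get-Acl -Path "AD:\$dn" -Audit).Audit
        [pscustomobject]@{
            Object     = $dn
            AuditRules = $sacl.Count
            Identities = (($sacl.IdentityReference.Value | Sort-Object -Unique) -join ';')
        }
    }
}

function Get-FsmoRoleHolders {
    # FSMO role assignments; verify each holder is an expected, hardened DC.
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'== Unrestricted administrative access (nested membership) =='
Get-PrivilegedMembership | Format-Table -AutoSize
'== Explicit takeover-level delegations on critical objects =='
Get-DelegationFindings | Format-Table -AutoSize
'== SACL coverage on critical objects =='
Get-AuditSettings | Format-Table -AutoSize
'== FSMO role holders =='
Get-FsmoRoleHolders | Format-List
```

Run it from a domain-joined management workstation and keep the output alongside the previous audit's output, since the value of the delegation and SACL sections lies in the difference from an approved baseline rather than in the raw list. Two caveats: `Get-ADGroupMember -Recursive` stops with an error when a nested group contains foreign security principals from a trusted domain, in which case those groups need to be expanded separately; and the SACL section only shows what is configured on the objects, so the "DS Access" audit policy on the domain controllers must still be checked (for example with `auditpol /get /category:"DS Access"` run on a DC) to confirm that those entries actually generate events.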