ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: What to cover in an Active Directory Security Audit


Member

Posts: 16
Date: May 25, 2011


We are in the midst of consolidating two Active Directory forests into one, with the intention of reducing our management overhead and improving IT efficiency.

Before we perform our consolidation however, we would like to perform an audit of each one of our Active Directory forests, to get insight into their current state.

Ideally, we want to be able to get a list of all accounts in various states, all security groups and their memberships, all OUs and their contents, and a list of all objects on which our IT management group has specific permissions.

We were wondering what else we should be covering in our Active Directory audit. If you happen to have done an audit of your Active Directory, it would be appreciated if you could share some input.

We would also like to know if there is an efficient way to perform an Active Directory audit, as we would certainly like to document our findings as well.

Thanks.



__________________
Driod Rules!


Member

Posts: 10
Date: Jun 15, 2011


Hi Jeremy,

That's an important question, because AD audits are vital to organizational security.

As a penetration tester, I frequently perform Active Directory audits, and based on my experience, here are the most important things to cover in an Active Directory audit (listed in decreasing order of importance) -

Most Important:

  1. List of all administrative accounts, security groups and workstations
  2. List of all people who can reset passwords of all administrative accounts
  3. List of all people who can change membership of all administrative groups
  4. List of all people who can modify GPOs linked to OUs with admin workstations
  5. List of all people who can change permissions on all admin accounts/groups
  6. List of all people who can delete admin accounts, groups and workstations
  7. List of all high-value accounts (e.g. C*O accounts), computers and groups
  8. List of all people who can manage high-value accounts and groups
  9. List of all essential OUs and all people who can manage these OUs
  10. List of all people who have been delegated authority in the domain

Note: When determining who can reset passwords, change memberships etc, be sure to determine effective-permissions (also known as "Active Directory Resultant-Access"). Don't rely on simply finding/listing who has what permissions in Active Directory because that is not accurate.

The aspects listed above are most important to audit because anyone who can do any of the above could control and/or seriously endanger the entire AD domain.

In addition, after you have audited the above, you should also cover the following aspects -

Important:

  1. List of external/X(cross)-forest trust relationships with the domain
  2. List of all external/X-forest trusts on which SID filtering is disabled
  3. List of all active (in-use) and inactive* (stale/expired) domain accounts
  4. List of all domain user accounts that do not require passwords to logon
  5. List of all domain user accounts that do not have an expiration date set
  6. List of all domain computer accounts trusted for unconstrained delegation
  7. List of all vital and all large domain security groups, & their memberships
  8. List of all unmanaged (no manager specified) OUs, accounts & groups
  9. List of all recently created/deleted OUs, accounts and groups
  10. All domain (e.g. password policy) & domain-controller security policies

Note: * When enumerating inactive domain user/computer accounts, make sure that you're using True Last Logon values, and not relying on the lastLogonTimestamp value.

The basic aspects listed above are important for audits because they provide a good picture of the security state of all vital IT resources stored in your AD.

If you have any questions in regards to why I consider these aspects to be essential to an Active Directory audit, just ask, and I can share more details.

/Simone



__________________

Women's eyes have pierced more hearts than ever did the bullets of war.
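Added example (not part of the original thread, and not code from any product mentioned in it): the "Important" list above collected with the RSAT ActiveDirectory module in PowerShell, including the "true last logon" check from the note, which asks every DC for the unreplicated lastLogon value instead of trusting lastLogonTimestamp. It assumes a single domain in scope and read access to every DC; the 90-day, 30-day and 100-member thresholds, the output file names and the DC-OU name check are assumptions to adjust to your environment.

```powershell
# Added example, not from the original thread: gather the "Important" items from the
# list above with the RSAT ActiveDirectory module. Assumes a single domain in scope and
# read access to every DC; the thresholds below are assumptions, adjust to your policy.
Import-Module ActiveDirectory

$StaleDays  = 90    # assumption: no logon on any DC in 90 days = inactive
$RecentDays = 30    # assumption: window for "recently created/deleted"
$LargeGroup = 100   # assumption: direct-member count that counts as "large"
$Now        = Get-Date
$Findings   = [ordered]@{}

# 1 & 2. Trusts, and external trusts without SID filtering. On an external trust the
#        "quarantine" flag IS SID filtering, so SIDFilteringQuarantined=$false means off.
#        On a forest trust, 'netdom trust /enablesidhistory:yes' relaxes filtering;
#        review SIDFilteringForestAware and TrustAttributes for those by hand.
$Findings.Trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware, TrustAttributes
$Findings.ExternalTrustsNoSidFilter = $Findings.Trusts |
    Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined }

# 3. Active vs inactive accounts using the TRUE last logon. lastLogon is never replicated,
#    so every DC is asked and the newest value kept; lastLogonTimestamp is replicated but
#    by design can lag the real logon by up to 14 days.
$TrueLastLogon = @{}
foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    Get-ADUser -Server $dc -Filter {Enabled -eq $true} -Properties lastLogon | ForEach-Object {
        $seen = [long]$_.lastLogon       # FILETIME; 0 when the account never logged on at this DC
        if ($seen -gt [long]$TrueLastLogon[$_.SamAccountName]) { $TrueLastLogon[$_.SamAccountName] = $seen }
    }
}
$Cutoff = $Now.AddDays(-$StaleDays)
$Users  = Get-ADUser -Filter {Enabled -eq $true} -Properties whenCreated, lastLogonTimestamp
$Findings.InactiveUsers = $Users | Where-Object {
        [long]$TrueLastLogon[$_.SamAccountName] -lt $Cutoff.ToFileTimeUtc() -and $_.whenCreated -lt $Cutoff } |
    Select-Object SamAccountName, whenCreated,
        @{n='TrueLastLogon'; e={ [DateTime]::FromFileTimeUtc([long]$TrueLastLogon[$_.SamAccountName]) }}
$Findings.ActiveUsers = $Users | Where-Object { $Findings.InactiveUsers.SamAccountName -notcontains $_.SamAccountName }

# 4. Accounts that can log on without a password (PASSWD_NOTREQD = 0x20 in userAccountControl).
$Findings.NoPasswordRequired = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)'

# 5. Accounts with no expiration date (accountExpires of 0 or 0x7FFFFFFFFFFFFFFF both mean "never").
$Findings.NoExpiry = Get-ADUser -LDAPFilter '(|(accountExpires=0)(accountExpires=9223372036854775807))'

# 6. Computers trusted for unconstrained delegation (TRUSTED_FOR_DELEGATION = 0x80000).
#    DCs carry this flag by design, so they are excluded here (assumes the default OU name).
$Findings.UnconstrainedDelegation = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Where-Object { $_.DistinguishedName -notmatch ',OU=Domain Controllers,' }

# 7. Large security groups (direct members only; use Get-ADGroupMember -Recursive for nesting).
$Findings.LargeGroups = Get-ADGroup -Filter {GroupCategory -eq 'Security'} -Properties member |
    Where-Object { $_.member.Count -ge $LargeGroup } |
    Select-Object Name, @{n='DirectMembers'; e={ $_.member.Count }}

# 8. OUs and groups with no managedBy, and users with no manager.
$Findings.Unmanaged = @(Get-ADOrganizationalUnit -LDAPFilter '(!(managedBy=*))') +
                      @(Get-ADGroup -LDAPFilter '(!(managedBy=*))') +
                      @(Get-ADUser -LDAPFilter '(!(manager=*))')

# 9. Recently created and recently deleted OUs, users and groups (deleted objects are read
#    from the Deleted Objects container; the AD Recycle Bin keeps them longer and more complete).
$Since = $Now.AddDays(-$RecentDays)
$Findings.RecentlyCreated = Get-ADObject -Filter {whenCreated -ge $Since} -Properties whenCreated |
    Where-Object { $_.ObjectClass -in 'user', 'group', 'organizationalUnit' }
$Findings.RecentlyDeleted = Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties whenChanged |
    Where-Object { $_.whenChanged -ge $Since -and $_.ObjectClass -in 'user', 'group', 'organizationalUnit' }

# 10. Domain password/lockout policy and fine-grained policies. DC security settings (user
#     rights, audit policy) live in the Default Domain Controllers GPO, e.g.
#     Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Html (GroupPolicy module).
$Findings.PasswordPolicy      = Get-ADDefaultDomainPasswordPolicy
$Findings.FineGrainedPolicies = Get-ADFineGrainedPasswordPolicy -Filter *

# Document everything: one CSV per finding, which doubles as the audit evidence.
foreach ($k in $Findings.Keys) { $Findings[$k] | Export-Csv -Path "AD-Audit-$k.csv" -NoTypeInformation }
```

Run it from a machine with RSAT as a user who can read every DC; the per-DC loop in step 3 is what makes the inactivity list trustworthy, because a user who only ever authenticates against one site's DC will look idle on every other DC. Computer accounts can be handled the same way with Get-ADComputer. The "Most Important" list (who can reset admin passwords, change admin group membership, edit GPOs on admin OUs) is a different problem, effective access rather than attribute values, and is not covered by this script.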



Member

Posts: 16
Date: Jul 12, 2011


Hi Simone,

Thank you for sharing this list - we have reviewed it and found it to be very useful.

Most of the items in the Most Important section have to do with finding out who can perform administrative actions in our Active Directory.

While we know it's important to know who can do what in Active Directory, we are struggling to correctly make these determinations. For example, just trying to find out exactly who can change the membership of the Domain Admins group has turned out to be very difficult.

We thought it might be easy, but when we tried to do so, we realized that many admins and groups are granted various permissions in the object's access control list, and trying to determine effective access on even this one object has been difficult.

In particular, it has been difficult because we've had to first list everyone who is granted access, then enumerate nested groups, consider conflicting rights, Deny permissions and inheritance flags, the Apply Onto field, map out Full Control and blanket permissions and so on, and this has turned out to be very difficult to do.

If it is so difficult to make such a determination on one Active Directory object alone, it could take us weeks or months to determine effective access on all objects, and that is just something we aren't staffed to do.

There must be an easier way to reliably and efficiently find out who has what effective/resultant delegated access in our Active Directory.

So my question is - How do YOU currently find out who has what delegated access in your own Active Directory?

Jeremy



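Added example (not part of the original thread, and not the code of any product mentioned in it): the Domain Admins membership question above worked through in PowerShell, i.e. an approximation of the AD access check rather than a listing of ACEs. It walks the group's DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), applies the "Apply Onto" rules (inherit-only ACEs and ACEs inherited for another object class are skipped), expands nested groups through the constructed tokenGroups attribute so Full Control granted to a parent group is caught, honours the first matching Deny, and reports WriteDacl/WriteOwner/ownership as an indirect path since those let a trustee grant the right to themselves. It assumes the RSAT ActiveDirectory module, a single-domain scope, and the well-known schemaIDGUIDs for the `member` attribute and the `group` class; the function names are assumptions of this example.

```powershell
# Added example, not from the original thread: approximate the AD access check for
# "who can change the membership of Domain Admins". Assumes the RSAT ActiveDirectory
# module and a single domain in scope. Function names below are this example's own.
Import-Module ActiveDirectory

$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of attribute 'member'
$GroupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'group'
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]
$SidType        = [System.Security.Principal.SecurityIdentifier]

function Get-RelevantAces {
    # Returns the ACEs on $Dn that apply to the object itself and carry a right that changes
    # membership directly (WriteProperty on 'member' or on all properties; GenericAll and
    # GenericWrite both include that bit) or indirectly (WriteDacl, WriteOwner), in canonical order.
    param([string]$Dn)
    $acl  = Get-Acl -Path ("AD:\" + $Dn)
    $aces = foreach ($ace in $acl.Access) {
        # "Apply onto": inherit-only ACEs and ACEs inherited for another object class do not apply here.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if ($ace.IsInherited -and $ace.InheritedObjectType -ne [guid]::Empty -and
            $ace.InheritedObjectType -ne $GroupClassGuid) { continue }

        $direct   = $ace.ActiveDirectoryRights.HasFlag($Rights::WriteProperty) -and
                    ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $MemberAttrGuid)
        $indirect = $ace.ActiveDirectoryRights.HasFlag($Rights::WriteDacl) -or
                    $ace.ActiveDirectoryRights.HasFlag($Rights::WriteOwner)
        if (-not ($direct -or $indirect)) { continue }

        try   { $sid = $ace.IdentityReference.Translate($SidType).Value }
        catch { $sid = $ace.IdentityReference.Value }    # unresolvable trustee: already a raw SID string

        [pscustomobject]@{ Sid = $sid; Allow = ($ace.AccessControlType -eq 'Allow')
                           Inherited = $ace.IsInherited; Direct = $direct; Indirect = $indirect
                           Trustee = $ace.IdentityReference.Value }
    }
    # Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # Get-Acl normally returns it this way already; sorting just makes the assumption explicit.
    $aces | Sort-Object -Property @{e={ $_.Inherited }}, @{e={ $_.Allow }}
}

function Get-EffectiveMemberWriters {
    # Evaluates every enabled user against the group's DACL and reports those who end up
    # with a direct or indirect way to change its membership, and which ACE decided it.
    param([string]$GroupName = 'Domain Admins')
    $group     = Get-ADGroup -Identity $GroupName
    $aces      = @(Get-RelevantAces -Dn $group.DistinguishedName)
    $ownerSid  = (Get-Acl -Path ("AD:\" + $group.DistinguishedName)).GetOwner($SidType).Value
    $wellKnown = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users: not listed in tokenGroups

    foreach ($u in Get-ADUser -Filter {Enabled -eq $true} -Properties tokenGroups) {
        # Full token: the user's own SID plus every nested security group, as the DC would build it.
        $token = @($u.SID.Value) + @($u.tokenGroups | ForEach-Object { $_.Value }) + $wellKnown
        $direct = $null; $indirect = $null; $via = @()
        foreach ($a in $aces) {
            if ($token -notcontains $a.Sid) { continue }
            # First matching ACE decides each right; later ACEs cannot override it.
            if ($a.Direct   -and $null -eq $direct)   { $direct   = $a.Allow; $via += "member:$($a.Trustee)" }
            if ($a.Indirect -and $null -eq $indirect) { $indirect = $a.Allow; $via += "dacl:$($a.Trustee)" }
        }
        # The owner implicitly holds WriteDacl unless an ACE already decided otherwise.
        if ($null -eq $indirect -and $token -contains $ownerSid) { $indirect = $true; $via += 'owner' }
        if ($direct -or $indirect) {
            [pscustomobject]@{ User = $u.SamAccountName; CanWriteMember = [bool]$direct
                               CanChangeDacl = [bool]$indirect; Via = ($via -join ', ') }
        }
    }
}

Get-EffectiveMemberWriters | Format-Table -AutoSize
```

Two caveats for using this in an audit. It evaluates user accounts only; computer accounts and group managed service accounts can be trustees too and would need the same loop over Get-ADComputer / Get-ADServiceAccount. And Domain Admins is a protected group, so its DACL is overwritten from AdminSDHolder every 60 minutes by default; a finding here usually points at the AdminSDHolder object rather than the group, and the same function works unchanged on any other group or OU DN (for OUs, swap the class GUID for the one of organizationalUnit).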


Member

Posts: 10
Date: Jul 23, 2012


Jeremy,

We use the Microsoft-endorsed Gold Finger for AD solution to find out who is delegated what access in our Active Directory - www.paramountdefenses.com/goldfinger.

It's the only solution that we've come across that can correctly determine and show who is really delegated what effective access in Active Directory.

Good luck to you.

/Simone






Member

Posts: 7
Date: Mar 6, 2013


Hi Jeremy,

Not sure if this helps, but FWIW, I came across a helpful Active Directory Audit Checklist here the other day, and I think that it could serve as a good starting point for your audits. It doesn't seem to be a complete itemized list, but it seems to cover all the areas quite well.

In my experience, I have found that in addition to the usual areas of DC security and the security of AD's operational aspects, it is also important to cover delegations, elevated access rights, helpdesk entitlements, service account access and password reset analysis in Active Directory security audits.

Good luck.

Guido.



__________________

"If you can't explain it simply, you don't understand it well enough" - Albert Einstein



Member

Posts: 8
Date: Apr 11, 2013


Jeremy,

Take a look at this list - it might be helpful. Nathan pointed me to it, and it did help us out. More importantly, we've been looking for a tool to help us make AD audits simple, especially delegation audits, since we have a fair amount of delegation in our 3 domains, and I chanced upon this.

Best wishes,

Richard.



__________________

I would trade all my technology for an afternoon with Socrates - Steve Jobs
