How to Perform an Active Directory Security Audit
IT personnel responsible for managing IT infrastructures that operate on Microsoft’s Windows Server platform are often required to perform an Active Directory Security Audit.
This requirement is usually driven by the need to adequately secure the Active Directory deployment on which the rest of the infrastructure depends. As a result, in most organizations these audits are performed on a regular basis, usually once every business quarter.
There are two primary aspects to performing an Active Directory Security Audit. The first aspect is about what to cover in an Active Directory security audit, and the second aspect is about how to efficiently perform the audit.
What to Cover – Developing an Audit Checklist
In terms of what to cover in such an Active Directory audit, it is always helpful to develop an audit checklist. Developing a checklist helps ensure adequate coverage as well as makes it easy to repeat the audit process and compare results.
When developing a checklist, a basic understanding of the components of Active Directory, the nature of the content stored in it and the assets it protects is very helpful. For instance, all domain controllers, administrative workstations, administrative groups, accounts and delegations, sensitive configuration information and the Schema need adequate protection, so auditing the security of each of these components is a good starting point for the checklist.
In addition, the vital content stored in Active Directory must itself be adequately protected. For instance, knowing who has been delegated which administrative tasks, where and how (the ability to create and delete user accounts, modify sensitive group memberships, manage and delete organizational units, reset user account passwords, and so on) is essential for maintaining adequate security and is therefore an integral component of any Active Directory security audit. Auditing delegated/provisioned effective access in Active Directory is thus a must-have item on the checklist.
It is thus recommended that IT personnel begin by developing a list of all important and essential aspects of Active Directory that should be covered in the audit. While providing detailed guidance on exactly what to cover in such an audit is outside the scope of this article, a good Active Directory security checklist or a good Active Directory audit checklist can both be useful resources to begin with. In most cases, customizing such lists to suit the unique audit requirements of your organization can be an efficient way to determine what to cover in the audit.
The comprehensiveness of the list depends on the organization’s needs. In most cases, a basic list that covers all essential areas such as domain controller security, administrative delegation, administrative access, account and group management policies and procedures, and configuration content security should suffice. Organizations can then refine their audit list to suit their unique requirements.
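The following PowerShell script is an added example (it is not part of the original article) of gathering the raw data for several of the checklist items named above: privileged group membership resolved through nesting, accounts protected by AdminSDHolder, the domain controller inventory, and explicit ACEs on organizational units that grant sensitive delegated rights. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain; the output file name and the list of groups treated as expected administrators are choices made for this example. The three rights GUIDs are the well-known schema GUIDs for the User-Force-Change-Password extended right, the member attribute and the user object class.

```powershell
# Added example: collect audit evidence for checklist items (privileged groups,
# adminCount accounts, domain controllers, delegated rights on OUs).
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$report = [ordered]@{}

# 1. Privileged groups: resolve membership recursively so nested groups do not hide members.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$report.PrivilegedMembers = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass, distinguishedName
    } catch { Write-Warning "Could not enumerate ${g}: $_" }
}

# 2. Accounts flagged by AdminSDHolder (adminCount=1). Entries that are no longer in any
#    protected group are stale: their ACL inheritance is still blocked and needs review.
$report.AdminCountUsers = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

# 3. Domain controller inventory (OS version, GC/RODC role, site).
$report.DomainControllers = Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, IsReadOnly, Site

# 4. Delegation: explicit Allow ACEs on every OU that grant sensitive rights to principals
#    other than the expected administrative identities. Only non-inherited ACEs are listed,
#    because those show where a delegation was actually provisioned.
$rightsGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'      # User-Force-Change-Password
    'bf9679c0-0de6-11d1-a285-00aa003049e2' = 'Write member'        # member attribute
    'bf967aba-0de6-11d1-a285-00aa003049e2' = 'Create/Delete user'  # user object class
}
$domain = (Get-ADDomain).NetBIOSName
$expectedAdmins = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  "$domain\Domain Admins", "$domain\Enterprise Admins"
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

$report.Delegations = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        if ($expectedAdmins -contains $ace.IdentityReference.Value) { continue }
        $guid = $ace.ObjectType.ToString()
        # HasFlag requires all bits of the composite right, so GenericAll is not
        # matched by an ACE that merely shares one of its bits.
        $fullControl = $ace.ActiveDirectoryRights.HasFlag($ADRights::GenericAll)
        $writeDacl   = $ace.ActiveDirectoryRights.HasFlag($ADRights::WriteDacl)
        if ($rightsGuids.ContainsKey($guid) -or $fullControl -or $writeDacl) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = if ($rightsGuids.ContainsKey($guid)) { $rightsGuids[$guid] }
                            else { $ace.ActiveDirectoryRights.ToString() }
                AppliesTo = $ace.InheritanceType.ToString()
            }
        }
    }
}

# One timestamped JSON file per run, so quarterly results can be compared by diffing.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "AD-Audit-$stamp.json"
$report.Delegations | Format-Table -AutoSize
```

Note that this lists where rights were granted, not who can effectively exercise them: a principal's true effective access also depends on inherited ACEs, Deny entries, group nesting and the object-specific GUIDs, which is why the article treats effective-permissions analysis as the hardest part of the audit and a candidate for dedicated tooling.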
How to Perform – Automation Using Scripts and Tools
The next step is to determine how to go about performing the audit itself. In this regard, it is always advisable to ensure that the process of performing the audit is not only relatively simple and repeatable but also time and cost efficient.
The reason for this is that in most environments, IT personnel have limited time to devote to performing audits and thus any process that lends itself to being simple, repeatable and efficient has a higher chance of being successful and useful to the organization.
One useful resource that IT personnel can avail of to make the audit process simple, repeatable and efficient is automation. Because such an audit involves the assessment of large amounts of technical data, such as the enumeration and analysis of accounts and group memberships, the analysis of security permissions and the determination of true effective permissions, IT personnel can save substantial time and resources by automating the data gathering and analysis involved. This is especially helpful given that these audits usually need to be performed on a periodic basis. In regards to automation, there are generally two options to choose from, each having its advantages as well as trade-offs.
The first option is to invest in creating a set of in-house scripts to automate certain aspects of the audit. Scripts can be very useful and save time, but the trade-off is that they need to be written, tested and maintained over time. Testing is important because Active Directory is a sophisticated technology, and all its intricacies (inheritance, nested group membership, Deny entries, object-specific rights) need to be correctly handled. Maintenance is important primarily to ensure that the integrity of the script is preserved and that it is not accidentally or maliciously tampered with or compromised by anyone, since an audit script typically runs with privileged credentials and its output drives security decisions. Digitally signing scripts, and verifying the signature before each run, helps ensure their integrity. The advantage of developing scripts in-house is that there is no procurement cost; the only cost is the valuable time invested by the IT personnel who build, test and maintain them.
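As an added example of the integrity practice described above (not code from the original article), the following PowerShell signs an in-house audit script with an Authenticode code-signing certificate, records a known-good hash in a location the audit workstation cannot write to, and refuses to run the script unless both the signature and the hash still check out. The script path, the read-only share and the timestamp server URL are assumptions chosen for this example; the certificate is assumed to already exist in the current user's certificate store.

```powershell
# Added example: sign an in-house audit script and verify it before every run.
# Assumptions: a code-signing certificate in Cert:\CurrentUser\My, a hypothetical
# script path, and a hypothetical read-only share for the hash baseline.
$scriptPath   = 'C:\Audit\Invoke-ADAudit.ps1'                       # hypothetical
$baselinePath = '\\fileserver\audit-ro\Invoke-ADAudit.sha256'       # hypothetical read-only share
$tsaUrl       = 'http://timestamp.digicert.com'                     # example RFC 3161 timestamp server

# --- one-time, on the build workstation --------------------------------------
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Timestamping keeps the signature valid after the signing certificate expires.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
                                    -HashAlgorithm SHA256 -TimestampServer $tsaUrl
if ($signed.Status -ne 'Valid') { throw "Signing failed: $($signed.StatusMessage)" }

# Record the hash of the signed file where the audit workstation has read-only access.
(Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash | Set-Content -Path $baselinePath

# --- at run time, on the audit workstation -----------------------------------
function Test-AuditScriptIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselinePath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }
    # A valid signature from a different certificate is still a red flag.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Script was signed by an unexpected certificate: $($sig.SignerCertificate.Subject)"
    }
    $current  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $expected = (Get-Content -Path $BaselinePath -Raw).Trim()
    if ($current -ne $expected) {
        throw "Hash of $Path ($current) differs from baseline ($expected)"
    }
    return $true
}

# Require signatures for every script on the audit workstation, not just this one.
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy AllSigned -Force

if (Test-AuditScriptIntegrity -Path $scriptPath -BaselinePath $baselinePath `
                              -ExpectedThumbprint $cert.Thumbprint) {
    & $scriptPath
}
```

The same Get-AuthenticodeSignature and Get-FileHash checks apply to third-party tools: a vendor-signed binary whose signature status is anything other than Valid, or whose signer is not the vendor you expect, should not be run in an administrative context.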
The second option is to harness the power of automated tools that may be designed to help perform audits efficiently. For instance, a dedicated and trustworthy Active Directory Effective Permissions tool can help automate the determination of effective permissions, which is often the most complicated aspect of the audit. Similarly a dedicated Active Directory Permissions Analyzer can be very helpful in analyzing security permissions. The advantage of using tools is that the need to invest the effort to build, test and maintain scripts in-house is eliminated, thus saving IT personnel valuable time and effort. The trade-off with tools is that they are generally developed by vendors and thus there is a procurement cost involved.
In regards to the use of tools, one important aspect that is often overlooked during the selection process is an evaluation of the trustworthiness of a tool. This is very important because these tools often run in highly privileged administrative contexts, so a compromised or inaccurate tool can do real damage or produce a misleading audit. For instance, certain tools may be free but may have been developed by non-experts and thus may not be accurate. Other tools may be accurate but unsupported, or may have been developed by parties the organization has no reason to trust. It is always advisable to use a trustworthy tool, and basic factors such as verifying the source and integrity of the software (for example, a valid code signature from the expected vendor), its supportability and its accuracy can help in reliable tool selection.
In summary, an Active Directory Security Audit is important for organizational security, and periodic audits should be a top security priority. An Active Directory Security Checklist or an Active Directory Audit Checklist can help determine what to cover in an audit, and automation, via in-house scripts or automated AD security audit tools, can help perform the audit efficiently, reliably and periodically.
Article by: William H Edwards