What to Cover in an Active Directory Security Audit

Active Directory is the foundation of cyber security in Microsoft Windows Server-based platforms. Its security is thus mission-critical to organizational and cyber security. In order to ensure its security, organizations perform Active Directory Security Audits on a periodic basis. Such audits provide them the insight they need to ensure that their Active Directory is adequately secure at all times.

While Active Directory security audits are important, it can sometimes be challenging to determine exactly what to cover in the audit. This is primarily because Active Directory is a vast technology that entails numerous components, all of which need to be audited.

Selecting the Type of Audit – Cursory or In-depth

A good starting point when performing an audit is to define the type and scope of the audit, considering the unique requirements of the organization. There are two primary types of audit that can be performed.

A cursory audit is a high-level audit that is performed to obtain high-level insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining high-level insight and identifying key areas that might need detailed attention. For instance, one component of such an audit might involve obtaining high-level insight into the administrative delegation model currently implemented in the Active Directory.

An in-depth audit is a detailed audit that is performed to obtain detailed insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining in-depth insight and identifying weaknesses in specific security settings. For instance, one component of such an audit might involve performing a detailed analysis of security permissions and access rights on all critical objects, such as all administrative accounts and groups, or the default Domain Controllers organizational unit.

Determining the Scope of Audit

The scope of the audit is also important to define because it helps determine exactly what will be covered in the audit. Depending on the nature of the audit, it can focus on individual areas such as domain controller security or administrative delegation, or it could be comprehensive in scope and cover all relevant aspects of Active Directory security, a list of which is provided below.

What to Cover in the Audit

Once the type and the scope of the Active Directory Security Audit have been defined, the next step is to identify the areas of Active Directory that will be covered in the audit.

The following is a list of areas of Active Directory that should ideally be covered in an audit –

    1. Domain Controller Security – It is very important to ensure that all domain controllers are secure at all times. An audit of the security afforded to domain controllers is essential.

    2. Active Directory Logical Structure – It is important to ensure that the logical structure, comprised of forests, domains and trust relationships, is sound. A high-level audit of the logical structure is thus recommended.

    3. Administrative Access – It is equally important to ensure that only a select set of highly trustworthy and proficient individuals are granted unlimited administrative access in Active Directory. An audit of administrative access entitlements in Active Directory is thus essential as well.

    4. Administrative Delegation – In most organizations, all non-administrative tasks such as account and group management tasks are delegated amongst a larger group of lesser-privileged administrators. The need to know who is delegated what administrative tasks is also essential because unauthorized delegations could potentially be used to elevate privilege and compromise security. An Active Directory Access Audit is thus very important as well. (This is sometimes also known as an Active Directory Delegation Audit.)

    5. Configuration Settings – The proper function of Active Directory involves numerous configuration settings, such as, but not limited to, data replication, Schema object definitions, site and subnet management, flexible single-master operations (FSMO) and FSMO role assignments, and SYSVOL security. It is recommended that organizations put together a list of all vital configuration settings and consider performing periodic audits of these configuration settings.

    6. Auditing – The primary purpose of auditing, which is a reactive security measure, is to aid in accountability. Auditing helps identify who may have carried out a specific administrative task, assuming the enactment of that task was being audited. An audit of the auditing settings and the auditing mechanisms in place is also recommended.

    7. Backup and Backup Protection – Every Active Directory must have a reliable backup in place, and these backups must be performed periodically. It is also important to ensure that the backup media itself, such as tapes, is provided adequate physical security. An audit of backup procedures and the physical security afforded to backups is also essential.

    8. Disaster Recovery Plan – All organizations must have a disaster recovery plan in place for their directory service. This plan must also be rehearsed on at least a semi-annual basis. An audit of the organization’s disaster recovery plan is also important.

    9. Security Incident Plan – All organizations must also have a security incident plan in place to ensure that any potential security incidents can be handled swiftly and adequately. An audit of the organization’s security incident plan is also recommended.

    10. Tool Assessment – In the course of managing an Active Directory deployment, IT personnel often obtain and deploy various tools from various vendors. Examples of such tools include reporting tools, assessment tools, audit tools and auditing tools. These tools are often used in administrative contexts and thus an untrustworthy tool could threaten organizational security. It is thus important to ensure that all tools have been procured from a trustworthy source, are developed in trustworthy regions of the world, and are digitally signed so as to ensure their authenticity. An audit of the various tools in use and their trustworthiness is also recommended.

The list of areas provided above can be used as a starting point to tailor a custom audit list that fulfills the unique audit requirements of the organization. Once such an audit list is in place, it can be used to perform audits on a periodic basis.
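As an added illustration (not part of the original article), the following read-only PowerShell script collects evidence for the first six audit areas in the list above: domain controllers, forest and trust structure, privileged group membership, explicit delegations on the Domain Controllers OU, FSMO role holders and SYSVOL permissions, and the effective audit policy. It assumes a domain-joined host with the RSAT ActiveDirectory module installed and an account with read access to the directory; the output file name is an arbitrary choice.

```powershell
#Requires -Modules ActiveDirectory
# Cursory Active Directory audit collector. Assumed environment: domain-joined host,
# RSAT ActiveDirectory module installed, account with read access to the directory.
# It only reads and records state; it changes nothing.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$report = [ordered]@{}

# 1. Domain Controller Security: inventory of DCs, OS level, RODC and GC status
$report.DomainControllers = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, IsReadOnly, IsGlobalCatalog

# 2. Logical Structure: domains in the forest and every trust with its direction
$report.Domains = $forest.Domains
$report.Trusts  = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringForestAware

# 3. Administrative Access: full (recursive) membership of the highest-privilege groups
#    (Schema Admins exists only in the forest root domain, hence SilentlyContinue)
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report.PrivilegedMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group'; e={$g}}, SamAccountName, objectClass
}

# 4. Administrative Delegation: explicit (non-inherited) ACEs on the Domain Controllers OU
$dcOu = "AD:\OU=Domain Controllers,$($domain.DistinguishedName)"
$report.DcOuExplicitAces = (Get-Acl -Path $dcOu).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 5. Configuration Settings: FSMO role holders and SYSVOL share permissions
$report.FsmoRoles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$report.SysvolAcl = (Get-Acl -Path "\\$($domain.DNSRoot)\SYSVOL").Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 6. Auditing: effective advanced audit policy on this host (run on a DC for DC policy)
$report.AuditPolicy = auditpol /get /category:* 2>$null

# Save as JSON so each run can be diffed against the previous audit's snapshot
$report | ConvertTo-Json -Depth 4 | Out-File -FilePath ".\ad-audit-$(Get-Date -Format yyyyMMdd).json"
$report
```

Comparing successive snapshots highlights new privileged members, new trusts, or new explicit delegations between audits, which is usually where a cursory audit should direct in-depth attention.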
