Active Directory Security Assessment (ADSA)

Active Directory is the Cornerstone of Network Security

Microsoft Active Directory forms a critical backbone for the support of your enterprise's information infrastructure. A poorly functioning Active Directory environment weakens security boundaries, replication, and delegated administration, causing significant impact to your business. With Active Directory, security across your network is primarily managed via the Forests, Domains, Organizational Units (OUs) and their associated attributes. Confirming or improving the security of Active Directory provides an immediate and tangible return on the investment. This is especially important in this age of security breaches and personal information disclosures.

Auditing Active Directory is Different

Of all the technologies at an organization, Active Directory is one of the most important, if not the most important, to control and secure. However, auditing Active Directory requires a different methodology from auditing other technologies.

Understanding AD Structure is Crucial

Any effective audit of Active Directory must be based on the architecture of AD, which includes Forests, Domains, Organizational Units, Domain Controllers and Sites. There are different controls at each of these architectural levels that must be audited. In addition, there are arcane relationships and dynamics at work between each of these components that must be understood if you are to recognize and test for the more obscure risks of AD that your IT department may not even be aware of.

Don't Become a Headline

If you don't want your company, your office, or yourself to become a headline, you should enlist the expert Active Directory assessment services provided by the trusted professionals at Illumant's professional services department. Here are just a few of the warning signs that your Active Directory policies and procedures might need an overhaul:

  • Does your company have more than one Forest? Has one Forest conveyed an explicit trust to another? If so, then a controlled consolidation could do much to improve the security of your enterprise.
  • Can IT staff indiscriminately create Domains on the fly? Do all Domains trace their parentage back to the root Forest, or are there Domains within Domains? If so, then the creation of Domains is probably out of control and needs to be remediated with a functional audit of the hierarchy.
  • Administrators, by definition, usually have the access to create any structure in Active Directory. Doing so must be controlled by policy, by procedure, and by Active Directory audit settings. Most admins don't like the housekeeping associated with audit logging and therefore turn the logging off. Is your Active Directory audit logging capability defeated? If so, then you are at severe risk of unauthorized change.
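The three warning signs above can be checked read-only from a domain controller. The following PowerShell script is an added example, not Illumant's code, and assumes the RSAT ActiveDirectory module, an account with read access to the forest, and local administrator rights on the domain controller where it runs (needed for auditpol):

```powershell
# Added example (not Illumant's code). Read-only inventory of the three ADSA warning signs:
# explicit trusts between forests, nested (child) domains, and disabled directory-service auditing.
Import-Module ActiveDirectory

# 1. Forests and explicit trusts: every forest or external trust widens the security boundary,
#    and a trust without SID filtering is a larger exposure than one with it.
$forest = Get-ADForest
Write-Host "Forest root: $($forest.RootDomain); domains: $($forest.Domains -join ', ')"
Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Target           = $_.Target
        Direction        = $_.Direction
        TrustType        = $_.TrustType
        ForestTransitive = $_.ForestTransitive
        SIDFiltering     = $_.SIDFilteringQuarantined
    }
} | Format-Table -AutoSize

# 2. Domain hierarchy: flag "domains within domains" that do not hang directly off the forest root.
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    if ($dom.ParentDomain -and $dom.ParentDomain -ne $forest.RootDomain) {
        Write-Warning "Nested domain: $($dom.DNSRoot) is a child of $($dom.ParentDomain), not of the forest root"
    }
}

# 3. Audit logging: effective advanced audit policy for the "DS Access" category on this DC.
#    auditpol /r emits CSV; an 'Inclusion Setting' of 'No Auditing' means the subcategory is off.
$dsAudit = auditpol /get /category:"DS Access" /r | ConvertFrom-Csv
$disabled = $dsAudit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($disabled) {
    $disabled | ForEach-Object { Write-Warning "Audit subcategory disabled: $($_.Subcategory)" }
} else {
    Write-Host "All DS Access audit subcategories are enabled on $env:COMPUTERNAME"
}
```

Run it on each domain controller, since the auditpol result reflects the policy applied to that machine only.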

What can Illumant's ADSA do for you?

  • The principal objective is to identify and prioritize all security risks associated with your Active Directory.
  • The assessment will undertake a systematic evaluation of every aspect of your AD deployment. This includes all of the trust relationships between all existing Forests, Domains, and Domain Controllers, along with the all-important audit settings. Access rights and rights management will be examined where appropriate.
  • When needed, and when the overall structure is complex enough, the evaluation can include a master mapping of the hierarchy along with a detailed examination of the trust inheritances and their associated security impact.
  • By mutual agreement the assessment can also include an evaluation of management practices, policies and procedures, and security incident readiness.

ADSA Deliverables

Using a modified version of the Visio tool for creating Active Directory diagrams, hierarchical maps can be produced to any level of detail. The most common sort of map included in the master report is the high-level overview, which gives the Forest and Domain relationships as depicted in the following simplified example:

Or, a more complex enterprise with multiple geographic locations could benefit from a higher level analysis which might look like this:

This can be taken to any level of detail, but normally it is only taken to the OU level, and then only if circumstances require it (and by mutual agreement):

If the client desires so, the Containers (the lowest horizontal row) can be taken to the next level showing the members belonging to each annotated group.

In addition to the graphic reports, the ADSA presents a narrative overview of the organization's Active Directory deployment and an executive summary. The executive summary includes a summary of the top x security threats to the organization's Active Directory deployment. Lastly, the narrative report details all of the risks to the Active Directory deployment along with a summary of suggested security risk remediation action items. This latter list is in a format suitable for assignment or delegation.
