Auditing Active Directory Presented to the National State Auditors Association 2014 Information...

Auditing Active Directory By Art Wahl October 1, 2014 Presented to the National State Auditors Association 2014 Information Technology Conference


Auditing Active Directory

By Art Wahl

October 1, 2014

Presented to the National State Auditors Association

2014 Information Technology Conference


Active Directory provides centralized management of network resources.

• Active Directory is not the network.
• Active Directory is not network security.
• Active Directory does not secure all network resources.


Active Directory only helps secure those resources defined within the Active Directory domain. These resources can include:

• Workstations
• Servers
• Switches and Routers
• Printers
• Firewalls


The computer-level security for each resource includes:

• Users and Groups
• Password and Lockout Settings
• Auditing and Lockout Settings
• Available Services
• Patch Level


Active Directory provides a centralized means to manage:

• Users and Groups
• Password and Lockout Settings
• Administrative Authorities


Active Directory runs on the Windows domain controllers.

• Domain controllers have no separate:
  – Users and Groups
  – Password and Lockout Policies


Domain controllers should be dedicated.

• The domain controller could be compromised if another service is compromised.

• Nondedicated domain controllers can also lead to inappropriate individuals holding domain administrative authority.


Active Directory structure includes forests, trees, and domains.

• Due to a Security Identifier (SID) filtering flaw, any domain admin can assume authority anywhere in the forest:
  – Enterprise Admins
  – Schema Admins
  – Domain Admins
  – Default Administrators Group


Domain trusts allow access to users from trusted domains.

• Two-Way Trusts
• One-Way Trusts
• Transitive Trusts


Administrators from trusted domains could have rogue administrative access.

• SID filtering between the trusted domains is required to prevent administrative access from the trusted domain.
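
One way to check this during an audit, as an added example that is not part of the original slides: the function below reads the `trustAttributes` bits of each trust and reports whether SID filtering is enforced, relaxed, or not enforced, including the within-forest case from the earlier slide. The function name, the sample trusts and the three status labels are assumptions made for the illustration; the bit values are those documented for the `trustAttributes` attribute.

```powershell
# Added example: classify SID filtering on each trust from its trustAttributes bits.
# Input objects need Name, Direction and TrustAttributes (as Get-ADTrust returns).
function Test-TrustSidFiltering {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Trust)
    process {
        $bits          = [int]$Trust.TrustAttributes
        $quarantined   = [bool]($bits -band 0x04)   # QUARANTINED_DOMAIN
        $forestTrust   = [bool]($bits -band 0x08)   # FOREST_TRANSITIVE
        $withinForest  = [bool]($bits -band 0x20)   # WITHIN_FOREST
        $treatExternal = [bool]($bits -band 0x40)   # TREAT_AS_EXTERNAL

        $status = if ($quarantined) {
            'Enforced'       # quarantine set explicitly on this trust
        } elseif ($withinForest) {
            'NotEnforced'    # domains of one forest are not filtered from each other
        } elseif ($forestTrust -and $treatExternal) {
            'Relaxed'        # forest trust filtered only as loosely as an external trust
        } elseif ($forestTrust) {
            'Enforced'       # forest trusts filter foreign SIDs by default
        } else {
            'NotEnforced'    # external trust without quarantine
        }

        # Only a trust on which this domain is the trusting side lets outside accounts in.
        $trusting = "$($Trust.Direction)" -in 'Outbound', 'BiDirectional'

        [pscustomobject]@{
            Name         = $Trust.Name
            Direction    = "$($Trust.Direction)"
            SidFiltering = $status
            Finding      = ($trusting -and $status -ne 'Enforced')
        }
    }
}

# Constructed sample data; the domain names are placeholders.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; TrustAttributes = 0x00 }
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Outbound';      TrustAttributes = 0x04 }
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }
    [pscustomobject]@{ Name = 'merger.example';     Direction = 'BiDirectional'; TrustAttributes = 0x48 }
    [pscustomobject]@{ Name = 'supplier.example';   Direction = 'Inbound';       TrustAttributes = 0x08 }
)
$sampleTrusts | Test-TrustSidFiltering | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module:
# Get-ADTrust -Filter * | Test-TrustSidFiltering | Where-Object Finding
```

With the sample data, `partner.example`, `child.corp.example` and `merger.example` come back with `Finding` set to True; the other two do not.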


Password and lockout policy is usually controlled at the domain level.

• Fine-grained password policies can be defined in the domain.


Groups are used to grant rights to objects such as users.

• Organizational units are used to apply policies to or grant administrative authority over objects such as users or computers.


Group policy objects are used to apply policies and security settings to the objects in organizational units.

• The Group Policy Results Wizard can be used to generate a report of security settings applied to the domain or individual users:
  – Password and Lockout Settings
  – Screen Saver Timeout Settings
  – Logging Settings
  – Permissions


The advanced security settings for an organizational unit can be used to identify specific permissions over the organizational units.

• Resetting Passwords
• Full Control
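
The same review can be scripted instead of read from the Advanced Security Settings dialog. The added example below (not from the original slides) filters an organizational unit's access control entries down to those that allow Full Control or Reset Password. The function name, the sample entries and the account names are assumptions; the GUID is the schema identifier of the Reset Password extended right.

```powershell
# Added example: pick out the ACEs on an OU that grant Full Control or Reset Password.
# Expects ACE objects shaped like (Get-Acl "AD:\<OU distinguished name>").Access.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password

function Select-OuDelegation {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Ace)
    process {
        # Deny entries restrict access; only Allow entries delegate authority.
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }

        $rights     = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $objectType = [guid]"$($Ace.ObjectType)"

        $grant = if ($rights -contains 'GenericAll') {
            'Full Control'
        } elseif ($rights -contains 'ExtendedRight' -and
                  $objectType -in @($ResetPasswordGuid, [guid]::Empty)) {
            # An empty ObjectType means every extended right, Reset Password included.
            'Reset Password'
        }

        if ($grant) {
            [pscustomobject]@{
                Principal = "$($Ace.IdentityReference)"
                Grant     = $grant
                Inherited = [bool]$Ace.IsInherited
            }
        }
    }
}

# Constructed sample ACEs; account names are placeholders.
$none = [guid]::Empty
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk';    ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'; ObjectType = $ResetPasswordGuid; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\OU-Admins';   ActiveDirectoryRights = 'GenericAll';    AccessControlType = 'Allow'; ObjectType = $none;              IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CORP\Staff';       ActiveDirectoryRights = 'GenericRead';   AccessControlType = 'Allow'; ObjectType = $none;              IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CORP\Contractors'; ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Deny';  ObjectType = $ResetPasswordGuid; IsInherited = $false }
)
$sampleAces | Select-OuDelegation | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module loaded (placeholder DN):
# (Get-Acl 'AD:\OU=Staff,DC=corp,DC=example').Access | Select-OuDelegation
```

With the sample entries, only `CORP\Helpdesk` (Reset Password) and `CORP\OU-Admins` (Full Control) are reported.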


Questions?

Contact: [email protected]
