In order to ensure its security, organizations perform Active Directory Security Audits on a periodic basis. Such audits provide them the insight they need to ensure that their Active Directory is adequately secure at all times.
While Active Directory security audits are important, it can sometimes be challenging to determine exactly what to cover in the audit. This is primarily because Active Directory is a vast technology that entails numerous components, all of which need to be audited.
A good starting point when performing an audit is to define the type and scope of the audit, considering the unique requirements of the organization. There are two primary types of audit that can be performed.
Selecting the Type of IT Audit – Cursory or In-depth
A cursory audit is a high-level audit that is performed to obtain high-level insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining high-level insight and identifying key areas that might need detailed attention. One component of such an audit might involve obtaining high-level insight into the administrative delegation model currently implemented in the Active Directory.
An in-depth audit is a detailed audit that is performed to obtain detailed insight into the security state of the Active Directory. Such an audit is usually helpful in obtaining in-depth insight and identifying weaknesses in specific security settings. One component of such an audit might involve performing a detailed analysis of the security permissions and access rights on all critical objects, such as all administrative accounts and groups, or the default Domain Controllers organizational unit.
Determining the Scope of Audit
The scope of the audit is also important to define, because it determines exactly what will be covered in the audit. Depending on the nature of the audit, it can focus on individual areas such as domain controller security or administrative delegation, or it can be comprehensive in scope and cover all relevant aspects of Active Directory security, a list of which is provided below.
What to Cover in the Audit
Once the type and the scope of the Active Directory Security Audit have been defined, the next step is to identify the areas of Active Directory that will be covered in the audit.
The following is a list of areas of Active Directory that should ideally be covered in an audit –
Active Directory Logical Structure – It is important to ensure that the logical structure, comprised of forests, domains and trust relationships, is sound. A high-level audit of the logical structure is thus recommended.
Domain Controller Security – It is very important to ensure that all domain controllers are secure at all times. An audit of the security afforded to domain controllers is essential.
Administrative Access – It is equally important to ensure that only a select set of proficient and highly trustworthy individuals are granted unlimited administrative access in Active Directory. An audit of administrative access entitlements in Active Directory is thus essential.
An Active Directory Access Audit is thus very important. (This is sometimes also known as an Active Directory Delegation Audit.)
Configuration Settings – The proper function of Active Directory involves numerous configuration settings, such as, but not limited to, data replication, Schema object definitions, site and subnet management, flexible single-master operations (FSMO) and FSMO role assignments, and SYSVOL security. It is recommended that organizations put together a list of all vital configuration settings and consider performing periodic audits of these configuration settings.
Auditing – The primary purpose of auditing, which is a reactive security measure, is to aid in accountability. Auditing helps identify who may have carried out a specific administrative task, assuming the enactment of that task was being audited. An audit of the auditing settings and the auditing mechanisms in place is also recommended.
Backup and Backup Protection – Every Active Directory must have a reliable backup in place, and these backups must be performed periodically. It is also important to ensure that the backup media itself, such as tapes, is afforded adequate physical security. An audit of backup procedures and the physical security afforded to backups is also essential.
Disaster Recovery Plan – All organizations must have a disaster recovery plan in place for their directory service. This plan must also be rehearsed on at least a semi-annual basis. An audit of the organization’s disaster recovery plan is also important.
Security Incident Plan – All organizations must also have a security incident plan in place to ensure that any potential security incidents can be handled swiftly and adequately. An audit of the organization’s security incident plan is also recommended.
Tools in Use – Examples of such tools include reporting tools, assessment tools, audit tools and auditing tools. An audit of the various tools in use and their trustworthiness is also recommended.
The list of areas provided above can be used as a starting point to tailor a custom audit list that fulfills the unique audit requirements of the organization. Once such an audit list is in place, it can be used to perform audits on a periodic basis.
Depending on the type and scope of the Active Directory Security Audit, an audit could take a considerable amount of time to perform. Most audits involve the assessment of a combination of security controls, such as an assessment of procedures and policies, as well as an assessment of various security settings such as security permissions and access rights. In addition, most audits involve at least some form of advanced security analysis, such as effective permissions analysis or delegation audit analysis.
Performing Audits Efficiently
In order to make the audit process efficient, organizations can use the power of automation to automate repetitive tasks as well as tasks that are difficult and take up a considerable amount of time. This can be done by using or developing in-house scripts or specialized Active Directory security tools, such as tools that aid in Active Directory security analysis or in performing an Active Directory delegation audit.
Because there is no procurement cost involved, it is often advantageous to develop in-house scripts. Their only downside is that they can take weeks to develop and test, as well as additional work to maintain them and ensure their integrity. For organizations that do not have the expertise or the time required to develop scripts in-house, automated tools provide the benefit of being usable and instantly available, with the trade-off that there is a procurement cost involved.
Irrespective of how automation is leveraged, it is almost always beneficial and recommended, because Active Directory Security Audits do need to be performed on a frequent basis, and automation can help save substantial time and effort in the long run.
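As an added example, not code from the original article, the following PowerShell script automates a cursory pass over three of the areas listed above (Administrative Access, Domain Controller Security, and the FSMO role assignments within Configuration Settings) and writes timestamped CSV files so consecutive audits can be compared for drift. It assumes the RSAT ActiveDirectory module, a domain-joined read-only account, and an exclusion list of expected principals that is an assumption to be tailored per environment.

```powershell
# Added example, not from the original article: a cursory pass over three
# audit areas. Assumes the RSAT ActiveDirectory module and a read-only account.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Administrative Access: expand nested membership of the privileged groups so
#    accounts that reach a group through another group are not missed.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$adminReport = foreach ($group in $privilegedGroups) {
    # Enterprise/Schema Admins exist only in the forest root domain; skip quietly elsewhere.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate
        $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }
        [pscustomobject]@{
            Group = $group; SamAccountName = $u.SamAccountName; Enabled = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires; PasswordAgeDays = $ageDays
            LastLogonDate = $u.LastLogonDate
        }
    }
}
$adminReport | Export-Csv -NoTypeInformation -Path "AdminAccess-$stamp.csv"

# 2. Domain Controller Security: explicit (non-inherited) Allow ACEs on the default
#    Domain Controllers OU. The exclusion pattern is an assumption; tailor it per environment.
$expected = '^(NT AUTHORITY|BUILTIN|Everyone|S-1-5-32)|\\(Domain Admins|Enterprise Admins)$'
$dcOU = "OU=Domain Controllers,$($domain.DistinguishedName)"
$dcOUReport = (Get-Acl -Path "AD:\$dcOU").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -notmatch $expected } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
$dcOUReport | Export-Csv -NoTypeInformation -Path "DomainControllersOU-ACL-$stamp.csv"

# 3. Configuration Settings: record the FSMO role holders so drift between audits is visible.
$fsmo = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo | Export-Csv -NoTypeInformation -Path "FSMO-$stamp.csv"

# On-screen summary of the findings that usually need attention first.
$adminReport | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } | Format-Table -AutoSize
$dcOUReport  | Format-Table -AutoSize
```

The CSV output is the cursory layer; any principal or stale privileged account it surfaces is a candidate for the in-depth effective-permissions analysis the article describes.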