As the Identity and Authentication source of most Enterprises, Active Directory is the backbone of local and federated authentication. Coupled with the prevalence of Cloud computing, organizations are depending more and more on federated authentication and expanding their Active Directory into the Cloud.
While most organizations upgrade their Active Directory through Domain Controller OS upgrades, AD is designed to be as backwards compatible as possible, and therefore leaves many legacy protocols and configuration settings enabled. Many Domains originated long ago and have been upgraded throughout the years, but the legacy protocols and settings enabled from the onset were never disabled. Attackers have developed automated tools to exploit these weaknesses: protocols and settings that, while legitimate, are insecure nonetheless.
The firewall and network perimeter can no longer be considered the security boundary. You must assume that an internal user will inadvertently click on something and become compromised. The workstation is now the security boundary, and the older the origins of the AD network, the easier it becomes for an attacker to perform reconnaissance, compromise network traffic, sniff passwords, and move throughout your network.
With each new OS release from Microsoft comes a series of improvements, many aimed at the stability and recoverability of Active Directory, but many are only enabled once extra steps are taken to configure and implement them. The audit outlined below will report what’s currently enabled and what should be disabled, ensure AD health, and provide recommendations for further securing AD based on your unique environment.
This audit will:
- Provide a point-in-time snapshot of AD
- Detect legacy artifacts and provide remediation steps
- Audit group membership and permissions
- Evaluate Group Policy as a means of compromise
- Compare Group Policy to Microsoft recommendations
- Check DNS health
- Provide Auditing and Security recommendations
- Ensure AD is healthy and protected!
“An ounce of prevention is better than having to rebuild your entire Domain from backup.”
– Benjamin Franklin