
Active Directory Audit Checklist

Top-25 Tasks to Audit in Active Directory

Active Directory is the foundation of identity and access management in Microsoft Windows Server based IT infrastructures.

Active Directory also provides the infrastructure to facilitate the delegation of administrative tasks involved in identity and access
management. An effective access audit, a proactive security measure, helps identify who can perform these administrative tasks.

Active Directory Audit Checklist

The following checklist is provided to help organizations determine the identities of all individuals who possess sufficient effective
access to be able to enact the following administrative tasks:

Note: A proactive access audit helps identify who can enact these tasks in an Active Directory deployment, and thus helps
identify and minimize the number of individuals who possess sufficient privilege to enact these sensitive tasks. The ability to
proactively identify who can perform these tasks, and to minimize this number, results in real and measurable risk reduction.

In contrast, auditing, a reactive security measure, merely helps identify who has already enacted a sensitive administrative
task. It provides after-the-fact information that can help identify a potential security incident. However, it is not a preventative
measure, as it does not prevent the enactment of a sensitive administrative task. Organizations must thus not rely solely on
auditing to protect their Active Directory deployments. They must periodically perform proactive access audits to reduce risk.

I. User Account Management

Organizations must generate the following effective access audit reports related to user account management tasks:
1. List of all individuals who can create user accounts
2. List of all individuals who can delete user accounts
3. List of all individuals who can reset a user account's password
4. List of all individuals who can unexpire an expired user account
5. List of all individuals who can enable a disabled user account
6. List of all individuals who can change the smart card requirement for interactive logon for a user account
7. List of all individuals who can change the logon script of a user account
8. List of all individuals who can change the security permissions protecting a user account

II. Computer Account Management

Organizations must generate the following effective access audit reports related to computer account management tasks:
1. List of all individuals who can create computer accounts
2. List of all individuals who can delete computer accounts
3. List of all individuals who can change a computer account's service principal name(s)
4. List of all individuals who can change the security permissions protecting a computer account

III. Security Group Management

Organizations must generate the following effective access audit reports related to security group management tasks:
1. List of all individuals who can create security groups
2. List of all individuals who can delete security groups
3. List of all individuals who can change a security group's membership
4. List of all individuals who can change the ability to add/remove oneself from a security group
5. List of all individuals who can change a security group's scope
6. List of all individuals who can change a security group's type
7. List of all individuals who can change the security permissions protecting a security group

IV. Organizational Unit Management

Organizations must generate the following effective access audit reports related to organizational unit management tasks:
1. List of all individuals who can create organizational units
2. List of all individuals who can delete organizational units
3. List of all individuals who can change the list of group policies linked to an organizational unit
4. List of all individuals who can change the precedence of group policies linked to an organizational unit
5. List of all individuals who can change the security permissions protecting an organizational unit

V. Active Directory Schema Management

Organizations should generate the following effective access audit reports related to Schema management tasks:
1. List of all individuals who can change the security permissions protecting the Schema partition root
2. List of all individuals who can create Schema classes
3. List of all individuals who can create Schema attributes
4. List of all individuals who can delete Schema classes
5. List of all individuals who can delete Schema attributes
6. List of all individuals who can modify a Schema class
7. List of all individuals who can modify a Schema attribute
8. List of all individuals who can change the security permissions protecting a Schema class
9. List of all individuals who can change the security permissions protecting a Schema attribute

VI. Active Directory Configuration Management

Organizations should generate the following effective access audit reports related to Configuration management tasks:
1. List of all individuals who can change the security permissions protecting the Configuration partition root
2. List of all individuals who can create sites
3. List of all individuals who can delete sites
4. List of all individuals who can change the security permissions protecting a site
5. List of all individuals who can create subnets
6. List of all individuals who can delete subnets
7. List of all individuals who can change the security permissions protecting a subnet
8. List of all individuals who can create site-links
9. List of all individuals who can delete site-links
10. List of all individuals who can change the security permissions protecting a site-link
11. List of all individuals who can change the list of group policies linked to the Sites container
12. List of all individuals who can change the precedence of group policies linked to the Sites container
13. List of all individuals who can change the dsHeuristics attribute of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forest-root-domain> object
14. List of all individuals who can change the ldapAdminLimits attribute of the cn=Default Query Policy,cn=Query Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forest-root-domain> object
15. List of all individuals who can change the security permissions protecting all domain partition roots
16. List of all individuals who can change the list of group policies linked to all domain partitions
17. List of all individuals who can change the precedence of group policies linked to all domain partitions
18. List of all individuals who can change the security permissions protecting the default Domain Controllers OU
19. List of all individuals who can change the list of group policies linked to the default Domain Controllers OU
20. List of all individuals who can change precedence of group policies linked to the default Domain Controllers OU
21. List of all individuals who can change the security permissions protecting the default System container
22. List of all individuals who can create group policies in the Policies container, cn=Policies,cn=System,dc=<domain>
23. List of all individuals who can delete group policies in the Policies container, cn=Policies,cn=System,dc=<domain>
24. List of all individuals who can change security permissions protecting the Policies container
25. List of all individuals who can change the security permissions protecting the AdminSDHolder object,
cn=AdminSDHolder,cn=System,dc=<domain>
26. List of all individuals who can change all domain security policies
27. List of all individuals who can transfer and seize all Flexible Single Master Operations (FSMO) roles
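One way to start the per-object reports in sections I to VI (for instance section I items 3 and 8, or section III item 3), as an added PowerShell example that is not part of this checklist or of any Paramount Defenses tooling: it reads the DACL of one Active Directory object, flags the allow ACEs that grant a watched right, and expands trustee groups down to user accounts. It assumes the RSAT ActiveDirectory module; the account name EXAMPLE-USER is a placeholder.

```powershell
# Added example, not part of the Paramount Defenses checklist: list the trustees whose allow
# ACEs grant a watched sensitive right on one AD object, expanding groups to user accounts.
# Assumes the RSAT ActiveDirectory module (AD: drive, Get-ADGroup, Get-ADGroupMember).
Import-Module ActiveDirectory
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Flag an ACE must carry plus the extended-right/attribute GUID it must name (all-zero = any).
$Watched = @(
    @{ Name = 'ResetPassword'; Flag = $ADR::ExtendedRight; Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529' }
    @{ Name = 'WriteMember';   Flag = $ADR::WriteProperty; Guid = [guid]'bf9679c0-0de6-11d1-a285-00aa003049e2' }
    @{ Name = 'WriteDacl';     Flag = $ADR::WriteDacl;     Guid = [guid]::Empty }  # change security permissions
    @{ Name = 'GenericAll';    Flag = $ADR::GenericAll;    Guid = [guid]::Empty }  # implies every right above
)

function Expand-Trustee([System.Security.Principal.IdentityReference]$Id) {
    # Group trustee -> nested user members; account -> itself; deleted principal -> unresolved SID.
    try { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return "UNRESOLVED:$($Id.Value)" }
    try { $null = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { return $Id.Value }
    $users = Get-ADGroupMember -Identity $sid -Recursive |
             Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
    return "$($Id.Value) {" + ($users -join ',') + '}'
}

function Get-SensitiveTrustee {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Deny ACEs and ownership are left to the effective-access step; only allow ACEs are surfaced.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        foreach ($w in $Watched) {
            $flagHit = $ace.ActiveDirectoryRights.HasFlag($w.Flag)
            $guidHit = ($w.Guid -eq [guid]::Empty) -or ($ace.ObjectType -eq $w.Guid) -or ($ace.ObjectType -eq [guid]::Empty)
            if (-not ($flagHit -and $guidHit)) { continue }
            [pscustomobject]@{
                Object    = $DistinguishedName
                Right     = $w.Name
                Trustee   = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                Resolved  = Expand-Trustee $ace.IdentityReference
            }
        }
    }
}

# Usage (placeholder sAMAccountName): who can reset this user's password or rewrite its
# security permissions (checklist section I, items 3 and 8).
$dn = (Get-ADUser -Identity 'EXAMPLE-USER').DistinguishedName
Get-SensitiveTrustee -DistinguishedName $dn | Format-Table -AutoSize
```

The output is a raw-ACE starting point, not the effective access the checklist asks for: deny ACEs, object ownership, entries inherited from parent OUs or stamped by AdminSDHolder, and group nesting across trusts still have to be folded in before a name is treated as able to perform the task.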

VII. Administrative Account and Group Management

Organizations must also audit the identities of all individuals who can enact tasks related to the management of administrative
accounts and groups. The tasks listed in the user account and group management sections cover these audit requirements.

Disclaimer: The information furnished in this document is provided for guidance purposes only and cannot be understood as substituting for authoritative technical information furnished by the pertinent official vendor. Reliance upon any information furnished in this document is at your own risk. Paramount Defenses Inc provides no warranty and makes no representation that the information provided is suitable or appropriate for any situation, and cannot be held liable for any claim or damage of any kind that users of the information furnished in this document may suffer.

Paramount Defenses www.paramountdefenses.com


Copyright Paramount Defenses Inc. All Rights Reserved.
