Some years ago, I worked as a software implementation consultant in the public sector. An IT Director pulled me into his office one day to ask about my team’s ERP deployment. After I answered his questions he said, “That all sounds fine. What isn’t so fine is the state of my Active Directory.” He proceeded to show me thousands of stale accounts across agencies, as well as global access rights that could put sensitive budget information at risk.
What he shared has always stayed with me. So I was excited to listen to a webinar on Best Practices for Auditing Active Directory.
The five actionable steps are exactly the advice I wish I had given that IT Director. Fortunately, you’re reading this blog so you can use these steps right away.
Active Directory Auditing
What is it?
Active Directory (AD) auditing is the process of collecting data about your AD objects and attributes—and analyzing and reporting on that data to determine the overall health of your directory. Organizations perform audits 1) to secure AD from attackers who are after credentials and 2) to keep IT operations running smoothly. The order of these two is debatable depending on your role.
Why do it?
By auditing Active Directory, you can reduce security risks by identifying and remediating toxic conditions like deeply nested groups and directly assigned permissions that attackers can exploit to gain access to your network resources. You can also uncover and fix conditions like token bloat and circular nesting that slow down, or hang applications, to improve operational efficiency.
How do you perform an audit?
Active Directory auditing consists of five steps, which help you prioritize your focus areas.
Step 1: Survey and Analyze
Step one is to scan and map your AD environment to answer questions like:
- How many accounts and groups do you have?
- What kinds of toxic conditions exist?
- Who has permissions to your domain controllers (DCs) and organizational units (OUs)?
Once you know what’s in your AD environment, you can start to triage.
Step 2: Focus on What Matters Most
Step two is prioritizing efforts based on your findings. Three places organizations often begin are:
- Privileged AD Access—Examine critical objects like group policy and domain/enterprise admins
- Large Group Remediation—Evaluate groups that in effect have the same membership as well-known security principles like all Domain Users or the Everyone groups
- Privileged User Access—Determine which users have elevated or direct access
Step 3: Get the Right Stakeholders Involved
Step 3 is gaining support to address priority issues. You can use permissions scans data, for instance, to identify stakeholders based on who has access within Active Directory—as well as who has access to Active Directory objects. For example, you can identify the manager of groups or users who will know why permissions have been set-up a certain way, e.g., delegated admin permissions to perform certain tasks like resetting passwords.
Step 4: Review and Remediate
With stakeholders onboard, you can review group memberships and remediate problematic AD conditions. First, remediate privileged access to AD by verifying that the right users are in domain and enterprise admins. This least privilege approach reduces the chance that a rogue admin will abuse privileges by accessing sensitive data or adding an unauthorized user to the group’s membership. Second, involve business owners in group governance to help validate that the right members are in their groups—and that the group overall has access to the resources it needs.
Step 5: Make the Process Repeatable
Step five is making the process a continuous cycle. Once you complete your top priorities, you return to step one and repeat the process for your next priority. For example, another focus area might be ensuring AD passwords follow change policies and aren’t stored in memory.
Active Directory Reporting
STEALTHbits offers a number of reports you can use to audit Active Directory. Here are some of the most popular reports used by customers:
- Active Directory Overview—presents a top-level view of multiple domains and their statistics, with the ability to drill-down into specific areas like user accounts with no password expiration
- Toxic Conditions—gives insight into toxic conditions like circular nesting, displaying the groups that are nested and at which levels
- Privileged Accounts—shows user accounts with admin rights to AD and systems (e.g. Windows and Windows Server), as well as the last time each account’s password was changed
- Sensitive Security Groups—provides more detail on privileged accounts, showing their effective membership in sensitive groups (domain, enterprise and schema admins) and their last logon
- DC Logon Rights—displays the users and groups that have logon rights to domain controllers, uncovering risks like service accounts that should never be able to logon to DCs
- AD Extended Rights—lists all default permissions for a domain without having to go into Active Directory Users and Computers (ADUC) or Active Directory Service Interfaces (ADSI) to see them
- AD Permissions—offers you the ability to look into issues you’ve discovered like directly assigned permissions by domain and whether these accounts have administrative rights
- DSRM Admin Security—lets you know whether the DSRM admin account can be used to logon to the DC, even if it hasn’t been started in DSRM (DSRM passwords aren’t controlled by policy)
- Password Status—lists the password status of all user accounts, highlighting potential issues like old and non-expiring passwords; another report shows where passwords are not in compliance
- Token Size—enables you to determine why it takes so long to log onto a workstation or server, e.g., the more groups that users belong to, the more group policies have to be applied for logon
Use these five steps to begin auditing your Active Directory environment. To take advantage of STEALTHbits AD auditing tools, please check out our Credential and Data Security Assessment or contact us at firstname.lastname@example.org. To watch the full webcast, please click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.