Active Directory Security Assessment Tool

-->

The Active Directory Security assessment is designed to provide you specific actionable guidance to mitigate security risks to your Active Directory and your organization. This solution also provides you with status on your progress relative to Microsoft’s recommended roadmap for Securing Privilege Access (SPA), of which Active Directory is a critical component.

The Active Directory Security Assessment focuses on several key pillars, including:

  • In-depth review of Active Directory configuration and GPO settings that drive security for in-scope domains and their affiliated OUs, groups, computers, users, and service accounts.
  • Illumant uses automated GPO settings analysis tools along with manual reviews of the findings and the domain configurations themselves to develop recommendations to improve the security of AD implementations .
  • Illumant analyzes the Active Directory from a variety of perspectives in order to evaluate the security of the AD implementation, and the security AD provides to users, computers, and the organization as a whole: .
  • Classification of users and groups as privileged or unprivileged .
  • Illumant observes a variety of factors of each Group in AD to determine whether or not it has above average privileges.
  • Very useful when there are hundreds or thousands of groups.

Running the Active Directory Security Assessment

Prerequisites

In order to take full advantage of the On-Demand Assessments available through Services Hub, you must:

  1. Once the groups are classified we can use that information to determine which users are privileged or not based on their group membership. Due to cutting edge analysis techniques it is possible to determine user's complete group membership even when extreme nesting of groups has taken place.
  2. Discovery of sensitive information hidden deep within world readable portions of the AD implementation. Illumant has a history of finding things like passwords or private encryption keys, even in mature AD deployments Review of GPO permissions .
  3. It is not uncommon to discover sensitive GPOs which are modifiable by low privilege users resulting in privilege escalation Identifying accounts which are candidates for removal due to factors such as the last time it was logged in to, or has its password changed .
  • Comparison against best-practices: .
  • Password complexity / rotation. Kerberos configuration. System configuration.
  • Network-based vulnerabilities. Our client has a sprawling Active Directory implementation that has grown organically over time to include ~30,000 users and service accounts, and over 100,000 groups ..
  • Review of AD configurations. Review of GPO Settings. Automated benchmarking. Comparison against best-practices.
  1. Review of OUs, groups, users, computers. Classification of severity of findings. Remediation recommendations. Active Directory. Domain controllers. Service accounts. GPO settings analysismanual reviewreview of usersreview of groupsreview of service accountsGPO settingsOUsgroupscomputersservice accountsbest-practicesDetailed Description An Active Directory structure consists of one or more forests, each of which can contain a complex collection of interrelated Domains, Organizational Units, Groups, Users, Computes and Service Accounts.

GPO settings drive and constrain the interactions between these elements, and are ultimately responsible in large part for the security of a Microsoft computing environment.

The ADSA involves an in-depth review of AD configurations and GPO setting in comparison with best-practices, to identify security weaknesses that could open up internal networks to attack propagation, and unnecessary internal threats. Illumant also reviews OU and group membership to identify potential risks, as well as key properties of users, computers and service accounts to ensure maximal security.

Setup the AD Security Assessment -Watch Video Guide

Illumant runs automated GPO settings and AD analysis tools to gather preliminary information.

This is supplemented by manual reviews of the automated findings along with manual reviews of the settings themselves in order to identify additional issues and weaknesses. Based on the findings, Illumant prepares a report highlighting recommended changes to GPO setting and AD configuration that will serve to improve the security of Active Directory infrastructure and the network as a whole.

  1. review of usersreview of groupsreview of service accountsGPO settingsOUsgroupscomputersservice accountsbest-practicesDetailed Description An Active Directory structure consists of one or more forests, each of which can contain a complex collection of interrelated Domains, Organizational Units, Groups, Users, Computes and Service Accounts.
  2. GPO settings drive and constrain the interactions between these elements, and are ultimately responsible in large part for the security of a Microsoft computing environment.

Add-ADSecurityAssessmentTask -WorkingDirectory command,

where workingdirectorypath is a path to an existing directory used to store the files created while collecting and analyzing the data from the environment.

  1. The ADSA involves an in-depth review of AD configurations and GPO setting in comparison with best-practices, to identify security weaknesses that could open up internal networks to attack propagation, and unnecessary internal threats.
  2. Illumant also reviews OU and group membership to identify potential risks, as well as key properties of users, computers and service accounts to ensure maximal security. Illumant runs automated GPO settings and AD analysis tools to gather preliminary information. This is supplemented by manual reviews of the automated findings along with manual reviews of the settings themselves in order to identify additional issues and weaknesses.
  3. Based on the findings, Illumant prepares a report highlighting recommended changes to GPO setting and AD configuration that will serve to improve the security of Active Directory infrastructure and the network as a whole.
  4. review of service accounts. GPO settingsOUsgroupscomputersservice accountsbest-practicesDetailed Description An Active Directory structure consists of one or more forests, each of which can contain a complex collection of interrelated Domains, Organizational Units, Groups, Users, Computes and Service Accounts.
  5. GPO settings drive and constrain the interactions between these elements, and are ultimately responsible in large part for the security of a Microsoft computing environment.
AgreementRemote EngineerOnsite Engineer
Premier ADS Remote Datasheet ADS Onsite Datasheet
Unified ADS Remote Datasheet ADS Onsite Datasheet

For general feedback on the Resource Center or content, please submit your feedback to your Microsoft representative. For specific requests and content updates regarding the Services Hub, contact our Support Team to submit a case.

Comments are closed.