The world's most trusted forum on Active Directory Security
I too would like to know how to go about systematically identifying security risks to our Active Directory.
We have been asked to establish a project to assess any potential risks to our foundational Active Directory deployment, and while we have some ideas, it would be nice to have some input from others as well, as to what might be the best way to approach such an assessment.
One challenge that we face is what depth to aim for in our assessment: do we do a cursory assessment of high-level risks, or do we deep dive into specific areas (which could take a long time to do) and do a complete and thorough assessment?
I suppose one of my key questions is how one knows whether one has covered all areas, since Active Directory is such a vast topic and subject.
I look forward to your thoughts and inputs.
It is very important to protect Active Directory, and a risk assessment is a very good place to start, because it can help identify all the key areas where you need to protect it, and what the deficiencies may be, so you can mitigate them.
I would recommend using professionals to do this though, because the subject area is just so vast that it would take weeks to learn everything pertinent there is to know, and then to start doing the assessment and finding weaknesses. It's one of those things where a specialist could actually save you lots of pain, time and money.
That said, one of the most important places to start is by seeing who has what administrative access in Active Directory, because their accounts are one of the most critical things to protect, as if someone could compromise these accounts, they would basically have full admin control over your Active Directory.
Thanks for bringing this question up though, as it is certainly very important.
Wherever you go and whatever you do, may the luck of the Irish be there with you.
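The "who has what administrative access" inventory that Joe describes above, as an added PowerShell example (not code from the forum post or from any poster). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the list of groups is a starting point, not a complete catalogue of privileged groups in every environment.

```powershell
# Added example (not from the forum post): inventory the accounts that hold
# administrative control of the domain. Nested group membership is expanded,
# so a user reachable only through a chain of groups is still counted, and
# the attributes an assessor cares about are recorded: enabled, last logon,
# password age, and whether the account carries an SPN (Kerberoastable).
Import-Module ActiveDirectory

$Domain = Get-ADDomain
# Groups whose members effectively own the directory. Enterprise Admins and
# Schema Admins exist only in the forest root domain; the rest are per domain.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

$Rows = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { continue }   # not present in this domain (e.g. a child domain)

    # -Recursive flattens nested groups; keep only the leaf principals
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -in @('user', 'computer') }

    foreach ($Member in $Members) {
        $Obj = Get-ADObject -Identity $Member.distinguishedName `
            -Properties userAccountControl, lastLogonTimestamp, pwdLastSet, servicePrincipalName
        $Uac = [int]$Obj.userAccountControl
        [pscustomobject]@{
            Group                = $Group.Name
            Account              = $Member.SamAccountName
            Class                = $Member.objectClass
            Enabled              = -not ($Uac -band 0x0002)     # ACCOUNTDISABLE flag
            PasswordNeverExpires = [bool]($Uac -band 0x10000)   # DONT_EXPIRE_PASSWORD flag
            HasSPN               = (($Obj.servicePrincipalName | Measure-Object).Count -gt 0)
            PasswordAgeDays      = if ($Obj.pwdLastSet) {
                                       [int]((Get-Date) - [DateTime]::FromFileTime($Obj.pwdLastSet)).TotalDays
                                   } else { $null }
            LastLogon            = if ($Obj.lastLogonTimestamp) {
                                       [DateTime]::FromFileTime($Obj.lastLogonTimestamp)
                                   } else { $null }
            DistinguishedName    = $Member.distinguishedName
        }
    }
}

# Accounts still stamped adminCount=1 (AdminSDHolder protection) that are no
# longer in any of the groups above: stale protection, worth a second look.
$CurrentDns = @($Rows | ForEach-Object DistinguishedName)
$Orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(objectClass=user)(!(sAMAccountName=krbtgt)))' |
    Where-Object { $_.DistinguishedName -notin $CurrentDns }

$Rows | Sort-Object Group, Account | Format-Table -AutoSize
$Rows | Export-Csv -NoTypeInformation -Path .\privileged-accounts.csv
"Accounts with adminCount=1 but not in a listed privileged group:"
$Orphans | Select-Object Name, ObjectClass, DistinguishedName
```

Two caveats when reading the output: the same account will appear under several groups (Domain Admins is itself a member of Administrators), and Get-ADGroupMember does not expand foreign security principals from trusted domains, so members from other forests have to be enumerated on their own side. The report also only covers group membership; access granted by ACL delegation on OUs and objects is a separate audit.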
Indeed, Active Directory security is a very vast subject and in my experience, I have found that it is always best to first perform a cursory risk assessment and only after that perform an in-depth risk assessment.
It is also very important to define the boundary of what you wish to cover in your Active Directory risk assessment, because in the absence of a well-defined boundary, it is very easy to get swayed into a host of Windows security aspects that may or may not strictly fall under Active Directory security.
Also, I would tend to agree with Joe that in-depth assessments are best performed by SMEs (Subject Matter Experts), as this is a very broad and arcane area of security. It is nonetheless very important.
Women's eyes have pierced more hearts than ever did the bullets of war.
Active Directory is a vast technology and has many moving parts, so it is not easy to identify risks to the Active Directory. That said, some aspects are certainly very important and I have listed them below:
1. List of all DCs and their security (physical, network, system)
2. List of all Admins and their security (Domain Admins, Enterprise Admins)
3. List of all Delegated Admins and what they are delegated where (e.g. who can reset passwords, whose passwords they can reset, and how, including and especially for administrative accounts)
4. Active Directory Replication, Backups and FSMOs
5. Changes to Active Directory Schema
This is by no means a complete list but some of the most important things to look at as you try to assess risk to your Active Directory.
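Items 1, 4 and 5 of the list above (the DC estate, replication, backups and FSMOs, and schema changes) are facts that can be pulled straight out of the directory. The script below is an added example, not code from the forum post; it assumes the RSAT ActiveDirectory module, domain read access, and that repadmin.exe (the native replication tool) is available for the backup timestamps. The 90-day schema window and the 24-hour replication threshold are assumed values to adjust for your environment.

```powershell
# Added example (not from the forum post): snapshot the DC estate, FSMO
# role holders, replication health, last backups and recent schema changes.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$Forest  = Get-ADForest
$RootDSE = Get-ADRootDSE

# 1. Every DC: OS level, site, GC and RODC status. A writable DC on an
#    out-of-support OS, or in a site with weak physical security, is a
#    finding in itself.
$DCs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, OperatingSystem,
                  OperatingSystemVersion, IsGlobalCatalog, IsReadOnly

# 4a. FSMO role holders. These DCs deserve the tightest controls.
$Fsmo = [pscustomobject]@{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Domain.PDCEmulator
    RIDMaster            = $Domain.RIDMaster
    InfrastructureMaster = $Domain.InfrastructureMaster
}

# 4b. Replication health. A DC that has not replicated in a day is serving
#     stale group memberships, passwords and ACLs to whoever authenticates
#     against it.
$ReplFailures = Get-ADReplicationFailure -Target $Domain.DNSRoot -Scope Domain
$ReplStale = Get-ADReplicationPartnerMetadata -Target $Domain.DNSRoot -Scope Domain |
    Where-Object {
        $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) -or
        $_.ConsecutiveReplicationFailures -gt 0
    } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures

# 4c. Last backup recorded for each naming context. A system-state backup
#     stamps the dSASignature attribute; repadmin /showbackup prints it.
$LastBackup = repadmin /showbackup $Domain.PDCEmulator 2>&1

# 5. Schema changes. The version should match the expected level for the
#    forest, and every object modified recently should be explainable
#    (Exchange, LAPS, a custom application) or treated as suspicious.
$SchemaNC      = $RootDSE.schemaNamingContext
$SchemaVersion = (Get-ADObject -Identity $SchemaNC -Properties objectVersion).objectVersion
$Cutoff        = (Get-Date).AddDays(-90)
$RecentSchema  = Get-ADObject -SearchBase $SchemaNC -Filter { whenChanged -ge $Cutoff } `
                     -Properties whenChanged, whenCreated, lDAPDisplayName |
    Select-Object lDAPDisplayName, objectClass, whenCreated, whenChanged
# Schema Admins should be empty outside a planned schema change window.
$SchemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive -ErrorAction SilentlyContinue)

"== Domain controllers ==";            $DCs | Format-Table -AutoSize
"== FSMO role holders ==";             $Fsmo | Format-List
"== Replication failures ==";          $ReplFailures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
"== Stale replication partners ==";    $ReplStale | Format-Table -AutoSize
"== Last backups (repadmin) ==";       $LastBackup
"== Schema version: $SchemaVersion; objects changed since $($Cutoff.ToShortDateString()) =="
$RecentSchema | Format-Table -AutoSize
"== Schema Admins members: $($SchemaAdmins.Count) =="
$SchemaAdmins | Select-Object SamAccountName, objectClass
```

Get-ADReplicationFailure and Get-ADReplicationPartnerMetadata query each DC in the domain, so the script needs network reachability to all of them; a DC that cannot be reached at all shows up as an error rather than a row, which is itself worth recording.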
In addition to the helpful info that Antoine, Simone and Geoffrey have shared with you, I would like to point out that one of the most important aspects of Active Directory security to consider is delegation of administration in Active Directory.
In particular, as you may know, in most Active Directory deployments, numerous IT admins and service accounts are granted different levels of access, either because they are delegated some access, or because some access has been provisioned for them.
In this regard, it is very important to know who is delegated what access in Active Directory, because unauthorized elevated access rights in Active Directory could be used to escalate privilege in Active Directory and obtain domain-wide administrative access.
I always recommend performing an Active Directory Access Audit (for more info, just Google "Active Directory Access Audit"). By the way, if you're looking for more information on how to audit elevated access in Active Directory, one of the best tools I know of to do this automatically can be found here.
It is one of those areas of Active Directory security that is often overlooked, but is very important, so I highly recommend performing periodic Active Directory access audits to find out who has what effective access in the Active Directory.
There isn't a system that cannot be broken into.
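The delegation audit discussed in the last post, and the "who can reset whose passwords" question in item 3 of Geoffrey's list, both come down to reading the DACLs on the containers where rights are delegated. The script below is an added example and is not code from the forum post or from any tool mentioned in it. It assumes the RSAT ActiveDirectory module (which provides the AD: drive that Get-Acl reads) and domain read access; the pattern of "expected" principals is an assumption to tune per environment.

```powershell
# Added example (not from the forum post): walk the explicit (non-inherited)
# ACEs on the domain head and on every OU and container (AdminSDHolder is a
# container, so it is covered), and report principals other than the
# built-in administrative ones that can reset passwords, take full control,
# rewrite the DACL or owner, or replicate password hashes. Extended-right and
# class GUIDs are resolved from the directory rather than hard-coded.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$RootDSE  = Get-ADRootDSE
$ConfigNC = $RootDSE.configurationNamingContext
$SchemaNC = $RootDSE.schemaNamingContext

# GUID -> display name for control access rights (e.g. "Reset Password")
$RightName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties rightsGuid, displayName |
    ForEach-Object { $RightName[[guid]$_.rightsGuid] = $_.displayName }

# GUID -> class or attribute name, so an ACE can be reported as applying to "user"
$SchemaName = @{}
Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $SchemaName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-Guid([guid]$Id) {
    if ($Id -eq [guid]::Empty)        { return 'all' }
    if ($RightName.ContainsKey($Id))  { return $RightName[$Id] }
    if ($SchemaName.ContainsKey($Id)) { return $SchemaName[$Id] }
    return $Id.ToString()
}

# True when every bit of $Wanted is present in $Granted (GenericAll is a mask)
function Has([System.DirectoryServices.ActiveDirectoryRights]$Granted,
             [System.DirectoryServices.ActiveDirectoryRights]$Wanted) {
    ($Granted -band $Wanted) -eq $Wanted
}

# Principals whose rights are expected; everything else gets reviewed (assumed list)
$Expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS)$' +
            '|\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers)$'

$Targets = @($Domain.DistinguishedName) + @(
    Get-ADObject -SearchBase $Domain.DistinguishedName `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
        ForEach-Object DistinguishedName
)

$Findings = foreach ($Dn in $Targets) {
    $Acl = Get-Acl -Path "AD:\$Dn"
    foreach ($Ace in $Acl.Access) {
        # Inherited ACEs are reported once, at the object where they were set
        if ($Ace.IsInherited -or $Ace.AccessControlType -ne 'Allow') { continue }
        $Who = $Ace.IdentityReference.Value
        if ($Who -match $Expected) { continue }
        $R   = $Ace.ActiveDirectoryRights
        $Why = $null
        if     (Has $R 'GenericAll')   { $Why = 'GenericAll (full control)' }
        elseif (Has $R 'WriteDacl')    { $Why = 'WriteDacl (can grant itself any right)' }
        elseif (Has $R 'WriteOwner')   { $Why = 'WriteOwner (take ownership, then WriteDacl)' }
        elseif (Has $R 'GenericWrite') { $Why = 'GenericWrite' }
        elseif ((Has $R 'WriteProperty') -and ($Ace.ObjectType -eq [guid]::Empty)) {
            $Why = 'WriteProperty (all attributes)'
        }
        elseif (Has $R 'ExtendedRight') {
            $Name = Resolve-Guid $Ace.ObjectType
            if ($Name -in 'all', 'Reset Password',
                          'Replicating Directory Changes', 'Replicating Directory Changes All') {
                $Why = "ExtendedRight: $Name"
            }
        }
        if (-not $Why) { continue }
        [pscustomobject]@{
            Container = $Dn
            Principal = $Who
            Right     = $Why
            AppliesTo = Resolve-Guid $Ace.InheritedObjectType   # 'user' = every user under this OU
            Inherit   = $Ace.InheritanceType
        }
    }
}

$Findings | Sort-Object Container, Principal | Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path .\delegated-rights.csv
```

A row such as Principal "CORP\Helpdesk", Right "ExtendedRight: Reset Password", AppliesTo "user" on an OU is exactly the "who can reset whose passwords" answer; if that OU also contains administrative accounts, the delegation reaches them too. Group principals in the output still need their membership expanded to get to real people, ACEs set directly on leaf objects are not covered by this container-level pass, and DNs containing characters such as "/" may need escaping before Get-Acl accepts them as a path.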