I too would like to know how to go about systematically identifying security risks to our Active Directory.
We have been asked to establish a project to assess potential risks to our foundational Active Directory deployment, and while we have some ideas, it would be nice to have some input from others as well, as to what might be the best way to approach such an assessment.
One challenge that we face is what depth to aim for in our assessments. Meaning, do we do a cursory assessment of high-level risks, or do we deep dive into specific areas (which could take a long time to do) and do a complete and thorough assessment?
I suppose one of my key questions is how one knows whether one has covered all areas, since Active Directory is such a vast topic and subject.
It is very important to protect Active Directory and a risk assessment is a very good place to start, because it can help identify all the key areas where you need to protect it, and what the deficiencies may be, so you can mitigate them.
I would recommend using professionals to do this though, because the subject area is just so vast that it would take weeks to learn everything pertinent there is to know, and then to start doing the assessment and finding weaknesses. It's one of those things where a specialist could actually save you lots of pain, time and money.
That said, one of the most important places to start is by seeing who all have what administrative access in Active Directory, because their accounts are one of the most critical things to protect, as if someone could compromise these accounts, they would basically have full admin control over your Active Directory.
Thanks for bringing this question up though, as it is certainly very important.
- Geoffrey
Indeed, Active Directory security is a very subject and in my experience, I have found that it is always best to first perform a cursory risk assessment and only after that perform an in-depth risk assessment.
It is also very important to define the boundary of what you wish to cover in your Active Directory risk assessment, because in the absence of a well-defined boundary, it is very easy to get swayed into a host of Windows security aspects that may or may not strictly fall under Active Directory security.
Also, I would tend to agree with Joe that in-depth assessments are best performed by SMEs (Subject Matter Experts), as this is a very broad and arcane area of security. It is nonetheless very important.
/Simone