ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: Privileged Account Management in Active Directory Environments


Newbie

Posts: 4
Date: Aug 5, 2013


Hello Forum,

We are in the process of hardening our internal Active Directory security controls, and as a part of this project, one of the things we are working on is Privileged Account Management in our Active Directory environment.

The priority of this project has recently been raised by management in light of a whitepaper released by Microsoft IT on Active Directory Security. They (management) have requested a status update of current AD security state, as well as assigned some specific projects, including this one, so we are trying to get this done on a priority basis.

We have a decent idea of what this entails, but thought we would get some additional inputs so as to ensure that we're not missing out on any major aspect of this critical AD security control. I would appreciate it if you could look at our list below and let us know if we are missing anything -

1. Secure the Domain Admins, Enterprise Admins and Builtin Admins groups

2. Enumerate complete membership of these privileged AD admin security groups

3. Try to reduce the membership of these groups to minimum possible level

4. Establish secure administrative practices for all members of these groups

5. Identify who can manage (change) these security group memberships

6. Enable auditing of group membership changes for each of these groups

While this may seem like a simplistic list, we are going into sufficient detail in this regard, so I have not mentioned the details, but merely the main points we are looking at.

If anyone feels that we might be missing any big ticket item on this list, kindly share your thoughts. Also, any additional/helpful ideas/thoughts always welcome!

I look forward to and thank you all for your inputs.

-Ken
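
An added example, not part of the post above: one way to cover items 2 and 5 of the list in a single pass, reporting the effective (nested) membership of each privileged group and the allow ACEs on each group object that permit membership changes. It assumes the RSAT ActiveDirectory module, read access to the directory, and a domain that holds all three groups (Enterprise Admins exists only in the forest root domain).

```powershell
# Added example, not from the original post.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Rights that let a trustee change membership directly (WriteProperty, Self)
# or take control of the group object first (WriteDacl, WriteOwner).
# GenericAll and GenericWrite contain these bits, so they match as well.
$adr  = [System.DirectoryServices.ActiveDirectoryRights]
$mask = $adr::WriteProperty -bor $adr::Self -bor $adr::WriteDacl -bor $adr::WriteOwner

$members = @()
$writers = @()

foreach ($name in $groups) {
    $group = Get-ADGroup -Identity $name

    # Item 2: effective membership, with nested groups expanded to leaf accounts.
    $members += Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{n='Group'; e={$name}}, SamAccountName, objectClass, distinguishedName

    # Item 5: allow ACEs on the group object that carry any of the rights above.
    # ObjectType is the attribute or property set the ACE is scoped to:
    #   00000000-0000-0000-0000-000000000000 = not scoped (applies to everything)
    #   bf9679c0-0de6-11d0-a285-00aa003049e2 = the 'member' attribute
    $writers += (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $mask) -ne 0
        } |
        Select-Object @{n='Group'; e={$name}}, IdentityReference,
                      ActiveDirectoryRights, ObjectType, IsInherited
}

# Accounts that currently hold privileged access, directly or through nesting.
$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Trustees able to alter membership or the group's own security descriptor.
$writers | Sort-Object Group, IdentityReference | Format-Table -AutoSize
```

Trustees in the second table that are themselves groups need the same membership expansion before the list of who can change membership is complete.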


