Securing and Auditing Windows Active Directory (Part 1)

by [Published on 30 April 2014 / Last Updated on 30 April 2014]

This article series discusses securing and auditing your Windows environment.

If you would like to be notified of when Derek Melber releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Introduction

I have a mission! I want to ensure that all auditors, network admins, security professionals, and anyone related to a Windows network understand the importance, details, and tasks required to secure and audit their network. We are now in the year 2013 and I still find the most basic tasks are overlooked, ignored, or not understood. We should have systems, procedures, and understanding on how to properly audit Windows Active Directory and Windows servers, as well as network admins that don’t only care about up time, but also care about security. I am not saying that we are at 100% failure. Nowhere near that! However, we in the IT security field get paid well above average and I feel that it is our duty to do our job to the fullest. This series of articles is designed to fill in gaps, open eyes, and force you to think out of the box when it comes to securing and auditing your Windows environment. It will be detailed where details are necessary and high level when that is appropriate. There is no right or wrong answer when it comes to security, but there is usually a “better” answer overall.

Get Mentally Prepared to be an Active Directory Admin

Being an Active Directory admin for much of my life, I feel I can talk to this. Active Directory has not changed much in the past 13 years. Yes, there have been some great changes, but when it comes down to actually managing an existing Active Directory domain or forest of domains, the process has not changed much.

Given that there have not been all that much in the form of changes, the core Active Directory concepts need to be understood and managed well in order for Active Directory to be stable and secured. Here are some concepts that every Active Directory domain admin need to understand!

  • NetBIOS name vs DNS name of the domain
  • How domain, child domain, tree, and forest concepts work together
  • How Active Directory replication works between domain controllers
  • What is replicated between domain controllers and what is unique for each DC
  • What the Default Domain Controllers Group Policy Object (GPO) does by default
  • What the Default Domain GPO does by default
  • What an Active Directory Site is and how DCs, replication, and Active Directory access plays a role
  • What Group Policy can do to manage users
  • What Group Policy can do to manage computers
  • How Group Policy, organizational units, and location of user/computer objects function together
  • What delegation of administration within Active Directory means
  • How to manage delegation of administration within Active Directory
  • What a trust relationship is and what the difference is between internal and external trusts

I could create a list ten times this size, but I think you get my drift! Active Directory is big, huge, and complex. In order to do your job well, you need to take the time to get educated and keep up with the changes. Here are some concepts that have come “after” the initial version of Active Directory that all Active Directory admins should at least know about:

  • Forest level trust
  • Functional levels
  • Fine Grained Password Policies
  • Tombstone reanimation
  • Recycle Bin
  • PowerShell

Again, this list can be expanded, but if you are not aware of these concepts, you need to be!

Get Mentally Prepared to be an Active Directory Auditor

I have been involved with the auditing community for years now. I will admit that I was not the most “educated” auditor in the world. I was an Active Directory admin by trade and coming to the audit world was a bit of a shock. I was able to produce a series of books to help auditors understand Active Directory and Windows servers, which have been very successful. Not only did I provide these books, but I have been teaching auditors for years and finally created www.auditingwindowsexpert.com to help support this community.

As an internal or external auditor that is responsible for auditing Windows Active Directory and Windows servers, you can’t just “sorta know” what you are talking about. In a similar vane as the admins that I just challenged, auditors need to have a core set of knowledge in order to audit Windows. At a minimum, auditors need to know the following as a base for auditing Windows:

  • What domain controllers do for Active Directory
  • What domain, tree, forest, organizational unit, and site mean
  • How the default password policy is deployed for Active Directory users
  • What a trust relationship is and what access it provides by default
  • How an organizational unit is different from a group
  • What Group Policy is used for and why it is so important for Active Directory
  • What a user right is
  • Why every service pack and patch can’t be installed
  • What the Security Accounts Manager (SAM) is for a server and workstation
  • Why a GPO report can’t be used for the audit

I would say there are about 30 to 35 moving parts of Active Directory and Windows servers that every auditor needs to understand at a very high level. Not the level to administer the settings, but to know the importance of the settings enough to audit them.

Not only does an auditor need to be knowledgeable about these concept, but auditors need to be flexible when it comes to tools and reports. A service I have been providing for years (more so lately) is helping internal audit teams with windows audits. I find that most audit departments rely on the administrators to provide them with good quality reports, but that is just not acceptable. I find that it is not acceptable for a few reasons. First, admins are busy and should not be responsible for deciding which tools and reports are required for the audit. Second, auditors need to know what to ask for, which tool(s) are acceptable, which tools are available, and what format each report should be in. Here are some tools that I find most companies have for auditing:

  • DumpSec
  • Hyena
  • Built-in tools (ADUC, ADDT, services.msc, secpol.msc, etc)
  • PowerShell
  • WSUS
  • Dell/Quest tools
  • VMWare tools

Almost every consulting project I work on requires that I investigate the tools and then decide on which tool(s) to use to gather the information. This is not up to the admin, but rather the auditor.

Summary

Securing and auditing Windows is not a part time job. It is a full time job and I hope everyone reading this understands why. If you don’t… let me refresh your memory of why!

  • Bradley “Chelsea” Manning
  • RSA tokens
  • Oak Ridge Laboratories
  • Facebook and Mark Zuckerberg
  • Sony Playstation

We are under attack every day. We are not under attack only from outside, but the majority of our attacks are from within! That means that our own employees are attacking us. This means we must secure the internal network (Active Directory) fully, so that we are at a lower risk at a s successful attack. Not securing and ensuring the security of our networks (auditing) is appropriate is asking for an attack! In our future articles we will discuss how admins and auditors need to work together, which settings need to be secured, which controls need to be audited, and much more! If you need help with an audit, please visit www.auditingwindowsexpert.com or email me at Derek@derekmelber.com.

If you would like to be notified of when Derek Melber releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

Featured Links