-
User Accounts
Include the domain user account of every individual who has Read or Modify access to any IT asset that falls under the purview of the applicable regulation.
For instance, in the case of SOX compliance, domain user accounts of all individuals who can read or modify or authorize changes to material financial information (e.g. residing in a file / database / other medium) such as financial earnings reports and the like, must be included in your assessment.
Typical examples include the Chief Financial Officer's (CFOs) and the Financial Controller's user account etc.
-
Security Groups
Include every domain security group that is being used to provision access to any IT asset that falls under the purview of the applicable regulation.
For instance, in the case of SOX compliance, if in a fictional organization, a fictional group called Financial Controllers was being used to provision access to a financial database (or to a file server etc.) that contains material information (such earnings release numbers), this group must be included in the assessment.
Certain organizations may, at their discretion, additionally choose to include vital administrative groups such as Domain Admins etc. that have administrative access over the entire IT infrastructure, in their assessment.
-
Domain Root Object
The domain root object of every domain that contains a user account that falls under the assessment purview must be included, so as to cover the security of specific user authentication policies protecting these user accounts.
In particular, user authentication policies that govern the protection afforded to user passwords and account lockouts needs to be included. These policies include Maximum Password Age, Minimum Password Age, Account Lockout Duration, Account Lockout Threshold and Account Lockout Observation Window.
These policies need to be included because if mis-configured, whether accidentally, intentionally or maliciously, they could weaken the security afforded to domain user accounts and consequently weaken and jeopardize the security afforded to material information that falls under the purview of a stipulated regulation.
The Domain Root object needs to be included because these policies are stored as attributes of this object.
-
Organizational Units (OUs)
Include every OU within which reside the computer accounts of those computers on which IT assets (files, databases etc.) that fall under the purview of the applicable regulation are stored.
For instance, in the case of SOX compliance, if in a fictional organization, a fictional server named Financial Server hosts a database or an application that contains material information (such as confidential earnings release numbers), then the OU in which the computer account of this server resides must be included in the assessment.
The is because anyone who can modify group policies linked to this OU could in effect modify this host's security policy and consequently modify the security protecting material information residing on this server.
-
Service Connection Points [Optional]
Organizations need to include service connection points (SCPs) only if there exist one or more specific applications in their environment that store or protect (or play a role in provisioning access to) material information that falls under the purview of a stipulated regulation.
In such cases, SCPs need to be included, because the enactment of certain administrative tasks on these SCPs could lead to a denial-of-service attack or result in a situation where clients could be maliciously redirected to fake versions of the service, in effect weakening the security afforded to material information.
The decision as to whether or not to include SCPs in the compliance assessment scope is discretionary.
The following administrative tasks should be covered in a regulatory compliance report that documents the grant of access rights in Active Directory –
| AD Object |
Administrative Task |
Why Task Must Be Included In Assessment |
| . |
1. Create a user account |
Create account with spurious name & request to be granted access to sensitive IT assets |
| . |
2. Delete the user's account |
Prevent a user from carrying out vital functions essential to maintaining security on IT assets |
| User Accounts |
3. Reset the user account's password |
Take over the user's identity to obtain access to sensitive IT assets, violating their security |
| . |
4. Disable the user's account |
Prevent a user from carrying out vital functions essential to maintaining security on IT assets |
| . |
5. Unlock the user's account |
Subvert account protection mechanisms and increase likelihood of compromising account |
| . |
| . |
1. Create a security group |
Create group with misleading name, causing users to use it to protect sensitive assets |
| . |
2. Delete a security group |
Jeopardize security afforded to all IT assets currently being protected by security group |
| Security Groups |
3. Modify a security group's membership |
Obtain access to all IT assets to which the security group is currently provisioned access |
| . |
4. Modify a security group's scope |
Jeopardize security afforded to all IT assets currently being protected by security group |
| . |
5. Modify a security group's type |
Jeopardize security afforded to all IT assets currently being protected by security group |
| . |
| . |
1. Change the maximum password age |
Increase the amount of time that attackers have to attempt to crack domain passwords |
| . |
2. Change the minimum password age |
Weaken password security by allowing users to rapidly recycle their passwords |
| Domain Root |
3. Change the account lockout duration |
Reduce amount of time an account remains locked, increasing password crack attempts |
| . |
4. Change the account lockout threshold |
Increase number of failed password attempts, to increase opportunity to crack passwords |
| . |
5. Change acct lockout observation window |
Reduce amount of time after which account's failed logon attempt counter is reset to 0 |
| . |
| . |
1. Create an organizational unit |
Create unauthorized user accounts, security groups and SCPs to jeopardize security |
| . |
2. Delete an organizational unit |
Delete all accounts and groups residing in OU that are used to protect sensitive IT assets |
| OUs |
3. Change list of linked group policies |
Modify (possibly weaken) the security policy protecting computers that reside in the OU |
| . |
4. Disable linked group policies |
Modify (possibly weaken) the security policy protecting computers that reside in the OU |
| . |
5. Change linked group policy precedence |
Modify (possibly weaken) the security policy protecting computers that reside in the OU |
| . |
| . |
1. Create a service connection point |
Redirect clients to a spurious instance by setting same keywords as an existing service |
| . |
2. Delete a service connection point |
Deny service to clients by making a specific instance of the service undiscoverable |
| SCPs |
3. Change a SCP's keywords |
Redirect clients to a spurious instance and/or make specific service instance undiscoverable |
| . |
4. Change a SCP's DNS Name |
Redirect clients to a spurious instance and/or make specific service instance undiscoverable |
