Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security



How to Audit Security in Active Directory

Organizations can reliably generate Active Directory audit reports by following a simple 3-step process –


Step 1 – Identify the Active Directory domain to audit.

Step 2 – Identify the reports you wish to generate as a part of your audit.

Step 3 – Proceed to generate these identified reports as specified below.

        NOTE – Compile your assessment in the form of an audit report.



The process of auditing Active Directory can be performed manually or via an automated solution –


Option 1 – Manually Audit Active Directory
    (Approximate time needed – 2 hours)


  1. Open a Command Prompt

    (To do so, click on Start, then click on Run, then type "cmd" in the box and finally press Enter)
  2. To generate security reports, download dsquery.exe and then type dsquery to view its usage options.
  3. For each security report you wish to generate, determine and specify the corresponding LDAP filter.
  4. For each security report, run dsquery.exe with the appropriate LDAP filter and any required flags.
  5. For each security report, copy output to Clipboard.
  6. For each security report, paste output into text file.
  7. After you have done so for each security report, assimilate outputs of all reports into a single file.
  8. Type Exit to close the Command Prompt
  9. In order to generate access reports, substantial additional time and expertise will be required.

    The precise details are complicated, but following are some helpful pointers to take into account.

    For each object in your Active Directory, proceed to analyze its access control list, as follows –

    1. A recommended starting point is to figure out if there are any Deny permissions specified.
    2. Then, look for any Allow permission entries that seem to conflict with Deny permissions.
    3. Meticulously intersect every set of effective conflicting permissions, keeping in mind that Explicit permissions override Inherited ones.
    4. Expand every group membership specified in every relevant ACE, as users could belong to multiple groups with conflicting permissions.
    5. Dynamically evaluate the membership of every well-known SID encountered in ACEs.
    6. Check the Schema to determine whether authorized object creations are in fact permissible.
    7. In this manner, include every relevant detail to precisely simulate a real access check.
    Upon completion of this step, you will have determined one entry of your access report, i.e. who can do what on this object.

    To complete the generation of your access reports, repeat the process of ACL analysis on all objects in your domain.
  10. After you are done, assimilate your access report results with your security report results to obtain a complete audit report.
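
The ACL analysis in step 9 can be sketched as follows. This is an added example, not code from this site or from any tool it describes. It assumes ACEs are evaluated in the Windows canonical order (explicit deny, explicit allow, inherited deny, inherited allow), and the users, groups and right labels are constructed for illustration.

```python
# Added example: simplified access-check model. Not modelled: object-specific ACEs, owner rights, schema.
from collections import namedtuple

# trustee: user or group; kind: "allow"/"deny"; rights: set of labels; inherited: from a parent object.
Ace = namedtuple("Ace", "trustee kind rights inherited")

def expand_groups(user, member_of):
    """Return the user plus every group reached through nested membership."""
    seen, stack = set(), [user]
    while stack:
        principal = stack.pop()
        if principal not in seen:
            seen.add(principal)
            stack.extend(member_of.get(principal, ()))
    return seen

def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "deny"))

def effective_rights(user, acl, member_of, well_known=()):
    """Walk the ACL in order; the first matching ACE to mention a right decides it."""
    token = expand_groups(user, member_of) | set(well_known)
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee in token:
            undecided = ace.rights - granted - denied
            (denied if ace.kind == "deny" else granted).update(undecided)
    return granted

def access_report_entry(acl, users, member_of, well_known=()):
    """One access-report entry: who can do what on this object."""
    entry = {u: sorted(effective_rights(u, acl, member_of, well_known)) for u in users}
    return {user: rights for user, rights in entry.items() if rights}

# Constructed sample data (hypothetical users, groups and right labels).
MEMBER_OF = {"alice": ["Helpdesk"], "bob": ["Helpdesk", "Contractors"],
             "carol": ["Tier2"], "Tier2": ["Helpdesk"]}
ACL = [
    Ace("Helpdesk", "allow", {"ResetPassword", "ReadProperty"}, True),
    Ace("Contractors", "deny", {"ResetPassword"}, True),
    Ace("Tier2", "allow", {"WriteProperty"}, False),
    Ace("Authenticated Users", "allow", {"ReadProperty"}, True),
    Ace("Helpdesk", "deny", {"WriteProperty"}, True),
]

if __name__ == "__main__":
    print(access_report_entry(ACL, ["alice", "bob", "carol", "dave"], MEMBER_OF,
                              well_known=["Authenticated Users"]))
```

In the sample, carol keeps WriteProperty because her explicit Allow through Tier2 is evaluated before the inherited Deny on Helpdesk, while bob loses ResetPassword to the inherited Deny on Contractors.
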
Option 2 – Use an Automated Solution
    (Approximate time needed – 2 minutes)


  1. Launch Gold Finger.

    (To do so, click on Start, then click on Programs, then on Paramount Defenses, then on Gold Finger)
  2. Activate Print Mode by pressing Alt-P.
  3. Specify the scope of your audit by entering the distinguished name of the target AD domain.
  4. Select the reports you wish to generate for your IT audit, from over 425 Security and Access Reports.
  5. Press Enter or click the Gold Finger button.
  6. Click on View Report to view and print your 100% complete and accurate Active Directory audit report.
Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved