Active Directory Security Assessment (ADSA)
An in-depth review of Active Directory configurations and Group Policy Object (GPO) settings to enhance security for in-scope domains, including their Organizational Units (OUs), groups, computers, users, and service accounts. Illumant employs automated GPO analysis tools and detailed manual reviews to deliver recommendations aimed at strengthening your Active Directory implementation.
Illumant analyzes Active Directory from a variety of perspectives to evaluate both the security of the AD implementation itself and the security AD provides to users, computers, and the organization as a whole:
Classification of Users and Groups: Privileged vs. Unprivileged
- Illumant evaluates multiple factors for each AD group to identify privileged access, which is especially beneficial in environments with numerous groups.
- Group classification directly assists in determining user privileges based on group memberships. Advanced techniques ensure accurate group membership resolution, even with deeply nested groups.
Discovery of Sensitive Information:
- Illumant routinely identifies sensitive information such as passwords or encryption keys within accessible sections of Active Directory, even in mature deployments.
Review of GPO Permissions:
- Identification of sensitive GPOs potentially modifiable by low-privileged users, posing a risk of privilege escalation.
- Analysis of inactive accounts or accounts needing password updates based on inactivity or password age.
Comparison Against Industry Best Practices:
- Password complexity and rotation
- Account management practices
- Group Policy Object (GPO) configurations
- Kerberos configurations
- System configuration standards
- Network vulnerability management
- Other relevant security practices
Case Study - Fortune 500 Company
Our client has a sprawling Active Directory implementation that has grown organically over time to include ~30,000 users and service accounts, and over 100,000 groups ...
Assessment Highlights
- Comprehensive Active Directory (AD) configuration review
- Detailed analysis of Group Policy Object (GPO) settings
- Automated benchmarking for efficiency
- Expert manual validation of findings
- Comparison with industry-standard security best practices
- Detailed evaluation of Organizational Units (OUs), groups, users, and computers
- Prioritized severity classification for identified risks
- Clear, actionable remediation recommendations
Targets
- Active Directory
- GPO Settings
- Domain controllers
- Domains
- Forests
- OUs
- Groups
- Users
- Service accounts