Active Directory Security Assessment (ADSA)

In-depth review of Active Directory configuration and GPO settings that drive security for in-scope domains and their affiliated OUs, groups, computers, users, and service accounts. Illumant uses automated GPO settings analysis tools along with manual reviews of the findings and the domain configurations themselves to develop recommendations to improve the security of AD implementations.


Illumant analyzes the Active Directory from a variety of perspectives in order to evaluate the security of the AD implementation, and the security AD provides to users, computers, and the organization as a whole:


Classification of users and groups as privileged or unprivileged

  • Illumant observes a variety of factors of each group in AD to determine whether or not it has above-average privileges. This is very useful when there are hundreds or thousands of groups.
  • Once the groups are classified, we can use that information to determine which users are privileged or not based on their group membership. Due to cutting-edge analysis techniques, it is possible to determine a user's complete group membership even when extreme nesting of groups has taken place.
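
The second step above, as an added example rather than Illumant's own tooling: given groups already classified as privileged, it walks nested membership to list each privileged user together with the chain of groups that grants the privilege, and it tolerates circular nesting. The group names, users, and the `MEMBERS` / `PRIVILEGED_GROUPS` structures are constructed for illustration, and every group is assumed to appear as a key in the membership map.

```python
from collections import deque

# Constructed sample data (not from a real directory): group -> direct members.
# A member is treated as a group if it appears as a key (assumption).
MEMBERS = {
    "Domain Admins": ["G-ServerOps", "alice"],
    "G-ServerOps": ["G-Tier2", "bob"],
    "G-Tier2": ["G-Helpdesk", "carol"],
    "G-Helpdesk": ["G-Tier2", "dave"],  # circular nesting with G-Tier2
    "G-Printers": ["erin", "dave"],
}
# Assumption: the classification step already marked these as privileged.
PRIVILEGED_GROUPS = {"Domain Admins"}


def privileged_users(members, privileged_groups):
    """Return {user: chain} for every user who reaches a privileged group.

    Breadth-first walk down from each privileged group, so the recorded
    chain is a shortest nesting path. The visited set keeps circular
    nesting from looping forever.
    """
    found = {}
    for root in sorted(privileged_groups):
        queue = deque([(root, [root])])
        visited = {root}
        while queue:
            group, chain = queue.popleft()
            for member in members.get(group, []):
                if member in members:  # nested group: descend once
                    if member not in visited:
                        visited.add(member)
                        queue.append((member, chain + [member]))
                elif member not in found:  # user: record the granting chain
                    found[member] = chain + [member]
    return found


if __name__ == "__main__":
    result = privileged_users(MEMBERS, PRIVILEGED_GROUPS)
    for user, chain in sorted(result.items()):
        print(f"{user}: {' -> '.join(chain)}")
```

The chain is what makes the result actionable: it shows which intermediate group to fix when a user turns out to be privileged only through nesting.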


Discovery of sensitive information hidden deep within world-readable portions of the AD implementation

  • Illumant has a history of finding things like passwords or private encryption keys, even in mature AD deployments.


Review of GPO permissions

  • It is not uncommon to discover sensitive GPOs which are modifiable by low-privilege users, resulting in privilege escalation.


Identifying accounts which are candidates for removal due to factors such as the last time the account was logged in to or had its password changed


Comparison against best-practices:

  • Password complexity / rotation
  • Account usage
  • GPO settings
  • Kerberos configuration
  • System configuration
  • Network-based vulnerabilities
  • And more ...

Case Study - Fortune 500 Company

Our client has a sprawling Active Directory implementation that has grown organically over time to include ~30,000 users and service accounts, and over 100,000 groups ...




Highlights

  • Review of AD configurations
  • Review of GPO Settings
  • Automated benchmarking
  • Manual review
  • Comparison against best-practices
  • Review of OUs, groups, users, computers
  • Classification of severity of findings
  • Remediation recommendations

Targets

  • Active Directory
  • GPO Settings
  • Domain controllers
  • Domains
  • Forests
  • OUs
  • Groups
  • Users
  • Service accounts


Detailed Description
An Active Directory structure consists of one or more forests, each of which can contain a complex collection of interrelated Domains, Organizational Units, Groups, Users, Computers and Service Accounts. GPO settings drive and constrain the interactions between these elements, and are ultimately responsible in large part for the security of a Microsoft computing environment.

The ADSA involves an in-depth review of AD configurations and GPO settings in comparison with best-practices, to identify security weaknesses that could open up internal networks to attack propagation and unnecessary internal threats. Illumant also reviews OU and group membership to identify potential risks, as well as key properties of users, computers and service accounts to ensure maximal security.

Illumant runs automated GPO settings and AD analysis tools to gather preliminary information. This is supplemented by manual reviews of the automated findings along with manual reviews of the settings themselves in order to identify additional issues and weaknesses.

Based on the findings, Illumant prepares a report highlighting recommended changes to GPO settings and AD configuration that will serve to improve the security of Active Directory infrastructure and the network as a whole.