ADSA

Trimarc’s focus on Active Directory and Windows platform security means we are uniquely positioned to improve enterprise Active Directory and Windows platform security. We work with a wide range of customers, from government to private companies to educational institutions, and have evaluated their Active Directory security posture and provided security recommendations and solutions. We have also implemented these recommendations, greatly improving system security.


Active Directory Security Assessment

Trimarc performs an Active Directory Security Assessment (ADSA) at the customer’s site (or remotely, as appropriate) in order to assess known security configuration issues. The ADSA involves document review, discussions with staff, running scripts and tools, and/or manual review of the Active Directory configuration and settings. The assessment process has three primary phases: 1) gathering data from the environment; 2) interpreting the results; and 3) completing the assessment report.

Trimarc approaches this process as a partner and is fully committed to providing Active Directory security guidance that makes it more difficult for an attacker to gain access to the “crown jewels” on the network. This interactive assessment is meant to help answer questions about current and future project plans relating to AD security, supporting both short-term and long-term planning. Furthermore, Trimarc will model typical attacker methods and how they apply to the network, identifying the areas of concern and how best to mitigate them.

Benefits:

  • A snapshot of the Active Directory security configuration at a point in time.

  • Identification of the most common and effective attack vectors and how best to detect, mitigate, and prevent them.

  • Tailored recommendations focused on leveraging existing technology investments to improve the enterprise security posture.

  • Active Directory security best practices customized to align with business process and requirements and minimize impact.

  • As part of the report’s executive summary, the top security issues are highlighted and described, along with the best method to mitigate/resolve the issues.

  • All discovered issues are detailed in the report along with effective impact and recommended remediation.

  • The final section of the document summarizes all of the identified issues along with mitigation/resolution recommendations which can be used to develop a plan of action.


Key Security Assessment Components:

  • Active Directory forest and domain configuration. This includes evaluating the current Domain and Forest functional levels and identification of security enhancements in the current and higher levels.

  • Active Directory security misconfigurations are highlighted and recommended remediation/mitigation is provided specific to the environment (with the understanding that often these issues can’t be fully resolved in the near term).

  • Active Directory trust configuration and security.

  • Active Directory administration groups. This includes Enterprise Admins, Administrators, Domain Admins, custom delegation groups, and others as identified. Groups with logon rights to Domain Controllers are scrutinized and membership is expanded to gain a complete picture of the Active Directory administrators.

  • Custom security groups with privileged access to Active Directory are discovered and their access rights identified.

  • Group Policy security configuration for the domain and Domain Controllers.

  • Permissions for all Group Policy Objects (GPOs) are reviewed and issues with the delegation of GPOs are noted along with recommended remediation.

  • Service accounts with elevated permissions. Identification of Kerberos-enabled services and their associated service accounts, with special focus on service accounts holding domain-level admin rights.

  • Domain Controller management review including Operating System versions, patching, backup, server lifecycle management, and FSMO role holder locations.

  • Security software and tools. The deployed security components and their purpose are identified, and this information is used to find potential gaps in defenses that an attacker could leverage.

  • Active Directory organizational unit (OU) permissions with a focus on top-level domain OUs. Additional Active Directory object permissions are reviewed to identify potential “backdoor” access which is not obvious based on group membership.

  • Identify Domain Controller auditing configuration and determine what event IDs will flow to the central logging system (SIEM/Splunk). Provide recommendations for Domain Controller auditing and what specific event IDs should be sent to the central logging system in order to detect attacker activity.

  • Provide broad recommendations for all Windows system auditing (specific event IDs) that should be forwarded to the central logging system (SIEM/Splunk).
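The administration-group review above (expanding nested membership of Enterprise Admins, Domain Admins and Administrators, plus any custom delegation groups) can be reproduced as a defender-side inventory. The following is an added example, not Trimarc’s own tooling; it assumes the RSAT ActiveDirectory module, read access to the forest, and queries the global catalog (port 3268) so members nested from other domains in the forest still resolve.

```powershell
# Added example: recursively expand AD administration group membership.
# Assumes the ActiveDirectory module is installed and the caller can read the directory.
Import-Module ActiveDirectory

# Query the global catalog so cross-domain nested members resolve without per-domain hops.
$gc = "$((Get-ADForest).Name):3268"

function Expand-ADGroupMembership {
    param(
        [Parameter(Mandatory)] [string]$GroupDN,
        [string]$Path = '',
        [System.Collections.Generic.HashSet[string]]$SeenGroups =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    # Walk the 'member' attribute directly instead of Get-ADGroupMember -Recursive,
    # which aborts when it meets foreign security principals from trusted domains.
    $group = Get-ADGroup -Identity $GroupDN -Properties member -Server $gc
    $here  = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName -Server $gc
        if ($obj.objectClass -eq 'group') {
            # Recurse once per group; the set guards against circular nesting.
            if ($SeenGroups.Add($memberDN)) {
                Expand-ADGroupMembership -GroupDN $memberDN -Path $here -SeenGroups $SeenGroups
            }
        } else {
            # Emit every path that grants the right, so duplicate users via different chains stay visible.
            [pscustomobject]@{
                Member      = $obj.sAMAccountName
                ObjectClass = $obj.objectClass      # user, computer, msDS-GroupManagedServiceAccount, foreignSecurityPrincipal ...
                Via         = $here                 # nesting chain from the privileged group down to this member
                DN          = $memberDN
            }
        }
    }
}

# Built-in privileged groups; Enterprise Admins lives only in the forest root domain.
$domain  = Get-ADDomain
$rootDom = Get-ADDomain (Get-ADForest).RootDomain
$targets = @(
    "CN=Enterprise Admins,CN=Users,$($rootDom.DistinguishedName)",
    "CN=Domain Admins,CN=Users,$($domain.DistinguishedName)",
    "CN=Administrators,CN=Builtin,$($domain.DistinguishedName)"
)
$targets | ForEach-Object { Expand-ADGroupMembership -GroupDN $_ } |
    Sort-Object Via, Member | Format-Table Member, ObjectClass, Via -AutoSize
```

Custom delegation groups and groups granted logon rights on Domain Controllers can be appended to `$targets` as they are discovered; any `foreignSecurityPrincipal` rows point at trust paths worth reviewing alongside the trust configuration.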

AD Assessment Report
The final report provides key information on the AD environment, is specific to the environment, and is typically over 200 pages. The document includes an executive summary which can be shown to management and summarizes what was discovered along with the potential impact. The primary report sections each include findings and recommendations which are all captured in the final section. The final section of the report is a summary of the AD environment issues and recommendations which simplifies the remediation process. Furthermore, this section includes a table highlighting the most critical findings and recommended remediation actions, levels of criticality, and estimated level of effort (all of which are specific to the environment assessed) and is often used to generate a remediation project plan. Report data detail is included in an appendix and referenced from each of the relevant sections. Recommendations for domain and Domain Controller security settings are provided along with recommended event log auditing configuration at the end of the document.

Our key differentiator is that we provide a report specific to the customer environment. Furthermore, the issues we look for are based on Sean Metcalf’s Active Directory security research, some of which is not public knowledge.


High-Level Sample Report Outline:

  • Executive Summary

    • Introduction

    • Active Directory Security Best Practices

    • Microsoft Active Directory Security Reference Documents

  • Active Directory Overview

  • Existing Active Directory Architecture

  • Active Directory Administration, Permissions, & Rights

  • Configuration Management, Security Controls, & System Config

  • Domain Controller Security Configuration

  • Audit Policy Configuration

  • Active Directory Security Findings & Recommendations

  • Additional Report Detail

    • Account Reports

    • OU Reports

    • Group Policy Reports

    • Recommended Configuration

  • Resources & References


Trimarc provides a variety of security solutions customized to meet each organization’s specific security needs and concerns. Please Contact Us for more information on how we can help you!