
Monday, March 5, 2007

Security Settings to Audit Active Directory

To discover incorrect security settings you typically need an internal or external security audit. When there is only a short amount of time, here are five of the more important security settings that should be audited in a Windows Active Directory enterprise to protect your computers, and your investment in them, at the highest level.

Windows Active Directory Security:

Each of the following settings, if configured correctly, helps protect against standard attacks launched on Windows environments, such as password guessing and the abuse of privileged group membership.

1. Password Policies:

Password policies for an Active Directory domain are initially configured in the Default Domain Policy Group Policy Object (GPO). On domains at the Windows Server 2008 functional level or later, fine-grained password policies can override these values for specific users and groups, so include those in the audit as well.

Check your organization's security policy to determine what these values have been set to for your enterprise. If they have not been set, here are some recommended ranges (treat the low end of each range as a floor rather than a target; longer passwords are stronger):

Password Policy Setting: Recommended Value Range

Enforce password history: 12 to 24 passwords remembered
Maximum password age: 30 to 90 days
Minimum password age: 1 to 3 days
Minimum password length: 7 to 14 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption: Disabled

2. Account Lockout Policy:

Account lockout policy controls what happens when a user, or an attacker guessing passwords, repeatedly fails to authenticate with an account.

The following table gives best-practice values for these settings; durations are in minutes:

Account Lockout Policy Setting: Recommended Value Range

Account lockout duration: 9999 minutes (this can also be set to a lower number, such as 5, but should never be 0, which keeps the account locked until an administrator unlocks it)
Account lockout threshold: 3 to 5 invalid logon attempts
Reset account lockout counter after: 9999 minutes

Windows requires the reset counter to be less than or equal to the lockout duration, so if you lower the duration, lower the reset counter with it. Keep in mind that a low threshold also lets an attacker lock out accounts on purpose, which is why a finite duration is preferred over 0.

These settings are stored in the Default Domain Policy GPO. Audit them there, with a tool such as DUMPSEC, or from a domain controller's Local Security Policy, which shows the values in effect for domain accounts.
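The audit of sections 1 and 2 can be scripted. The following PowerShell is an added example and not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain. The function names and the pass/fail ranges, which are the ranges from the two tables above, are this example's own.

```powershell
# Added example (not from the original post): compare the effective domain password
# and account lockout policy with the recommended ranges in the tables above.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

function Test-InRange($Value, $Min, $Max) { ($Value -ge $Min) -and ($Value -le $Max) }

function New-AuditRow([string]$Setting, $Value, [string]$Expected, [bool]$Ok) {
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Expected = $Expected
                       Status  = $(if ($Ok) { 'OK' } else { 'CHECK' }) }
}

function Test-DomainAccountPolicy {
    param(
        # Domain to audit; defaults to the domain this computer belongs to.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $pol = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Age and lockout values come back as TimeSpans; compare them in days / minutes.
    # A maximum age of 0 means "never expires" and a lockout duration of 0 means
    # "locked until an administrator unlocks"; both fall outside the ranges and are flagged.
    $maxAge  = $pol.MaxPasswordAge.TotalDays
    $minAge  = $pol.MinPasswordAge.TotalDays
    $lockDur = $pol.LockoutDuration.TotalMinutes
    $lockWin = $pol.LockoutObservationWindow.TotalMinutes

    New-AuditRow 'Enforce password history'                   $pol.PasswordHistoryCount '12 to 24'      (Test-InRange $pol.PasswordHistoryCount 12 24)
    New-AuditRow 'Maximum password age (days)'                $maxAge                   '30 to 90'      (Test-InRange $maxAge 30 90)
    New-AuditRow 'Minimum password age (days)'                $minAge                   '1 to 3'        (Test-InRange $minAge 1 3)
    New-AuditRow 'Minimum password length'                    $pol.MinPasswordLength    '7 to 14'       (Test-InRange $pol.MinPasswordLength 7 14)
    New-AuditRow 'Password must meet complexity requirements' $pol.ComplexityEnabled    'Enabled'       ([bool]$pol.ComplexityEnabled)
    New-AuditRow 'Store password using reversible encryption' $pol.ReversibleEncryptionEnabled 'Disabled' (-not $pol.ReversibleEncryptionEnabled)
    New-AuditRow 'Account lockout threshold'                  $pol.LockoutThreshold     '3 to 5'        (Test-InRange $pol.LockoutThreshold 3 5)
    New-AuditRow 'Account lockout duration (minutes)'         $lockDur                  '1 to 99999'    (Test-InRange $lockDur 1 99999)
    New-AuditRow 'Reset lockout counter after (minutes)'      $lockWin                  '1 to duration' ((Test-InRange $lockWin 1 99999) -and ($lockWin -le $lockDur))
}

function Get-OverridingPasswordPolicies {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Fine-grained password policies (Windows Server 2008 and later) override the
    # Default Domain Policy for the users and groups they apply to, so auditing only
    # the default policy can miss a weaker policy scoped to a privileged group.
    Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold,
                      ComplexityEnabled, ReversibleEncryptionEnabled, AppliesTo
}

# Usage: one row per setting, then any fine-grained policies that override them.
Test-DomainAccountPolicy        | Format-Table -AutoSize
Get-OverridingPasswordPolicies  | Format-Table -AutoSize
```

Any row marked CHECK is either outside the recommended range or one of the special zero values; the last row also enforces the rule that the reset counter cannot exceed the lockout duration.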


3. Enterprise Admin Group Membership:

Enterprise Admins is an essential group for an Active Directory forest. Its members can make forest-wide ("enterprise") changes, such as adding domains and configuring sites and trusts.

Members of this group also have control over all user accounts, group accounts, and computer accounts in every domain of the forest.

The group exists only in the forest root domain, so that is the one domain where you need to audit it. Membership should be limited to a very few administrators; better still, keep the group empty on a daily basis and add an administrator only for the duration of a task that requires it.

DUMPSEC does an excellent job of auditing this group. You can also use Active Directory Users and Computers to view the users and groups that are members; remember that members of a nested group inherit the privilege, so check nested membership too.

4. Schema Admins Group Membership:

Members of the Schema Admins group can modify the Active Directory schema, which affects every domain in the forest. Like Enterprise Admins, this group exists only in the forest root domain.

This group should have no members on a daily basis; add an administrator only while a schema change is being made (for example, the schema extension an application installer requires), then remove the account again. By limiting or eliminating the members, schema changes can be better managed and controlled.

5. Domain Admins Group Membership:

The one group that has global control over all users, groups, and computers in a single domain is the Domain Admins group; every domain in the forest has one. This group is very powerful and is used on a daily basis, so its membership should also be limited, though typically it is not empty. Audit it in each domain and compare the member list against the administrators your organization has actually approved.
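The membership checks from sections 3, 4 and 5 can be run together. The PowerShell below is an added example and not the post's own code; it assumes the ActiveDirectory module and read access to both the forest root domain and the current domain, and the approved-administrator names in it are placeholders to replace with your own records.

```powershell
# Added example (not from the original post): list the members of Enterprise Admins,
# Schema Admins and Domain Admins and flag what the text says should not be there.
# Assumes the ActiveDirectory (RSAT) module and read access to the forest root domain
# and the current domain. Approved names below are placeholders.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAudit {
    param(
        # sAMAccountNames your organization has approved for Domain Admins (placeholders).
        # The built-in Administrator account is a default member, so list it too.
        [string[]]$ApprovedDomainAdmins = @('Administrator', 'admin.alice', 'admin.bob'),
        [int]$MaxDomainAdmins = 5
    )
    $root = Get-ADDomain -Identity (Get-ADForest).RootDomain
    $here = Get-ADDomain

    # Look the groups up by well-known RID rather than display name: names can be
    # localized or renamed, SIDs cannot. Enterprise Admins (519) and Schema Admins (518)
    # exist only in the forest root domain; Domain Admins (512) exists in every domain.
    $targets = @(
        [pscustomobject]@{ Name = 'Enterprise Admins'; Sid = "$($root.DomainSID)-519"; Server = $root.DNSRoot; ShouldBeEmpty = $true  }
        [pscustomobject]@{ Name = 'Schema Admins';     Sid = "$($root.DomainSID)-518"; Server = $root.DNSRoot; ShouldBeEmpty = $true  }
        [pscustomobject]@{ Name = 'Domain Admins';     Sid = "$($here.DomainSID)-512"; Server = $here.DNSRoot; ShouldBeEmpty = $false }
    )

    foreach ($t in $targets) {
        # -Recursive expands nested groups, so an account that is an admin only through
        # a nested group is still reported.
        $members  = @(Get-ADGroupMember -Identity $t.Sid -Server $t.Server -Recursive)
        $findings = @()

        if ($t.ShouldBeEmpty -and $members.Count -gt 0) {
            $findings += 'group should be empty on a daily basis'
        }
        if (-not $t.ShouldBeEmpty) {
            if ($members.Count -gt $MaxDomainAdmins) { $findings += "more than $MaxDomainAdmins members" }
            $unapproved = @($members | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $ApprovedDomainAdmins })
            if ($unapproved.Count -gt 0) { $findings += "not on approved list: $($unapproved.SamAccountName -join ', ')" }
        }

        [pscustomobject]@{
            Group    = $t.Name
            Domain   = $t.Server
            Count    = $members.Count
            Members  = ($members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }) -join ', '
            Findings = $findings -join '; '
        }
    }
}

# Usage: one row per group; an empty Findings column means nothing to act on.
Get-PrivilegedGroupAudit | Format-Table -AutoSize -Wrap
```

In a multi-domain forest, run the Domain Admins part of this against each domain (the `Server` value controls which domain is queried). Members that are security principals from another forest can make `-Recursive` fail, in which case enumerate the group without `-Recursive` and expand nested groups manually.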

2 comments:

Anonymous said...

In addition, I would also implement Active Directory auditing. I'm not sure that native tools can make it a snap, so I would recommend looking into 3rd-party solutions. Personally, I use ScriptLogic's Active Administrator. What I like in this tool is that it collects information from domain controllers' event logs into one centralized SQL database, providing the ability to easily search for specific events based on different criteria like event type, domain controller, administrator, etc.

Active Directory Audit Tools said...

Hello all,

To discover these incorrect security settings, you typically need to provide an internal or external security audit. When there is just a short amount of time, there are some key security settings that need to be audited for your Windows Active Directory enterprise. Thanks for sharing it....