After my initial Global Active Directory Seminar world tour, I came back with one key concept that I feel all Active Directory admins need to consider: Active Directory security baselines. Knowing the current state of your Active Directory security is the first step. This means that you need to perform an analysis on all areas of Active Directory to ensure you know where your overall security stands.
Next, you need to resolve any security configurations that don’t meet your internal and external compliance and overall security needs. Some of the key areas for this analysis and resolution would include:
- Security groups with privileges.
- User rights.
- Password policies.
- Account lockout policies.
- Active Directory delegations.
- Group Policy delegations.
- Trust relationships.
- User accounts not meeting security requirements.
- Security permissions for key operating system files.
You must establish this security baseline, so you can move forward knowing that you have a good security foundation. If you fail to achieve this security baseline, you will constantly be troubleshooting issues that stem from incorrect security configurations. You will also be more susceptible to attacks, which normally take advantage of elevated privileges in some form or another.
Some tools that can help you establish reports for analysis of these key areas include:
- Secpol.msc (built in to all Microsoft operating systems).
- Dumpsec (free from Somarsoft).
- Dsacls (built in to all domain controllers).
- Nltest (built in to all domain controllers).
- Group Policy Management Console (GPMC).
- Xcacls and icacls (built in to all Microsoft operating systems).
It is only after you achieve this security baseline that you can truly start to monitor security and know that security within your organization is solidified.
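
One way to record several of the areas listed above and re-check them later, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory PowerShell module (not one of the tools named above), a single-domain forest, and an illustrative group list and baseline file name.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions: RSAT ActiveDirectory module, single-domain forest,
# illustrative group list and baseline file path.
$BaselinePath     = '.\ad-baseline.json'   # hypothetical location
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-AdSecuritySnapshot {
    $snap = [ordered]@{}
    # Security groups with privileges: effective (nested) membership
    foreach ($g in $PrivilegedGroups) {
        $snap["Group:$g"] = @(Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { $_.distinguishedName } | Sort-Object)
    }
    # Password and account lockout policies from the default domain policy
    $p = Get-ADDefaultDomainPasswordPolicy
    $snap['DomainPolicy'] = @('MinPasswordLength', 'PasswordHistoryCount', 'ComplexityEnabled',
        'MaxPasswordAge', 'LockoutThreshold', 'LockoutDuration' |
        ForEach-Object { "$_=$($p.$_)" })
    # Trust relationships
    $snap['Trusts'] = @(Get-ADTrust -Filter * | Sort-Object Name |
        ForEach-Object { "$($_.Name) direction=$($_.Direction) type=$($_.TrustType)" })
    # Enabled user accounts with two common weak settings
    $snap['WeakAccounts'] = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordNotRequired |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
        ForEach-Object { $_.SamAccountName } | Sort-Object)
    $snap
}

function Compare-AdSecuritySnapshot ($Baseline, $Current) {
    foreach ($area in $Current.Keys) {
        # Drop nulls so an empty or missing area compares as an empty list
        $old = @($Baseline.$area | Where-Object { $_ })
        $new = @($Current[$area] | Where-Object { $_ })
        foreach ($i in $new) { if ($i -notin $old) {
            [pscustomobject]@{ Area = $area; Change = 'Added'; Item = $i } } }
        foreach ($i in $old) { if ($i -notin $new) {
            [pscustomobject]@{ Area = $area; Change = 'Removed'; Item = $i } } }
    }
}

$current = Get-AdSecuritySnapshot
if (Test-Path $BaselinePath) {
    # Later runs: report drift from the recorded baseline
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    Compare-AdSecuritySnapshot $baseline $current | Format-Table -AutoSize
} else {
    # First run: record the reviewed state as the baseline
    $current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
}
```

Record the baseline only after the listed areas have been reviewed and corrected, and store the file where ordinary users cannot modify it.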