Solved

AD Healthcheck tools

Posted on 2013-01-29
7
425 Views
Last Modified: 2013-02-12
Are there any tools you'd recommend for an IT Healthcheck/Audit of Active Directory, above and beyond the AD best practices analyzer. If so can you list the tools and what kinds of risks/misconfigurations they are looking for?

Also can you give me an idea on the cruical health metrics and audit checks youd recommend for a good audit of AD? based on previous audits or healthchecks youve been subject too?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Author Comment

by:pma111
ID: 38830866
An IT audit is not the same as a tool that creates audit logs of changes made to AD. An IT audit is similar to a risk assessment/best practice alignment/evaluation
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 167 total points
ID: 38831014
You can use a lot of Microsoft's tools

repadmin/dcdiag/AD replication status tool/event logs/dfsrdiag

If you have a contract with Microsoft you can ask them to come in and run an "ADRAP"  It is a custom tool they use to asses the health of AD and they give you a nice report.   ADRAP is not available to the public.

Thanks

Mike
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 3

Author Comment

by:pma111
ID: 38831026
Hi Mike,

Any idea on the ADBPA - can you give a flavour of the types of issue its checking compliance against, perhaps with a few examples of the higher risk checks it performs?
0
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 167 total points
ID: 38832605
You need to understand first that health checks and security compliance are two different concepts or requirement
There are different tools for monitoring different processes for eg. Replication monitoring tool used for monitoring replication status which can be found here

As far as audit is concerned there are different practices followed by organisations depending upon business requirements which are defined by internal IT security & compliance team
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 38833184
Did you already try MBSA (Microsoft freeware)? http://www.microsoft.com/en-us/download/details.aspx?id=7558
Also remember the rule of thumb: Left with default settings, the server is secure (and I mean it). So whenever you change something to non-defaults, you would have to know exactly...
-what security trade off that implies (if any)
-if that security trade off applies to your software environment
-...and if it applied, what consequences this would have and if there are ways to mitigate it.
0
 
LVL 3

Author Comment

by:pma111
ID: 38840057
>You need to understand first that health checks and security compliance are two different concepts or requirement
There are different tools for monitoring different processes for eg. Replication monitoring tool used for monitoring replication status which can be found here



I am aware. However, if you are looking at RISKS, then a risk assessment needs to look at far more than just security compliance. Security is just one metric in my opinion. There are many issues above and beyond security that can affect the smooth running of an AD, hence just focusing purely on security seems naive and pretty stupid in my opinion.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question