risk assessment of domain controllers AD

Are there any useful tools to run a risk assessment and health assessment of domain controllers/AD? i.e. security issues, design issues, general non-compliance with best practice etc.
LVL 4
pma111Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph MoodyBlogger and wearer of all hats.Commented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
Is that ADRAP tool one you can run yourselves? Is it an automated tool that churns our a report of non-compliant settings?
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Joseph DalyCommented:
The MBSA is always a good place to start.
http://www.microsoft.com/en-us/download/details.aspx?id=7558

Then you have Security compliance manage which has some pre defined policies or you can create your own.
http://technet.microsoft.com/en-us/library/cc677002.aspx

You could use a third party tool like nessus to scan for know vulnerabilities and configuration issues.
http://www.tenable.com/products/nessus/features
0
Mike KlineCommented:
A lot of tools

repadmin & AD Replication status tool
dcdiag
AD Best Practice Analyzer
Check your Event Logs

There are scripts that people have written that you can search for and test.

...if you have a premiere contract with Microsoft you can get their official risk assessment.  It is known as "ADRAP"   http://www.microsoft.com/en-us/download/details.aspx?id=19464

I wish they made the ADRAP tool available publically but that is never going to happen so for most places we have to use different tools to get a good picture of the system.

Thanks

Mike
0
pma111Author Commented:
What kinds of issues is AD BPA testing for Mike?
0
pma111Author Commented:
I was hoping for something that would analyze domain group policies and flag up weak settings? Does such exist?
0
Mike KlineCommented:
You can use Microsoft's Security Compliance Manager

http://technet.microsoft.com/en-us/library/cc677002.aspx

I support the federal government so I use an SCAP tool

http://nvd.nist.gov/scapproducts.cfm

As you can see there are many, I use the free one from SPAWAR

Thanks

Mike
0
pma111Author Commented:
xxdcmast - is there any automated way of checking your OS settings against the security compliance manager baselines - or does it need to be manual. MBSA only checks a small portion of each setting in each cmpliance manager policy.
0
pma111Author Commented:
Mike - so you can esentially asses the security compliance with the baselines using a SCAP scanner?
0
Mike KlineCommented:
Yes, I haven't used all of them but the one I use gives me a score.  That is against federal govt baselines but most places will accept that.

Thanks

Mike
0
pma111Author Commented:
Did you run it from an XP machine, I had a quick look and couldnt see Windows 7 support for the free tool..
0
Mike KlineCommented:
I ran it from 7 we don't have XP left in our environment so I haven't tested that.
0
pma111Author Commented:
Thats good then sounds like it runs ok from windows 7. Do you export from security compliance manager then? How long were scans taking against servers? What roles did you audit, ie file, AD, SQL etc?
0
Mike KlineCommented:
All the above, scans don't take long but that is with the tool I used.  It might only available to those with a .gov or .mil address but the others ones are probably good too...just can't vouch for them myself.

Thanks

Mike
0
kutesirCommented:
SYSTEM CENTER 2012.....Can help you monitor.Are you looking for a non Microsoft Solution.
0
pma111Author Commented:
What kind of audit/best practice reports would you get from system center?
0
kutesirCommented:
About Systems Center -Ill elaborate With Operations Manager The ACS reporting component is installed separately from ACS and consists primarily of a reporting model and set of reports based on the audit collection database. These reports provide summaries and analysis of the security events that have been collected.
The ACS reporting component can be hosted on a separate server, the audit collection database server, Reporting data warehouse, or even the Reporting Server component. The security is fully integrated with the OpsMgr Reporting Services security module.
Factors that impact the Audit Collection Services reporting include the following:
• Number and type of reports generated
The ACS reporting component can be installed on as many SRS instances as needed.
0
Mike KlineCommented:
The big thing with the new system center licensing is that now you buy it you get the entire suite of system center products.  you can no longer pick or choose.  System center is a great product but just letting you know you would be buying it all.

Thanks

Mike
0
pma111Author Commented:
Mike - where do you get the actual SCAP files from? i.e. a SCAP file for windows server, exchange, AD, etc.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.