Pau Lo


risk assessment of domain controllers AD

Are there any useful tools to run a risk assessment and health assessment of domain controllers/AD? i.e. security issues, design issues, general non-compliance with best practice etc.
ASKER CERTIFIED SOLUTION
Joseph Moody
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Pau Lo

ASKER

Is that ADRAP tool one you can run yourselves? Is it an automated tool that churns out a report of non-compliant settings?
Pau Lo

ASKER

What kinds of issues is AD BPA testing for, Mike?
Pau Lo

ASKER

I was hoping for something that would analyze domain group policies and flag up weak settings. Does such exist?
You can use Microsoft's Security Compliance Manager

http://technet.microsoft.com/en-us/library/cc677002.aspx

I support the federal government so I use an SCAP tool

http://nvd.nist.gov/scapproducts.cfm

As you can see, there are many; I use the free one from SPAWAR.

Thanks

Mike
Pau Lo

ASKER

xxdcmast - is there any automated way of checking your OS settings against the Security Compliance Manager baselines, or does it need to be manual? MBSA only checks a small portion of each setting in each compliance manager policy.
Pau Lo

ASKER

Mike - so you can essentially assess the security compliance with the baselines using a SCAP scanner?
Yes, I haven't used all of them but the one I use gives me a score.  That is against federal govt baselines but most places will accept that.

Thanks

Mike
Pau Lo

ASKER

Did you run it from an XP machine? I had a quick look and couldn't see Windows 7 support for the free tool.
I ran it from 7; we don't have XP left in our environment, so I haven't tested that.
Pau Lo

ASKER

That's good then, sounds like it runs OK from Windows 7. Do you export from Security Compliance Manager then? How long were scans taking against servers? What roles did you audit, i.e. file, AD, SQL etc?
All the above. Scans don't take long, but that is with the tool I used. It might only be available to those with a .gov or .mil address, but the other ones are probably good too... just can't vouch for them myself.

Thanks

Mike
Pau Lo

ASKER

What kind of audit/best practice reports would you get from System Center?
The big thing with the new System Center licensing is that now when you buy it you get the entire suite of System Center products. You can no longer pick or choose. System Center is a great product, but just letting you know you would be buying it all.

Thanks

Mike
Pau Lo

ASKER

Mike - where do you get the actual SCAP files from? i.e. a SCAP file for windows server, exchange, AD, etc.