Pau Lo
asked on
risk assessment of domain controllers AD
Are there any useful tools to run a risk assessment and health assessment of domain controllers/AD? i.e. security issues, design issues, general non-compliance with best practice etc.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
What kinds of issues is AD BPA testing for, Mike?
ASKER
I was hoping for something that would analyze domain group policies and flag up weak settings? Does such exist?
You can use Microsoft's Security Compliance Manager
http://technet.microsoft.com/en-us/library/cc677002.aspx
I support the federal government so I use an SCAP tool
http://nvd.nist.gov/scapproducts.cfm
As you can see there are many, I use the free one from SPAWAR
Thanks
Mike
ASKER
xxdcmast - is there any automated way of checking your OS settings against the Security Compliance Manager baselines, or does it need to be manual? MBSA only checks a small portion of each setting in each compliance manager policy.
ASKER
Mike - so you can essentially assess the security compliance with the baselines using a SCAP scanner?
Yes, I haven't used all of them but the one I use gives me a score. That is against federal govt baselines but most places will accept that.
Thanks
Mike
ASKER
Did you run it from an XP machine? I had a quick look and couldn't see Windows 7 support for the free tool.
I ran it from 7; we don't have XP left in our environment, so I haven't tested that.
ASKER
That's good then, sounds like it runs OK from Windows 7. Do you export from Security Compliance Manager then? How long were scans taking against servers? What roles did you audit, i.e. file, AD, SQL etc.?
All the above. Scans don't take long, but that is with the tool I used. It might only be available to those with a .gov or .mil address, but the other ones are probably good too... just can't vouch for them myself.
Thanks
Mike
ASKER
What kind of audit/best practice reports would you get from System Center?
The big thing with the new System Center licensing is that now you buy it you get the entire suite of System Center products. You can no longer pick or choose. System Center is a great product, but just letting you know you would be buying it all.
Thanks
Mike
ASKER
Mike - where do you get the actual SCAP files from? i.e. a SCAP file for Windows Server, Exchange, AD, etc.
ASKER