Pau Lo

AD security scans

Are there any free tools that can audit the configuration of your Active Directory and domain controllers against best practices and provide a report of any non-compliance issues? I appreciate a domain controller needs all the same security hardening that a member server does, but I was more after a tool to look at AD-specific configs/best practices and how our setup meets the suggested best practices.
ASKER CERTIFIED SOLUTION
Matt Minor
btan

To add, it is always good to take a look at and refer to the MS Best Practices for Securing Active Directory. Here is one for Windows 2008 AD. In fact, Microsoft Windows defaults and baseline recommendations were taken from the SCM, and the latter can also be used to create initial baselines for your administrative hosts.
http://blogs.microsoft.com/cybertrust/2013/06/03/microsoft-releases-new-mitigation-guidance-for-active-directory/
In fact, I also suggest, for the best practices aspect, to make sure the configuration and any conflicts are flagged as well. Kind of self-checks that the baseline config is running fine without error to start off with. See the below suggested checks, and in particular the use of the Active Directory Health Check Script:
- Dcdiag.exe: Verification of successful domain controller deployment
- Repadmin /replsummary – Will show you an overview of any failures, and for which DC(s).
- Repadmin /showrepl – This will let you know if the last replication attempts were successful
http://www.cosonok.com/2012/08/how-to-do-active-directory-health-check.html
https://blog.thesysadmins.co.uk/active-directory-healthcheck-script.html
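
The `Repadmin /showrepl` check from the post above, as an added example that is not part of the original thread or of the linked scripts: a PowerShell script that parses `repadmin /showrepl * /csv` output and reports replication links with failures or no recent success. The function name `Get-ReplFailure`, the 24-hour threshold, and the sample rows (hosts `DC01`-`DC03`, domain `example.test`) are assumptions made for illustration.

```powershell
# Added example: flag unhealthy replication links in "repadmin /showrepl * /csv" output.
param([switch]$Live)  # -Live queries the DCs; without it the constructed sample is used

# Constructed sample in repadmin's CSV layout (host names and domain are made up).
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=test",HQ,DC02,RPC,0,0,2024-01-10 09:15:02,0
showrepl_INFO,HQ,DC01,"DC=example,DC=test",Branch,DC03,RPC,14,2024-01-10 09:10:41,2024-01-08 22:40:13,1722
showrepl_INFO,HQ,DC02,"DC=example,DC=test",HQ,DC01,RPC,0,0,2024-01-07 03:00:00,0
'@

function Get-ReplFailure {   # hypothetical helper name
    param([string[]]$CsvLines, [datetime]$Now = (Get-Date), [int]$MaxAgeHours = 24)
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # Rows not tagged showrepl_INFO (for example a DC that could not be queried)
        # do not follow the column layout, so surface them for manual review.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            [pscustomobject]@{ Destination = $null; Source = $null; NamingContext = $null
                               Failures = $null; LastSuccess = $null
                               Reason = 'repadmin reported an error row' }
            continue
        }
        $failures = [int]$row.'Number of Failures'
        $last     = [datetime]::MinValue
        $parsed   = [datetime]::TryParse($row.'Last Success Time', [ref]$last)
        # A link is stale when it has never succeeded or not within the threshold.
        $stale    = (-not $parsed) -or (($Now - $last).TotalHours -gt $MaxAgeHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                Reason        = if ($failures -gt 0) { "last failure status $($row.'Last Failure Status')" }
                                else { 'no recent success' }
            }
        }
    }
}

if ($Live) { $lines = repadmin /showrepl * /csv; $now = Get-Date }
else       { $lines = $sample -split '\r?\n';    $now = [datetime]'2024-01-10 10:00:00' }

$bad = @(Get-ReplFailure -CsvLines $lines -Now $now)
$bad | Format-Table -AutoSize
if ($bad.Count) { exit 1 }   # non-zero exit lets a scheduled task or monitor alert
```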