Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

AD change control testing

Posted on 2016-08-15
2
Medium Priority
?
22 Views
Last Modified: 2016-09-03
we wish to do some testing about how well managed our AD is. What we had in mind was to pick a sample of tickets from the helpdesk system to ensure:

Where an AD account was created in the domain - this was properly authorised by the users line manager.
Where a request was logged to add an AD account into a security group - this was properly authorised by the users line manager.

Can you think of any other useful checks in terms of AD changes that should have a proper authorisation, that we can build into our testing? Anything where end users could abuse the process to gain access to information in which they should not be able to. They were the 2 obvious ones but I am open to other ideas.
0
Comment
Question by:pma111
  • 2
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points (awarded by participants)
ID: 41756545
You are checking for the use case for doer-approver-checker in which the same person cannot be for the doer and approver as well as approver and checker. Likewise to avoid collusion between checker and approver as well as doer and checker. Area for such possibility is mainly on security services handling
-account login/logout for administrator, privileged group
- account policy like password restriction and complexity etc
-audit trail provisioning for policy changes, log archival purge scheme
-security centre support in use of firewall, defender etc
-network defence in use to tcp/ip parameter for DoS defends
-security services provisioning for applocker, dnssec, proxy lockdown,
-common services support like server core adoption for dhcp, dns roles
-end user application support like tampering browser policy config on default page, cipher suite etc
-service account and manage account used in running services
-login security option in enforcement of smartcard, credential option, guest, remote login etc
-interface changes and lockdown like storage media, wifi, MTP connectivity etc
-device sharing via common job services like print job, internet printing etc
-shared resource like shared folder access, profile mobility in term of roaming and folder access

There are specific mapping of above to MS security audit in term of GPO setting, will be handy
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
0
 
LVL 65

Expert Comment

by:btan
ID: 41782775
The events and descriptions are provided to oversight the activities.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question