Solved

AD change control testing

Posted on 2016-08-15
2
19 Views
Last Modified: 2016-09-03
we wish to do some testing about how well managed our AD is. What we had in mind was to pick a sample of tickets from the helpdesk system to ensure:

Where an AD account was created in the domain - this was properly authorised by the users line manager.
Where a request was logged to add an AD account into a security group - this was properly authorised by the users line manager.

Can you think of any other useful checks in terms of AD changes that should have a proper authorisation, that we can build into our testing? Anything where end users could abuse the process to gain access to information in which they should not be able to. They were the 2 obvious ones but I am open to other ideas.
0
Comment
Question by:pma111
  • 2
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41756545
You are checking for the use case for doer-approver-checker in which the same person cannot be for the doer and approver as well as approver and checker. Likewise to avoid collusion between checker and approver as well as doer and checker. Area for such possibility is mainly on security services handling
-account login/logout for administrator, privileged group
- account policy like password restriction and complexity etc
-audit trail provisioning for policy changes, log archival purge scheme
-security centre support in use of firewall, defender etc
-network defence in use to tcp/ip parameter for DoS defends
-security services provisioning for applocker, dnssec, proxy lockdown,
-common services support like server core adoption for dhcp, dns roles
-end user application support like tampering browser policy config on default page, cipher suite etc
-service account and manage account used in running services
-login security option in enforcement of smartcard, credential option, guest, remote login etc
-interface changes and lockdown like storage media, wifi, MTP connectivity etc
-device sharing via common job services like print job, internet printing etc
-shared resource like shared folder access, profile mobility in term of roaming and folder access

There are specific mapping of above to MS security audit in term of GPO setting, will be handy
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
0
 
LVL 63

Expert Comment

by:btan
ID: 41782775
The events and descriptions are provided to oversight the activities.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question