Commissum

Active Directory Assessment


Active Directory Permissions

Commissum provides an AD Permissions Audit to ensure Microsoft Active Directory security.

Many organisations moved to the Active Directory (AD) platform several years ago. They believe that if they have IP addresses, files, printing, Internet access and email, then the AD must be in order. Indeed, it may well be functioning adequately at a basic level, but on the other hand it may not be. In either case, the AD is unlikely to be robust, and almost certainly will not be documented.

Over the course of time, assignment of permissions across your infrastructure will have become fragmented as employees change roles. In addition, separation of duties (if built in originally) may have slipped, controls may no longer be rigorous enough, and security gaps may lead to security issues. This “permissions creep” is of particular concern where permissions may “open a back door” into your infrastructure for remote users and third-party VPN users.

To address this problem, Commissum has developed an Active Directory Permissions Audit, whereby we conduct a security-driven investigation into user and administrator permissions within the directory infrastructure. This audit identifies irregular permissions and permissions that appear to be excessive or outdated.

Our Approach

Commissum’s approach is to audit membership of groups to assist in:

  • Identifying users in an excessive number of groups
  • Identifying users in legacy groups
  • Identifying users in sensitive groups
  • Identifying users in administrative groups

Commissum will audit access rights on key programs, prioritising users and groups relating to third-party VPN access. This process assists in the following:

  • Identification of excessive rights for executing sensitive server functions
  • Identification of excessive rights to IT support functions
  • Identification of legacy permissions
  • Production of a report on the above, which includes recommendations to address current issues, and any high-level recommendations as to future monitoring and management

Active Directory Structural Audit

Commissum’s Active Directory Structural Audit is a higher-level audit than the Permissions Audit, but in terms of issue resolution it is of vital importance. The Permissions Audit focuses on which users can access which objects from a current and historical perspective; the Structural Audit, on the other hand, ensures that the fundamental AD structure does not contain loopholes in the permissions set-up. Such loopholes might be exploited by users to create new objects which can be used as “stepping stones” to access data that the users are not authorised to access. A Permissions Audit alone is not sufficient to prevent this, and so an Active Directory Structural Audit is needed in addition.

The AD Structural Audit focuses on the business fitness of your Active Directory set-up, rather than individual permissions. It will determine whether individual permissions, objects and policies can be used to circumvent one another (as is often the case). It is measured in terms of security and stability as well as regulatory and best practice compliance. While the Permissions Audit can address short-term issues, the Structural Audit will prevent problems occurring in the future. Both audit types are essential to a comprehensive review, with robust recommendations to address future situations.

The AD Structural Audit has no impact on your infrastructure. The consultant will spend a day on-site evaluating the structures within your AD. During that day, he/she will need three to four hours, ideally with the senior AD administrator, to ask questions about why certain structures are used and how some requirements are fulfilled.

If the senior AD administrator is unavailable, then the consultant will work with someone who can grant administrative access to a domain controller. While no changes are made to your systems, we usually expect that the consultant has access to a local employee that he/she can question, in order to get the most out of the engagement.

At the end of this consultancy day, we hold an informal meeting for an hour, which both the senior administrator and the CIO/IT manager should attend. At this meeting, we discuss the overall audit findings, their impact on the business, and what actions could be taken to optimise the Active Directory. You will be able to ask any questions you might have. The extra depth of explanation that this meeting provides will make our report more meaningful when you receive it.

The final stage of the AD Structural Audit is the writing of the full report, including metrics taken from the audit observations. Once the report is complete, we can return to deliver the report in person, or we can discuss it remotely by conference call.