
Table of Contents

ACTIVE DIRECTORY AUDIT WORK PROGRAM: ARCHITECTURE/DESIGN
ACTIVE DIRECTORY AUDIT WORK PROGRAM: INFRASTRUCTURE
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION AND ACCESS REQUEST PROCEDURES
ACTIVE DIRECTORY WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION – GENERAL
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION AND POWERFUL USER RIGHTS
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION AND USER ID CREATION
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION – USER ID MAINTENANCE
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER MANAGEMENT/ADMINISTRATION – USER ID TERMINATION

Source: www.knowledgeleader.com
ACTIVE DIRECTORY AUDIT WORK PROGRAM:
ARCHITECTURE/DESIGN

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory (AD) work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 2: Architecture/Design.

GENERAL

Each row below records the key control question and the preferred controls/goal state for production; the Intent/Status of Designed Control and Owner(s) columns of the original table are left blank for the reviewer to complete.

Question: What level of system compatibility (domain and forest functional level) is used in the active directory implementation?
• (List Systems)
Preferred control: The backwards-compatible features of an active directory implementation keep older services, and the security weaknesses of older versions, available. The AD implementation should be set to the most recent functional level that the deployed domain controllers support, so that the newest features are enabled and backwards compatibility is disabled.

Question: Has a standard naming convention been defined for the following AD objects?
• Servers
• User groups
• Group policy objects
• Organizational units
• Domains
• Forests
Preferred control: A standard naming convention for all AD objects is necessary to manage them effectively. It lets administrators add users to the right groups efficiently, understand which GPOs apply to whom and locate objects quickly.

DOMAIN STRUCTURE

Question: Verify that the domain structure has been clearly mapped and documented.
• Who has access to the active directory domain structure diagrams?
• Are the diagrams distributed to any personnel?
Preferred control: The active directory domain structure diagrams are reviewed regularly to ensure accuracy, and all additions and changes to the domain structure are added to the diagrams immediately. Individuals working within the active directory have access to the diagrams; unauthorized individuals and groups are prevented from accessing them.

Question: Verify that an overall domain structure methodology has been developed as guidance for all tasks.
Preferred control: Policies and procedures for the overall AD domain structure should be developed to give high-level guidance on how to structure the domain for future additions. Separate domains and forests should be kept to a minimum: they are necessary in some instances but increase hardware cost and administrative effort. Note that the forest, not the domain, is the security boundary in AD, since every domain in a forest has a transitive two-way trust with every other; a requirement for genuine isolation therefore calls for a separate forest, not merely a separate domain.

Question: Verify that separate production, development and testing forests exist.
Preferred control: Separate production, development and testing forests should be created as part of the change management process. They give administrators the ability to test and certify AD changes before those changes reach the production systems.

Question: Verify that separate domains or forests exist for systems that authenticate on a (Name) or third-party extranet segment.
Preferred control: Systems on an (Insert Company) (Name) or third-party extranet should use a separate forest with a one-way trust to the primary AD domains, in which the extranet side trusts the internal side and never the reverse, so that accounts from the extranet cannot be granted access to internal resources. A two-way trust should not be implemented, because a compromise of the extranet systems could then be leveraged against the internal AD. A separate domain inside the same forest does not provide this isolation, since all domains in a forest trust each other.

Question: Is the trust relationship between domains and forests appropriate?
Preferred control: Trust relationships between domains and forests should be configured so that access to (Insert Company) resources is limited to an approved need-to-know basis. AD domain and forest trusts between (Insert Company) and third-party organizations should exist only under very controlled circumstances; where they exist they should be one-way where possible, with SID filtering enabled and selective authentication used, so that only explicitly permitted accounts from the trusted side can authenticate to (Insert Company) resources.
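The following PowerShell, added here as an illustration and not part of the original work program, is one way to test the two trust rows above: it lists every trust of the domain it runs in and flags a two-way trust, an outbound trust (this domain trusting the other side, which is the direction the extranet control forbids when run from the internal domain), an external trust with SID filtering switched off, and any trust outside the forest without selective authentication. It assumes the ActiveDirectory module (RSAT) and an account able to read trust objects; nothing else is taken from the page.

```powershell
# Added example, not from the original work program. Requires the ActiveDirectory
# module (RSAT) and an account that can read the domain's trustedDomain objects.
Import-Module ActiveDirectory

function Get-TrustFindings {
    $findings = @()
    foreach ($t in Get-ADTrust -Filter *) {
        $issues = @()

        # Direction is from this domain's point of view:
        #   Outbound      = this domain trusts the target (target accounts can be granted access here)
        #   Inbound       = the target trusts this domain
        #   BiDirectional = both
        # The extranet control wants the extranet side to trust the internal side only,
        # so when run from the internal domain an Outbound or BiDirectional trust is a finding.
        if (-not $t.IntraForest -and (@('Outbound', 'BiDirectional') -contains "$($t.Direction)")) {
            $issues += "direction $($t.Direction): this domain trusts $($t.Target)"
        }

        # External (non-forest) trusts: SID filter quarantining must be on, otherwise
        # SID history injected on the trusted side is honoured by this domain.
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $issues += 'SID filtering (quarantine) disabled'
        }

        # Forest trusts: SID filtering is governed by the SID history setting, which
        # Get-ADTrust does not expose; verify it separately with
        #   netdom trust <thisDomain> /domain:<target> /enablesidhistory
        # and expect it to report that SID history is disabled.

        # Selective authentication limits which trusted accounts may authenticate to
        # which resources (need-to-know); expected on every trust outside the forest.
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $issues += 'selective authentication not enabled'
        }

        $findings += [pscustomobject]@{
            Target           = $t.Target
            Type             = $t.TrustType
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            IntraForest      = $t.IntraForest
            Issues           = ($issues -join '; ')
        }
    }
    return $findings
}

Get-TrustFindings | Format-Table -AutoSize
```

Run it once from each domain, not just the forest root: a trust object describes the relationship from the perspective of the domain that holds it, so the direction flag only means what the comments say when the script runs in the internal domain. The `netdom` query covers the one property the cmdlet leaves out.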

Question: Has a process been implemented to control how organizational units (OU) are created to manage active directory objects?
Preferred control: (Insert Company) should have a standard process or method for defining organizational units within the active directory.

Question: Has an OU been created for each logical subdivision of the domain?
Preferred control: OUs should be used to subdivide the domain logically into more manageable components, and used together with user groups to define users' permissions. The OU structure should:
• Provide a directory structure that is logical and easy to understand and navigate.
• Accommodate the addition of new locations and/or customers flexibly.
• Facilitate secure delegation of authority within the directory.

Question: How are flexible single master operations (FSMO) and global catalog (GC) roles distributed across the organization?
Preferred control: At least one GC should be located at every site. In a multidomain environment the infrastructure master role should not be placed on a GC server unless every domain controller in the domain is also a GC: an infrastructure master that is itself a GC never detects stale cross-domain references, because the GC already holds a copy of the referenced objects.

Question: Has a defined process been implemented that defines how active directory objects (user groups mainly) are created, modified and deleted, including how and when users are added to groups?
Preferred control: Policies and procedures should define how AD objects are created, modified and deleted, including the change control process that sets the schedule, testing, backup, naming conventions and restoration steps for each change. All objects should be clearly defined and documented with the object name and a description of their purpose, permissions and scope.

Question: Have all security global groups (global groups) and security local groups (local groups) been clearly defined, documented and adequately delegated authority?
Preferred control: Users should be placed in global groups for organizational purposes. Permissions to resources on file shares should be assigned to domain local groups. By placing global groups into local groups, permissions reach users indirectly (the accounts, global, domain local, permissions pattern), and no user ever appears directly in a resource ACL.
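The following PowerShell, added here as an illustration and not part of the original work program, carries the group-nesting control above through from group creation to the NTFS ACL and then checks an existing ACL for entries that break the pattern. The group names, the OU path, the sample accounts, the NetBIOS domain name CORP and the share folder are all assumptions; it needs the ActiveDirectory module and must run on the file server for the ACL part.

```powershell
# Added example, not from the original work program. Group names, the OU path,
# the sample accounts, the NetBIOS domain CORP and the share folder are assumed.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds groups
$sharePath = 'E:\Shares\Finance'               # assumed folder on this file server

# A = accounts, G = global group. The global group says who someone is.
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path $groupOu -Description 'All staff of the Finance department'
Add-ADGroupMember -Identity 'Finance-Users' -Members 'jdoe', 'asmith'   # assumed accounts

# DL = domain local group. It names one permission on one resource.
New-ADGroup -Name 'ACL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description "Modify on $sharePath"

# Nest the global group in the domain local group: users get the permission indirectly.
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Finance-Users'

# P = permission. Only the domain local group ever appears in the NTFS ACL.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CORP\ACL-FinanceShare-Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Audit check for the same row: an ACE that names a user directly, or a group whose
# scope is not domain local, breaks the pattern and should be reported.
function Get-AgdlpViolations {
    param([string]$Path, [string]$NetbiosDomain = 'CORP')   # assumed domain name
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Skip inherited entries and built-in principals (BUILTIN\, NT AUTHORITY\, CREATOR OWNER)
        if ($ace.IsInherited -or $ace.IdentityReference.Value -notlike "$NetbiosDomain\*") { continue }
        $sam = $ace.IdentityReference.Value.Split('\')[1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        $problem = $null
        switch ($obj.ObjectClass) {
            'user'  { $problem = 'user granted directly' }
            'group' {
                $scope = (Get-ADGroup -Identity $sam).GroupScope
                if ($scope -ne 'DomainLocal') { $problem = "group scope is $scope, not DomainLocal" }
            }
        }
        if ($problem) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Problem  = $problem
            }
        }
    }
}

Get-AgdlpViolations -Path $sharePath | Format-Table -AutoSize
```

The check deliberately ignores inherited entries: a violation is fixed where the explicit ACE lives, and reporting every inheriting subfolder would only repeat the same finding.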

Question: Has the forest root been created for top-level administration purposes with minimal user and administrator accounts?
Preferred control: A forest root domain should be created with minimal user and administrator accounts. This gives additional administrative segregation of all domains under the forest root. The few forest root administrators, in particular the members of the Enterprise Admins and Schema Admins groups that exist only in the root domain, have access to all domains, so their membership should be kept to the minimum and reviewed.
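The following PowerShell, added here as an illustration and not part of the original work program, gathers the evidence for three rows of this section at once: the functional level row under GENERAL (forest and domain modes and the DC operating systems that constrain them), the FSMO/GC row (role holders and the infrastructure-master-on-a-GC case) and the forest root row (membership of the forest-wide administrative groups). It assumes the ActiveDirectory module and an account with read access to every domain in the forest.

```powershell
# Added example, not from the original work program. Requires the ActiveDirectory
# module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-ForestDesignFindings {
    $forest   = Get-ADForest
    $findings = @()
    $findings += "Forest $($forest.Name): functional level $($forest.ForestMode); root domain $($forest.RootDomain)"
    $findings += "Schema master: $($forest.SchemaMaster); domain naming master: $($forest.DomainNamingMaster)"

    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        $dcs    = @(Get-ADDomainController -Filter * -Server $name)

        # Functional level row: the oldest DC operating system is what blocks raising
        # the level, so list the versions present next to the current mode.
        $osVersions = ($dcs.OperatingSystem | Sort-Object -Unique) -join ', '
        $findings  += "Domain $name : level $($domain.DomainMode); DC operating systems: $osVersions"

        # FSMO row: the three domain-wide role holders.
        $findings += "Domain $name : PDC $($domain.PDCEmulator); RID $($domain.RIDMaster); infrastructure $($domain.InfrastructureMaster)"

        # Infrastructure master on a GC matters only in a multi-domain forest and only
        # when some DCs in the domain are not GCs; it then never notices stale
        # cross-domain references because the GC already holds the referenced objects.
        $infra = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
        $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($forest.Domains.Count -gt 1 -and $infra.IsGlobalCatalog -and -not $allGc) {
            $findings += "FINDING: $name infrastructure master $($infra.HostName) is a GC while other DCs in the domain are not"
        }
    }

    # Forest root row: only the root domain holds Enterprise Admins and Schema Admins,
    # and their members reach every domain, so membership should be minimal.
    foreach ($group in 'Enterprise Admins', 'Schema Admins') {
        $members = @(Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive)
        $names   = ($members.SamAccountName | Sort-Object) -join ', '
        $findings += "$group ($($members.Count) members): $names"
        if ($group -eq 'Schema Admins' -and $members.Count -gt 0) {
            $findings += 'FINDING: Schema Admins should be empty except for the duration of a schema change'
        }
    }
    return $findings
}

Get-ForestDesignFindings
```

The output is a list of lines rather than objects so that it can be pasted into the work paper as-is; the lines prefixed FINDING are the ones that need an owner's response.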

SUPPORTING INFRASTRUCTURE

Question: Are network diagrams kept up to date and made available to the appropriate resources?
Preferred control: Network diagrams and documentation exist and are accurately maintained. The diagrams should include the following critical equipment traversed by the active directory implementation:
• AD servers
• Firewalls
• WAN connections
• Intrusion detection systems (IDS)
• Key routing infrastructure
Responsibilities for managing the network are defined, and the following tools for managing it are developed or acquired:
• Automated monitoring
• Network diagrams
• An inventory of physical connections and logical addresses

Question: Verify that only communication protocols that serve a direct business need are used.
Preferred control: Communication protocols are minimized to those specifically required for business functions.
• All protocols in use are required by the business needs of the company.
• A minimal number of protocols are used.
• The use of new protocols is prohibited without proper approval.

Question: Are the active directory systems segregated and protected from the normal end-user populations?
Preferred control: The active directory servers should be located on network segments separate from the internal user segments. Network filtering or access control lists should limit user access to these systems to the protocols clients legitimately need (DNS, Kerberos, LDAP, SMB and RPC); management protocols such as RDP and remote PowerShell should be reachable only from administrative hosts.
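The following PowerShell, added here as an illustration and not part of the original work program, is one way to apply the segregation control above on a domain controller itself: it scopes the built-in management rules of Windows Firewall to an administrative subnet and then reports any inbound allow rule for a management port that is still open to every remote address. The subnet 10.10.50.0/24 is an assumption; the client-facing AD ports it leaves alone are the standard ones. It uses the NetSecurity module that ships with Windows Server.

```powershell
# Added example, not from the original work program. Run on each domain controller
# as an administrator; 10.10.50.0/24 is an assumed administrative subnet.
$adminSubnet = '10.10.50.0/24'   # assumed: the only segment allowed to manage DCs

# Client-facing AD services stay reachable from user segments and are not touched
# here: DNS 53, Kerberos 88/464, RPC endpoint mapper 135, LDAP 389/636, SMB 445,
# global catalog 3268/3269 and the dynamic RPC range.

# Scope the built-in management rule groups to the administrative subnet instead of
# adding block rules: in Windows Firewall an explicit Block beats every Allow, so a
# blanket Block on 3389 would lock the administrators out as well.
foreach ($group in 'Remote Desktop', 'Windows Remote Management',
                   'Remote Event Log Management', 'Remote Service Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $adminSubnet -Enabled True
}

# Check for the same row: inbound Allow rules for management ports that any remote
# address may still reach.
function Get-OpenManagementRules {
    $mgmtPorts = 3389, 5985, 5986   # RDP, WinRM HTTP, WinRM HTTPS
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $port = ($rule | Get-NetFirewallPortFilter).LocalPort
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if (($port | Where-Object { $_ -in $mgmtPorts }) -and ($addr -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Port          = ($port -join ',')
                RemoteAddress = ($addr -join ',')
            }
        }
    }
}

Get-OpenManagementRules | Format-Table -AutoSize
```

Host firewall scoping is a second layer behind the network ACLs the row asks for, not a replacement: the network filtering protects the DC even when a local rule is changed, and the local rule still holds when a segment is misconfigured.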

Question: Are there any active directory systems that are directly available on the internet or accessible by third parties?
Preferred control: Domain controllers should not be directly reachable from the internet. AD domain and forest trusts between (Insert Company) and third-party organizations should exist only under very controlled circumstances.

Question: Have AD components been moved to separate dedicated systems or platforms?
Preferred control: (Name) services are often run on a separate system from the rest of the AD implementation. Additional components of the active directory can be separated so that the failure of one system does not take the others down with it.

Question: Have host or network-based systems been implemented to monitor for malicious traffic to and from the active directory systems?
Preferred control: Host-based and network-based monitoring enables real-time detection of malicious activity intended to compromise the AD system.

FAILOVER/AVAILABILITY

Question: Verify that critical sites and points of authentication contain redundant AD systems.
Preferred control: The active directory implementation should include redundancy in:
• Hard drives in servers
• The number of AD servers at every site, as far as economically feasible
• The number of AD servers at every major site
• The number of AD servers for every Exchange server
• The number of global catalog domain controllers at each site
Sites without their own domain controllers and global catalogs depend on other sites for authentication and directory information and operate less efficiently.
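The following PowerShell, added here as an illustration and not part of the original work program, produces the per-site evidence the row above asks for: how many domain controllers and global catalogs each site has, across every domain of the forest, with a note for sites that have none or only one. It assumes the ActiveDirectory module and read access to the forest.

```powershell
# Added example, not from the original work program. Requires the ActiveDirectory
# module; queries every domain so the per-site count covers all DCs in the forest.
Import-Module ActiveDirectory

function Get-SiteCoverage {
    $forest = Get-ADForest
    $dcs    = @(foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d })
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $inSite = @($dcs | Where-Object Site -eq $site.Name)
        $gcs    = @($inSite | Where-Object IsGlobalCatalog)
        $issues = @()
        # A site with no DC may be intentional (a subnet-only site); it still means
        # every logon there crosses a WAN link, which is what the row is about.
        if     ($inSite.Count -eq 0) { $issues += 'no domain controller: authentication depends on another site' }
        elseif ($inSite.Count -lt 2) { $issues += 'single domain controller: no local failover' }
        if     ($gcs.Count -eq 0)    { $issues += 'no global catalog: logons and GC lookups depend on another site' }
        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = $inSite.Count
            GlobalCatalogs    = $gcs.Count
            Domains           = (($inSite.Domain | Sort-Object -Unique) -join ', ')
            Issues            = ($issues -join '; ')
        }
    }
}

Get-SiteCoverage | Sort-Object DomainControllers | Format-Table -AutoSize
```

For the failover test row later in this section, the same inventory tells you which DC can be taken out during maintenance: stop the Netlogon service on it, run `nltest /dsgetdc:<domain> /force` from a client in that site and confirm that another DC in the same site is returned, then record the result as the row requires.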

Question: Does redundancy exist around critical network paths to reduce potential single points of failure?
Preferred control: Critical paths in the network are redundant, and acceptable levels of network performance are documented.
• Network paths that support critical business functions are identified and documented.
• Redundant paths are provided within the network architecture.
• Service-level agreements with communication providers are in place.

Question: Are mechanisms in place to gather resource utilization statistics at each of the following levels?
• Database/application
• Platform
• Network
Preferred control: Procedures are defined for gathering, analyzing and reporting utilization statistics across the active directory implementation to ensure that system efficiency is maximized. Monitoring at all levels of the implementation is necessary for accurate software and hardware growth forecasts.

Question: Are supporting infrastructure change control processes integrated into active directory management to help ensure availability?
Preferred control: A policy defines the check-offs and team approvals required before introducing or updating technology in the active directory implementation. All proposed changes to the environment are discussed with and approved by the appropriate teams (e.g., the network team and the database team).

Question: Have active directory automatic failover tests been performed to validate that system redundancy is fully functional?
Preferred control: Periodic tests should confirm the automatic failover and redundancy of the active directory implementation. These tests can be performed during regular maintenance on one of the systems. The results of each failover test should be logged.
ACTIVE DIRECTORY AUDIT WORK PROGRAM:
INFRASTRUCTURE

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 4: Infrastructure.

GENERAL

Each row below records the key control question and the preferred controls/goal state for production; the Intent/Status of Designed Control and Owner(s) columns of the original table are left blank for the reviewer to complete.

Question: Has a system re-accreditation process been implemented to periodically evaluate the security configuration of the active directory infrastructure?
Preferred control: Management should establish a framework of adequate preventive and detective control measures to evaluate the security of the active directory infrastructure. Re-accreditation should be performed through security assessments, including penetration tests, server assessments and configuration checks.

Question: Has an incident response procedure been developed to handle possible system compromises?
Preferred control: An incident response procedure should define the activities to be performed in the event of a security breach. It should address the following:
• Has an emergency response plan, including team members, been defined?
• Are IS/IT personnel aware of the content of this plan?
• Is this plan updated periodically?
• Does this plan cover what to do and what not to do?

Question: Have business continuity plans (BCP) and disaster recovery plans been defined and implemented to cover the active directory implementation/devices?
Preferred control: The AD implementation and its devices should be included in formal BCP and DR plans. Periodic tests should confirm that the systems can be redeployed if necessary.

Question: Does the AD implementation integrate into (Insert Company)'s data classification efforts?
Preferred control: (Insert Company) has defined the types of data that exist within the company, the protection that must be afforded to each data type and the associated procedures for controlling access based on data type. Roles have been defined within the company that identify the groups permitted to access each category of data.

Question: Does the AD implementation integrate into (Insert Company)'s privacy management efforts?
Preferred control: (Insert Company) transmits, processes and stores private customer data and has a responsibility to protect this data from unauthorized disclosure and misuse. (Insert Company) is aware of the applicable privacy laws and regulations and has taken proactive measures to protect the data under its control.
PLATFORM CONFIGURATION

Question: Has a standard been implemented that defines the specific configuration of active directory systems throughout the (Insert Company) environment?
Preferred control: Policies ensure that standardized server configurations are used throughout the organization and that servers are built in a way that provides a high level of security for the machine and the (Insert Company) environment. These configuration standards should be reviewed periodically and updated with the latest security techniques.

Question: Have the necessary auditing and logging capabilities been enabled on the active directory implementation? Has policy documentation been created to determine and explain the reasoning for the audit levels applied?
Preferred control: Reviews confirm that the following events are recorded in the security audit logs:
• Successful and unsuccessful authentication attempts
• Successful accesses of security-critical resources
• Creation, modification or deletion of critical/sensitive files or database information
• Changes to users' security information
• Changes to system security configurations
• Execution of highly sensitive and critical applications
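The following PowerShell, added here as an illustration and not part of the original work program, turns the bullet list above into something a reviewer can run on a domain controller: for each bullet it names the Windows audit subcategories and Security log event IDs that record it, reads the effective audit policy with `auditpol`, and confirms that events with those IDs have actually been written recently, since an enabled policy with no SACL on the object still logs nothing. The mapping from bullets to subcategories is an assumption about how the organization interprets them and should be aligned with its documented audit policy.

```powershell
# Added example, not from the original work program. Run on a domain controller as
# an administrator. The bullet-to-subcategory mapping is an assumption; align it
# with the documented audit policy.
$auditMap = @(
    @{ Control       = 'Successful or unsuccessful authentication attempts'
       Subcategories = 'Logon', 'Credential Validation', 'Kerberos Authentication Service'
       EventIds      = 4624, 4625, 4776, 4768, 4771 }
    @{ Control       = 'Successful accesses of security-critical resources / sensitive files'
       Subcategories = 'Directory Service Access', 'File System'
       EventIds      = 4662, 4663 }            # these also need a SACL on the object itself
    @{ Control       = 'Changes to users'' security information'
       Subcategories = 'User Account Management', 'Security Group Management'
       EventIds      = 4720, 4722, 4724, 4726, 4738, 4728, 4732, 4756 }
    @{ Control       = 'Changes to system security configurations'
       Subcategories = 'Audit Policy Change', 'Authentication Policy Change'
       EventIds      = 4719, 4713, 4739 }
    @{ Control       = 'Program executions of highly sensitive and critical applications'
       Subcategories = 'Process Creation'
       EventIds      = 4688 }
)

# auditpol /r prints CSV; "Inclusion Setting" reads e.g. "Success and Failure" or "No Auditing".
function Get-AuditSetting([string]$Subcategory) {
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Test-AuditCoverage {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($entry in $auditMap) {
        $settings = @(foreach ($s in $entry.Subcategories) { "$s=$(Get-AuditSetting $s)" })
        # Policy can be on while nothing is logged (missing SACL, log cleared), so
        # also confirm at least one event with these IDs exists in the window.
        $seen = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $entry.EventIds; StartTime = $since } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
        $offCount = @($settings -match 'No Auditing').Count
        [pscustomobject]@{
            Control        = $entry.Control
            AuditPolicy    = ($settings -join '; ')
            EventsInWindow = [bool]$seen
            Gap            = ($offCount -gt 0) -or (-not $seen)
        }
    }
}

Test-AuditCoverage | Format-Table -Wrap -AutoSize
```

A `Gap` of true with the policy showing `Success and Failure` is the interesting case: it usually means the object-level SACL is missing, or that the log is being overwritten faster than the review interval, both of which belong in the finding.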

Question: Request a list of all services running on each of the active directory servers and verify that the running services have been approved for use.
• Do any of the services fall outside of policy? What actions were taken for these services to be approved for use?
• Verify that all approved services are bound to the appropriate system ports.
Preferred control: All services running on the servers have been approved for use, and the majority follow policy. Services falling outside of policy have a documented business need on file; the risks surrounding them have been fully investigated and the business owners have accepted responsibility for them. All services are configured to listen on the appropriate system ports.
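The following PowerShell, added here as an illustration and not part of the original work program, produces the service inventory the row above asks for on one AD server: every running service with the account it runs as, its process, the TCP and UDP ports that process is listening on, and whether the service is on the approved list. The approved list in the script is an assumption standing in for the organization's configuration standard and must be taken from that standard, not from here.

```powershell
# Added example, not from the original work program. Run on each AD server. The
# approved list is a placeholder for the organisation's configuration standard.
$approvedServices = @(
    'NTDS', 'Kdc', 'Netlogon', 'DNS', 'Dnscache', 'W32Time', 'DFSR', 'DFS',
    'EventLog', 'LanmanServer', 'RpcSs', 'RpcEptMapper', 'IsmServ', 'Winmgmt'
)

function Get-ServiceInventory {
    param([string[]]$Approved)
    # Listening ports keyed by owning PID. Services hosted in the same svchost.exe
    # share a PID and therefore show the same ports; the Pid column makes that visible.
    $tcp = Get-NetTCPConnection -State Listen | Group-Object OwningProcess -AsHashTable -AsString
    $udp = Get-NetUDPEndpoint                 | Group-Object OwningProcess -AsHashTable -AsString
    foreach ($svc in Get-CimInstance Win32_Service -Filter "State='Running'") {
        $procId = [string]$svc.ProcessId       # not $pid, which is PowerShell's own PID
        $ports  = @()
        if ($tcp -and $tcp[$procId]) { $ports += $tcp[$procId].LocalPort | ForEach-Object { "tcp/$_" } }
        if ($udp -and $udp[$procId]) { $ports += $udp[$procId].LocalPort | ForEach-Object { "udp/$_" } }
        [pscustomobject]@{
            Service  = $svc.Name
            Account  = $svc.StartName
            Pid      = $svc.ProcessId
            Ports    = (($ports | Sort-Object -Unique) -join ' ')
            Approved = ($Approved -contains $svc.Name)
            Path     = $svc.PathName
        }
    }
}

$inventory = Get-ServiceInventory -Approved $approvedServices

# Services outside policy: each needs a documented business need and an owner.
$inventory | Where-Object { -not $_.Approved } |
    Format-Table Service, Account, Pid, Ports, Path -AutoSize

# Port check for the approved services: anything listening on an unexpected port.
$inventory | Where-Object { $_.Approved -and $_.Ports } |
    Format-Table Service, Ports -AutoSize
```

Keep the full `$inventory` as the work paper and compare it against the previous run: a new service or a new port on an existing service is the change the control is meant to catch, and it is far easier to spot as a diff than in a fresh list.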

Question: Has a group policy, including security parameters, been distributed to all active directory systems?
Preferred control: The domain group policy object (GPO), "Default Domain Policy," should contain high-level settings that are pervasive across the domain, including:
• Password parameters
• An account lockout policy
• Warning banners
Domain controller group policy should be applied to all domain controllers and specify:
• Access control
• Authentication protocols
• File system access
• Available services
• Registry access
• Auditing and event logging
The general user policy should be applied to all users and include:
• Internet Explorer settings
• Screensaver protection
Workstation security policy settings should be applied to all workstations and include:
• Account policies
• User rights
• Security options
• Registry access
General security policies should be applied to all servers and include:
• Auditing and event logging
• Disabling of unneeded system services
• Enforcement of password and account policies

Question: Are all systems built on a secure file system that allows access controls?
Preferred control: All systems should use file systems configured as (Name). Other file systems do not allow server file permissions to be implemented.

Question: Has an anti-virus solution been implemented on all AD systems?
Preferred control: Management should establish a framework of adequate preventive and detective control measures against malicious software. The anti-virus solution should be fully implemented and monitored on all systems.

Question: Has a host-based IDS been implemented to detect unauthorized activities?
Preferred control: Intrusion detection systems (IDS) are implemented to help secure the environment and identify unauthorized activities.

PLATFORM SECURITY

Question: Verify that audit logs are maintained and regularly reviewed. Additionally, verify that unauthorized access attempts are investigated.
Preferred control: Management should ensure that violations and security activity are reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity. Unauthorized system access attempts are investigated. Incident management responsibilities and procedures should be established to ensure an appropriate, effective and orderly response to security incidents. Audit logs must be accessible, retained in their original format for a minimum of six months and reviewed weekly.

Question: Has a process been defined for the testing and installation of system patches and updates?
Preferred control: System patches and updates should be tested before deployment into production, and all updates should follow (Insert Company)'s change management and patch management policies. All appropriate patches and system upgrades are applied once they have been tested and verified as safe for the production environment. Operations personnel receive key security advisories, including information on new vulnerabilities and patches, from industry-recognized security groups and vendors (e.g., list vendors).

Question: Are mechanisms in place to gather resource-utilization statistics?
Preferred control: Procedures are defined for gathering, analyzing and reporting utilization statistics across the active directory systems to ensure that system efficiency is maximized. AD monitoring should include processor, disk utilization and network load.

Question: Has a process been implemented for the backup and recovery of all significant components of the active directory infrastructure?
Preferred control: Full and incremental backups should be performed on all critical active directory components, including the system state of the domain controllers. The process and schedule should be clearly defined and documented, and periodic full restorations from backup should be tested to verify that the process works.

Question: Are all significant active directory devices physically stored in a secure area?
Preferred control: Appropriate physical security and access control measures should be established for information services facilities in conformance with the general security policy, and access should be restricted to individuals who have been authorized. The measures cover:
• Environmental factor protection
• Uninterruptible power supply
• Data center structural integrity
• Data center location
Active directory equipment is stored in a secure, environmentally controlled area, which may include:
• Adequate fire suppression methods
• Raised flooring
• Keycard entry systems

Question: For maximum security, are server administration tasks carried out from the server console?
Preferred control: On the most critical servers of the active directory implementation, administration tasks should only be allowed from the server console; remote administration should not be permitted. Where remote administration cannot be avoided, it should be possible only from dedicated administrative hosts on a segment that ordinary user systems cannot reach.
ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION AND ACCESS
REQUEST PROCEDURES

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1e: User Management/Administration and Access Request Procedures.

Each row below records the key control question and the preferred controls/goal state for production; the Intent/Status of Designed Control and Owner(s) columns of the original table are left blank for the reviewer to complete.

Question: Are documented procedures implemented that define how user access is granted?
Preferred control: Policies and procedures should define a centralized method for providing user access. The process should also define a documented user request form that is archived after access has been verified, authorized and implemented.

Question: Has a documented approval tree been defined to approve and take responsibility for all access?
Preferred control: Formal approval by the business or data owners (or their designees) of each resource should be required before access is granted.

Question: Are documented user templates used for all levels of access in each forest and domain?
Preferred control: Access for a new user should be granted from the standard user template for the role, not copied from the access granted to a similar user. User templates should be defined for each user role or job title, and new users added to the appropriate role as needed.

Question: What additional controls have been implemented around contractor or temporary user access?
Preferred control: Account expiration dates should be set for temporary users (e.g., consultants and vendors) according to their estimated termination date. Contractor and temporary user accounts should be easily identifiable and enumerable.
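The following PowerShell, added here as an illustration and not part of the original work program, implements the contractor row above: it finds enabled accounts in the contractor OU with no expiration date, an expiration too far out, no identifying attribute or no manager to confirm the end date, shows the remediation, and enumerates accounts expiring soon or already expired but still enabled. The OU path, the use of the `employeeType` attribute as the identifying convention and the sample account and date are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example, not from the original work program. The contractor OU, the
# employeeType convention and the sample account/date are assumptions.
Import-Module ActiveDirectory

# Temporary accounts must be identifiable: here by OU and by employeeType (assumed convention).
$contractorOu = 'OU=Contractors,DC=corp,DC=example'

function Get-TemporaryAccountFindings {
    param([string]$SearchBase = $contractorOu, [int]$MaxDaysAhead = 365)
    $props = 'AccountExpirationDate', 'employeeType', 'Manager', 'LastLogonDate'
    foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props) {
        $issues = @()
        if (-not $u.AccountExpirationDate) {
            $issues += 'no expiration date'
        } elseif ($u.AccountExpirationDate -gt (Get-Date).AddDays($MaxDaysAhead)) {
            $issues += "expires more than $MaxDaysAhead days out"
        }
        if ($u.employeeType -ne 'Contractor') { $issues += "employeeType is '$($u.employeeType)', not Contractor" }
        if (-not $u.Manager)                  { $issues += 'no manager to confirm the end date' }
        if ($issues) {
            [pscustomobject]@{
                Account   = $u.SamAccountName
                Expires   = $u.AccountExpirationDate
                LastLogon = $u.LastLogonDate
                Issues    = ($issues -join '; ')
            }
        }
    }
}

# Remediation for the first finding: the estimated end date from the access request.
function Set-TemporaryAccountExpiry {
    param([string]$SamAccountName, [datetime]$EndDate)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $EndDate
    Set-ADUser -Identity $SamAccountName -Replace @{ employeeType = 'Contractor' }
}

Get-TemporaryAccountFindings | Format-Table -AutoSize
# Set-TemporaryAccountExpiry -SamAccountName 'c.jdoe' -EndDate '2025-06-30'   # assumed account and date

# Enumeration the row asks for: accounts expiring within two weeks (time to confirm an
# extension with the manager) and accounts already expired but still enabled, which
# should be disabled rather than left to the expiry alone.
Search-ADAccount -AccountExpiring -TimeSpan 14.00:00:00 -SearchBase $contractorOu |
    Select-Object SamAccountName, AccountExpirationDate
Search-ADAccount -AccountExpired -SearchBase $contractorOu | Where-Object Enabled |
    Select-Object SamAccountName, AccountExpirationDate
```

An expired account still exists with all its group memberships and can be re-enabled by anyone with rights on the OU, which is why the last query matters: expiry is the safety net, disablement and eventual deletion are the termination control.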
ACTIVE DIRECTORY WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION – GENERAL

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1: User Management/Administration – General.

Each row below records the key control question and the preferred controls/goal state for production; the Intent/Status of Designed Control and Owner(s) columns of the original table are left blank for the reviewer to complete.

Question: Request and review policies regarding user management and administration.
• Are the policies complete and detailed?
• How often are the policies reviewed for accuracy?
Preferred control: Policies are detailed and cover all relevant areas of concern, including security and access controls. Policies are reviewed regularly to ensure their accuracy and relevance.

Question: Have the policies been accepted by the affected individuals and/or groups?
• Are these individuals and/or groups adhering to the policies?
Preferred control: All affected individuals and groups have adopted the stated policies and conduct their business according to them. Periodic checks with the affected members help ensure the relevance and acceptance of the policies.

Question: Does a formal information security policy exist?
Preferred control: A formal security policy has been created and made available to all (Insert Company) personnel. A security training and awareness program exists for all end users:
• A formalized security training process for all new users is in place.
• Corporate information security policies are periodically distributed to all users.
Policies include:
• Responsibilities for information security, covering policy design, managing deployment, monitoring security and implementing the technical infrastructure
• Enforcement mechanisms

Question: Are user maintenance procedures defined to ensure that user accounts are provisioned and terminated promptly and that users have access rights appropriate to their business functions (need-to-know)?
Preferred control: Formal documented procedures for granting and maintaining user access to production resources exist. Management techniques could include:
• Using the help desk or HR as a central point of contact.
• Enhancing request forms so that they state the specific user access required.
• Identifying business unit owners with the authority to submit access request forms.
Tools for automating and managing the process of granting access to multiple resources based on job profiles are used. Enterprise management software packages could be used to:
• Provide single sign-on across all platforms.
• Manage user IDs and password security.
• Provide real-time access monitoring.
• Group users and resources by job function to facilitate administration.
A communication process between the business unit managers and security administration is used to verify that user access levels are appropriate. Administrators receive regularly updated termination reports from human resources.
• Periodic automated comparisons against the human resources or payroll system are performed to identify discrepancies.
Maintenance procedures include reviewing the following items:
• User status (e.g., active, inactive, locked)
• User access levels to production resources
Responsibilities for communicating all contractor employment activities are assigned. Business unit managers are identified as responsible for determining user access.
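The following PowerShell, added here as an illustration and not part of the original work program, is one way to run the periodic comparison against the HR or payroll system that the row above calls for. The comparison logic is a plain function over two lists; the HR export and the AD sample below are constructed data so the function runs without a directory, and the commented `Get-ADUser` call shows where the real AD input comes from. Column names in the HR export are assumptions.

```powershell
# Added example, not from the original work program. The HR export columns, the
# sample records and the AD sample are constructed for illustration.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Compare-ADToHR {
    param([object[]]$AdUsers, [object[]]$HrRecords)
    $hr = @{}; foreach ($r in $HrRecords) { $hr[$r.SamAccountName.ToLower()] = $r }
    $ad = @{}; foreach ($u in $AdUsers)   { $ad[$u.SamAccountName.ToLower()] = $u }

    foreach ($u in $AdUsers) {
        $key = $u.SamAccountName.ToLower()
        if (-not $hr.ContainsKey($key)) {
            # Unknown to HR: orphan, service account, or contractor with no HR record.
            # Service accounts should be excluded by OU or naming convention before review.
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'enabled in AD, no HR record';       Detail = $u.Description }
        } elseif ($hr[$key].Status -ne 'Active' -and $u.Enabled) {
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'enabled in AD, terminated in HR';   Detail = "HR end date $($hr[$key].EndDate)" }
        } elseif ($hr[$key].Title -ne $u.Title) {
            # A changed job title is the trigger for re-checking access against the role template.
            [pscustomobject]@{ Account = $u.SamAccountName; Finding = 'job title changed in HR';           Detail = "AD '$($u.Title)' vs HR '$($hr[$key].Title)'" }
        }
    }
    foreach ($r in ($HrRecords | Where-Object Status -eq 'Active')) {
        if (-not $ad.ContainsKey($r.SamAccountName.ToLower())) {
            [pscustomobject]@{ Account = $r.SamAccountName; Finding = 'active in HR, no AD account'; Detail = "start date $($r.StartDate)" }
        }
    }
}

# Constructed HR export, in the shape a CSV from the HR/payroll system would have.
$hrExport = @'
SamAccountName,Status,Title,StartDate,EndDate
jdoe,Active,Accountant,2021-03-01,
asmith,Terminated,Analyst,2019-07-15,2024-01-31
bkhan,Active,Developer,2024-02-12,
'@ | ConvertFrom-Csv

# Constructed AD sample. In production use instead:
#   $adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties Title, Description
$adSample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       Enabled = $true; Title = 'Senior Accountant'; Description = '' }
    [pscustomobject]@{ SamAccountName = 'asmith';     Enabled = $true; Title = 'Analyst';           Description = '' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true; Title = $null;               Description = 'Backup service account' }
)

Compare-ADToHR -AdUsers $adSample -HrRecords $hrExport | Format-Table -AutoSize

# "User status" review from the same row: enabled accounts with no logon in 90 days.
# Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Where-Object Enabled |
#     Select-Object SamAccountName, LastLogonDate
```

Each finding names the account and why it was raised, so the output can go straight to the business unit manager the row identifies as responsible for access decisions; the stale-account query is the complementary check for accounts that HR considers active but nobody uses.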

Have the user management Polices are distributed to all affected


policies been distributed to individuals and groups and are also
all affected individuals easily accessible on (Insert Company)’s
and/or groups? intranet.
• When changes are made When critical changes are made to the
to the policies, how are policies, the policies are redistributed.
the policies redistributed? Fewer changes are communicated to all
affected parties with copies of the
policies readily available via the
company intranet.

Key Control Question(s): Discuss the authentication controls and account restrictions for users.
• What is the minimum and maximum password length?
• How often do passwords expire?
• Can passwords match usernames?
• Can users repeat passwords, and how many generations of password history are maintained?
• How many invalid login attempts does it take for an account to become disabled?
• Do passwords require alphanumeric characters?
• Are there current policies and procedures to monitor event logs for failed logins or other security breaches?
• Is there a procedure to alert management if a user gets locked out of the system a certain number of times (e.g., after several failed logins, a user is locked out and must call the help desk to become re-enabled)?
• Are passwords case sensitive?
• Are new users prompted to change temporary passwords upon logging in for the first time?
• Do the password controls apply to all accounts, including all administrator accounts?
Preferred Controls/Goal State for Production: Temporary passwords for new accounts must be changed immediately.
The following audit controls are set for administrators:
• Minimum password length of X characters
• Passwords must use characters from at least X of the following categories:
− Uppercase letters
− Lowercase letters
− Numbers
− Nonalphanumeric symbols
• All passwords used on the same system in the past year must be significantly different.
• Force user password changes every X days.
• Force administrator password changes every X days.
• Passwords cannot be changed more frequently than every X days unless a password compromise is suspected.
• Disable accounts after X invalid login attempts for X minutes.
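The password and lockout thresholds above can be read from the domain and compared with whatever values (Insert Company) substitutes for "X". The following is an added PowerShell example, not part of the work program; it assumes the ActiveDirectory RSAT module, and the numbers in $Expected are assumed audit thresholds, not values the program specifies.

```powershell
# Added example, not part of the work program: compare the effective default domain
# password policy with the audit thresholds the program leaves as "X".
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Assumed values for the program's "X" placeholders; replace with (Insert Company)'s standard.
$Expected = @{
    MinPasswordLength    = 14   # "minimum password length of X characters"
    MaxPasswordAgeDays   = 90   # "force user password changes every X days"
    MinPasswordAgeDays   = 1    # "cannot be changed more frequently than every X days"
    PasswordHistoryCount = 24   # history depth behind "must be significantly different"
    LockoutThreshold     = 5    # "disable accounts after X invalid login attempts"
    LockoutDurationMin   = 30   # "... for X minutes"
}

$p = Get-ADDefaultDomainPasswordPolicy
$maxAgeDays  = $p.MaxPasswordAge.TotalDays        # 0 means passwords never expire: a fail
$lockoutMins = $p.LockoutDuration.TotalMinutes    # 0 means locked until an administrator unlocks: stricter, so a pass

$checks = @(
    [pscustomobject]@{ Control = 'Minimum length';          Actual = $p.MinPasswordLength;            Pass = $p.MinPasswordLength -ge $Expected.MinPasswordLength }
    [pscustomobject]@{ Control = 'Complexity enabled';      Actual = $p.ComplexityEnabled;            Pass = [bool]$p.ComplexityEnabled }
    [pscustomobject]@{ Control = 'Maximum age (days)';      Actual = $maxAgeDays;                     Pass = ($maxAgeDays -gt 0) -and ($maxAgeDays -le $Expected.MaxPasswordAgeDays) }
    [pscustomobject]@{ Control = 'Minimum age (days)';      Actual = $p.MinPasswordAge.TotalDays;     Pass = $p.MinPasswordAge.TotalDays -ge $Expected.MinPasswordAgeDays }
    [pscustomobject]@{ Control = 'History count';           Actual = $p.PasswordHistoryCount;         Pass = $p.PasswordHistoryCount -ge $Expected.PasswordHistoryCount }
    [pscustomobject]@{ Control = 'Lockout threshold';       Actual = $p.LockoutThreshold;             Pass = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $Expected.LockoutThreshold) }
    [pscustomobject]@{ Control = 'Lockout duration (min)';  Actual = $lockoutMins;                    Pass = ($lockoutMins -eq 0) -or ($lockoutMins -ge $Expected.LockoutDurationMin) }
    [pscustomobject]@{ Control = 'Reversible encryption off'; Actual = $p.ReversibleEncryptionEnabled; Pass = -not $p.ReversibleEncryptionEnabled }
)
$checks | Format-Table -AutoSize

# The program sets a separate expiry for administrators; in AD that is done with a
# fine-grained password policy (PSO), so list every PSO and the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength,
                  @{ n = 'MaxPasswordAgeDays'; e = { $_.MaxPasswordAge.TotalDays } },
                  LockoutThreshold, AppliesTo |
    Format-Table -AutoSize
```

If no PSO is returned, administrators inherit the default policy and the "administrator password changes every X days" control cannot be met separately from the user value.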

Key Control Question(s): Are appropriate rules and standards defined for the following items?
• User ID naming conventions
• Temporary employee naming conventions
• Administrator ID naming conventions
Preferred Controls/Goal State for Production: Standards should be implemented for the consistent naming of user, temporary and powerful administrator accounts.

Key Control Question(s): Are all sources of new, modified or terminated employees, contractors and temporary employee processes adequately tied into user management processes?
Preferred Controls/Goal State for Production: Human resources processes should be tied into IT processes to identify and inform ID administrators that users have been hired, terminated or have changed job titles.
Contractor or temporary user access should have additional processes implemented to confirm that the access is still necessary.

Key Control Question(s): Do all system resources have a data/business owner who is ultimately responsible for security decisions?
Preferred Controls/Goal State for Production: Every (Insert Company) business application or resource should have a defined data or business owner who is responsible for protecting the data contained within the resource.

ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION AND POWERFUL USER
RIGHTS

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1: User Management/Administration and Powerful User Rights.

Columns: Key Control Question(s) | Preferred Controls/Goal State for Production | Intent/Status of Designed Control | Owner(s)
(The Intent/Status of Designed Control and Owner(s) columns are blank in this template and are completed for each control during the audit.)

Key Control Question(s): Determine how powerful access is granted. Verify that extra controls have been implemented to limit the ability to create a powerful account.
Preferred Controls/Goal State for Production: Powerful access should be granted after additional approvals have been received from additional management and business owners with a strict business need. Administrative access should be granular and ensure segregation of duties.

Key Control Question(s): Verify that user accounts with powerful rights can be easily identified and enumerated. Identify all powerful user accounts that contain the following rights:
• Schema administrators
• Enterprise administrators
• Domain administrators
• Active directory server administrators
Preferred Controls/Goal State for Production: Verify that a limited number of users have been designated as having administrator privileges. Domain administrators and schema administrators should be the most controlled accounts in the environment.
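One way to produce the list of powerful accounts this step asks for, as an added PowerShell example that is not part of the work program: it assumes the ActiveDirectory module, that it is run in the forest root domain (Schema Admins and Enterprise Admins exist only there), and it reads the program's "active directory server administrators" as the built-in Administrators group.

```powershell
# Added example, not part of the work program: enumerate the accounts holding the
# powerful rights the program lists. Assumes the ActiveDirectory module and that it
# is run in the forest root domain; "Active directory server administrators" is
# read here as the built-in Administrators group (an assumption of this example).
Import-Module ActiveDirectory

$privilegedGroups = 'Schema Admins', 'Enterprise Admins', 'Domain Admins', 'Administrators'

$members = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
            Select-Object @{ n = 'PrivilegedGroup'; e = { $group } },
                          SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
    } catch {
        Write-Warning "Could not enumerate ${group}: $_"
    }
}

# One row per account listing every powerful group it reaches; the row count is the
# "limited number of users" the control asks the auditor to verify.
$report = $members | Group-Object SamAccountName | ForEach-Object {
    [pscustomobject]@{
        SamAccountName       = $_.Name
        PrivilegedGroups     = ($_.Group.PrivilegedGroup | Sort-Object -Unique) -join ', '
        Enabled              = $_.Group[0].Enabled
        LastLogonDate        = $_.Group[0].LastLogonDate
        PasswordLastSet      = $_.Group[0].PasswordLastSet
        PasswordNeverExpires = $_.Group[0].PasswordNeverExpires   # conflicts with the administrator expiry control
    }
}
$report | Sort-Object SamAccountName | Format-Table -AutoSize
"Distinct powerful accounts: $($report.Count)"

# adminCount=1 is set on accounts that were ever in a protected group. Any that no
# longer appear above carry stale protection flags and non-inherited ACLs; review them.
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.SamAccountName -notin $report.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```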

Key Control Question(s): Review users with powerful user rights to the active directory implementation and verify that permissions are appropriately based on job requirements and employment status.
Preferred Controls/Goal State for Production: Permissions should be configured to only provide the minimum rights necessary to complete business-designated tasks.

Key Control Question(s): Has a process been implemented to periodically review users with powerful user rights to determine if their access rights are still required to complete business objectives?
Preferred Controls/Goal State for Production: Administrator rights should be reviewed semiannually and after any role changes. Authorizations for special/privileged access rights are reviewed quarterly.

Key Control Question(s): Verify that appropriate segregation of duties exists for active directory administrators.
Preferred Controls/Goal State for Production: Administrative access should be granular and ensure segregation of duties. Administrator roles should be limited to specific servers or specific tasks (an administrator should have access only to the servers and management tasks their role requires).

Key Control Question(s): Have the out-of-the-box (default) administrator accounts been secured?
Preferred Controls/Goal State for Production: The following tasks should be performed on default administrator accounts on all AD systems:
• Administrator accounts have been renamed to something not obvious.
• A new account called “Administrator” has been created with no privileges and is subject to regular auditing and investigation.
• The administrator account name and password are kept in a sealed envelope in a fireproof box.
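The renamed-account and decoy-account items above can be verified against the directory. This is an added PowerShell example, not part of the work program; it assumes the ActiveDirectory module and relies on the built-in account keeping its well-known relative identifier (RID 500) whatever it has been renamed to.

```powershell
# Added example, not part of the work program: check the built-in administrator
# account (always RID 500, regardless of its current name) and any decoy account
# that carries the name "Administrator". Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$builtin   = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate, PasswordLastSet

[pscustomobject]@{
    Check           = 'Built-in administrator (RID 500)'
    CurrentName     = $builtin.SamAccountName
    Renamed         = $builtin.SamAccountName -ne 'Administrator'   # control: renamed to something not obvious
    Enabled         = $builtin.Enabled
    LastLogonDate   = $builtin.LastLogonDate                          # a sealed-envelope account should rarely log on
    PasswordLastSet = $builtin.PasswordLastSet
} | Format-List

# The control calls for a decoy "Administrator" with no privileges that is audited.
# memberOf does not list the primary group (Domain Users), so any entry means extra rights.
$decoy = Get-ADUser -Filter "SamAccountName -eq 'Administrator'" -Properties MemberOf, Enabled, LastLogonDate
if (-not $decoy) {
    'No decoy account named "Administrator" exists.'
} elseif ($decoy.SID.Value -eq "$domainSid-500") {
    'The built-in account still uses the name "Administrator"; it has not been renamed.'
} else {
    [pscustomobject]@{
        Check         = 'Decoy "Administrator"'
        Enabled       = $decoy.Enabled
        HasPrivileges = ($decoy.MemberOf.Count -gt 0)   # must be $false for the control to hold
        MemberOf      = $decoy.MemberOf -join '; '
        LastLogonDate = $decoy.LastLogonDate            # any logon to the decoy warrants investigation
    } | Format-List
}
```

Logon attempts against the decoy are what the "regular auditing and investigation" item refers to; they appear in the domain controllers' security logs under the decoy's name.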

Key Control Question(s): Determine if administrators use several separate accounts – a number for powerful administrative use and a number for day-to-day activities.
Preferred Controls/Goal State for Production: Administrators should use several separate user accounts; a number of accounts should be used for normal daily activities, and a number of accounts should be used for all powerful administration tasks. Administrators should use the “run as” program to perform powerful tasks.

ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION AND USER ID
CREATION

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1: User Management/Administration and User ID Creation.

Columns: Key Control Question(s) | Preferred Controls/Goal State for Production | Intent/Status of Designed Control | Owner(s)
(The Intent/Status of Designed Control and Owner(s) columns are blank in this template and are completed for each control during the audit.)

Key Control Question(s): Are the (Insert Company) user security principles communicated to users before they are permitted access to the system?
Preferred Controls/Goal State for Production: (Insert Company) employees should agree to and sign an “acceptable use of technology resources” document where they agree to comply with the following items:
• Access will be subject to monitoring.
• Employees must comply with all (Insert Company) IT policies and procedures.
• Employees will not share usernames or passwords.
The integrity of the signature should be maintained, and the original document should be archived.

Key Control Question(s): Has user access been restricted to the minimum set of privileges needed to carry out their duties on a “need-to-know” or “need-to-do” basis?
Preferred Controls/Goal State for Production: Users should be given no more access than is required to fulfill their business functions.

Key Control Question(s): Have users been organized into sensible and well-structured groups for control and management purposes?
Preferred Controls/Goal State for Production: All access should only be granted to specific group objects. User accounts should then be added to or removed from various group objects to provide access.
User access should never be granted to specific users but to a group of users. This allows the reuse of common permissions between different populations of users. Group objects should be clearly defined and organized.

Key Control Question(s): Are all users granted unique user accounts?
Preferred Controls/Goal State for Production: All users should have a unique user account that is used to perform all tasks. The use of group or shared accounts should be banned to help ensure accountability for all actions.

Key Control Question(s): How are passwords generated and distributed for new user accounts?
Preferred Controls/Goal State for Production: Temporary passwords for new accounts should be created using a random algorithm and distributed using secure means to the new users.
The first time the user authenticates the account, the user should be forced to change the temporary password.

ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION – USER ID
MAINTENANCE

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1: User Management/Administration – User ID Maintenance.

Columns: Key Control Question(s) | Preferred Controls/Goal State for Production | Intent/Status of Designed Control | Owner(s)
(The Intent/Status of Designed Control and Owner(s) columns are blank in this template and are completed for each control during the audit.)

Key Control Question(s): Are all user accounts periodically reviewed to identify inactive accounts or accounts with unnecessary access?
Preferred Controls/Goal State for Production: Automated tools should be implemented to automatically disable inactive or dormant user accounts after X days of inactivity.
All accounts should be reviewed to identify accounts that are not authorized or necessary. User accounts and groups should also be reviewed to identify possible conflicts of interest.
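An added PowerShell example (not part of the work program) of the automated inactive-account review described above; it assumes the ActiveDirectory module, and $InactiveDays stands for the program's "X days". It reports first and only disables when $Disable is set, so the list can be reviewed before anything changes.

```powershell
# Added example, not part of the work program: find enabled user accounts with no
# logon in the last X days, report them, and optionally disable them with a
# description recording why. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 90        # assumed value for the program's "X days of inactivity"
$Disable      = $false    # set to $true only after the report has been reviewed
$Exclusions   = @()       # e.g. approved service accounts that never log on interactively (assumed list)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a
# 14-day lag, so a window shorter than that produces false positives.
$dormant = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and ($_.SamAccountName -notin $Exclusions) } |
    Get-ADUser -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
    Where-Object {
        # Accounts that have never logged on have no LastLogonDate; judge those by age,
        # so a brand-new account is not disabled before its owner's first logon.
        $_.LastLogonDate -or ($_.whenCreated -lt (Get-Date).AddDays(-$InactiveDays))
    }

$dormant |
    Select-Object SamAccountName, LastLogonDate, whenCreated, PasswordLastSet, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
"Dormant enabled accounts: $(@($dormant).Count)"

if ($Disable) {
    foreach ($u in $dormant) {
        $stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days (account review)"
        # Disable rather than delete, so the account and its history stay reviewable.
        Set-ADUser -Identity $u -Description $stamp -WhatIf
        Disable-ADAccount -Identity $u -WhatIf     # remove -WhatIf on both lines to apply
    }
}
```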

Key Control Question(s): How are position/role changes and user account changes accomplished?
Preferred Controls/Goal State for Production: A documented change request form should exist for any user ID maintenance or account change. This document should be archived after the change is implemented.
Any change requests should include the appropriate level of approval, including the business and/or data owner of the resource requested.
Position changes should ensure that the removal of no longer required access is also included as part of this process.

Key Control Question(s): Are user rights, permissions and privileges frequently reviewed and authorized by the data/business owner for the resource?
Preferred Controls/Goal State for Production: Periodic reviews (quarterly or semiannually) should be performed on user access to ensure that access is granted based on business needs.
The data/business owner should review all users that have access to the resource to validate that the access is still necessary.

Key Control Question(s): Determine how user password resets are managed. Who has access to reset a user’s password?
Preferred Controls/Goal State for Production: A central group, separate from those who create new user accounts, should manage password resets. Account passwords should only be reset after users successfully prove their identity. Powerful account users should have additional verification performed before their accounts are reset.

Key Control Question(s): Are users required to periodically sign an “acceptable use of technology resources” document?
Preferred Controls/Goal State for Production: Users should be required to periodically sign the current version of an “acceptable use of technology resources” document. The integrity of the signature should be maintained and the original document should be archived.

Key Control Question(s): Are reviews performed on all account passwords to validate compliance with (Insert Company) defined standards?
Preferred Controls/Goal State for Production: Annual reconciliations of password parameters for the (Insert Company) active directory implementation should be performed to identify passwords that do not comply with (Insert Company) defined policies and procedures.

Key Control Question(s): Are tools used to monitor unused group permissions and remove unnecessary access?
Preferred Controls/Goal State for Production: Additionally, tools should be implemented to help security administrators create more granular group permissions. These tools should identify group permissions that are not currently being used, and disable the unnecessary access.

ACTIVE DIRECTORY AUDIT WORK PROGRAM: USER
MANAGEMENT/ADMINISTRATION AND USER ID
TERMINATION

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:
• User Management/Administration
− General
− User ID Creation
− User ID Maintenance
− User ID Termination
− Access Request Procedures
− Powerful User Rights
• Architecture/Design
− General
− Domain Structure
− Supporting Infrastructure
− Failover/Availability
• Replication
− General
− Database Maintenance
− Replication Management
• Infrastructure
− General
− Platform Configuration
− Platform Security

This is Section 1: User Management/Administration and User ID Termination.

Columns: Key Control Question(s) | Preferred Controls/Goal State for Production | Intent/Status of Designed Control | Owner(s)
(The Intent/Status of Designed Control and Owner(s) columns are blank in this template and are completed for each control during the audit.)

Key Control Question(s): Verify that specific controls and procedures have been implemented for dismissing users, especially users with powerful access.
Preferred Controls/Goal State for Production: A defined process should be followed for all user access when employment is terminated. Additional controls should be implemented for users with powerful access, including immediately escorting the user from the property.

Key Control Question(s): Are user accounts immediately deleted or disabled when an employee is terminated?
Preferred Controls/Goal State for Production: User account access should be disabled concurrently with a termination notice.

Key Control Question(s): How long are dormant (disabled) terminated user accounts retained before they are deleted?
Preferred Controls/Goal State for Production: Dormant (disabled) terminated user accounts should be deleted several days after the time the account was disabled.
