Auditing Windows and Active Directory

About the course

The Windows Server family is constantly introducing new areas for the IT auditor to review. Windows Server 2008 brought new control features such as granular audit policies and new password controls. Windows Server Core (new with the Server 2008 range) brings new challenges for the auditor: how do you audit a version of Windows that doesn't have a graphical desktop?

In this intensive practical course, you will learn how to plan and carry out an audit of a Windows Server-based installation. Each student will be provided with their own Windows workstation and a range of Windows Server software tools to use, including software intended for the use of systems administrators, and not normally provided to a Windows user. We will cover Windows 2008 with a look at Windows 2012 to ensure that you'll be fully up to date no matter what mix of systems your company's data centre may be using!

At the end of the event, you will have all the essential knowledge required to conduct a successful Windows Server audit.

Course Content

A basic Windows operating system audit
Windows versions.
Operating system roles.
Auditing Windows Services.
User rights and admin rights.

Active Directory Objects
Forests and Trees.
Domains and Sites.
OUs, Groups and Users.
Risks of inappropriate forest/domain configuration.
Risks of trust relationships in an AD forest.

Reviewing the deployment of Active Directory
Risks of poor deployment decisions.
Replication risks.
Accidental deletion of AD objects.
Workstation/server controls in an AD environment.
Risks associated with workstation and server domain membership.

AD security and control features in Server 2008
Read-only domain controllers.
Selective replication.
Domain controller loss/theft mitigation.
AD object deletion protection.

AD User and group management
Risks of poor user account control.
Incorrect and inappropriate group membership.
Control of dormant accounts.
Risks associated with service accounts.

Account control features in Server 2008
Granular password policies.
New service account management tools.

Windows Server Core 2008
Typical Server Core roles and deployments.
Auditing Server Core installations with remote admin tools and PowerShell.

Object permissions in Active Directory and what they mean
Risks of incorrect object permissions for AD and other objects.
Risks of delegation and how to assess them.

Group Policy Objects and how they are used
Risks of poor Group Policy design, deployment and monitoring.
The Group Policy Management Console and how to use it in a GP audit.

Auditing
How the Windows auditing and event log system works.
Risks of improper audit logging configuration and monitoring.
Auditing features in Server 2008.
Granular audit policies.
Event log forwarding.
Risks of inappropriate file and directory access permissions.
How to assess permissions cost-effectively.

Useful software
DumpSec.
MBSA.
Log dumper tools.
The built-in NET commands.
Using scripts to control and audit Windows Server and AD.
PowerShell and its audit uses.
The Windows and AD audit programme.
