Active Directory Security

출처:http://it-audit.sans.org/community/checklists/active-directory-security

• Verify that all servers acting as Active Directory or Global Catalog Servers are documented and authorized
• Verify that the location of the FSMO masters is well documented
  • Verify that a plan exists to ensure that FSMO roles are transferred should a FSMO master be decommissioned
• Verify that all Active Directory peers are replicating successfully and that replication schedules, if necessary, are appropriate

• Password Policies
  • Verify that password complexity requirements are correct
  • Verify that password history policies are correct
  • Verify that password aging requirements are correct
  • Verify that LM and NTLMv1 are refused by Active Directory and member servers according to Group Policy
• Transport Level Encryption
  • Ensure data encryption policies match organizational encryption requirements
    • Is data compartmentalized based on sensitivity?
    • Is data of different classification levels residing on the same physical server?
    • Are Group Policies being enforced to ensure sensitive data is properly encrypted while in transport?
  • Verify that message signing is enabled for all systems in the domain
• Verify that remote access to servers is restricted to appropriate groups
• Ensure that groups are being used to assign file permissions
• Ensure that Group Policy is being used to assign all rights and to manage critical group membership

• Verify that audit logging is enabled
• Verify that the local storage size of the logs is appropriate
• Verify that a mechanism exists to aggregate event logs to a centralized location
• Verify that audit logs are reviewed daily for security and stability incidents
• Verify that all remote access mechanisms have appropriate audit logging enabled

• Verify that all servers are in a physically secured limited access facility
• Verify that an access log exists to track physical to servers
• Verify that the physical access log can not be accessed/modified by individuals with access to the server facility
• Verify that, where appropriate, servers are physically secured within the facility (direct access to the physical server is limited through a locked rack, etc.)
• Verify that consoles are locked or otherwise disabled when not in use

• Verify that the time within the domain is synchronized to a stratum 1 or stratum 2 time service
• Verify that Active Directory servers are dedicated to that purpose, implementing the principles of separation of duties and economy of mechanism
• Verify that all services configured for startup are necessary for the purpose of the servers examined
• Verify that all appropriate patches have been applied in a reasonable amount of time from release
• Verify that, where appropriate, DACLs and SACLs have been configured on critical or otherwise sensitive directory objects
• Verify that the Schema Administrators group has no members
  • Inquire as to the process followed when a schema change is required
  • Is the process reasonable?
  • Does the process protect the Active Directory Schema Master from unauthorized change?
  • Does the process protect the Active Directory Schema Master from corruption?
• Verify any cross domain trust relationships are appropriate, documented and authorized
• Verify that the Active Directory is functioning at the highest functional level permitted by deployed systems
• Verify that all service accounts have sufficiently long and complex passwords that they need not be changed
  • Verify that the service account passwords are not known
• Verify that Administrators are using differentiated accounts with administrative rights rather than a single “Administrator” account
  • Verify that administrators have separate accounts for day to day activities versus administrative activities
  • Verify that the administrative accounts are being used only for administrative functions
• Verify that there are no undocumented, unused or inactive accounts in the Active Directory
• Verify that all accounts in the Active Directory are for Service Accounts or current active users in the environment