Risk Advisory Services Consultant
When planning an Active Directory audit, the auditor should consider 5 areas that are most important for understanding the overall picture of the Active Directory environment.
1.) Active Directory Governance – In planning an Active Directory audit, the auditor should consider the way the organization’s control environment is established and maintained. Control environments are established and maintained through documented policies and procedures. These policies and procedures should be reviewed and updated at least on an annual basis. The auditor should also consider the technical competence of the individuals who have oversight of Active Directory, as well as those they report to.
2.) Active Directory Design – When planning an Active Directory audit, the design of the Active Directory structure should be considered. The following aspects should be addressed when planning the audit:
- The organization’s Active Directory structure
- The segregation of duties related to Active Directory, such as:
  - Making Changes
- The servers utilized for Domain Controllers.
- The configuration of the forest trust and the authorization required to establish trusts between forests.
4.) Active Directory Logging and Audit – When planning to audit Active Directory, it is important to make sure events are being logged in the Domain Controller audit logs. An audit log is a document that shows the user that performed the activity, what activity was performed, when the activity was performed, and how the system behaved during the activity. When considering the audit log, the auditor should look for controls that make sure the configurations are set to properly record events. The configuration settings can be compared to the settings within the User Rights Assignment policy. The auditor would also want to make sure the logs are being properly aggregated and reviewed. The auditor should ask if the organization uses a Security Information and Event Management (SIEM) software solution to aggregate and analyze activity across the IT infrastructure. The SIEM provides real-time analysis of security alerts, so the auditor should inquire of IT management how appropriate personnel are notified of the alerts.
5.) Active Directory Administrator Access – The personnel with administrator access should be appropriate based on the job duties that come with their job title. The auditor of an organization’s Active Directory should plan to interview the personnel with administrator access. Administrative access gives an account significant power within the organization’s network and must be secured and closely monitored. Therefore, auditors should be very diligent when planning the testing procedures that investigate who has administrator access and confirm that the access is appropriate.
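
One way to pull the population for the administrator access review described above, as an added example that is not part of the original article. It assumes a single domain, the ActiveDirectory PowerShell module, and read access to the directory; the 90-day threshold, the `ReviewFlags` column and the output file name are illustrative choices.

```powershell
# Added example: population for a privileged-access review.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Built-in privileged groups; add the organization's own delegated admin groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$staleAfterDays   = 90   # assumed review threshold, not from the article
$staleCutoff      = (Get-Date).AddDays(-$staleAfterDays)

$report = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    }
    catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Could not read group '$groupName': $($_.Exception.Message)"
        continue
    }

    foreach ($member in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties Title, Department, Enabled, LastLogonDate, PasswordLastSet

        # Flag conditions the auditor will want to raise in the interviews.
        $flags = @()
        if (-not $user.Enabled) { $flags += 'disabled account still in group' }
        if (-not $user.Title)   { $flags += 'no job title recorded' }
        # LastLogonDate comes from lastLogonTimestamp, which can lag by up to about 14 days.
        if (-not $user.LastLogonDate -or $user.LastLogonDate -lt $staleCutoff) {
            $flags += "no logon in $staleAfterDays days"
        }

        [pscustomobject]@{
            Group           = $groupName
            SamAccountName  = $user.SamAccountName
            Name            = $user.Name
            Title           = $user.Title
            Department      = $user.Department
            Enabled         = $user.Enabled
            LastLogonDate   = $user.LastLogonDate
            PasswordLastSet = $user.PasswordLastSet
            ReviewFlags     = $flags -join '; '
        }
    }
}

$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path .\privileged-access-review.csv -NoTypeInformation
```

The resulting CSV gives one row per account per privileged group, so the job title column can be compared against the duties discussed in the interviews.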