Active Directory Audit Checklist: 5 Planning Considerations

By Tim Harvey on June, 29 2020
Back to main Blog
Tim Harvey

Risk Advisory Services Consultant

Freed Maxick Blog Audit

When planning an Active Directory audit, there are 5 areas the auditor should consider that are most important to understand the overall picture of the Active Directory environment.

1.) Active Directory Governance – In planning an Active Directory audit, the auditor should consider the way the organization’s control environment is established and maintained. Control environments are established and maintained through documented policies and procedures. These policies and procedures should be reviewed and updated at least on an annual basis. The auditor should also consider the technical competence of the individuals who have oversight of Active Directory, as well as, those they report to.

2.) Active Directory Design – When planning an Active Directory audit, the design of Active Directory structure should be considered. The following aspects should be addressed when planning the audit:

  • The organization’s Active Directory structure
  • The segregation of duties related to Active Directory, such as:
    • Administering
    • Monitoring
    • Making Changes
    • The servers utilized for Domain Controllers.
    • The configuration of the forest trust and the authorization required to establish trusts between forests.
3.) Active Directory Security – Given the pervasiveness of Active Directory throughout an organization, how an organization protects itself from cyber-attacks is a major consideration in any Active Directory audit. One important aspect of the security of the network is to make sure the Domain Controllers have proper security configurations. Domain Controllers are used to authenticate users, store user account information, and enforces security policy for a domain. Proper configurations will deny any unauthorized users from accessing and performing unauthorized actions on the organization’s network. Auditors should also inspect the organization’s password parameters and antivirus software. These security issues associated with Domain Controllers should be researched by the auditor for the security portion of the audit.

Learn more: Active Directory Cybersecurity: 5 Best Practices

4.) Active Directory Logging and Audit – When planning to audit Active Directory, it is important to make sure events are being logged in the Domain Controller audit logs. An audit log is a document that shows the user that performed the activity, what activity was performed, when the activity was performed, and how the system behaved during the activity. When considering the audit log, the auditor should have controls that make sure the configurations are set to properly record events. The configuration settings can be compared to the settings within the User Rights Assignment policy. The auditor would also want to make sure the logs are being properly aggregated and reviewed. The auditor should ask if the organization uses a Security Information and Event Management (SIEM) software solution to aggregate and analyze activity across the IT infrastructure. The SIEM provides real-time analysis of security alerts, so the auditor should inquire of IT management how appropriate personnel are notified of the alerts.

5.) Active Directory Administrator Access – The personnel with administrator access should be appropriate based on the job duties that come with their job title. The auditor of an organization’s Active Directory should plan to interview the personnel with administrator access. Administrative access gives an account significant power within the organization’s network and must be secured and closely monitored. Therefore, auditors should be very diligent when planning the testing procedures to investigate who has administrator access to confirm access is appropriate.

If you need assistance planning your Active Directory audit, please reach out to Tim Harvey, Risk Advisory Services Consultant by email at Timothy.Harvey@freedmaxick.com.

Stay up to date