
Active Directory Security Checklist

Deployment Information
• Verify that all servers acting as Active Directory domain controllers or Global Catalog
servers are documented and authorized
• Verify that the location of the FSMO masters is well documented
o Verify that a plan exists to ensure that FSMO roles are transferred should a FSMO
master be decommissioned
• Verify that all Active Directory peers are replicating successfully and that replication
schedules, if necessary, are appropriate
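The three deployment checks above can be scripted. The following PowerShell is an added example, not part of the original checklist; it assumes the RSAT ActiveDirectory module, read access to the forest, and a documented DC inventory, for which the hostnames in $authorizedDCs are constructed placeholders.

```powershell
# Added example (not from the original checklist). Assumes the RSAT ActiveDirectory
# module and read access to the forest; hostnames in $authorizedDCs are constructed.
Import-Module ActiveDirectory

# The DC inventory that change management says should exist (constructed placeholder).
$authorizedDCs = @('DC01.corp.example', 'DC02.corp.example')

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

Write-Host "== Domain controllers in $($domain.DNSRoot) =="
foreach ($dc in $dcs) {
    # Anything not on the authorized list is either undocumented or a rogue DC.
    $tag = if ($authorizedDCs -contains $dc.HostName) { 'authorized' } else { 'UNDOCUMENTED' }
    '{0,-26} GC={1,-5} RODC={2,-5} Site={3,-14} {4}' -f $dc.HostName, $dc.IsGlobalCatalog, $dc.IsReadOnly, $dc.Site, $tag
}

Write-Host "`n== FSMO role holders (compare with the documented plan) =="
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.Keys) {
    # A holder that is not a live DC means the role was not transferred before decommissioning.
    $live  = $dcs.HostName -contains $roles[$role]
    $state = if ($live) { 'live' } else { 'NOT A LIVE DC: transfer or seize the role' }
    '{0,-20} {1,-26} {2}' -f $role, $roles[$role], $state
}

Write-Host "`n== Inbound replication per DC (domain partition) =="
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue | ForEach-Object {
        # Partner is the DN of the partner's NTDS Settings object; pull the server CN out of it.
        $partner = $_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        $last    = $_.LastReplicationSuccess
        # Never succeeded, a failure streak, or no success in 24h all need a look.
        $bad     = ($null -eq $last) -or ($_.ConsecutiveReplicationFailures -gt 0) -or (((Get-Date) - $last).TotalHours -gt 24)
        $flag    = if ($bad) { 'FAIL' } else { 'ok  ' }
        '{0} {1,-26} <- {2,-14} lastSuccess={3:yyyy-MM-dd HH:mm} failures={4}' -f $flag, $dc.HostName, $partner, $last, $_.ConsecutiveReplicationFailures
    }
}
```

Run it from a management host as a user with read rights on the forest. `repadmin /replsummary` gives the same replication picture in one table if you prefer the native tool; the script's advantage is the inventory comparison, which is what turns "replication works" into "every replicating DC is one we authorized".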

Security Settings
• Password Policies
o Verify that password complexity requirements are correct
o Verify that password history policies are correct
o Verify that password aging requirements are correct
o Verify that LM and NTLMv1 authentication are refused (LAN Manager authentication level
set to send NTLMv2 only and refuse LM and NTLM) and that LM hashes are not stored, on
domain controllers and member servers, as enforced through Group Policy
• Transport Level Encryption
o Ensure data encryption policies match organizational encryption requirements
▪ Is data compartmentalized based on sensitivity?
▪ Is data of different classification levels residing on the same physical
server?
▪ Are Group Policies being enforced to ensure sensitive data is properly
encrypted while in transport?
o Verify that message signing (SMB signing on all members, LDAP signing on domain
controllers) is enabled and required for all systems in the domain
• Verify that remote access to servers is restricted to appropriate groups
• Ensure that groups are being used to assign file permissions
• Ensure that Group Policy is being used to assign all user rights and to manage critical group
membership (for example through Restricted Groups)
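The password-policy, LM/NTLMv1 and message-signing items above can be read back from the directory and from the host being audited. The PowerShell below is an added example, not part of the original checklist. It assumes the RSAT ActiveDirectory module and a domain-joined host; the registry and SMB checks report the effective (Group Policy applied) settings of the machine it runs on, so run it on a domain controller and on a sample member server. $baseline holds constructed placeholder values for your own password standard.

```powershell
# Added example (not from the original checklist). Assumes RSAT ActiveDirectory and a
# domain-joined host; $baseline values are constructed placeholders for your standard.
Import-Module ActiveDirectory

$baseline = @{ MinPasswordLength = 14; PasswordHistoryCount = 24; MaxPasswordAgeDays = 365 }

function Test-PasswordPolicy {
    param($Policy, [string]$Label)
    $issues = @()
    if ($Policy.MinPasswordLength    -lt $baseline.MinPasswordLength)    { $issues += "MinPasswordLength=$($Policy.MinPasswordLength)" }
    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) { $issues += "PasswordHistoryCount=$($Policy.PasswordHistoryCount)" }
    # A zero or enormous MaxPasswordAge both mean "passwords never expire"; treat either as a finding.
    $days = $Policy.MaxPasswordAge.TotalDays
    if ($days -eq 0 -or $days -gt $baseline.MaxPasswordAgeDays) { $issues += "MaxPasswordAge=${days}d" }
    if (-not $Policy.ComplexityEnabled)      { $issues += 'ComplexityEnabled=False' }
    if ($Policy.ReversibleEncryptionEnabled) { $issues += 'ReversibleEncryptionEnabled=True' }
    if ($issues) { "FAIL  $Label : $($issues -join ', ')" } else { "ok    $Label" }
}

Test-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) 'Default Domain Policy'
# Fine-grained policies override the default for the principals they apply to; check each one too.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy $_ "PSO $($_.Name) (precedence $($_.Precedence), $($_.AppliesTo.Count) principal(s))"
}

# Prints one line per setting: absent values are reported as CHECK because the OS default then applies.
function Show-Value { param([string]$Name, $Value, $Want)
    $flag = if ($null -eq $Value) { 'CHECK' } elseif ($Value -eq $Want) { 'ok   ' } else { 'FAIL ' }
    '{0} {1}={2} (want {3})' -f $flag, $Name, $(if ($null -eq $Value) { 'not set' } else { $Value }), $Want
}

# LAN Manager authentication level: 5 = send NTLMv2 only, refuse LM and NTLMv1 inbound.
# Lower levels (and the current-Windows default of 3) still accept LM/NTLMv1 from clients.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Show-Value 'LmCompatibilityLevel' $lsa.LmCompatibilityLevel 5
# NoLMHash=1 stops the LM hash from being stored at the next password change.
Show-Value 'NoLMHash' $lsa.NoLMHash 1

# Message signing: "Require" refuses unsigned sessions; "Enable" only offers to negotiate signing.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
Show-Value 'SMB server RequireSecuritySignature' $srv.RequireSecuritySignature $true
Show-Value 'SMB client RequireSecuritySignature' $cli.RequireSecuritySignature $true
# SMB 3 encryption is the transport-encryption control for shares served by this host.
Show-Value 'SMB server EncryptData' $srv.EncryptData $true

# LDAP signing on a domain controller: LDAPServerIntegrity 2 = require signing (1 or absent = negotiate).
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds) { Show-Value 'LDAPServerIntegrity' $ntds.LDAPServerIntegrity 2 }
else       { 'n/a   not a domain controller (no NTDS\Parameters key); LDAP signing check skipped' }
```

The registry reads show what is in force on this host, which is the value an attacker sees; if it disagrees with the GPO you expected, the policy is not applying (wrong scope, blocked inheritance, or a local override), and that gap is itself a finding.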

Audit Logging
• Verify that audit logging is enabled
• Verify that the local storage size of the logs is appropriate
• Verify that a mechanism exists to aggregate event logs to a centralized location
• Verify that audit logs are reviewed daily for security and stability incidents
• Verify that all remote access mechanisms have appropriate audit logging enabled
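The audit-logging checks above reduce to three questions a script can answer on each host: which subcategories are audited, how much log is retained, and whether the events leave the machine. The PowerShell below is an added example, not part of the original checklist; it runs on the host being audited (a domain controller for directory events), needs local administrator rights for auditpol, and uses constructed placeholder values for the required subcategories and minimum log sizes. Subcategory names are as printed by auditpol on an English-language system.

```powershell
# Added example (not from the original checklist). Run as local admin on the host under review.
# $required and $minBytes are constructed placeholders for your own audit standard.

# Subcategories the daily review depends on (English auditpol names).
$required = [ordered]@{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Directory Service Changes' = 'Success'
}

# auditpol /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
Write-Host '== Effective audit policy =='
foreach ($name in $required.Keys) {
    $row  = $effective | Where-Object { $_.Subcategory -eq $name }
    $have = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }
    $want = $required[$name]
    # "Success and Failure" satisfies any requirement; otherwise it must match exactly.
    $ok   = ($have -eq $want) -or ($have -eq 'Success and Failure')
    '{0} {1,-28} have={2,-20} want={3}' -f $(if ($ok) { 'ok  ' } else { 'FAIL' }), $name, $have, $want
}

# Local retention: a Security log that wraps in hours defeats a daily review.
$minBytes = @{ Security = 1GB; System = 64MB; Application = 64MB }
Write-Host "`n== Log sizes =="
foreach ($log in $minBytes.Keys) {
    $l  = Get-WinEvent -ListLog $log
    $ok = $l.MaximumSizeInBytes -ge $minBytes[$log]
    '{0} {1,-12} max={2,7:N0} MB mode={3,-10} records={4}' -f $(if ($ok) { 'ok  ' } else { 'FAIL' }), $log, ($l.MaximumSizeInBytes / 1MB), $l.LogMode, $l.RecordCount
}

# Centralisation: a source-initiated Windows Event Forwarding subscription is delivered by GPO
# into this key (values named 1, 2, ...). Other collectors (SIEM agents) need their own check.
Write-Host "`n== Event forwarding =="
$wef = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue
if ($wef) {
    $targets = $wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    'ok   WEF subscription manager(s): ' + ($targets -join '; ')
} else {
    'CHECK no WEF subscription manager configured; confirm another collector or agent ships these logs'
}

# Starting point for the daily review: high-value Security events from the last 24 hours.
# 1102 log cleared, 4719 audit policy changed, 4720 user created, 4724 password reset attempt,
# 4728/4732/4756 member added to a global/local/universal security group.
Write-Host "`n== Security events, last 24h =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719, 4720, 4724, 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

If the last section prints nothing on a busy domain controller, suspect the audit policy or a cleared log (event 1102 is itself in the list) before concluding that nothing happened. Run the same script on the remote-access gateways and jump hosts the last checklist item refers to, with a subcategory list that includes their logon events.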

Physical Security
• Verify that all servers are in a physically secured limited access facility
• Verify that an access log exists to track physical access to servers
• Verify that the physical access log cannot be accessed or modified by individuals with
access to the server facility
• Verify that, where appropriate, servers are physically secured within the facility (direct
access to the physical server is limited through a locked rack, etc.)
• Verify that consoles are locked or otherwise disabled when not in use

Miscellaneous
• Verify that the time within the domain is synchronized to a stratum 1 or stratum 2 time
service
• Verify that Active Directory servers are dedicated to that purpose, implementing the
principles of separation of duties and economy of mechanism
• Verify that all services configured for startup are necessary for the purpose of the servers
examined
• Verify that all appropriate patches have been applied in a reasonable amount of time from
release
• Verify that, where appropriate, DACLs and SACLs have been configured on critical or
otherwise sensitive directory objects
• Verify that the Schema Admins group has no members (a member is added only for the duration
of an approved schema change and removed afterwards)
o Inquire as to the process followed when a schema change is required
o Is the process reasonable?
o Does the process protect the Active Directory Schema Master from unauthorized
change?
o Does the process protect the Active Directory Schema Master from corruption?
• Verify any cross domain trust relationships are appropriate, documented and authorized
• Verify that the Active Directory is functioning at the highest functional level permitted
by deployed systems
• Verify that all service accounts have passwords long and random enough that they need not
be changed
o Verify that service account passwords are not known to any person
• Verify that Administrators are using differentiated accounts with administrative rights
rather than a single “Administrator” account
o Verify that administrators have separate accounts for day to day activities versus
administrative activities
o Verify that the administrative accounts are being used only for administrative
functions
• Verify that there are no undocumented, unused or inactive accounts in the Active
Directory
• Verify that all accounts in the Active Directory are for Service Accounts or current active
users in the environment
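Most of the Miscellaneous items above are directory or host queries. The PowerShell below is an added example, not part of the original checklist, that collects them into one report. It assumes it is run on a domain controller with the RSAT ActiveDirectory module, as a user who can read the directory and run w32tm and service queries locally; the patch window, inactivity window and the "binary outside the system root" service heuristic are constructed placeholders for your own standard, and the w32tm parsing expects English output.

```powershell
# Added example (not from the original checklist). Run on a domain controller with RSAT
# ActiveDirectory; windows and thresholds below are constructed placeholders.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# Time: a host synced to a stratum 1 or 2 source is itself stratum 2 or 3.
$m = (w32tm /query /status) | Select-String '^Stratum:\s+(\d+)'
$stratum = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 99 }
'{0} stratum={1} source={2}' -f $(if ($stratum -le 3) { 'ok  ' } else { 'FAIL' }), $stratum, ((w32tm /query /source) -join '')

# Schema Admins must be empty; the other groups are listed to compare with the documented membership.
foreach ($g in 'Schema Admins', 'Enterprise Admins', 'Domain Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
    $flag = if ($g -eq 'Schema Admins' -and $members.Count -gt 0) { 'FAIL' } else { 'info' }
    '{0} {1,-18} {2} member(s): {3}' -f $flag, $g, $members.Count, ($members -join ', ')
}

# Trusts: every one should be on the authorized list; SID filtering and selective auth are the
# controls that limit what a trusted domain can inject or reach.
Get-ADTrust -Filter * | ForEach-Object {
    'info trust {0,-24} dir={1,-13} type={2,-8} intraForest={3} sidFilterQuarantined={4} sidFilterForestAware={5} selectiveAuth={6}' -f `
        $_.Name, $_.Direction, $_.TrustType, $_.IntraForest, $_.SIDFilteringQuarantined, $_.SIDFilteringForestAware, $_.SelectiveAuthentication
}

# Functional level versus the oldest DC operating system that still holds it back.
$dcOS = Get-ADDomainController -Filter * | Select-Object -ExpandProperty OperatingSystem | Sort-Object -Unique
'info forest mode={0} domain mode={1} DC OS: {2}' -f $forest.ForestMode, $domain.DomainMode, ($dcOS -join '; ')

# The built-in Administrator is always RID 500; recent logons mean it is a shared day-to-day account.
$rid500 = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties LastLogonDate
$recent = $rid500.Enabled -and $rid500.LastLogonDate -and ($rid500.LastLogonDate -gt (Get-Date).AddDays(-30))
'{0} built-in Administrator ({1}) enabled={2} lastLogon={3}' -f $(if ($recent) { 'CHECK' } else { 'ok   ' }), $rid500.SamAccountName, $rid500.Enabled, $rid500.LastLogonDate

# Service accounts are usually the user objects that carry an SPN. A password set years ago fits the
# "never changed" model only if it is long, random and unknown to any person.
Write-Host "`n== Accounts with SPNs =="
Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, @{ n = 'SPNs'; e = { $_.ServicePrincipalName.Count } } |
    Format-Table -AutoSize

# Enabled users with no logon in 90 days are the "inactive accounts" the checklist wants removed.
$inactive = @(Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Where-Object { $_.Enabled })
'{0} {1} enabled user(s) with no logon in 90 days' -f $(if ($inactive.Count -eq 0) { 'ok  ' } else { 'FAIL' }), $inactive.Count
$inactive | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# Patching: days since the most recent hotfix was installed on this host.
$last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = ((Get-Date) - $last.InstalledOn).Days
'{0} last hotfix {1} installed {2} day(s) ago' -f $(if ($age -le 45) { 'ok  ' } else { 'FAIL' }), $last.HotFixID, $age

# Dedicated-purpose triage: auto-start services whose binary lives outside the system root are the
# ones most likely to be something other than Windows or AD itself. Heuristic, not a verdict.
Write-Host "`n== Auto-start services with binaries outside $env:SystemRoot =="
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike "$env:SystemRoot*" -and $_.PathName -notlike "`"$env:SystemRoot*" } |
    Select-Object Name, State, PathName | Format-Table -AutoSize
```

Every line tagged info or CHECK still needs a human decision against the documentation the checklist asks for (the authorized trust list, the approved service inventory, the named owners of SPN accounts). For the service-account item, group Managed Service Accounts (`Get-ADServiceAccount`) meet the "password not known to any person" requirement by construction, since Windows generates and rotates the password itself.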
