Deployment Information
• Verify that all servers acting as Active Directory or Global Catalog Servers are documented and authorized
• Verify that the location of the FSMO masters is well documented
    o Verify that a plan exists to ensure that FSMO roles are transferred should a FSMO master be decommissioned
• Verify that all Active Directory peers are replicating successfully and that replication schedules, if necessary, are appropriate
Security Settings
• Password Policies
    o Verify that password complexity requirements are correct
    o Verify that password history policies are correct
    o Verify that password aging requirements are correct
    o Verify that LM and NTLMv1 are refused by Active Directory and member servers according to Group Policy
• Transport Level Encryption
    o Ensure data encryption policies match organizational encryption requirements
        ▪ Is data compartmentalized based on sensitivity?
        ▪ Is data of different classification levels residing on the same physical server?
        ▪ Are Group Policies being enforced to ensure sensitive data is properly encrypted while in transport?
    o Verify that message signing is enabled for all systems in the domain
• Verify that remote access to servers is restricted to appropriate groups
• Ensure that groups are being used to assign file permissions
• Ensure that Group Policy is being used to assign all rights and to manage critical group membership
Audit Logging
• Verify that audit logging is enabled
• Verify that the local storage size of the logs is appropriate
• Verify that a mechanism exists to aggregate event logs to a centralized location
• Verify that audit logs are reviewed daily for security and stability incidents
• Verify that all remote access mechanisms have appropriate audit logging enabled
Physical Security
• Verify that all servers are in a physically secured, limited-access facility
• Verify that an access log exists to track physical access to servers
• Verify that the physical access log cannot be accessed/modified by individuals with access to the server facility
• Verify that, where appropriate, servers are physically secured within the facility (direct access to the physical server is limited through a locked rack, etc.)
• Verify that consoles are locked or otherwise disabled when not in use
Miscellaneous
• Verify that the time within the domain is synchronized to a stratum 1 or stratum 2 time service
• Verify that Active Directory servers are dedicated to that purpose, implementing the principles of separation of duties and economy of mechanism
• Verify that all services configured for startup are necessary for the purpose of the servers examined
• Verify that all appropriate patches have been applied in a reasonable amount of time from release
• Verify that, where appropriate, DACLs and SACLs have been configured on critical or otherwise sensitive directory objects
• Verify that the Schema Administrators group has no members
    o Inquire as to the process followed when a schema change is required
    o Is the process reasonable?
    o Does the process protect the Active Directory Schema Master from unauthorized change?
    o Does the process protect the Active Directory Schema Master from corruption?
• Verify that any cross-domain trust relationships are appropriate, documented and authorized
• Verify that the Active Directory is functioning at the highest functional level permitted by deployed systems
• Verify that all service accounts have sufficiently long and complex passwords that they need not be changed
    o Verify that the service account passwords are not known
• Verify that Administrators are using differentiated accounts with administrative rights rather than a single “Administrator” account
    o Verify that administrators have separate accounts for day-to-day activities versus administrative activities
    o Verify that the administrative accounts are being used only for administrative functions
• Verify that there are no undocumented, unused or inactive accounts in the Active Directory
• Verify that all accounts in the Active Directory are for Service Accounts or current active users in the environment
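The following PowerShell script is an added example, not part of the original checklist, showing how an auditor can gather read-only evidence for several items above (FSMO documentation and replication health under Deployment Information, LM/NTLMv1 refusal under Password Policies, and the Schema Admins, time source and inactive-account items under Miscellaneous). It assumes a domain-joined workstation with the RSAT ActiveDirectory module, and the 90-day inactivity threshold is an assumed value to be replaced with the organization's own standard.

```powershell
# Added audit-evidence script (not from the original checklist).
# Assumptions: ActiveDirectory module installed; run with a read-only domain account;
# $InactiveDays is an assumed threshold, not a value from the checklist.
Import-Module ActiveDirectory
$InactiveDays = 90

# Deployment Information: record the FSMO role holders for the documentation review.
$forest = Get-ADForest
$domain = Get-ADDomain
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Deployment Information: replication summary across all domain controllers.
repadmin /replsummary

# Password Policies: LM and NTLMv1 refused. LmCompatibilityLevel 5 = "send NTLMv2
# response only, refuse LM and NTLM". Checked on the local host here; repeat on each DC
# and member server (or confirm the value is set by Group Policy).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
       -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
if ($lsa.LmCompatibilityLevel -eq 5) {
    'LmCompatibilityLevel = 5 (LM and NTLMv1 refused)'
} else {
    "FINDING: LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)' (expected 5)"
}

# Miscellaneous: time source of the local host (should chain to a stratum 1/2 service).
w32tm /query /source

# Miscellaneous: Schema Admins should have no members.
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive
if ($schemaAdmins) {
    "FINDING: Schema Admins has members: $($schemaAdmins.SamAccountName -join ', ')"
} else {
    'Schema Admins is empty'
}

# Miscellaneous: enabled user accounts with no logon in $InactiveDays days,
# candidates for the "undocumented, unused or inactive accounts" review.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate
```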