An organization's Directory Services provide the literal "keys to the kingdom," and as such, any directory vulnerabilities can instantly denigrate the security of the entire organization, as once sufficient privilege is acquired, a malicious user can control access to every information and IT asset protected by the directory.
Key activities include:
- Conducting a design and/or compliance review of those directory attributes deemed essential to the ongoing achievement of critical security objectives:
- Enterprise Design Review;
- Security Configuration Review;
- Content Security Review;
- Administrative Model Review; and,
- Management Practices, Procedures and Policies.
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by an Active Directory Review are:
- Provides assurance that the Directory controls are in place, aligned with prevailing good practice, and operating as intended; and,
- Provides a measure of assurance that those external systems that are reliant upon the Directory are secure in accordance with their expectation.
Active Directory reviews are best used:
- As part of a compliance management program as a means to demonstrate compliance with relevant laws and regulations over an extended period of time; and,
- As a compensating control where Separation of Duties is not practical or possible.