Active Directory Security

Assessment

Premier Support

Overview
An Active Directory Security Active Directory provides mission-critical authentication, authorization and
Assessment helps an configuration capabilities to manage users, computers, servers and applications
organization to identify, throughout an organization’s IT infrastructure. As Active Directory provides
quantify and reduce the risks broad and deep control of environments in which it is deployed, proper
configuration and use of an Active Directory infrastructure is critical to secure an
affecting the security of one of
organization’s systems and applications.
the most critical infrastructure
components in most IT How the Offering Works
environments. ADSAs are performed via a series of activities on both technical and non-
technical fronts. The technical component of the ADSA leverages automated
information-gathering scripts, custom and standard system analysis tools to
Significant cost savings can be gather in-depth information about the configuration of the directory, privileged
realized by leveraging accounts, security settings, domain controller configurations and even
prioritized, actionable inappropriate use of privileged accounts. In addition to the information
guidance to secure existing gathering activities, interviews with key teams involved in the various aspects of
investments rather than Active Directory and supporting infrastructures, are performed to identify gaps
increasing cost and complexity in process or governance that may also expose the directory to risk.
by adding additional security
Why Perform an ADSA?
components that may be As organizations’ implementations of Active Directory evolve, configuration
unnecessary in the presence of settings may not be properly maintained, security enhancements may not be
a secure AD implementation. implemented and vulnerabilities may begin to appear in an AD installation. An
ADSA provides a holistic assessment of the security of an Active Directory
installation, not only at a technical level but also at process and governance
Risk Prioritization levels. On completion of an ADSA, the customer is presented with a
An ADSA provides prioritized, comprehensive analysis of both technical and non-technical risks. In addition, it
structured remediation advice, presents a prescriptive guidance and prioritization to provide an organization a
allowing an organization to easily roadmap to a more secure directory. ADSAs may be repeated on an annual or
identify where efforts should be even a semi-annual basis in order to provide a comprehensive, audit-ready
focused. record of the security of an AD installation over its lifetime.
 Assess your Enterprise Directory
Services environment security today
Key Benefits Deliverables
• Domain Controllers Security The PFE-ADSA deliverables consists of three detailed reports containing
information about an organization’s domain controller’s security configurations,
ADSA provides a detailed
privileged account and group memberships, and an operational and technical
baseline of your environment
review. Risks are identified, prioritized, and remediation approaches are
with a comparative review based provided, giving the customer actionable guidance that can be used to harden
on official Microsoft and secure this mission-critical service. Supplemental files containing the full
recommendations. ADSA details of each risk are also provided as reference material that is useful to target
analyses security settings of your remediation efforts.
Domain Controllers based on
the Microsoft security guidance Higher Security for Systems and Applications
found in the Security All computers and applications that are joined to or authenticate with Active
Compliance Manager (SCM) Directory have critical security dependencies upon Active Directory. By
implementing the guidance provided in the ADSA deliverables, the level of
tool.
security across these complex dependencies is increased. Thus, the overall
• Administrative Memberships security status of an organization is significantly improved.
ADSA provides a detailed
inventory of administrative and Maximize Existing Investments in Active Directory
privileged memberships. Rather than purchasing additional devices or software to increase security,
simple changes to Active Directory and the systems it controls can provide
• Operational Excellence greater incremental security improvements for reduced cost, risk and less effort
Is a top priority for all from administrative staff.
organizations. ADSA will go
beyond technology and look at Engagement Sizing for Active Directory
process as well as governance. The ADSA delivery* is sized appropriately to the complexity of your
environment during a scoping call. Factors such as the number of domains,
• Knowledge Transfer domain controllers and network topology are considered. These are examples
of typical delivery times:

Tier Number of DCs per forest Typical Assessment Time

1 1-30 5 days

2 31-75 6 days

3 76-150 7 days

4 151+ Custom

5 Custom 20+ days

Tier 5 deliveries provide an in-depth assessment which focuses on additional

For more information about Consulting and Support solutions from Microsoft, contact your
Microsoft Services representative or visit www.microsoft.com/services