Checklists: Active Directory Security


Deployment Information

  • Verify that all servers acting as Active Directory or Global Catalog Servers are documented and authorized
  • Verify that the location of the FSMO masters is well documented
    • Verify that a plan exists to ensure that FSMO roles are transferred should a FSMO master be decommissioned
  • Verify that all Active Directory peers are replicating successfully and that replication schedules, if necessary, are appropriate
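The deployment checks above can be scripted rather than gathered by hand. The following PowerShell script is an added example (not part of the original checklist) that uses the RSAT ActiveDirectory module to list the domain controllers and Global Catalogs that actually exist, print the FSMO role holders, and report replication failures and stale partners. The `$AuthorizedDCs` list is a placeholder for the inventory in your own deployment documentation; the replication cmdlets require the module shipped with Windows Server 2012 or later.

```powershell
# Added example, not part of the original checklist. Assumes the RSAT
# ActiveDirectory module is installed and the caller has read access to the domain.
Import-Module ActiveDirectory

# Placeholder: the documented, authorized DC list from your deployment records
$AuthorizedDCs = @('DC01.corp.example', 'DC02.corp.example')

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Every DC and Global Catalog actually present in the current domain
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem
$dcs | Format-Table -AutoSize

# Anything answering as a DC that is not in the authorized list is a finding
$unauthorized = $dcs | Where-Object { $AuthorizedDCs -notcontains $_.HostName }
if ($unauthorized) {
    Write-Warning 'Undocumented domain controllers found:'
    $unauthorized | Format-Table HostName, Site -AutoSize
}

# 2. FSMO role holders: forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
#    Compare this output with the documented location of each master.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 3. Replication health: recorded failures plus partners that have not synced recently
$StaleAfter = (Get-Date).AddHours(-3)   # placeholder threshold; align with your replication schedule
foreach ($dc in $dcs) {
    $failures = Get-ADReplicationFailure -Target $dc.HostName
    if ($failures) {
        Write-Warning "$($dc.HostName): $(@($failures).Count) replication failure(s)"
        $failures | Format-Table Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
    }
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationSuccess -lt $StaleAfter } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

Run it from a management host with the RSAT tools rather than on a DC. `Get-ADDomainController -Filter *` only returns the current domain, so repeat per domain (or use `-Server`) in a multi-domain forest; `repadmin /showrepl * /csv` gives the same replication view from the command line if the replication cmdlets are unavailable.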

Security Settings

  • Password Policies
    • Verify that password complexity requirements are correct
    • Verify that password history policies are correct
    • Verify that password aging requirements are correct
    • Verify that LM and NTLMv1 are refused by Active Directory and member servers according to Group Policy
  • Transport Level Encryption
    • Ensure data encryption policies match organizational encryption requirements
      • Is data compartmentalized based on sensitivity?
      • Is data of different classification levels residing on the same physical server?
      • Are Group Policies being enforced to ensure sensitive data is properly encrypted while in transport?
    • Verify that message signing is enabled for all systems in the domain
  • Verify that remote access to servers is restricted to appropriate groups
  • Ensure that groups are being used to assign file permissions
  • Ensure that Group Policy is being used to assign all rights and to manage critical group membership
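The password-policy and protocol items in this section map to values you can read directly. The script below is an added example (not from the original checklist) that compares the domain's default password policy against a placeholder baseline, lists any fine-grained policies that override it, and then reads the registry values that Group Policy writes for LM/NTLMv1 refusal, SMB signing and LDAP signing. The `$Baseline` numbers are placeholders; the registry paths and value names are the standard locations for those settings.

```powershell
# Added example, not part of the original checklist. Reads the effective password
# policy from AD and the authentication/signing settings that Group Policy populates
# in the local registry. Run the registry part on each DC and member server in scope
# (for example through Invoke-Command). Threshold values are placeholders.
Import-Module ActiveDirectory

$Baseline = @{ MinPasswordLength = 14; PasswordHistoryCount = 24; MaxPasswordAgeDays = 365 }  # placeholder baseline

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = New-Object System.Collections.Generic.List[string]

if (-not $policy.ComplexityEnabled)                                  { $findings.Add('Password complexity is disabled') }
if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength)       { $findings.Add("MinPasswordLength is $($policy.MinPasswordLength)") }
if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) { $findings.Add("PasswordHistoryCount is $($policy.PasswordHistoryCount)") }
# A non-positive MaxPasswordAge means passwords never expire
if ($policy.MaxPasswordAge.TotalDays -le 0 -or $policy.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
    $findings.Add("MaxPasswordAge is $($policy.MaxPasswordAge.TotalDays) days")
}
if ($policy.ReversibleEncryptionEnabled) { $findings.Add('Reversible password encryption is enabled') }

# Fine-grained policies override the default for the principals they apply to; review each one
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize

# Registry locations that Group Policy populates for the protocol settings
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';     Want = 5; Why = 'send NTLMv2 only, refuse LM and NTLMv1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'NoLMHash';                 Want = 1; Why = 'do not store LM hashes' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Want = 1; Why = 'SMB server signing required' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Want = 1; Why = 'SMB client signing required' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'LDAPServerIntegrity';      Want = 2; Why = 'LDAP signing required (domain controllers only)' }
)
foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    if ($value -ne $c.Want) {
        $shown = if ($null -eq $value) { 'not set (OS default)' } else { $value }
        $findings.Add("$($c.Name) = $shown, expected $($c.Want) ($($c.Why))")
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Password policy and protocol settings match the baseline' }
```

An absent registry value means the operating-system default applies, which is why the script reports "not set" as a finding rather than silently passing it. `Get-SmbServerConfiguration` and `Get-SmbClientConfiguration` expose the same SMB-signing state on Windows Server 2012 and later if you prefer a cmdlet over the registry.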

Audit Logging

  • Verify that audit logging is enabled
  • Verify that the local storage size of the logs is appropriate
  • Verify that a mechanism exists to aggregate event logs to a centralized location
  • Verify that audit logs are reviewed daily for security and stability incidents
  • Verify that all remote access mechanisms have appropriate audit logging enabled
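The audit-logging items are checkable per host. The script below is an added example (not from the original checklist) that reads the effective audit policy with `auditpol`, checks the Security log's size and retention mode, looks for a Windows Event Forwarding subscription manager (the mechanism Group Policy uses to ship logs to a collector), and confirms the RDP connection log is enabled. The required-subcategory list and the size threshold are placeholders for your own baseline.

```powershell
# Added example, not part of the original checklist. Checks the effective audit
# policy, Security log sizing, event-forwarding configuration and RDP connection
# logging on the local machine; run it on each DC and member server in scope.
# The subcategory list and size threshold are placeholders.

$RequiredSubcategories = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'User Account Management', 'Security Group Management', 'Computer Account Management',
    'Directory Service Access', 'Directory Service Changes',
    'Audit Policy Change', 'Authentication Policy Change', 'Process Creation'
)
$MinSecurityLogBytes = 1GB   # placeholder

$findings = New-Object System.Collections.Generic.List[string]

# 1. Effective audit policy. "auditpol /r" emits CSV; blank lines are dropped before parsing.
$audit = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
foreach ($name in $RequiredSubcategories) {
    $row = $audit | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) { $findings.Add("Subcategory '$name' not found in auditpol output"); continue }
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $findings.Add("'$name' is set to '$($row.'Inclusion Setting')'")
    }
}

# 2. Local log capacity: size and retention mode of the Security log
$sec = Get-WinEvent -ListLog Security
if (-not $sec.IsEnabled) { $findings.Add('Security log is disabled') }
if ($sec.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
    $findings.Add("Security log max size is $([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB")
}
"Security log: $($sec.RecordCount) records, retention mode $($sec.LogMode)"

# 3. Forwarding to a collector: Group Policy stores subscription-manager URLs as numbered values here
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wef = Get-ItemProperty -Path $wefKey -ErrorAction SilentlyContinue
$collectors = if ($wef) { $wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value }
if (-not $collectors) { $findings.Add('No Windows Event Forwarding subscription manager configured') }
else { "Forwarding to: $($collectors -join '; ')" }
if ((Get-Service WinRM).Status -ne 'Running') { $findings.Add('WinRM service is not running (required for event forwarding)') }

# 4. Remote access: the RDP connection log should be enabled in addition to the Logon subcategory
$rdp = Get-WinEvent -ListLog 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -ErrorAction SilentlyContinue
if ($rdp -and -not $rdp.IsEnabled) { $findings.Add('RDP RemoteConnectionManager operational log is disabled') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Audit logging matches the baseline' }
```

If logs go to a SIEM agent rather than Windows Event Forwarding, replace step 3 with a check that the agent's service is running and that its last successful upload is recent; the point is that aggregation is verified, not merely assumed.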

Physical Security

  • Verify that all servers are in a physically secured limited access facility
  • Verify that an access log exists to track physical access to servers
  • Verify that the physical access log cannot be accessed or modified by individuals with access to the server facility
  • Verify that, where appropriate, servers are physically secured within the facility (direct access to the physical server is limited through a locked rack, etc.)
  • Verify that consoles are locked or otherwise disabled when not in use


  • Verify that the time within the domain is synchronized to a stratum 1 or stratum 2 time service
  • Verify that Active Directory servers are dedicated to that purpose, implementing the principles of separation of duties and economy of mechanism
  • Verify that all services configured for startup are necessary for the purpose of the servers examined
  • Verify that all appropriate patches have been applied in a reasonable amount of time from release
  • Verify that, where appropriate, DACLs and SACLs have been configured on critical or otherwise sensitive directory objects
  • Verify that the Schema Administrators group has no members
    • Inquire as to the process followed when a schema change is required
    • Is the process reasonable?
    • Does the process protect the Active Directory Schema Master from unauthorized change?
    • Does the process protect the Active Directory Schema Master from corruption?
  • Verify any cross domain trust relationships are appropriate, documented and authorized
  • Verify that the Active Directory is functioning at the highest functional level permitted by deployed systems
  • Verify that all service accounts have passwords long and complex enough that they need not be changed
    • Verify that the service account passwords are not known
  • Verify that Administrators are using differentiated accounts with administrative rights rather than a single "Administrator" account
    • Verify that administrators have separate accounts for day to day activities versus administrative activities
    • Verify that the administrative accounts are being used only for administrative functions
  • Verify that there are no undocumented, unused or inactive accounts in the Active Directory
  • Verify that all accounts in the Active Directory are for Service Accounts or current active users in the environment
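Most of the account and configuration items above can be gathered in one pass. The script below is an added example (not from the original checklist) that uses the RSAT ActiveDirectory module to list Schema Admins membership, trust relationships, functional levels against the DC operating systems, inactive and disabled accounts, service-account password age, the built-in Administrator's recent use, privileged group membership, SACL presence on sensitive objects, and the time source. The `$InactiveDays` and `$ServicePwdMaxAgeDays` thresholds are placeholders; reading SACLs requires the security privilege, and the time-source check is meaningful on the PDC emulator.

```powershell
# Added example, not part of the original checklist. Requires the RSAT ActiveDirectory
# module, read access to the domain and, for the SACL check, SeSecurityPrivilege.
# Thresholds are placeholders; adjust them to your own policy.
Import-Module ActiveDirectory

$InactiveDays         = 90     # placeholder
$ServicePwdMaxAgeDays = 365    # placeholder
$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = New-Object System.Collections.Generic.List[string]

# Schema Admins should be empty between scheduled schema changes (group lives in the forest root domain)
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive
if ($schemaAdmins) { $findings.Add("Schema Admins has members: $(@($schemaAdmins).SamAccountName -join ', ')") }

# Trusts: each one should appear in the authorization record
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, SelectiveAuthentication, SIDFilteringQuarantined |
    Format-Table -AutoSize

# Functional level versus the DC operating systems: raise the level if the oldest OS allows it
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"
Get-ADDomainController -Filter * | Group-Object OperatingSystem | Select-Object Count, Name | Format-Table -AutoSize

# Enabled accounts with no logon inside the threshold, and disabled accounts that were never removed
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { $findings.Add("Inactive enabled account: $($_.SamAccountName) (last logon $($_.LastLogonDate))") }
Search-ADAccount -AccountDisabled -UsersOnly |
    ForEach-Object { $findings.Add("Disabled account still present: $($_.SamAccountName)") }

# Service accounts (user objects carrying an SPN): password age and expiry setting
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        if ($null -eq $_.PasswordLastSet) { $findings.Add("Service account $($_.SamAccountName): password never set or must change"); return }
        $age = ((Get-Date) - $_.PasswordLastSet).Days
        if ($age -gt $ServicePwdMaxAgeDays) { $findings.Add("Service account $($_.SamAccountName): password is $age days old") }
    }
# Managed service accounts have machine-managed passwords that no person knows; list them for the record
Get-ADServiceAccount -Filter * | Select-Object Name, ObjectClass, Enabled | Format-Table -AutoSize

# Built-in Administrator (RID 500): recent use suggests a shared account instead of named admin accounts
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties LastLogonDate, Enabled
if ($builtin.Enabled -and $builtin.LastLogonDate -gt (Get-Date).AddDays(-30)) {
    $findings.Add("Built-in Administrator ($($builtin.SamAccountName)) logged on $($builtin.LastLogonDate)")
}

# Privileged group membership, to compare against the separate-account convention
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    "${g}: " + ((Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName) -join ', ')
}

# SACLs on the domain root and AdminSDHolder; without them the Directory Service Access subcategory records nothing
foreach ($dn in $domain.DistinguishedName, "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)") {
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    if ($acl.Audit.Count -eq 0) { $findings.Add("No SACL entries on $dn") }
}

# Time source: run on the PDC emulator; a stratum 1 or 2 source makes this host stratum 2 or 3
"PDC emulator: $($domain.PDCEmulator)"
w32tm /query /source
(w32tm /query /status | Select-String 'Stratum').Line

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

The trust, privileged-group and service-account listings are printed rather than judged because the checklist asks whether they are documented and authorized, which only the environment's records can answer; the script's job is to make the comparison against those records quick. Group Managed Service Accounts are the direct answer to the "passwords are not known" item, since Windows rotates their passwords without anyone ever holding them.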