Active Directory Audit

commissum's AD Structural Audit can optimise your Active Directory and Microsoft security tools.

commissum's Active Directory Structural Audit is a higher-level audit than the Permissions Audit, but in terms of issue resolution it is of vital importance. The Permissions Audit focuses on which users can access which objects from a current and historical perspective. 

The Structural Audit, on the other hand, ensures that the fundamental AD structure does not contain loopholes in the permissions set-up. Such loopholes might be exploited by users to create new objects which can be used as "stepping stones" to access data that the users are not authorised to access. A Permissions Audit alone is not sufficient to prevent this, and so an Active Directory Structural Audit is needed in addition.

The AD Structural Audit focuses on the business fitness of your Active Directory set-up, rather than individual permissions. It will determine whether individual permissions, objects and policies can be used to circumvent one another (as is often the case). It is measured in terms of security and stability as well as regulatory and best practice compliance. While the Permissions Audit can address short-term issues, the Structural Audit will prevent problems occurring in the future. Both audit types are essential to a comprehensive review, with robust recommendations to address future situations.

The AD Structural Audit has no impact on your infrastructure. The consultant will spend a day on-site evaluating the structures within your AD. During that day, he/she will need three to four hours, ideally with the senior AD administrator, to ask questions about why certain structures are used and how some requirements are fulfilled.

If the senior AD administrator is unavailable, then the consultant will work with someone who can grant administrative access to a domain controller. While no changes are made to your systems, we usually expect that the consultant has access to a local employee that he/she can question, in order to get the most out of the engagement.

At the end of this consultancy day, we hold an informal meeting for an hour, which both the senior administrator and the CIO/IT manager should attend. At this meeting, we discuss the overall audit findings, their impact on the business, and what actions could be taken to optimise the Active Directory.

You will be able to ask any questions you might have. The extra depth of explanation that this meeting provides will make our report more meaningful when you receive it.

The final stage of the AD Structural Audit is the writing of the full report, including metrics taken from the audit observations. Once the report is complete, we can return to deliver the report in person, or we can discuss it remotely by conference call.

• Technology Selection
• Secure Integration
• Technology Project Assurance
• Active Directory Permissions
• Active Directory Structural Audit
• Microsoft Security Licenses
• Mobility and Secure Access