ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

More documents

Recommendations

Info

Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency This page intentionally blank. UNCLASSIFIED C-6
Active Directory Checklist, V1R1.2 Field Security Operations 22 September 2006 Defense Information Systems Agency APPENDIX D: <strong>DIRECTORY</strong> INFORMATION GATHERING This appendix of the Checklist describes tools and methods that could be used to gather directory information. This is certainly not an exhaustive list. It is intended to point out some of the simpler and less invasive tools that are available. Although multiple tools are described, the emphasis is on the simplest command line tools and methods. D.1 Active Directory The tools and processes in this section are used to gather information about Active Directory implementations. SAs may consider compiling some of these tools into batch scripts that could be used to automate information gathering for their specific environment. Note: Some of the procedures described here require that the user performing the actions is a member of the Domain Admins security group. Note: Some of the tools described here require specific Windows releases or the installation of additional programs: - Methods that are identified with “Windows Server 2003” use programs that are present on domain controllers that are running that release or later. - Methods that are identified with “Windows Support Tools” use programs that are installed with the Windows Support Tools optional component. Although present on the OS server installation CD, these programs are not installed by default. - Methods that are identified with “Script” use the Windows Script Host (WSH) to execute scripts written in the Microsoft Visual Basic Scripting Edition (VBScript) language. The scripts invoke the Active Directory Service Interfaces (ADSI) components to get information from AD. These components are present on all Windows 2000 and later releases, but it is possible that the execution of VBScript scripts is restricted or disabled on individual machines. D.1.1 Identifying Domain Controllers The following are methods to get a list of all the domain controllers in a domain. Method 1: Microsoft Management Console a. Start the Active Directory Users and Computers console (“Start”, “Run…”, “dsa.msc”). b. Select and expand the left pane item that matches the name of the domain being reviewed. c. Select the Domain Controllers OU. d. Each domain controller is represented as an object in this OU. Notes: This method assumes that domain controller computers are members of the Domain Controllers OU. This is the default AD configuration and Microsoft recommends strongly against changing it. UNCLASSIFIED D-1
Page 1 and 2:
ACTIVE DIRECTORY SECURITY CHECKLIST
Page 3 and 4:
Active Directory Checklist, V1R1.2
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80: Active Directory Checklist, V1R1.2
Page 129: Active Directory Checklist, V1R1.2
show all

ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?