ACTIVE DIRECTORY WORK PROGRAM: USER

MANAGEMENT/ADMINISTRATION, POWERFUL USER

RIGHTS

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments
Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

The complete active directory work program covers the following areas:

User Management/Administration
General
User ID Creation
User ID Maintenance
User ID Termination
Access Request Procedures
Powerful User Rights
Architecture/Design
General
Domain Structure
Supporting Infrastructure
Failover/Availability
Replication
General
Database Maintenance
Replication Management
Infrastructure
General
Platform Configuration
Platform Security

This is Section 1: User Management/Administration, Powerful User Rights.

Source: www.knowledgeleader.com 1
 Key Control
Question(s)
Determine how powerful
access is granted. Verify
that extra controls have
been implemented to limit
the ability to create a
powerful account.
Verify that user accounts
with powerful rights can be
easily identified and
enumerated. Identify all
powerful user accounts that
contain the following rights:
Schema administrators
Enterprise
administrators
Domain administrators
Active directory server
administrators
Review users with powerful
user rights to the active
directory implementation
and verify that permissions
are appropriately based on
job requirements and
employment status.
Has a process been
implemented to periodically
review users with powerful
user rights to determine if
their access rights are still
required to complete
business objectives?
Verify that appropriate
segregation of duties exist
for active directory
administrators.
Source: www.knowledgeleader.com
Preferred Controls/Goal State for Intent/Status of
Owner(s)
Production Designed Control
Powerful access should be granted
after additional approvals have been
received from additional management
and business owners, with a strict
business need. Administrative access
should be granular and ensure a
segregation of duties.
Verify that a limited number of users
have been designated as having
administrator privileges. Domain
administrators and schema
administrators should be the most
controlled accounts in the
environment.
Permissions should be configured to
only provide the minimum rights
necessary to complete business-
designated tasks.
Administrator rights should be
reviewed semi-annually and after any
role changes. Authorizations for
special/privileged access rights are
reviewed quarterly.
Administrative access should be
granular and ensure a segregation of
duties. Administrator roles should be
limited to specific servers or specific
tasks (an administrator should only
have access to the servers and the
management tasks).
2
 Key Control
Question(s)
Have the out-of-the-box
(default) administrator
accounts been secured?
Determine if administrators
used # separate accounts
# for powerful
administrative use and # for
day-to-day activities.
Source: www.knowledgeleader.com
Preferred Controls/Goal State for Intent/Status of
Owner(s)
Production Designed Control
The following tasks should be
performed on default administrator
accounts on all AD systems:
Administrator accounts have been
renamed to something not
obvious.
A new account called
Administrator has been created
with no privileges, regular auditing
and investigation.
The administrator account name
and password are kept in a sealed
envelope and in a fireproof box.
Administrators should use # separate
user accounts; # accounts should be
used for normal daily activities, and #
for all powerful administration tasks.
Administrators should use the run as
program to perform powerful tasks.
3