Getting Started with Active Directory Security On-Demand Assessment
The Active Directory Security assessment is designed to provide you specific actionable guidance to mitigate security risks to your Active Directory and your organization. This solution also provides you with status on your progress relative to Microsoft’s recommended roadmap for Securing Privilege Access (SPA), of which Active Directory is a critical component.
The Active Directory Security Assessment focuses on several key pillars, including:
- Review of operational processes
- Review of the privileged accounts/groups membership as well as regular account hygiene
- Review of the forest and domain trusts
- Review operating system configuration, security patch, and update levels
- Review of domain and domain controller configuration compared to Microsoft recommended guidance
- Review of key Active Directory object permission delegation
Running the Active Directory Security Assessment
Prerequisites
In order to take full advantage of the On-Demand Assessments available through Services Hub, you must:
- Have linked an active Azure Subscription to Services Hub and added the AD Security Assessment. For more information, see Getting Started with On-Demand Assessments or watch the how to link video.
- A domain account (User or Managed Service Account) with the following rights:
- Enterprise Administrator group membership OR
- Built-in Administrator group membership to every domain in the forest.
- Membership in Local Administrators group on the Data Collection machine.
- Administrative access to all Microsoft Domain Name System (DNS) servers that the domain controllers participate with.
- Review the Pre-Requisites document for the AD Security Assessment. This document explains the detailed technical documentation of the AD Security Assessment and the server preparation needed to run the assessment. It also documents the different types of data collected by the assessment.
Note: On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment you can review the data in Azure Log Analytics. This will provide you with a prioritized list of recommendations, categorized across six focus areas. This allows you and your team to quickly understand risk levels, the health of your environments, act to decrease risk, and improve your overall IT health.
Setup the AD Security Assessment
Note: You will only be able to successfully set up the assessment once you have linked your Azure Subscription to Services Hub and added the AD Security Assessment from IT Health -> On-Demand Assessments in Services Hub.
On the data collection machine create the following folder:
C:\OMS\ADS
(or any other folder besidesC:\ODA
which is reserved by the system).Open regular Powershell (not ISE) in Administrator mode and run the below cmdlet:
Add-ADSecurityAssessmentTask -WorkingDirectory <workingdirectorypath> command,
WorkingDirectory
is a path to an existing directory used to store the files created while collecting and analyzing the data from the environment.Workspace Id
– provide id for the Log Analytics workspace that will be used to store the uploaded data.Provide the required user account credentials that satisfy the requirements mentioned in this article earlier.
Data collection is triggered by the scheduled task named ADSecurityAssessment within an hour of running the previous script and then every 7 days. The task can be modified to run on a different date/time or even forced to run immediately from the task scheduler library -> Microsoft -> Operations Management Suite > AOI*** > Assessments > ADSecurityAssessment.
During collection and analysis, data is temporarily stored under the Working Directory folder that was configured during setup.
After a few hours, your assessment results will be available on your Log Analytics and Services Hub Dashboard. You can navigate to see the results by going into Services Hub > Health > Assessments and then clicking on View all recommendations against the active assessment.
If you wish to get a Microsoft Accredited Engineer to go over the issues about your AD Environment with you, you can contact your Microsoft Representative and ask them about the Remote or Onsite CE Led Delivery.
agreement | Remote Engineer | Onsite Engineer |
---|---|---|
Premier | ADS Remote Datasheet | ADS Onsite Datasheet |
Unified | ADS Remote Datasheet | ADS Onsite Datasheet |