Getting Started with Active Directory Security On-Demand Assessment
The Active Directory Security Assessment is designed to provide you with specific, actionable guidance to mitigate security risks to your Active Directory and your organization. It also reports your progress against Microsoft's recommended roadmap for Securing Privileged Access (SPA), of which Active Directory is a critical component.
The Active Directory Security Assessment focuses on several key pillars, including:
Review of operational processes
Review of the privileged accounts/groups membership as well as regular account hygiene
Review of the forest and domain trusts
Review operating system configuration, security patch, and update levels
Review of domain and domain controller configuration compared to Microsoft recommended guidance
Review of key Active Directory object permission delegation
Running the Active Directory Security Assessment
Prerequisites
In order to take full advantage of the On-Demand Assessments available through Services Hub, you must have:
Membership in the built-in Administrators group of every domain in the forest.
Membership in the local Administrators group on the data collection machine.
Administrative access to all Microsoft Domain Name System (DNS) servers that the domain controllers use.
Review the Pre-Requisites document for the AD Security Assessment. It contains the detailed technical documentation for the assessment, the server preparation needed to run it, and a description of the different types of data the assessment collects.
Note: On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment, you can review the data in Azure Log Analytics. You get a prioritized list of recommendations, categorized across six focus areas, so that you and your team can quickly understand risk levels and the health of your environment, act to decrease risk, and improve your overall IT health.
Setup the AD Security Assessment
Note: You will only be able to successfully setup the assessment once you have linked your Azure Subscription to Services Hub and added the AD Security Assessment from IT Health -> On-Demand Assessments in Services Hub.
On the data collection machine create the following folder: C:\OMS\ADS (or any other folder besides C:\ODA which is reserved by the system).
Open a regular PowerShell window (not ISE) as Administrator and run the setup cmdlet with the following parameters:
WorkingDirectory: a path to an existing directory used to store the files created while collecting and analyzing the data from the environment.
WorkspaceId: the ID of the Log Analytics workspace that will be used to store the uploaded data.
When prompted, provide credentials for a user account that satisfies the requirements listed earlier in this article.
Data collection is triggered by a scheduled task named ADSecurityAssessment within an hour of running the setup cmdlet, and then every 7 days. The task can be modified to run on a different date/time, or forced to run immediately, from Task Scheduler Library > Microsoft > Operations Management Suite > AOI*** > Assessments > ADSecurityAssessment.
During collection and analysis, data is temporarily stored under the Working Directory folder that was configured during setup.
After a few hours, your assessment results will be available in your Log Analytics workspace and on the Services Hub dashboard. To see the results, go to Services Hub > Health > Assessments and click View all recommendations for the active assessment.
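The prerequisite checks, working-directory creation and forced first run described above, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module is installed on the data collection machine and that the setup cmdlet (not reproduced on this page) has already registered the scheduled task; it relies on the well-known SID S-1-5-32-544 of the built-in Administrators group, which is the same in every domain.

```powershell
# Added example, not part of the Services Hub article.
# Assumes: RSAT ActiveDirectory module present; setup cmdlet already run.

Import-Module ActiveDirectory

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Prerequisite: local Administrators on the data collection machine.
$localAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Local Administrators on $env:COMPUTERNAME : $localAdmin"

# Prerequisite: built-in Administrators (well-known SID S-1-5-32-544)
# in every domain of the forest, checked with nested membership expanded.
$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    try {
        $memberSids = Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $domain -Recursive |
                      Select-Object -ExpandProperty SID
        $isMember = [bool]($memberSids | Where-Object { $_ -eq $identity.User })
        Write-Host "$domain built-in Administrators: $isMember"
    } catch {
        Write-Warning "Could not enumerate Administrators in $domain : $_"
    }
}

# Working directory for collection and analysis. Any folder is acceptable
# except C:\ODA, which is reserved by the system.
$workingDir = 'C:\OMS\ADS'
if ($workingDir.TrimEnd('\') -ieq 'C:\ODA') {
    throw 'C:\ODA is reserved by the system; choose another folder.'
}
New-Item -ItemType Directory -Path $workingDir -Force | Out-Null

# The setup cmdlet registers the collector as a scheduled task under
# \Microsoft\Operations Management Suite\AOI***\Assessments\. It runs within
# an hour of setup and every 7 days afterward; force a run now instead.
$task = Get-ScheduledTask -TaskName 'ADSecurityAssessment' `
            -TaskPath '\Microsoft\Operations Management Suite\AOI*\Assessments\' `
            -ErrorAction SilentlyContinue
if (-not $task) {
    throw 'ADSecurityAssessment task not found; run the setup cmdlet first.'
}
Start-ScheduledTask -InputObject $task
Get-ScheduledTaskInfo -InputObject $task |
    Select-Object TaskName, LastRunTime, NextRunTime, LastTaskResult
```

While the task runs, the collector's temporary files appear under the working directory chosen above; a LastTaskResult of 0 in the final line indicates the collection completed, after which the results take a few hours to appear in Log Analytics.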
If you would like a Microsoft Accredited Engineer to review the findings for your AD environment with you, contact your Microsoft representative and ask about a Remote or Onsite CE Led Delivery.