Community SANS

Dallas, TX | Mon Feb 25 - Wed Feb 27, 2013

This event is now sold out with a waitlist available. If you are interested in attending this class in other cities, we invite you to consider SANS 2013 or email community@sans.org to request this class in your Community.


AUD444: Auditing Security and Controls of Active Directory and Windows

Auditors need to be able to understand how Active Directory operates and the key business risks that are present. This course was written to teach auditors how to identify and assess those business risks. Active Directory and Windows systems are typically well known and utilized within organizational infrastructures. However, they can be difficult to audit since there are a large number of settings on the end system. This course provides the tools and techniques to effectively conduct an Active Directory and Windows audit, and while doing so identify key business process controls that may be missing. Students have the opportunity to look at the business process controls and then how those can be verified by looking at Active Directory and the Windows systems that exist. Plus, students are taught how to add additional value to their audits by being able to identify the technology risks that may have been overlooked. The hands-on exercises reinforce the topics discussed in order to give students the opportunity to conduct an audit on their own Windows systems, as well as understand the different security options that Windows provides.

Course Syllabus
  AUD444.1: Day 1 | Tanya Baccam, Bryan Simon | Mon Feb 25th, 2013
9:00 AM - 5:00 PM

In order to properly audit Active Directory, auditors have to have an understanding of the Active Directory architecture and the role AD plays for an organization. These foundations and more are covered to provide a solid base to build from throughout the course.

CPE/CMU Credits: 6


Windows Foundational Concepts

  • Workgroups versus Domains
  • Common protocols
  • Querying registry data

Active Directory Concepts

  • Conducting an inventory of systems
  • Active Directory Design and Topology
  • Scoping considerations for an Active Directory and Windows Audit
  • Active Directory Responsibilities
  • Auditing the authentication process
  • Trusts
  • Domain Controllers Audit Steps
  • Active Directory Audit Steps
  • Group Policy
  • GPO application
  • Organizational Units
  • Global Catalog Best Practices Audit Steps
  • Schema Master Audit Steps
  • Operation Master Audit Steps
  • RODC
  • Domains and Forests
  • Delegation of Authority
  • Tools designed to query data from AD such as csvde, dsquery and more

Physical, Environment and Availability Controls

  • Facility controls
  • Data center controls
  • Physical Security Audit Steps for DCs
  • Fault Tolerance Audit Steps
  • Cabling Physical Security Controls
  • Backup controls

  AUD444.2: Day 2 | Tanya Baccam, Bryan Simon | Tue Feb 26th, 2013
9:00 AM - 5:00 PM

During this day we will build on the foundational concepts covered in the first day and get into a number of the technical details for auditing, including access controls, change and patch management, encryption and vulnerability management. We also discuss key services such as DNS, IIS, SQL Server and RDS.

CPE/CMU Credits: 6


Network controls

  • Ports, Services and Protocol Stacks
  • IPv6 considerations
  • Network Segmentation Audit Steps
  • IDS and IPS considerations
  • Network Access Protection
  • Wireless best practices for Windows

Application controls

  • Controlling Software
  • Software Restriction Policies
  • AppLocker or Application Control Policies
  • Auditor Service Tips
  • DNS Audit Steps for AD
  • IE Security considerations
  • Remote Desktop Services

Change Control, Patching & Vulnerabilities

  • Managing and Auditing for IT vulnerabilities
  • Configuration Controls
  • Change Management
  • Patch Management
  • Vulnerability Management Audit Steps
  • Signs of Poor Vulnerability Management Processes
  • MBSA
  • Nmap Scripting Engine
  • Microsoft Support Lifecycle

Access Controls

  • Job Roles and Responsibilities
  • SOD Considerations
  • User Management Controls
  • Required Policies/Processes for Users and Groups
  • Account Recommendations for Administrators
  • Permissions
  • Ownership
  • Mandatory Integrity Control
  • User Account Control
  • High Risk Groups and Users
  • User, accounts and group management
  • Anti-virus and Malware Controls
  • Password Controls
  • Using tools to extract audit data for users and groups
  • Password Cracking and Audits
  • Authentication Alternatives
  • Kerberos and NTLM
  • Governance Controls

  AUD444.3: Day 3 | Tanya Baccam, Bryan Simon | Wed Feb 27th, 2013
9:00 AM - 5:00 PM

The final day of the course covers the last steps to include in an effective Active Directory and Windows audit program. Topics such as enabling successful auditing on the system, reviewing privileges, availability considerations, application control and service auditing are discussed.

CPE/CMU Credits: 6


Access Controls

  • Encryption Controls
  • Cryptography
  • Encrypting File System (EFS)
  • BitLocker
  • Hard Drive Encryption
  • Syskey
  • IPSec Best Practices
  • Shares
  • Identifying Changes
  • File Integrity Controls
  • Security Options and which ones are important to auditors
  • Security Option Audit Recommendations


  • Categorizing Privileges according to risk
  • High Risk Right Recommendations
  • Audit Recommendations for Remaining Rights

Logging and Monitoring

  • Logging on the end system
  • Windows Logs
  • Centralized Logging
  • Signs of an Intrusion
  • Key Audit Event IDs
  • Logging for Availability Considerations
  • Recommended Logging Controls
  • Logging for Domain Controllers
  • Continuous Auditing

System Configuration, Continuous Auditing & Tools

  • System configuration audit checklist items
  • Using wmic for audit purposes
  • Security Configuration and Analysis
  • Using templates for auditing
  • Administrative Templates GPOs

Additional Information
  Laptop Required

Students need to bring a laptop computer with an Ethernet network card and a CD-ROM drive. Students should use Windows 7 Professional or later, and need to have administrative access, including the capability to disable security features such as anti-virus software. Home or similar editions will not have the features needed. Students will also need to install RSAT before class, as the dsquery and csvde tools are needed for class. You can find the instructions for installation here.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  Who Should Attend
  • Internal Auditors
  • IT Specialist Auditors
  • IT Auditors
  • IT Audit Managers
  • Information System Auditors
  • Information Technology Auditors
  • Information Security Officers

  Other Courses People Have Taken
Any of the other audit courses.

  What You Will Receive

The course CD includes audit scripts and tools that will assist in conducting an Active Directory and Windows audit.


Author Statement

As an auditor, Active Directory is one of the key systems that I audit regularly. Many other organizational systems rely on Active Directory and the security settings and controls it enforces to properly mitigate the risks to those systems. Therefore, auditors need an in-depth understanding of Active Directory and the controls it provides. During this course, we give the student the knowledge and tools to audit Active Directory and Windows, and be able to identify key business and process risks. Plus, we also provide the student with information to add additional value to organizations by being able to understand and make recommendations as it relates to these risks. -Tanya Baccam

Venue Information

Reservation Information

A block of rooms has been reserved for SANS attendees at a special rate of $95. Reservations must be made directly with the hotel via telephone at 972-370-7732 by February 5. All reservations after this date are subject to rate and space availability.

We also encourage you to check rates online.