Train at Home with Top Cybersecurity Experts - SANS OnDemand

Cyber Defense Initiative® 2013

Washington, DC | Thu, Dec 12 - Thu, Dec 19, 2013
This event is over,
but there are more training opportunities.

AUD444: Auditing Security and Controls of Active Directory and Windows

Thu, December 12 - Sat, December 14, 2013

Auditors need to be able to understand how Active Directory operates and the key business risks that are present. This course was written to teach auditors how to identify and assess those business risks. Active Directory and Windows systems are typically well known and utilized within organizational infrastructures. However, they can be difficult to audit since there are a large number of settings on the end system. This course provides the tools and techniques to effectively conduct an Active Directory and Windows audit, and while doing so identify key business process controls that may be missing. Students have the opportunity to look at the business process controls and then how those can be verified by looking at Active Directory and the Windows systems that exist. Plus, students are taught how to add additional value to their audits by being able to identify the technology risks that may have been overlooked. The hands-on exercises reinforce the topics discussed in order to give students the opportunity to conduct an audit on their own Windows systems, as well as understand the different security options that Windows provides.

Course Syllabus

Tanya Baccam
Thu Dec 12th, 2013
9:00 AM - 5:00 PM


In order to properly audit Active Directory, auditors have to have an understanding of the Active Directory architecture and the role AD plays for an organization. These foundations are more are covered in provide a solid foundation to build rom throughout the course.

CPE/CMU Credits: 6


Windows Foundational Concepts

  • Workgroups versus Domains
  • Common protocols
  • Querying registry data

Active Directory Concepts

  • Conducting an inventory of systems
  • Active Directory Design and Topology
  • Scoping considerations for an Active Directory and Windows Audit
  • Active Directory Responsibilities
  • Auditing the authentication process
  • Trusts
  • Domain Controllers Audit Steps
  • Active Directory Audit Steps
  • Group Policy
  • GPO application
  • Organizational Units
  • Global Catalog Best Practices Audit Steps
  • Schema Master Audit Steps
  • Operation Master Audit Steps
  • RODC
  • Domains and Forests
  • Delegation of Authority
  • Tools designed to query data from AD such as csvde, dsquery and more

Physical, Environment and Availability Controls

  • Facility controls
  • Data center controls
  • Physical Security Audit Steps for DCs
  • Fault Tolerance Audit Steps
  • Cabling Physical Security Controls
  • Backup controls

Tanya Baccam
Fri Dec 13th, 2013
9:00 AM - 5:00 PM


During this day we will add to the foundational concepts we covered in the first day and get in to a number of the technical details for auditing including access controls, change and patch management, encryption and vulnerability management. We also discuss key services such as DNS, IIS, SQL Server and RDS.

CPE/CMU Credits: 6


Network controls

  • Ports, Services and Protocol Stacks
  • IPv6 considerations
  • Network Segmentation Audit Steps
  • IDS and IPS considerations
  • Network Access Protection
  • Wireless best practices for Windows

Application controls

  • Controlling Software
  • Software Restriction Policies
  • AppLocker or Application Control Policies
  • Auditor Service Tips
  • DNS Audit Steps for AD
  • IE Security considerations
  • Remote Desktop Services

Change Control, Patching & Vulnerabilities

  • Managing and Auditing for IT vulnerabilities
  • Configuration Controls
  • Change Management
  • Patch Management
  • Vulnerability Management Audit Steps
  • Signs of Poor Vulnerability Management Processes
  • MBSA
  • Nmap Scripting Engine
  • Microsoft Support Lifecycle

Access Controls

  • Job Roles and Responsibilities
  • SOD Considerations
  • User Management Controls
  • Required Policies/Processes for Users and Groups
  • Account Recommendations for Administrators
  • Permissions
  • Ownership
  • Mandatory Integrity Control
  • User Account Control
  • High Risk Groups and Users
  • User, accounts and group management
  • Anti-virus and Malware Controls
  • Password Controls
  • Using tools to extract audit data for users and groups
  • Password Cracking and Audits
  • Authentication Alternatives
  • Kerberos and NTLM
  • Governance Controls

Tanya Baccam
Sat Dec 14th, 2013
9:00 AM - 5:00 PM


The final day of the course covers the last steps to include in an Active Directory and Windows effective audit program. Topics such as enabling successful auditing on the system, reviewing privileges, availability considerations, application control and service auditing are discussed.

CPE/CMU Credits: 6


Access Controls

  • Encryption Controls
  • Cryptography
  • Encrypting File System (EFS)
  • BitLocker
  • Hard Drive Encryption
  • Syskey
  • IPSec Best Practices
  • Shares
  • Identifying Changes
  • File Integrity Controls
  • Security Options and which ones are important to auditors
  • Security Option Audit Recommendations


  • Categorizing Privileges according to risk
  • High Risk Right Recommendations
  • Audit Recommendations for Remaining Rights

Logging and Monitoring

  • Logging on the end system
  • Windows Logs
  • Centralized Logging
  • Signs of an Intrusion
  • Key Audit Event IDs
  • Logging for Availability Considerations
  • Recommended Logging Controls
  • Logging for Domain Controllers
  • Continuous Auditing

System Configuration, Continuous Auditing & Tools

  • System configuration audit checklist items
  • Using wmic for audit purposes
  • Security Configuration and Analysis
  • Using templates for auditing
  • Administrative Templates GPOs

Additional Information

Students need to bring a laptop computer with an Ethernet network card and a CD-ROM drive. Students should use Windows 7 professional, and need to have Administrative access, including the capability to disable security features such as anti-virus software.

If you have additional questions about the laptop specifications, please contact

  • Internal Auditors
  • IT Specialist Auditors
  • IT Auditors
  • IT Audit Managers
  • Information System Auditors
  • Information Technology Auditors
  • Information Security Officers

Other Courses People Have Taken

Any of the other audit courses.

The course CD includes audit scripts and tools that will assist in conducting an Active Directory and Windows audit.

Author Statement

As an auditor, Active Directory is one of the key systems that I audit regularly. Many other organizational systems rely on Active Directory and the security settings and controls it enforces to properly mitigate the risks to those systems. Therefore, auditors need an indepth understanding of Active Directory and the controls it provides. During this course, we give the student the knowledge and tools to audit Active Directory and Windows, and be able to identify key business and process risks. Plus, we also provide the student will information to add additional value to organizations by being able to understand and make recommendations as it relates to these risks.. -Tanya Baccam