Windows Active Directory Audit/Assurance Program

  • 2010

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200 - General Standards. The audit/assurance programs are part of ITAF section 4000 - IT Assurance Tools and Techniques.

Objective - The Active Directory audit/assurance review will:

  • Provide management with an evaluation of the Active Directory implementation and management security design effectiveness
  • Provide management with an independent assessment of the operating effectiveness of the security controls

Scope - Windows server implementations operate with various functions and software. This review evaluates whether the Active Directory infrastructure that supports the servers and workstations within the enterprise is securely implemented. The review will focus on the configuration controls relating to:

  • Active Directory management
  • Secure Active Directory boundaries
  • Secure domain controllers
  • Physical security of the domain controllers
  • Secure domain and domain controller configuration settings
  • Secure administrative practices

The scope excludes:

  • Windows server configurations
  • Workstation configurations
  • User access and identity management
  • Domain Name Service (DNS) management

It is recommended that:

  • Windows server configuration assessments be performed using an audit/assurance program specifically designed for the server's function (web, e-mail, file/print, etc.)
  • Workstation configuration assessments be performed using audit/assurance programs designed for the operating system and function (desktop, laptop, special applications, etc.)
  • User access and identity management be assessed using the ISACA Identity Management Audit/Assurance Program
  • DNS management be approached as part of a network assessment

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.

In this Book

  • Windows Active Directory Audit/Assurance Program
  • Introduction
  • Using This Document
  • Assurance and Control Framework
  • Executive Summary of Audit/Assurance Focus
  • Audit/Assurance Program