Active Directory forms the security foundation of most Windows networks. It is the mechanism that establishes domain and forest boundaries, and it is where all of the user accounts reside. Given everything that it does, keeping Active Directory healthy is a critical part of keeping an organization secure. An important component of making sure that happens is on-demand assessments of Active Directory security.
There are, of course, numerous well-established security best practices for Active Directory, and there are any number of third-party security validation tools available. What you might not realize, however, is that Microsoft provides a tool that can generate on-demand assessments for Active Directory security.
If the On-Demand Assessments tool isn’t familiar to you, it is probably because it’s not the sort of thing that you can deploy and begin using on your own; you’ll need a little bit of help from Microsoft.
The On-Demand Assessments tool requires an Azure subscription, but that alone isn’t enough. Organizations that want to use On-Demand Assessments must contact their Microsoft Technical Account Manager (or TAM, as Microsoft likes to call them) and request access to the Microsoft Services Hub. The TAM will then send the Azure account owner the necessary invitation.
This, of course, raises the question of how an organization can perform on-demand assessments of their Active Directory environment if they do not have a Microsoft Technical Account Manager at their disposal. In those situations, the organization will need to contact Microsoft’s Services Hub Team.
Once you have been given access to the Services Hub, the next step in the process is to link your Azure subscription and the Azure Log Analytics workspace to the Services Hub. To do this, log into the Services Hub using the link given to you by Microsoft, and then click on the Pre-Configure Assessments link. This will launch a three-step pre-configuration process that will prepare your environment so that you will be able to perform Active Directory security assessments.
- The first step in the process is to provide the details for your Azure subscription. It is worth noting that to do this you will need to either be the account owner, or be designated as an Azure Contributor or a Log Analytics Contributor.
- The second step is to select an Azure Log Analytics workspace. If you have already created a Log Analytics workspace within Azure, you can simply select it from the list. Otherwise, the console contains a link that you can use to create a new workspace on the fly. (You can also go back and create a workspace through Azure.)
- The third step in the process is to configure your assessments. You will need to click the View Assessments button, and then choose the Active Directory option from the list of assessments.
Before you can perform any on-demand assessments, you will need to provide your users and the Microsoft TAM with access to the Azure Log Analytics workspace. This usually means granting these users the Log Analytics Reader Role. The specific steps will vary from one organization to the next, but you can find instructions for the process here.
With the Azure infrastructure in place, you can prepare to create on-demand Active Directory assessments. You will need to deploy a data collector machine that collects data from the Microsoft Monitoring Agent (which you will also have to deploy). Additionally, you will need to set everything up using an Enterprise Admin account that has access to every domain controller in the forest, the data collector machine and your DNS servers.
Once the prerequisites have been met, all you need to do is create a working directory on the data collection server and use PowerShell’s Add-ADAssessmentTask cmdlet to register that folder as the assessment’s working directory. After doing so, the data collection process will begin, with data typically available within a few hours. You can find the full documentation here.
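As an added illustration (not from the article or from Microsoft’s documentation), the following PowerShell pre-flight script checks the prerequisites described above before registering the task: it confirms the session is running as an Enterprise Admin, that every domain controller in the forest answers on the LDAP port, and that the Microsoft Monitoring Agent service is running on the collector. It assumes an elevated session on the data collector machine, that the agent’s Windows service is named HealthService, and that the cmdlet is already available; the working directory path is a constructed value.

```powershell
# Added pre-flight script; not part of the article or Microsoft's assessment package.
# Assumptions: elevated PowerShell session on the data collector machine,
# Microsoft Monitoring Agent installed (Windows service name: HealthService),
# and the Add-ADAssessmentTask cmdlet already present on this machine.
$WorkingDirectory = 'C:\ADAssessment'   # constructed path; choose your own

# 1. Confirm the session runs as an Enterprise Admin.
#    Enterprise Admins is the well-known RID 519 in the forest root domain.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isEnterpriseAdmin = $identity.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' }
if (-not $isEnterpriseAdmin) {
    throw "Current user $($identity.Name) is not a member of Enterprise Admins."
}

# 2. Enumerate every domain controller in every domain of the forest and
#    verify each one answers on TCP/389 (LDAP) from this collector.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$unreachable = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        if (-not (Test-NetConnection -ComputerName $dc.Name -Port 389 -InformationLevel Quiet)) {
            $dc.Name
        }
    }
}
if ($unreachable) {
    throw "Domain controllers not reachable on TCP/389: $($unreachable -join ', ')"
}

# 3. Confirm the Microsoft Monitoring Agent service is running on this collector,
#    since it is what ships the collected data to the Log Analytics workspace.
$agent = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') {
    throw 'Microsoft Monitoring Agent (HealthService) is not running on this machine.'
}

# 4. Create the working directory and register the assessment task against it.
New-Item -ItemType Directory -Path $WorkingDirectory -Force | Out-Null
Add-ADAssessmentTask -WorkingDirectory $WorkingDirectory
```

Each failed check stops the script with a message naming the missing prerequisite, so the task is only registered once the environment matches what the assessment expects.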