Audit Windows Active Directory Security With Powershell

Auditing is an old concept that has been used in computing for a long time. Security auditing is more recent and has grown greatly over the last ten years. There are plenty of manual techniques as well as tools available to help audit the security of the different hardware and software components inside a network.

Auditing Windows systems is a big task, and good tooling makes a real difference to the speed and accuracy of the necessary audits. One such tool available to auditors of Active Directory security is Windows PowerShell. The concept of continuous auditing applies here: querying the security settings of a system in real time.

Continuous auditing can also be defined as gathering information about systems without needing the administrator or administrative privileges, combined with the ability to produce reports on the various security aspects of a component. Windows PowerShell is one tool that can be used to audit Windows Active Directory security without domain-level administrative rights.

Windows PowerShell is available for, and supports, Windows XP SP3, Windows Vista SP1, Windows Server 2003, Windows Server 2008, and Windows 7. The latest version available is version 2 and it can be downloaded from here. Once PowerShell is installed on the system, a few additional tasks need to be performed before the cmdlets (short for "command-lets") can be run.

Windows PowerShell comes with its own security: by default its execution policy refuses to run script files at all, so it has to be loosened a little before the necessary scripts will execute. To do that, start Windows PowerShell on the system as the local administrator and, at the prompt, type

set-executionpolicy

You will then be prompted for the policy to apply. Type in

remotesigned

RemoteSigned allows scripts you create locally to run while still requiring a signature on scripts downloaded from the internet. Once this is done, the cmdlets run without errors.

The next step is to get the cmdlet for AD.

This cmdlet lets us issue commands and produces output that is useful for auditing AD security. The cmdlet for AD can be obtained from here.

- On the page at the first URL, copy the content of the highlighted area and paste it into Notepad.

- Save the file with a .ps1 extension. The extension must be .ps1, so make sure you remove the default .txt extension that Notepad adds when saving.

Once that is done, open a PowerShell prompt and navigate to the folder containing the cmdlet.

cd z:\cmdlets

The above command assumes that the cmdlet is on the Z: drive in the cmdlets directory. Change the drive and directory to match the location of your .ps1 file.

Once you have navigated to the correct directory, execute the following command:

.\.ps1

Do not forget the .\ prefix: PowerShell does not run scripts from the current directory unless the path is given explicitly, so it is required to execute the cmdlets.

This will produce the necessary information and print it out on the screen. Some other commands that can be run are:

.\.ps1 -Domain -User administrator
.\.ps1 -Domain -ToCsv C:\MyFolder\MyFile.csv
.\.ps1 -Domain -Group "Domain Admins"
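To make the kind of non-administrative audit described above concrete, here is an added example script of my own; it is not the script the article links to, and only the parameter names -Domain, -User, -Group and -ToCsv are taken from the commands above. The file name Audit-AD.ps1 is a hypothetical choice. It relies solely on System.DirectoryServices (part of .NET 2.0, so it works under PowerShell 2 on the systems listed earlier) and needs nothing beyond the LDAP read access an ordinary domain user already has. With no -User or -Group it reports enabled accounts whose password never expires or is not required, which is a typical first finding in an AD audit.

```powershell
# Audit-AD.ps1 -- added example, NOT the script linked from the article.
# Parameter names mirror the article's commands; the implementation is this
# editor's own, built only on System.DirectoryServices so it runs under
# PowerShell 2 as an ordinary domain user: no RSAT module, no admin rights.
param(
    [string]$Domain = $env:USERDNSDOMAIN,  # DNS name of the domain to query
    [string]$User,                         # audit a single account (sAMAccountName)
    [string]$Group,                        # list the members of one group, e.g. "Domain Admins"
    [string]$ToCsv                         # write results to this CSV path instead of the screen
)

# userAccountControl bit flags (values defined by the AD schema)
$UAC_DISABLED        = 0x0002    # ACCOUNTDISABLE
$UAC_PWD_NOTREQD     = 0x0020    # PASSWD_NOTREQD
$UAC_DONT_EXPIRE_PWD = 0x10000   # DONT_EXPIRE_PASSWORD
# LDAP extensible-match rule OIDs: bitwise AND, and transitive (nested) membership
$LDAP_BIT_AND  = "1.2.840.113556.1.4.803"
$LDAP_IN_CHAIN = "1.2.840.113556.1.4.1941"   # needs Windows Server 2003 SP2 or later DCs

function Escape-LdapValue([string]$s) {
    # Escape the characters RFC 4515 reserves inside filter values (backslash first)
    $s.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Search-Directory([string]$Filter, [string[]]$Properties) {
    $root = [ADSI]"LDAP://$Domain"          # serverless bind: DC located via DNS
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000               # page results so large domains are not cut off
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

function Convert-Result($r) {
    # Flatten one SearchResult into the fields an auditor cares about
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    $pwdLastSet = $null
    $raw = $r.Properties["pwdlastset"][0]   # FILETIME as Int64; 0 means "must change at next logon"
    if ($raw -and [int64]$raw -gt 0) { $pwdLastSet = [DateTime]::FromFileTime([int64]$raw) }
    New-Object PSObject -Property @{
        SamAccountName       = [string]$r.Properties["samaccountname"][0]
        DistinguishedName    = [string]$r.Properties["distinguishedname"][0]
        Disabled             = (($uac -band $UAC_DISABLED) -ne 0)
        PasswordNotRequired  = (($uac -band $UAC_PWD_NOTREQD) -ne 0)
        PasswordNeverExpires = (($uac -band $UAC_DONT_EXPIRE_PWD) -ne 0)
        PasswordLastSet      = $pwdLastSet
    }
}

$props = @("samaccountname", "distinguishedname", "useraccountcontrol", "pwdlastset")
$userBase = "(&(objectCategory=person)(objectClass=user)"

if ($Group) {
    # Resolve the group to its DN, then match users whose memberOf chain reaches it
    $g = @(Search-Directory "(&(objectCategory=group)(cn=$(Escape-LdapValue $Group)))" @("distinguishedname"))
    if ($g.Count -eq 0) { throw "Group '$Group' not found in $Domain" }
    $gdn = Escape-LdapValue ([string]$g[0].Properties["distinguishedname"][0])
    $filter = "${userBase}(memberOf:${LDAP_IN_CHAIN}:=$gdn))"
} elseif ($User) {
    $filter = "${userBase}(sAMAccountName=$(Escape-LdapValue $User)))"
} else {
    # Default audit: enabled accounts whose password never expires or is not required
    $filter = "${userBase}(!(userAccountControl:${LDAP_BIT_AND}:=$UAC_DISABLED))" +
              "(|(userAccountControl:${LDAP_BIT_AND}:=$UAC_DONT_EXPIRE_PWD)" +
              "(userAccountControl:${LDAP_BIT_AND}:=$UAC_PWD_NOTREQD)))"
}

$results = @(Search-Directory $filter $props | ForEach-Object { Convert-Result $_ })

if ($ToCsv) {
    $results | Export-Csv -Path $ToCsv -NoTypeInformation
    Write-Host "Wrote $($results.Count) rows to $ToCsv"
} else {
    $results | Format-Table SamAccountName, Disabled, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet -AutoSize
}
```

Usage follows the same shape as the article's commands, for example .\Audit-AD.ps1 -Domain corp.example.com -Group "Domain Admins" or .\Audit-AD.ps1 -ToCsv C:\MyFolder\MyFile.csv (the domain name here is a constructed placeholder). The -Group query uses the LDAP_MATCHING_RULE_IN_CHAIN rule so that nested membership is resolved on the domain controller, which matters for privileged groups: an account that reaches Domain Admins through an intermediate group is just as privileged as a direct member, and a direct-members-only listing would miss it. The execution policy note earlier applies: a .ps1 saved from a browser may be marked as downloaded and be blocked under RemoteSigned, whereas one pasted into Notepad and saved locally runs.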
