Create Active Directory Security Reports with PowerShell
Securing an Active Directory (AD) environment is essential for several reasons. First and foremost, Active Directory is a central component of most organizations' networks and holds a wealth of sensitive information about users, computers, and other network resources. If that information falls into the wrong hands, an attacker can use it to compromise the security of the entire network.
This article discusses different ways to secure our Active Directory environment with PowerShell.
Prerequisites
Some of the commands in this article use the Active Directory PowerShell module, so the following prerequisites are needed:
- Domain functional level – Windows Server 2016.
- Remote Server Administration Tools (RSAT) for Active Directory installed on your domain-joined workstation.
- The latest PowerShell version, or at least PowerShell 5.x, is required to run the scripts.
Before we start, ensure that we have the above prerequisites and import the Active Directory module using the snippet below.
# The ActiveDirectory module ships with RSAT, not the PowerShell Gallery (on Windows Server use: Install-WindowsFeature RSAT-AD-PowerShell)
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Import-Module ActiveDirectory
Different Methods in Securing the Active Directory
There are multiple ways to secure an Active Directory environment. The next sections cover a few of them.
Applying Fine-Grained Password and Account Lockout Policies
Active Directory includes a default domain password policy. Administrators can additionally define stricter password and account lockout policies, which lets us enforce stronger passwords and tighter lockout settings for privileged accounts.
Use the following PowerShell lines to create a fine-grained password and account lock-out policy on a system with the AD Module for Windows PowerShell installed and imported.
Create the policy (password and lockout settings together):
New-ADFineGrainedPasswordPolicy -Name PolicyName -Precedence 1 -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 20 -MaxPasswordAge "30.00:00:00" -LockoutThreshold 3 -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
Apply the policy to a group (or user):
Add-ADFineGrainedPasswordPolicySubject -Identity PolicyName -Subjects GroupName
To determine which fine-grained password and account lockout policy applies to a user, look at the account's msDS-ResultantPSO attribute; it references the resultant password settings object (PSO). Alternatively, use the Get-ADUserResultantPasswordPolicy cmdlet.
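The following is an added example (not code from the original article) that puts the three steps above together: it creates a stricter policy for privileged accounts, applies it to a group, and then checks, member by member, which PSO actually wins. The policy name Tier0-Admin-PSO and the group Tier0-Admins are assumed names; the group must be a global security group. Lockout duration and observation window are included because a fine-grained policy that sets a threshold without them falls back to defaults that are easy to overlook.

```powershell
# Added example, not from the original article. Names below are assumptions.
Import-Module ActiveDirectory

$policyName = 'Tier0-Admin-PSO'   # assumed policy name
$groupName  = 'Tier0-Admins'      # assumed global security group holding privileged accounts

# Create the policy only if it does not already exist (the cmdlet errors on duplicates).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    $policy = @{
        Name                            = $policyName
        Precedence                      = 1        # lowest value wins when several PSOs apply
        ComplexityEnabled               = $true
        MinPasswordLength               = 14
        PasswordHistoryCount            = 20
        MaxPasswordAge                  = New-TimeSpan -Days 30
        MinPasswordAge                  = New-TimeSpan -Days 1
        LockoutThreshold                = 3
        LockoutDuration                 = New-TimeSpan -Minutes 30
        LockoutObservationWindow        = New-TimeSpan -Minutes 30   # must not exceed LockoutDuration
        ReversibleEncryptionEnabled     = $false
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @policy
}

# Bind the policy to the group; membership changes are picked up automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify: Get-ADUserResultantPasswordPolicy resolves msDS-ResultantPSO for each member.
# It returns nothing for accounts still governed by the Default Domain Policy, which we flag.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User         = $_.SamAccountName
            EffectivePSO = if ($pso) { $pso.Name } else { '(default domain policy)' }
            MinLength    = if ($pso) { $pso.MinPasswordLength } else { $null }
            Lockout      = if ($pso) { $pso.LockoutThreshold } else { $null }
        }
    } | Format-Table -AutoSize
```

Any member reported as "(default domain policy)" is usually a nested account that was added through a distribution group or a non-global group, which PSOs do not apply to; that is the check worth running after every change to the group.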
Managing Active Directory Snapshots
Snapshots for Active Directory may be helpful in scenarios where the organization needs to compare information from a specific time (the time we took the snapshot) with data from another point in time.
A functional Active Directory VSS Writer and the Volume Shadow Copy functionality are required to create an Active Directory snapshot. These features come standard with Windows Server.
Log in to a Domain Controller (DC) with a user account that belongs to the Domain Admins or Backup Operators group to work with snapshots. After signing in, open the Command Prompt and follow the steps below.
To create an Active Directory snapshot using PowerShell, we can use the Export-DSSnapshot cmdlet:
Export-DSSnapshot -Path "<SnapshotFolder>"
After that, to view all Active Directory snapshots using PowerShell, we can use the Get-DSSnapshot cmdlet:
Get-DSSnapshot -Path "<SnapshotFolder>"
Then, to mount an Active Directory snapshot using PowerShell, we use the Mount-DSSnapshot cmdlet. For example, the command below mounts the snapshot with the specified ID from the specified location:
Mount-DSSnapshot -Path "<SnapshotFolder>" -Identity "<SnapshotID>"
The above cmdlet outputs the location where the database is mounted. To expose it as an LDAP store, run dsamain.exe against the ntds.dit file under that mount point:
dsamain.exe -dbpath "<MountedPath>\Windows\NTDS\ntds.dit" -ldapport <PortNumber>
Keep this command running for as long as the LDAP server should stay available. To look up information, use the AD Module for Windows PowerShell cmdlets and pass the -Server parameter with the hostname and port number separated by a colon, as follows:
Get-ADComputer -Filter * -Server localhost:<PortNumber>
Alternatively, we can use tools such as ldifde.exe and csvde.exe to export information from a snapshot and import it into Active Directory. Beyond these, no native tooling is available for this type of operation.
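The point-in-time comparison described at the start of this section, as an added example (not code from the original article): it assumes a snapshot has already been mounted and dsamain.exe is listening on localhost:50000 (a placeholder port), and it reads the same data from the live domain and from the snapshot to show what changed in between. The group name Domain Admins is real; the service account svc-backup is an assumed name.

```powershell
# Added example, not from the original article. Assumes dsamain.exe already serves a
# mounted snapshot on localhost:50000 (placeholder port) and the caller can read both sides.
Import-Module ActiveDirectory

$snapshotServer = 'localhost:50000'              # port chosen when dsamain.exe was started
$liveServer     = (Get-ADDomain).PDCEmulator     # any writable DC will do

function Get-GroupMemberDNs {
    param([string]$Server, [string]$Group)
    # Read the member attribute directly: Get-ADGroupMember resolves each member
    # through the directory, which the snapshot LDAP store may not answer.
    @((Get-ADGroup -Identity $Group -Server $Server -Properties member).member)
}

$group = 'Domain Admins'
$then  = Get-GroupMemberDNs -Server $snapshotServer -Group $group
$now   = Get-GroupMemberDNs -Server $liveServer     -Group $group

# '=>' means present only in the live directory (added since the snapshot),
# '<=' means present only in the snapshot (removed since).
Compare-Object -ReferenceObject $then -DifferenceObject $now |
    ForEach-Object {
        [pscustomobject]@{
            Group  = $group
            Member = $_.InputObject
            Change = if ($_.SideIndicator -eq '=>') { 'Added since snapshot' } else { 'Removed since snapshot' }
        }
    }

# Attribute-level drift for a single account: pull the same attributes from both
# sides and list only those that differ. Multi-valued attributes are sorted and
# joined so ordering differences do not show up as changes.
$account = 'svc-backup'   # assumed sAMAccountName
$attrs   = 'userAccountControl', 'servicePrincipalName', 'adminCount', 'memberOf', 'scriptPath'
$old = Get-ADUser -Identity $account -Server $snapshotServer -Properties $attrs
$new = Get-ADUser -Identity $account -Server $liveServer     -Properties $attrs
foreach ($a in $attrs) {
    $o = (@($old.$a) | Sort-Object) -join ';'
    $n = (@($new.$a) | Sort-Object) -join ';'
    if ($o -ne $n) {
        [pscustomobject]@{ Attribute = $a; Snapshot = $o; Live = $n }
    }
}
```

Running this against a snapshot taken before a suspected incident gives a concrete list of membership and attribute changes to investigate, without touching the live directory.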
Managing Deleted Active Directory Objects
The Active Directory tombstoning process allows a deletion to replicate to every Domain Controller. When the AD Recycle Bin is enabled, deleted objects are preserved with their attributes for the deleted object lifetime before they are tombstoned.
In this state, the deleted objects are visible in the Deleted Objects container. We can restore objects from this container, including their group memberships and other attributes, to their original location or to a different container.
On a system with the AD Module for Windows PowerShell installed, use the following PowerShell commands to view the deleted AD objects for a domain:
Get-ADObject -IncludeDeletedObjects -Filter *
To restore a deleted AD object, use the following PowerShell cmdlets on a system with the AD Windows PowerShell module installed:
Get-ADObject -Filter { displayName -eq "<DisplayName>" } -IncludeDeletedObjects | Restore-ADObject
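An added example (not code from the original article) that turns the two commands above into a small report-and-restore routine: it first checks that the Recycle Bin is enabled, lists everything deleted in the last seven days together with where it lived, and then restores a chosen object by its objectGUID rather than by display name, which can be ambiguous. The -TargetPath parameter is only needed when the original parent OU is itself gone; the GUID in the usage line is a placeholder.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

# Without the Recycle Bin, a restored object is a tombstone with most attributes stripped.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; group memberships and most attributes will not survive a restore.'
}

$days  = 7
$since = (Get-Date).AddDays(-$days)

# Deleted objects carry isDeleted=TRUE, keep their original RDN in msDS-LastKnownRDN,
# and record the OU they were removed from in lastKnownParent. whenChanged is updated
# at deletion time, so it works as a "deleted at" timestamp.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -ge $since } `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, 'msDS-LastKnownRDN', objectClass, whenChanged, sAMAccountName, objectGUID

$deleted |
    Select-Object @{ n = 'Name';      e = { $_.'msDS-LastKnownRDN' } },
                  objectClass,
                  sAMAccountName,
                  @{ n = 'DeletedAt'; e = { $_.whenChanged } },
                  lastKnownParent,
                  objectGUID |
    Sort-Object DeletedAt -Descending |
    Format-Table -AutoSize

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath   # optional DN of an OU to restore into when the original parent no longer exists
    )
    # -Identity accepts the GUID directly; without -IncludeDeletedObjects the lookup fails.
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if ($TargetPath) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID   # goes back to lastKnownParent
    }
}

# Usage (placeholder GUID; take the real one from the objectGUID column of the report above):
# Restore-DeletedADObject -ObjectGuid '00000000-0000-0000-0000-000000000000'
```

The daily report alone is useful for detection: a burst of deletions of users or groups outside a change window, visible here before any restore is attempted, is something to raise with the team that owns the domain.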
Resetting the Kerberos Service Account Password in AD
In a multi-domain environment, each Active Directory domain has its own KRBTGT account, which all fully writable domain controllers in that domain share. Each read-only domain controller is assigned its own KRBTGT account.
If the KRBTGT account is compromised, Kerberos can no longer be trusted to authenticate users and the related audit logging becomes unreliable.
To reset the password for the service account, log in to a DC with Domain Admin rights and run the following:
Set-ADAccountPassword -Identity (Get-ADUser krbtgt).DistinguishedName -Reset -NewPassword (ConvertTo-SecureString "<NewPassword>" -AsPlainText -Force)
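An added example (not code from the original article) that wraps the reset above with the check a practitioner wants before doing anything else. Microsoft's guidance is to reset KRBTGT twice, because the account retains the previous password for validating tickets already issued; resetting twice before the first change has replicated to every writable DC invalidates all outstanding tickets at once. The script therefore generates a random password, performs one reset, and then asks each writable DC directly whether it has the new PasswordLastSet before you run the second reset.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    # The value only needs to be long and random; generate it instead of typing one.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $krbtgt = Get-ADUser -Identity krbtgt
    Set-ADAccountPassword -Identity $krbtgt.DistinguishedName -Reset -NewPassword $secure

    # Return the new PasswordLastSet so the caller can verify replication against it.
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Test-KrbtgtReplicated {
    param([Parameter(Mandatory)][datetime]$ExpectedPasswordLastSet)
    # Query every writable DC by name (-Server) instead of whichever DC answers first.
    Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
        $pls = (Get-ADUser -Identity krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet
        [pscustomobject]@{
            DC              = $_.HostName
            PasswordLastSet = $pls
            Replicated      = ($pls -ge $ExpectedPasswordLastSet)
        }
    }
}

$resetAt = Reset-KrbtgtPassword
Write-Host "KRBTGT reset at $resetAt; checking replication to writable DCs..."
$status = Test-KrbtgtReplicated -ExpectedPasswordLastSet $resetAt
$status | Format-Table -AutoSize

if ($status.Replicated -contains $false) {
    Write-Warning 'Not every DC has the new KRBTGT password yet. Wait for replication before the second reset.'
} else {
    Write-Host 'All writable DCs have the new password. The second reset can be scheduled.'
}
```

Run the script once, wait until every DC reports Replicated = True (and, in practice, for the maximum ticket lifetime to elapse), then run it again for the second reset. Each reset shows up in the Security log as a password reset on the krbtgt account, which is worth confirming in whatever SIEM receives the DC logs.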
Other Ways of Securing the AD Environment
There are many other ways to secure Active Directory, and we have covered a few of them. Explaining them all would take several more articles, so here is a list of further measures we can take to secure the environment:
- Backup and Restore GPOs and AD Database (NTDS)
- Manage the Directory Services Restore Mode (DSRM) passwords on DC.
- Implement a Local Administrator Password Solution (LAPS)
- Work with group Managed Service Accounts (gMSA).
- Use Security Configuration Wizard (SCW) to secure DC.
- Manage and monitor the Protected Users group.
- Put authentication policies and authentication policy silos to good use.
- Configure Extranet Smart Lockout.
- and more
Now let’s move on to the next section, where we discuss exporting Security and Audit reports using PowerShell.
Creating Active Directory Security Audit Reports Using PowerShell
Microsoft introduced the advanced security audit policy in AD a few iterations ago. This feature extends the auditing options into ten categories:
- Global Object Access Auditing.
- Account Logon.
- Account Management.
- Detailed Tracking.
- Directory Service Access.
- Logon/Logoff.
- Object Access.
- Policy Change.
- Privilege Use.
- System.
Each of these categories has several auditing options (subcategories). When enabled, the policy writes entries to the Security log in Event Viewer with the source Microsoft-Windows-Security-Auditing.
To configure the advanced security audit policy, follow these steps:
1. Open the Group Policy Management Console.
2. Navigate to the Domain Controllers node for the domain where you want to configure the policy.
3. Right-click the Default Domain Controllers Policy and click Edit from the menu.
4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and then click DS Access.
5. Double-click the Audit Directory Service Changes setting.
6. Check the box to configure the auditing events and select Success and Failure audit events.
7. Save the settings and close the Properties screen.
8. Close the Group Policy Management Editor window.
With PowerShell, the Get-WinEvent cmdlet gives system auditors advanced filtering options. For example, the following one-line command queries the whole Security log and exports it to a CSV file as a generated report.
Get-WinEvent -FilterHashtable @{LogName="Security"} | Export-Csv -Path .\Security.csv -NoTypeInformation
The CSV file should look like the following:
Copying auditing events from the domain controller’s event viewer logs to a centralized Security Incident and Event Management (SIEM) solution is a recommended practice.
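An added example (not code from the original article) that builds on the one-liner above. Exporting the entire Security log produces a file nobody reads; the script below first confirms with auditpol that the Directory Service Changes subcategory from the GPO steps is actually in effect on the DC, then collects only the documented Windows event IDs a security reviewer cares about (directory object changes, account creation and deletion, additions to security groups, lockouts) for the last 24 hours, and parses the EventData XML so the CSV has real columns instead of a single Message blob. The output filename is a placeholder; run it on a DC, or pass -ComputerName to Get-WinEvent.

```powershell
# Added example, not from the original article. Run on a DC with rights to read the Security log.

# 1. Verify the effective audit policy on this DC (auditpol shows the live setting, not the GPO).
$auditpol = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
$auditpol | Select-Object Subcategory, 'Inclusion Setting'
if ($auditpol.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Directory Service Changes is not auditing Success; 5136/5137/5141 events will be missing.'
}

# 2. Documented Windows Security event IDs worth reporting on a domain controller.
$eventIds = @{
    5136 = 'Directory object modified'
    5137 = 'Directory object created'
    5141 = 'Directory object deleted'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4740 = 'Account locked out'
}

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$eventIds.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches; treat that as an empty report

# 3. Extract named EventData fields so each row has a subject, a target and (for 5136) the attribute.
function ConvertTo-AuditRow {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        EventId     = $Event.Id
        Description = $eventIds[[int]$Event.Id]
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Target naming differs per event: directory events use ObjectDN, account and
        # group events use TargetUserName, and membership events also carry MemberName.
        Target      = $data['ObjectDN'], $data['TargetUserName'] | Where-Object { $_ } | Select-Object -First 1
        Member      = $data['MemberName']
        Attribute   = $data['AttributeLDAPDisplayName']
        Value       = $data['AttributeValue']
        Computer    = $Event.MachineName
    }
}

$rows = @($events | ForEach-Object { ConvertTo-AuditRow -Event $_ })
$rows | Export-Csv -Path .\AD-SecurityAudit.csv -NoTypeInformation   # placeholder output path

# Summary for the reviewer: how many of each event type were seen in the window.
$rows | Group-Object Description | Select-Object Count, Name | Sort-Object Count -Descending
```

Because the rows carry the subject account and the target object as separate columns, the same CSV can be filtered for the questions that matter in a review, such as every group membership change not made by a known provisioning account, or every modification of the adminCount or servicePrincipalName attribute.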
Thank you for reading Create Active Directory Security Reports with PowerShell. We shall conclude this article now.
Create Active Directory Security Reports with PowerShell Conclusion
In addition to the above security concerns, compliance and regulatory issues can arise if an Active Directory environment is not adequately secured. For example, many organizations must meet particular data security and privacy standards. Failing to secure an Active Directory can put them at risk of non-compliance and potential fines.