Enhance your Active Directory security with regular health checks
Internet-borne threats are increasing daily and are becoming more sophisticated and complex. Many IT departments face the challenge of maintaining overall IT infrastructure security, particularly in the Active Directory (AD) environment, which serves as a central service. Over time, user management grows, legal issues and outdated configurations accumulate, and it becomes nearly impossible to review all the settings manually. On top of it all, there is often uncertainty about whether security policies and protocols even comply with current standards.
Here's the solution: The Active Directory and Entra ID Security Assessment by conova
In order to evaluate local Active Directory as well as Entra ID settings and identify security vulnerabilities, conova offers its customers a Security Assessment Service.
Beyond standard evaluations, we generate comprehensive and detailed strength-weakness reports (Maturity Level and MITRE ATT&CK framework representation) to uncover security issues. Following the generation and analysis of the reports, conova specialists discuss the results with you in great detail in the form of a personalized consultation and provide targeted optimization suggestions and recommendations.
Best Practice – Customer Testimonial
“Our account manager recommended reviewing our Active Directory as part of our IT migration to conova. We were impressed at how deeply the tool delves into the AD, uncovering outdated settings as a result. Without it, these configurations and vulnerabilities would have been extremely difficult, if not impossible, to detect,” one of our customers shares. “The results and reports proved the value of establishing a type of ‘routine check-up’. That’s why we decided to implement regular health checks for our Active Directory, with help from our professional consultant at conova,” they explain further. “The monthly reports highlight areas with optimization potential, helping us to maintain a high level of security within the company.”
Our customers appreciate that the Active Directory Health Check and Microsoft Entra ID Health Check scan the entire configuration and review password policies. This includes, for example, passwords embedded in Group Policy Objects (GPOs), settings applied to domain admins that can still be modified by standard users (non-domain admins), as well as defined roles and functions.
In practice, we have found that inactive objects, outdated protocols, and other security vulnerabilities are often identified, such as:
NTLM v1 is enabled. NTLM (Windows New Technology LAN Manager) is a Microsoft security protocol.
WARNING: Version 1 is outdated and no longer in use.
RECOMMENDATION: Upgrade to a newer protocol version.
Print Spooler is activated: The Print Spooler is used to virtually expand a printer’s memory.
WARNING: This may allow attackers to gain access to the server (known as the “PrintNightmare” vulnerability).
RECOMMENDATION: Disable this default setting.
Non-admins can add computers to the domain. Standard settings allow users without admin rights to silently add up to 10 computers to the domain.
WARNING: Adding computers must be restricted to admin rights only.
RECOMMENDATION: Disable this default setting.
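The three findings above can be checked read-only with built-in PowerShell cmdlets. The following is an added example, not part of conova's assessment tooling; it assumes it is run on a domain controller with the ActiveDirectory module installed, and the result column names are illustrative.

```powershell
# Added example: read-only audit of the three findings listed above.
# Assumption: run on a domain controller with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$results = @()

# 1. NTLMv1: LmCompatibilityLevel 5 makes a DC refuse LM and NTLMv1 responses.
#    A missing value is treated as 3, the default on current Windows versions.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = 3
if ($null -ne $lsa) { $level = [int]$lsa.LmCompatibilityLevel }
$results += [pscustomobject]@{
    Check   = 'NTLMv1 still accepted'
    Value   = "LmCompatibilityLevel=$level"
    Finding = ($level -lt 5)
}

# 2. Print Spooler: flagged if the service is running or could be started again.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerValue = 'service not present'
$spoolerActive = $false
if ($null -ne $spooler) {
    $spoolerValue  = "Status=$($spooler.Status), StartType=$($spooler.StartType)"
    $spoolerActive = ($spooler.Status -eq 'Running') -or ($spooler.StartType -ne 'Disabled')
}
$results += [pscustomobject]@{
    Check   = 'Print Spooler active'
    Value   = $spoolerValue
    Finding = $spoolerActive
}

# 3. Non-admins can add computers: ms-DS-MachineAccountQuota on the domain object
#    (default 10). A value of 0 removes the quota for standard users.
$domainDn = (Get-ADDomain).DistinguishedName
$domainObj = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
$quota = [int]$domainObj.'ms-DS-MachineAccountQuota'
$results += [pscustomobject]@{
    Check   = 'Non-admins can join computers'
    Value   = "ms-DS-MachineAccountQuota=$quota"
    Finding = ($quota -gt 0)
}

# One row per check; Finding = True means the setting matches the warning above.
$results | Format-Table -AutoSize
```

Checks 1 and 2 describe only the machine the script runs on, so they need to be repeated on each domain controller; check 3 is domain-wide.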
More Than Just a Report
The generated report alone isn’t enough. Implementing all the recommendations that come out of the Active Directory analysis would likely make day-to-day operations impractical. That’s why we review the recommendations systematically with our customers, taking the entire infrastructure into account. In the case of managed infrastructure, we have a deep understanding of the interconnections between individual IT services. This allows us to minimize any potential negative impact resulting from configuration changes.
We give clear feedback regarding what we (conova) recommend implementing and which adjustments are inadvisable. As soon as the AD configuration has been updated, we perform a second scan. Afterward, we hold another discussion with the customer to go through the differences from the initial scan.
Balancing Must-Have and Nice-to-Have Adjustments
The extensive experience of conova’s employees shows how important a nuanced approach is: essential adjustments have to be balanced against configurations that may negatively impact the IT infrastructure’s functionality.
For example, one of our customers used specialized printers that were incompatible with newer security protocols. In such cases, it is necessary to weigh whether the risks of using older versions can be tolerated or if hardware changes are required.
Regular Health Checks
The tools we use are continuously updated and adapted to address emerging threats. At the same time, users, devices and their permissions within the company evolve over time. That is why we recommend conducting the Security Assessment regularly in order to continuously improve the security baseline, keep user management up to date and address legal issues.
conova offers the strength-weakness reports as a one-time service as well as a monthly subscription.