AD Remediation Services Engagement

DynamicPacks Technologies has the expertise needed to address problems found during assessments of Azure CIS, Microsoft 365, Active Directory, and Entra ID. We take a methodical approach so that the remediation we carry out as part of our remediation services causes no downtime.

Running Assessment

Running the Active Directory Assessment, using a number of specialized tools and scripts to gather data from Active Directory, is the first step in the engagement. We follow the recommendations published by ANSSI, MITRE, and Microsoft.

Defining Impact Assessment

The Assessment Summary Sheet containing all issues (exported by SmartProfiler Reporter) is discussed with the Client IT Team to define the impact assessment for each issue and to decide whether each test is included in the remediation.

Storing Materials

Note that every document, including Technical Reference Sheets and other materials, is posted and maintained on the customer's Teams channel.

Discussion

As shown in the accompanying diagram, this discussion takes place at the end of the Collection stage. Once the assessment and data collection are complete, the DynamicPacks Team analyses the data and submits it to the Customer IT Team for discussion and review.

Every remediation is carried out from a Technical Reference Sheet that the customer technical team and stakeholders have validated. Once remediation is complete, the team puts the mitigation plan into action to prevent the issues from recurring and/or to promptly notify stakeholders when they do.

ENGAGEMENT STEPS

There are several steps required, ranging from performing a thorough assessment of Active Directory to developing and putting into place automated procedures to mitigate the problems going forward. The sections that follow highlight each of these procedures:

The SmartProfiler for Active Directory ships with 300 advanced assessment checks. We utilize SmartProfiler AD Assessment to run the security, health, and misconfiguration assessment.

The next step in the procedure is to gather information on Active Directory permissions and Group Policy settings using additional SmartProfiler for Active Directory components, such as Permissions Analyzer and GPO Analyzer. To gather rights assigned to the Active Directory Organizational Units and Tier-0 Objects, we utilize AD Permissions Analyzer which is part of SmartProfiler.

After the data collection process is complete, we use SmartProfiler’s Reporter to automatically generate reports. With SmartProfiler for Active Directory, two report types will be available: an Excel summary with a list of impacted objects and a Word report.

At this stage we are ready to begin remediation based on the earlier discussion with the customer IT Team, having identified which items can be resolved and must be remediated.

Now that the items to remediate are identified, we follow a steady approach to ensure that every item is remediated and that the remediation causes no downtime. With these two points in mind we create Technical Reference Sheets, and each item is implemented through its own Technical Reference Sheet.

At the final stage we implement the mitigation plans so that the issues do not recur and, if they do, the Client IT Team is notified. The objective here is to implement all mitigation processes.

We prefer to create a Teams Channel from either Customer IT Side or our side. That Teams Channel stores the deliverables, scripts, documents, technical reference sheets, etc.

It is important to understand that not all issues can be resolved in Active Directory, because some issues depend on other issues or on applications running in the environment. The Known Issues Database (part of SmartProfiler) keeps track of such issues.

Once the engagement has been executed successfully, the items related to the engagement will be delivered to Customer IT Team.

Once the mitigation plan has been completed and all deliverables have been handed over to the Client, we obtain sign-off from your IT Team.

1. Active Directory Assessment

The first task, as highlighted in the diagram above, is a complete and advanced assessment of the Active Directory environment. SmartProfiler for Active Directory ships with 300 advanced assessment checks that we use to check every component of Active Directory, along with several other SmartProfiler tools that check components such as Active Directory permissions, Group Policy settings, Tier-0 objects, the location of critical objects, and a few more that we agree on with the customer.

How many times have you assessed an Active Directory environment for a client and found user accounts with unconstrained delegation (Trusted for delegation), DES-only Kerberos encryption, or Kerberos pre-authentication disabled? A small business running Active Directory with two to five domain controllers can manage its AD infrastructure without any of these settings on user accounts. Unconstrained delegation, DES encryption and disabled Kerberos pre-authentication are not actually required there, and each weakens Kerberos: a service running under an unconstrained-delegation account collects the TGTs of every user who authenticates to it, DES is a broken cipher, and an account that does not require pre-authentication lets anyone request material derived from its password hash for offline cracking (AS-REP roasting). You would still need to complete the user-object tests in the standard checklist included in the assessment tool to confirm that everything is in order for user objects.
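As an added example (not SmartProfiler, AD Issues Fixer or DynamicPacks code), the following PowerShell script performs the three user-object checks described above and writes a review-only remediation script, mirroring the export-then-review approach used later in this engagement. It assumes the RSAT ActiveDirectory module, read access to the domain, and that the output file names are placeholders.

```powershell
# Added example: find user accounts with unconstrained delegation, DES-only Kerberos
# or no Kerberos pre-authentication, then export (but do not run) the fixes.
# Assumes RSAT ActiveDirectory module and domain read access. Output paths are placeholders.
Import-Module ActiveDirectory

# userAccountControl flag bits (see Microsoft's userAccountControl documentation)
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained (unrestricted) Kerberos delegation
$USE_DES_KEY_ONLY       = 0x200000   # DES-only Kerberos encryption
$DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication not required

# Each check: the flag to test and the Set-ADAccountControl switch that clears it.
$checks = @(
    @{ Name = 'UnconstrainedDelegation'; Bit = $TRUSTED_FOR_DELEGATION; Fix = '-TrustedForDelegation $false' },
    @{ Name = 'DesOnlyKerberos';         Bit = $USE_DES_KEY_ONLY;       Fix = '-UseDESKeyOnly $false' },
    @{ Name = 'NoKerberosPreauth';       Bit = $DONT_REQ_PREAUTH;       Fix = '-DoesNotRequirePreAuth $false' }
)

$findings = foreach ($c in $checks) {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the flag server-side.
    $filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($c.Bit)))"
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Check             = $c.Name
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                Enabled           = $_.Enabled
                LastChanged       = $_.whenChanged
                # One line per finding; the reviewed script is what actually changes AD.
                Fix               = "Set-ADAccountControl -Identity '$($_.DistinguishedName)' $($c.Fix)"
            }
        }
}

# Counts per check for the Assessment Summary Sheet discussion, plus the full list.
$findings | Group-Object Check | Select-Object Name, Count | Format-Table -AutoSize
$findings | Export-Csv -Path .\user-flag-findings.csv -NoTypeInformation

# Export the remediation script for both technical teams to review; nothing is changed here.
$header = "# Generated $(Get-Date -Format s). Review each line against its Technical Reference Sheet before running."
@($header) + ($findings | ForEach-Object { $_.Fix }) | Set-Content -Path .\fix-user-flags.ps1
```

Before the exported lines are approved, check each unconstrained-delegation account for a service that genuinely needs delegation (and move it to constrained or resource-based delegation instead of simply clearing the flag), and confirm that no legacy application depends on DES before removing it; those dependencies are exactly what the impact assessment step records.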

Perform a security, health, and configuration assessment of the existing Active Directory forest and make sure all tests are executed.

Using SmartProfiler for Active Directory Assessment Tool


2. Data Collection

The next step in the procedure is to gather information on Active Directory permissions and Group Policy settings using additional SmartProfiler for Active Directory components, such as Permissions Analyzer and GPO Analyzer. To gather rights assigned to the Active Directory Organizational Units and Tier-0 Objects, we utilize AD Permissions Analyzer which is part of SmartProfiler.

All applications and their functions are collected so that remediating issues, Group Policy settings, permissions, etc. does not break the applications and components deployed in the environment.

  • Collect application servers and their functions, including communication, protocols, languages, authentication methods, etc.
  • An application sheet is filled in together with the client IT Team during the discussion.
  • Collect service accounts from all production application servers.
  • Run custom scripts to collect local server objects.
  • Provide a sheet to the Customer IT Team and ask them to record critical and non-critical servers along with their functions.
  • Discuss how remediation of each issue is going to affect the applications currently deployed, if at all.
  • Record the impact assessment in the Assessment Excel Summary.
  • Fill in activity hours and the other respective columns, such as whether a change is needed.

 

Improve permissions on OUs and Tier 0 objects, tighten and harden AD permissions, implement the tiering model, improve GPO settings, suggest new settings per Microsoft, CIS and NIST standards, and avoid issues for production applications during remediation.

Using SmartProfiler AD Permissions Analyzer, GPO Analyzer and Custom Scripts.


3. Generate Report and Walk-through

After the data collection process is complete, we use SmartProfiler’s Reporter to automatically generate reports. With SmartProfiler for Active Directory, two report types will be available: an Excel summary with a list of impacted objects and a Word report.

We are now ready to walk you through the data gathered during the Data Collection phase and the report that SmartProfiler produced. We would like to meet with your team to go over each issue SmartProfiler has reported. We go over each finding individually and fill in the following columns in an Excel sheet created by SmartProfiler Reporter:

  • Issue Owner: who is going to fix the issue. If you need our help fixing an issue, we help; in most cases, issues that your team can easily resolve are assigned to you as the owner.
  • Impact Assessment for each issue: this is critical, as remediating an issue might break existing applications or infrastructure components. We use AD Issues Fixer to record the impact assessment for each test.
  • Activity Hours: To be done in Change Window or normal remediation – depends on the impact and testing.
  • Applications: In-House designed applications and their functions.
  • UAT: agreement on how user acceptance testing of each remediation is carried out.
  • Filtering Issues: Prioritizing Action Items.
Active Directory impact Summary in AD Issues Fixer
Add Impact Summary for each Test in AD Issues Fixer

Set expectations and filter issues for remediation.

  • Generating Report using SmartProfiler Reporter.
  • Using Excel Summary generated by SmartProfiler for discussion.

4. Remediating Identified Issues

We can now start remediation in accordance with the previous discussion with the customer's IT team, having determined which issues require remediation and which can be fixed. This step covers the following kinds of issues and items:

  1. Findings by SmartProfiler
  2. Findings by GPO Assessment
  3. Findings by OUs, Container, Tier 0 Objects Permissions Assessment
  4. AD Tiering Model
  5. New GPO Implementation based on CIS/NIST Standards.
  6. Implementation of GPO to be done in phased manner ensuring no impact.
  7. All GPO settings to be tested in isolated environment.
  8. AD Enhancements based on the result provided by SmartProfiler.
  9. Create Technical Reference Sheets for all remediation.
  10. Follow all processes before applying fixes.
  11. All of the remediation items will be fixed based on their severity level. If DynamicPacks finds that an issue needs urgent attention and fix to be applied ASAP, the Customer IT team will be notified.

Note: at this stage we plan to use AD Issues Fixer for some of the issues. However, only PowerShell scripts are exported to fix the reported issues; each script still needs to be reviewed by both technical teams before it is run.

  • Fix identified issues
  • Implement processes for fixing
  • Export Script using AD Issues Fixer
  • Custom Scripts

5. Remediation Processes

Now that the issues to be remediated have been identified, we proceed steadily to guarantee that every item is remediated and that the remediation procedures cause no disruption to production services. With these two considerations in mind we develop Technical Reference Sheets.

Every action carried out in the client's production environment must be carefully planned with sufficient technical detail, and the client IT team must review each Technical Reference Sheet before execution. All Technical Reference Sheets created for this project include the following items:

  • Step by step technical steps for implementing identified activities.
  • ETA for activity.
  • Execution Urgency:
    • Level 1: Critical
    • Level 2: High
    • Level 3: Medium
    • Level 4: Low (can be implemented later but implement to mitigate other issues)
  • Change Window items
  • User Acceptance Testing (verification of implementation/remediation)
  • Execution Engineers name
    • From both Customer IT Team and DynamicPacks
  • Change impact (if any)
  • Backup plan
  • Reviewers
  • Approval parties and their levels

Note: each Technical Reference Sheet has three levels of approval: two from the Customer IT Team and one from DynamicPacks. This makes both the Client IT Team and DynamicPacks accountable for executing the technical steps outlined in the sheet. A Technical Reference Sheet is created for each finding that is to be executed.

The Change Request with its Technical Reference Sheet can be created automatically using the AD Issues Fixer Create Change Request function, as shown below:

 

Creating Change Request from AD Issues Fixer

Here is the Change Request Form that is created automatically from AD Issues Fixer:

Example of Change Request created by AD Issues Fixer
  • Resolve identified issues.
  • Plan/Create Technical Reference Sheets.
  • Using AD Issues Fixer to export Script
  • Using Custom PowerShell Scripts.
  • Using Manual Steps identified in the Technical Reference Sheets

6. Implementation of Mitigation Plan

At this point, we are prepared to put the mitigation measures into action in order to prevent problems from happening and to notify the client IT team of any problems that do. Here, the goal is to put all of the mitigating procedures listed below into practice:

  • Create processes and a plan for mitigating issues going forward: the missing SOPs identified by SmartProfiler and how to implement them.
  • Implementation of SmartProfiler AD Real-Time Monitoring
    • Configuring required alerts
    • Configuring Email Templates
    • Configuring Slack (optional, to be discussed).
  • AD Assessment Scheduler to be implemented.
  • The Mitigation plan may include following items:
    • A document explaining how to mitigate a specific item – covered in SOP.
    • Designing and implementing specific Scripts in the environment.
  • Use of SmartProfiler regularly to ensure issues are identified and remediated according to their severity level.
    • To be achieved using AD Assessment Scheduler and Real-Time Monitoring of SmartProfiler.
  • Maintaining Active Directory Environments
  • Securing from emerging threats.
  • Implementing SmartProfiler AD Real-Time Monitoring
  • Implementing SmartProfiler AD Assessment Scheduler
  • Implementing missing SOPs for maintaining the environment.

Storing Engagement Materials to Teams Channel

We prefer to create a Teams Channel from either Customer IT Side or our side. That Teams Channel stores the following information:

  • All change documents.
  • All Technical Reference Sheets.
  • Any custom script used to implement a change.
  • Data collected during the data collection phase.
  • Assessment reports.
  • Any other deliverables and documents.

 

Engagement Deliverables

Once the engagement has been executed successfully, the following items are delivered to the Customer IT Team for re-use:

  • Custom scripts designed for implementation, troubleshooting, etc.
  • A detailed document on Active Directory design and production environment.
  • Technical reference sheets.
  • Mitigation plan document.
  • Knowledge transfer of findings and recommendations, and of how to use Real-Time Monitoring and the AD Assessment Scheduler.

 

Known Issues Database

It is critical to realize that not all issues can be fixed during the remediation, because certain issues depend on other issues or on applications. For instance, if you still have Windows Server 2008 domain controllers and some older applications still use NTLM authentication, you cannot disable the NTLM protocol on the domain controllers. In that case the NTLM-related tests are recorded in the Known Issues Database, together with the dependency that blocks them, so that they are revisited once the dependency is gone. SmartProfiler for Active Directory includes a Known Issues Database console that tracks known issues in the AD environment out of the box.
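Before an NTLM finding is parked in the Known Issues Database, the dependency behind it should be measured rather than assumed. The following PowerShell script is an added example (not SmartProfiler or DynamicPacks code) that inventories NTLM credential validations (Security event 4776) on every domain controller for the last seven days, which shows which accounts and workstations still rely on NTLM. It assumes that Audit Credential Validation is enabled on the DCs, that the caller can read their Security logs remotely, and that the output file name is a placeholder.

```powershell
# Added example: list which accounts and workstations still authenticate with NTLM,
# using event 4776 ("The computer attempted to validate the credentials for an account"),
# which is logged on the domain controller that performs the NTLM validation.
# Assumes Audit Credential Validation is enabled on the DCs and remote Security log access.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)
$dcs   = (Get-ADDomainController -Filter *).HostName

$ntlm = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $_.TimeCreated
                    Account          = $d['TargetUserName']
                    Workstation      = $d['Workstation']
                    Status           = $d['Status']    # 0x0 means the NTLM validation succeeded
                }
            }
    } catch {
        # A DC we cannot read is itself a gap in the inventory; record it, do not hide it.
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
    }
}

# Successful NTLM validations grouped by source and account: this table is the
# evidence attached to the Known Issues entry for the NTLM-related tests.
$ntlm | Where-Object Status -eq '0x0' |
    Group-Object Workstation, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'Account';     e = { $_.Group[0].Account } } |
    Format-Table -AutoSize

$ntlm | Export-Csv -Path .\ntlm-usage-last7d.csv -NoTypeInformation
```

Event 4776 on a DC only covers NTLM validations of domain accounts; logons with local accounts are recorded on the member server itself, so a complete picture also needs the NTLM audit policies (Network security: Restrict NTLM, audit mode) on servers that support them. Seven days is usually too short for monthly or quarterly batch jobs, so extend the window before the dependency is declared closed.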

 

Wrapping up Engagement

We obtain your IT Team's sign-off once the mitigation plan is finished and all deliverables have been handed over to the client.

 
