Microsoft Active Directory is a widely used base technology that provides authentication and authorization services for business applications and networked resources. The Windows Server feature ships with tools to manage every aspect of an Active Directory environment, but the default set of tools available out of the box cannot identify impending system failures, security risks, or issues that might cause an Active Directory environment to go down. For example, an Active Directory installation doesn’t provide any tool or utility that can check the permissions applied to all critical Active Directory objects and to other objects such as security groups and users. Similarly, no built-in tool or utility shows how many accounts are getting locked out every day, information you need in order to spot security risks.
An Active Directory environment goes through many changes in a day. It is important to know what changes were made and by whom in order to mitigate the risks. There are many use cases, and every tool we see in the market today has been designed for some purpose. For example, to examine account lockouts in an Active Directory domain, Netwrix’s Account Lockout Examiner is quite useful. Similarly, to perform a complete health and risk assessment of an Active Directory Forest, Ossisto 365’s Active Directory Health Profiler is a powerful product.
While there are many Active Directory security tools in the market today, not all tools carry all the security functions you need. As an example, how do you ensure that Active Directory administrative security groups contain only members from an authorized list of users? You could use the Active Directory Administrative Security Groups Membership Checker tool to ensure that only authorized users are part of the security groups in a given Active Directory domain. Another point to check when evaluating an Active Directory security product is whether the tool supports compliance standards such as SOX, PCI-DSS, HIPAA and GDPR and offers adequate reporting capabilities.
While you might have an enterprise Active Directory security product that could help you identify some of the security risks, remember that not every tool and product in the market provides the same functions. That’s where our top Active Directory security tools list can help. Our list of top Active Directory security tools ranges from permissions, lockout and change monitors to broad risk and security assessment tools.
Top 9 Active Directory Security Tools
- SolarWinds Permissions Analyzer
- Active Directory Health Profiler
- Netwrix Auditor for Active Directory
- Account Lockout Examiner
- Semperis DS Protector
- Active Directory Last Logon Checker
- Administrative Security Groups Checker Tool
- SekChek Security Auditing
- Quest Change Auditor for Active Directory
It’s the permissions on Active Directory objects that let you access the Active Directory environment. SolarWinds Permissions Analyzer is an effective tool for checking permissions assigned on Active Directory objects. You may want to check how a user’s permission is inherited, browse permissions by a group or user, or analyze a user’s effective permissions based on group membership. SolarWinds Permissions Analyzer is also a very effective tool for analyzing permissions in a multi-domain Active Directory Forest. It can help you mitigate security risks by quickly identifying which members of your team have access to sensitive data and Active Directory objects. And best of all, SolarWinds Permissions Analyzer is absolutely free for use with Active Directory forests.
Ossisto’s Active Directory Health Profiler is a robust assessment engine designed to do a complete risk and security assessment of Active Directory Forests. AD Health Profiler can find security risks and help avoid disruptions in service. AD Health Profiler ships with 74 PowerShell-based Microsoft Active Directory Dynamic Packs to perform health checks of multiple Active Directory Forests. All of the Microsoft Active Directory Dynamic Packs follow Microsoft recommendations for Active Directory best practices. Though the product is expensive, it might pay for itself by uncovering hidden security issues.
Netwrix Auditor for Active Directory provides visibility into what’s happening inside your domain by tracking logons and changes to Active Directory users, groups, organizational units, Group Policy Object (GPO) settings and more. Daily reports detail every change and logon that’s happened in the last 24 hours, including the before and after values for each modification. A basic free edition of Netwrix Auditor for Active Directory is available, but the standard edition includes significantly greater functionality.
Netwrix also offers the free Account Lockout Examiner, which deserves its own spot on the list. It provides alerts on account lockouts and helps you troubleshoot each event and determine the root cause so you can quickly restore vital services. Accounts can be unlocked from the Netwrix Account Lockout Examiner console or from your mobile device.
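The lockout counting described in the opening paragraph and the root-cause step Account Lockout Examiner automates can also be done by hand against the domain's own audit trail. The following PowerShell is an added example written for this page, not code from Netwrix or any other vendor. It reads event ID 4740 (account locked out) from the PDC emulator, which records every lockout in the domain, and summarizes lockouts per day and per account together with the computer the bad passwords came from. It assumes the RSAT ActiveDirectory module, a domain-joined host, and rights to read the PDC emulator's Security log remotely; the seven-day window is a constructed default.

```powershell
# Added example (not Netwrix's code): count account lockouts per day and per account
# from event ID 4740 on the PDC emulator, which records every lockout in the domain.
# Assumes the RSAT ActiveDirectory module and rights to read the PDC's Security log remotely.
Import-Module ActiveDirectory

function Get-LockoutSummary {
    param([int]$Days = 7)   # reporting window; 7 days is an assumed default
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # an empty window would otherwise raise an error

    $rows = foreach ($e in $events) {
        # Read the named EventData fields rather than relying on positional Properties[].
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # On 4740 events the TargetDomainName field carries the caller computer name,
            # i.e. the machine that submitted the bad passwords.
            CallerComputer = $data['TargetDomainName']
        }
    }

    [pscustomobject]@{
        PerDay     = $rows | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Select-Object Name, Count
        PerAccount = $rows | Group-Object Account | Sort-Object Count -Descending | Select-Object Name, Count
        Events     = $rows
    }
}

$summary = Get-LockoutSummary -Days 7
$summary.PerDay | Format-Table -AutoSize
$summary.PerAccount | Select-Object -First 10 | Format-Table -AutoSize
$summary.Events | Export-Csv -Path "$env:TEMP\lockouts.csv" -NoTypeInformation

# Accounts that are still locked right now; Unlock-ADAccount restores each one after
# the cause (stale credential on the caller computer, scheduled task, etc.) is fixed.
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LockedOut
```

A sudden rise in the per-day count, or one account locked out from many different caller computers, is the pattern worth alerting on; a single account repeatedly locked from the same workstation usually points at a cached old password rather than an attack.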
Semperis DS Protector is a change tracking tool for Active Directory. Semperis DSP leverages two separate data sources via Active Directory replication APIs to overcome shortcomings of traditional change tracking. Semperis DSP database usage eliminates the need for a lengthy restoration process while providing high data integrity. Semperis DSP can capture all changes to Active Directory even if native security logging is turned off, logs are deleted, agents are disabled, or agents stop working. It can also notify designated personnel when changes are made to sensitive security groups, privileged users, and so on. You can quickly see who made each change, find all changes made by a particular user, and undo unwanted changes, all from a single console. GPO, DNS, Configuration, and Schema Changes extend real-time change tracking and rollback (where applicable) to Group Policy and additional components of Active Directory.
Ossisto also makes our list multiple times. When you have a large number of users created in your Active Directory, it becomes important to get a report on user logins to ensure that only authorized users are logging onto your network. Ossisto 365 offers a freeware tool that can be used to get last logon details for all users in your domain. Active Directory Last Logon Reporter is capable of pulling reports in CSV format for reporting purposes.
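The last-logon report described above can be produced with the ActiveDirectory PowerShell module as well. The script below is an added example for this page, not the Ossisto tool's code. It handles the detail that trips up most home-grown reports: the lastLogon attribute is not replicated, so each domain controller holds its own value and every DC must be queried, while the replicated LastLogonDate (derived from lastLogonTimestamp) can lag the true value by up to 14 days. The example keeps the newest lastLogon seen on any DC, reports LastLogonDate alongside it, flags accounts idle longer than a threshold, and writes a CSV. It assumes the RSAT ActiveDirectory module and read access to every DC; the 90-day staleness threshold is a constructed default.

```powershell
# Added example (not Ossisto's tool): report the most recent logon for every enabled user
# and flag accounts idle longer than a threshold. Assumes the RSAT ActiveDirectory module.
# lastLogon is not replicated, so every DC is queried and the newest value is kept;
# LastLogonDate (from lastLogonTimestamp) is replicated but may lag by up to 14 days.
Import-Module ActiveDirectory

function Get-LastLogonReport {
    param([int]$StaleDays = 90)   # assumed threshold; adjust to your policy
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $latest = @{}   # SamAccountName -> newest lastLogon (DateTime) seen on any DC

    foreach ($dc in $dcs) {
        Get-ADUser -Server $dc -Filter { Enabled -eq $true } -Properties lastLogon |
            ForEach-Object {
                if ($_.lastLogon) {
                    # lastLogon is a Windows FILETIME (100-ns ticks since 1601), convert it
                    $t = [DateTime]::FromFileTime($_.lastLogon)
                    if (-not $latest.ContainsKey($_.SamAccountName) -or $t -gt $latest[$_.SamAccountName]) {
                        $latest[$_.SamAccountName] = $t
                    }
                }
            }
    }

    # Second pass builds one row per enabled user, including users who never logged on.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate | ForEach-Object {
        $last = $latest[$_.SamAccountName]
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogon      = $last                 # newest non-replicated value across DCs
            LastLogonDate  = $_.LastLogonDate      # replicated, coarse value for comparison
            Stale          = (-not $last) -or ($last -lt (Get-Date).AddDays(-$StaleDays))
        }
    }
}

Get-LastLogonReport -StaleDays 90 |
    Sort-Object LastLogon |
    Export-Csv -Path "$env:TEMP\last-logon-report.csv" -NoTypeInformation
```

Accounts with no lastLogon on any DC and a Stale flag set are the ones to review first: they are either never used or used only through paths that do not update lastLogon, and either way they deserve a disable-or-justify decision.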
Another one from Ossisto. The Administrative Groups Checker tool is designed to check the members of Active Directory security groups that you specify and notify you via email if the membership changes. This is one of the tools that every Active Directory administrator should have handy to ensure that only authorized members from a list are part of administrative security groups. The tool collects and verifies each member of the security group against the members defined in a Health Set, which in turn helps you keep the group membership aligned with an authorized list. If any changes occur to the group membership, the tool can notify you via email.
An Active Directory administrator knows the importance of auditing. To be in compliance with SOX and HIPAA, you need to have an auditing system in place. The SekChek Security Auditing tool can help with auditing Active Directory environments and generating reports. The reports can then be measured against industry standards and best practices and assigned a rating.
If you are looking for a hybrid environment change auditing tool for Active Directory, Quest’s Change Auditor for Active Directory can help. You can get a single, correlated view of all changes happening in both on-premises Active Directory and Azure Active Directory. Apart from reporting on key configuration changes in the Active Directory environment, Quest Change Auditor can also protect critical Active Directory objects from change, for example by preventing accidental deletion of organizational units and modification of group policy settings.
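The membership check raised in the introduction and performed by the Administrative Groups Checker tool above is straightforward to reproduce, and seeing it in code makes the design choices clear. The PowerShell below is an added example written for this page, not the Ossisto tool's code. It compares the recursive membership of each privileged group against an authorized list, reports both unauthorized additions and missing authorized members, mails the result and writes a CSV. It assumes the RSAT ActiveDirectory module, a domain-joined host, and an internal SMTP relay; the group list, member names, mail addresses and relay host are constructed placeholders.

```powershell
# Added example (not the Ossisto tool's code): compare the current membership of
# privileged AD groups against an authorized list and mail any difference.
# Assumes the RSAT ActiveDirectory module, a domain-joined host, and an internal SMTP relay.
Import-Module ActiveDirectory

# Authorized members per group, as SamAccountNames. Constructed sample values;
# in practice keep this list in a version-controlled, access-restricted file.
$Authorized = @{
    'Domain Admins'     = @('Administrator', 'adm-jsmith')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()   # should normally be empty outside a schema change window
}

function Get-PrivilegedGroupDrift {
    param([hashtable]$AuthorizedMembers)
    foreach ($group in $AuthorizedMembers.Keys) {
        # -Recursive expands nested groups, so a user added indirectly is still reported.
        $current = @(Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName)
        $expected = @($AuthorizedMembers[$group])

        # Plain containment checks instead of Compare-Object, which rejects empty arrays.
        foreach ($m in $current) {
            if ($expected -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Status = 'Unauthorized' }
            }
        }
        foreach ($m in $expected) {
            if ($current -notcontains $m) {
                [pscustomobject]@{ Group = $group; Member = $m; Status = 'Missing' }
            }
        }
    }
}

$report = @(Get-PrivilegedGroupDrift -AuthorizedMembers $Authorized)
if ($report.Count -gt 0) {
    $body = $report | Format-Table -AutoSize | Out-String
    # Placeholder relay and addresses; substitute your own mail transport.
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'ad-monitor@example.com' `
        -To 'ad-admins@example.com' -Subject 'Privileged group membership drift' -Body $body
    $report | Export-Csv -Path "$env:TEMP\priv-group-drift.csv" -NoTypeInformation
} else {
    Write-Output 'All privileged groups match the authorized list.'
}
```

Run it from a scheduled task on a management host at a fixed interval; the recursive expansion matters because nesting a group into Domain Admins is the common way an extra member slips past a check that only looks at direct members.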
Nirmal Sharma is an MCSEx3 and MCITP, and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he enjoys helping others and sharing some of his knowledge by writing tips and articles on Microsoft technologies.