Active Directory-Reports dot com

Helpful Active Directory Reports Coverage for Security Audit & Regulatory Compliance

Brought to you by former Microsoft Program Manager for Active Directory Security
Home
Account Reports
Group Reports
Computer Reports
Exchange Reports
Permission Reports
Schema Reports
Trust Reports
GPO Reports
SCP Reports
OU Reports
Reporting Options
Reporting Tools

Active Directory Service Connection Point Reports

Service Connection Points are Active Directory objects that play a critical role in facilitating the search and location of vital IT services. The need to have insight into their state and security is thus also vital to organizational security, and Service Connection Point Reports provide this vital insight.

Active Directory Service Connection Point Reports

ACTIVE DIRECTORY SERVICE CONNECTION POINT REPORTS


The following is a list of the Top-10 Active Directory Service Connection Point (SCP) Reports that are vital for security and that should be included for auditing security in Active Directory as well –


I. Security State Reports –

   The following SCP reports provide vital insight into the security state of service connection points –

  1. All service connection points for mission-critical IT services
  2. All recently commissioned service connection points (i.e. created in the last few days)
  3. All service connection points for which keywords are not specified
  4. All service connection points for which DNS service names are not specified
  5. All service connection points for which service bindings are not specified


II. Delegated Administrative Access Reports –

   The following SCP reports provide mission-critical insight into who all can modify* the state of these
   service connection points, i.e. who all have sufficient privilege to modify the state of these SCPs –

* SECURITY NOTE – It is very important to understand that where all a user/group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. In order to correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

  1. Who can create service connection points, and where?
  2. Who can delete service connection points, and which ones?
  3. Who can change a service connection point's keywords, and of which ones?
  4. Who can change a service connection point's keywords DNS-service-names, and of which ones?
  5. Who can change the security permissions on service connection points, and on which ones?

   These delegated administrative access reports are absolutely mission-critical to security because
   they reveal exactly who has the ability to change the security state of these SCPs.



How to Generate these Group Reports:

   Organizations generally have two predominant reporting options to fulfill their AD reporting needs,
   and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.

   The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.
Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
Copyright ActiveDir-Reports.Com 2010. All Rights Reserved
Active Directory Security Community Active Directory Reporting Tools Active Directory Security Reference Identity, Security & Access Blog