Beta Man

Lock Down AD

While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.

Active Directory has become a core part of many networks over the past five years, even in organizations that don't use Windows exclusively. Among its many functions, AD is the central directory for Exchange and the central security controller for Windows file and print servers in a domain environment.

Unfortunately, AD is a complex system, especially when it comes to security. It's easy for AD to grow increasingly less secure as minor changes pile up into major issues. More administrators get their fingers into the pie and consistency goes out the window. Everyone has different ideas about what's secure and what isn't, and the result is often a hodgepodge of configurations.

NetPro SecurityManager's goal is to simplify and solidify AD security through automation and analysis. It's built around Microsoft's own best practices, many of which have come out of Microsoft Consulting Services' (MCS) experience with AD deployment and management.

The tool performs a series of tests, analyzing several different AD configuration settings and security properties. It highlights known vulnerabilities like multi-forest trusts that aren't using security identifier (SID) filtering, unauthorized domain controllers on the network, unauthorized trusts or members and so on. It immediately notifies you of any problem areas. Those notifications include links to references, detailed descriptions, and other information to help you understand the problem, its security ramifications and possible solutions.

NetPro Security Manager

Version reviewed: Beta2
Current status: Final Beta/Released
Expected release: Second half of 05

Standard Fare
With AD's numerous configuration settings, a tool that checks them all could end up being pretty hard to navigate. NetPro overcomes this with a set of security standards, which are essentially templates for configuring AD.

There are standards for legacy, enterprise and high security scenarios. You can use these out of the box or as a starting point to develop your own.

You can only have one security standard in effect at a time, but you can switch whenever you like. It wasn't clear to me from the documentation whether this is intentional or whether you should, in fact, be able to have multiple standards in effect.

Each security standard has multiple categories: Audit Policy, Event Log, General Settings, Network Settings, Security Policy, System Services and User Rights Assignment. Each category specifies multiple rules that define your AD security standards.

The security standards help you centralize configuration decisions. You simply have to correct errant configuration settings to bring them into compliance. This promotes consistency, which leads to a more secure and operationally stable environment.

Beta Man's Routine Disclaimer:
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

Once you've put a standard into effect, SecurityManager can review your environment for compliance. A summary screen breaks down any variances by server, which helps you focus on the most problematic areas. Select an individual machine to see a detailed list of variances, including which rule was violated, what configuration the rule specifies and what configuration is actually in effect.
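The review workflow described above (a standard made of categorized rules, checked against each server, with variances listed as rule, required setting and actual setting) can be modeled in a few lines. This is an added illustration, not NetPro's code or data format: the category names come from the article, while the rule names, values and server names are constructed assumptions.

```python
from collections import defaultdict

# Constructed standard: category -> rule -> (operator, required value).
# Category names come from the article; rule names and values are assumptions.
STANDARD = {
    "Audit Policy": {"AuditLogonEvents": ("eq", "Success,Failure")},
    "Event Log": {"MaxSecurityLogSizeKB": ("min", 131072)},
    "System Services": {"Telnet": ("eq", "Disabled")},
}

# Constructed settings as collected from three hypothetical domain controllers.
ACTUAL = {
    "DC01": {"AuditLogonEvents": "Success,Failure", "MaxSecurityLogSizeKB": 131072, "Telnet": "Disabled"},
    "DC02": {"AuditLogonEvents": "Success", "MaxSecurityLogSizeKB": 16384, "Telnet": "Disabled"},
    "DC03": {"AuditLogonEvents": "Success,Failure", "Telnet": "Automatic"},  # log size unreadable
}

CHECKS = {
    "eq": lambda got, want: got == want,
    "min": lambda got, want: got is not None and got >= want,
}

def find_variances(standard, actual):
    """Return {server: [variance, ...]} for every rule a server fails."""
    variances = defaultdict(list)
    for server, settings in actual.items():
        for category, rules in standard.items():
            for rule, (op, want) in rules.items():
                got = settings.get(rule)  # None: setting missing, counted as a variance
                if not CHECKS[op](got, want):
                    variances[server].append(
                        {"category": category, "rule": rule,
                         "expected": f"{op} {want}", "actual": got})
    return dict(variances)

def summarize(variances, servers):
    """Servers ordered worst first, as on a per-server summary screen."""
    return sorted(((s, len(variances.get(s, []))) for s in servers),
                  key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    found = find_variances(STANDARD, ACTUAL)
    for server, count in summarize(found, ACTUAL):
        print(f"{server}: {count} variance(s)")
        for v in found.get(server, []):
            print(f"  [{v['category']}] {v['rule']}: expected {v['expected']}, actual {v['actual']}")
```

A setting that cannot be read is reported as a variance rather than skipped, so a server that fails to answer never shows up as compliant.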

Security by Policy
The world of configuration management and auditing is moving toward a policy-based model, where you create a set of abstract policies and then manage around those policies. Auditing then becomes a task of ensuring that the right policies are in place. This type of policy-based management is the core concept behind Microsoft's Dynamic Systems Initiative (DSI) and a key enabler for frameworks like IBM's OnDemand.

SecurityManager gives you a functional peek into this policy-based world, because its security standards are essentially abstract policies that you determine independent of the underlying technology. You could, for example, ratchet up your security by creating a more secure standard and then reviewing your environment for compliance.

SecurityManager could be a lifesaver for organizations grappling with HIPAA, Sarbanes-Oxley or Gramm-Leach-Bliley Act compliance. Instead of training auditors to understand AD configuration, you could use a security standard to automate the auditing process. A single screen or report would tell an auditor if everything was compliant or not. In fact, I'd like to see NetPro distribute security standard templates configured for specific legislative compliance situations like HIPAA and Sarbanes-Oxley.

One "miss" here is that SecurityManager is a notification and monitoring tool. It doesn't provide remediation. In other words, if SecurityManager discovers an incorrectly set domain controller audit policy, it should be able to correct that setting. At the very least, it should integrate with NetPro's ChangeManager for Active Directory, which provides configuration and change control. This type of end-to-end package would make SecurityManager even more valuable.


Beta Issues
As expected in any beta product, not everything ran perfectly. For example, the installation routine didn't add my user account to the SMADOperators or SMADAdmins user groups. As a result, the client not only refused to run but crashed outright. Another issue is the lack of reporting. NetPro is aware of these issues (as noted in readme files) and plans to address them by the time the product is shipping.

For reporting, I'd like to see a summary compliance report suitable for executive-level conversations, as well as a detailed report suitable for auditing. It should also report on specific problems and resolutions: a list that junior administrators could use as action items. Apart from those issues, installation and basic operations were smooth and reliable.

I'm pleased to see companies like NetPro jumping on the nascent policy-based management bandwagon. Securing AD shouldn't be a complicated task. While SecurityManager won't actively fix your problems for you, it does make finding them fairly simple.

Because policies—or security standards—remain fixed unless you change them, you can continuously and easily review your environment for compliance. If a branch office administrator goes nuts and starts installing unauthorized services, creating trusts and so on, you'll know about it pretty quickly.

It would be nice to see SecurityManager take the next step and automatically correct certain problems, especially if you've taken the time to define a custom security standard and know that you want those rules enforced, not just monitored. In the meantime, SecurityManager is an excellent way to simplify AD security monitoring.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at

