What is DSEvaluate?

DSEvaluate is an audit that delivers a comprehensive assessment of the current state of an Active Directory implementation. The DSEvaluate process (the “evaluation”) can audit an Active Directory of any size or configuration, producing accurate and quantifiable results that are commonly used to:

  • Help an organisation get its Active Directory under control
  • Assist the directory administrators in understanding what was built, though not documented, by their predecessor
  • Ensure that managers understand the true state of their internal security and, if appropriate, formulate a quantifiable remediation path
  • Prepare for a compliance audit. The evaluation assesses risk inherent in the current directory implementation at a much deeper level than an actual compliance audit
  • Support the creation of a business case for optimisation and upgrade of the Active Directory
  • Lay the foundation for a successful optimisation and upgrade project by clearly documenting the intricacies and interdependencies within the current implementation.

The end product of the evaluation is a report, which:

  • highlights areas of concern and recommends appropriate remediation
  • grades the severity of each evaluation point, indicating which can be remediated by point fixes and which require re-engineering
  • offers a baseline from which to create a business case for remediation
  • is multi-audience targeted. The findings are clearly explained so that understanding the report does not require significant technical skill.

How does DSEvaluate work?

DSEvaluate is an examination of the current health and effectiveness of an Active Directory, with emphasis on how effectively the directory is serving the needs of the business. It is a proven, comprehensive and non-invasive process that measures architectural security, stability, and compliance with regulatory requirements and Best Practice. The consultant performing the evaluation (the “Evaluator”) will:

  • Configure and run the DSEvaluate information-gathering module
  • Review the internal architecture of the Active Directory
  • Review the physical representations within the Active Directory
  • Review Group Policy architecture and critical settings
  • Review the core authority utilisation and any existing role-based authority implementation
  • Review documentation and Best Practice compliance markers

On request, the Evaluator can report on additional aspects of the physical health of the Active Directory software and the resistance of the domain controllers to malicious attack. In this case the Evaluator will also:

  • Configure and run Best Practice analysers
  • Investigate and document issues arising from the analysis
  • Review logs and protocol settings
  • Review DNS name resolution and replication
  • Review installed Microsoft and third-party Active Directory tools

The DSEvaluate process

The Evaluator will spend time assessing the structures within the Active Directory by a combination of direct observation and automated information gathering. DSEvaluate is a read-only process and has zero impact on the infrastructure.

The organisation’s senior Active Directory administrator will be consulted to arrange appropriate access to the directory. This administrator should be on hand at various times throughout the process to help answer questions that are not addressed in the available documentation.

Once the core of the information has been gathered and analysed, an informal meeting is held to discuss the overall findings, their impact on the business and any remediation. This should be attended by at least the Senior Administrator and the CIO/IT Manager. Questions can be asked of the Evaluator, and the in-depth explanations provided by this meeting will add clarity to the final report.

The evaluation is complete on the production of the report. The draft report is circulated and reviewed in advance to ensure that any further questions can be answered in detail and clarifications incorporated into the final report.

The DSEvaluate report

The evaluation report provides a comprehensive representation of the current state of the Active Directory. It will also document any additional observations made by the Evaluator on any systems connected to the directory where possible inconsistency or under-optimisation is in evidence. Where appropriate, advice will be given on the need for more detailed, technology-specific audits.

As outlined above, this report:

  • highlights areas of concern and recommends appropriate remediation
  • grades the severity of each evaluation point, indicating which can be remediated by point fixes and which require re-engineering
    • the severity value is a combination of the potential for malicious attack and the risk of accidental administrative damage
    • should re-engineering be required, the report will provide options for the most cost-effective solutions with least impact
  • offers a baseline from which to create a business case for remediation
  • is multi-audience targeted. The findings are clearly explained so that understanding the report does not require significant technical skill.

DSEvaluate technical requirements

In order to complete the evaluation, the following should be arranged in advance:

  • One Windows 7 or 8 x64 workstation that is a member of the domain
    • .NET 4 client-side extensions (x64)
    • C++ 2010 redistributable components (x64)
    • Local Administrator credentials on the workstation
  • Independent access to the internet for the Evaluator’s laptop (outside the firewalls)
  • 3 to 4 hours of a Domain Administrator’s time to answer questions on the history and current use of the directory. This time will be spread over the whole evaluation period.
  • RDP access to a domain controller in each domain in the forest
  • Use of a domain admin account to run a subset of information-gathering processes. This access can be supervised if required, but this greatly increases the amount of internal administrator time required.
  • Jointly signed non-disclosure agreements
  • Signed acceptable usage policy.

DSEvaluate client time requirements

General discussions

  • About 90 minutes of the Domain Administrator’s time each day of the evaluation
  • 1 hour of the CIO/IT Manager’s time
  • 30 minutes with each Admin team leader
  • 15 minutes with an administrator from each team

Informal report

This is a 1- to 2-hour meeting that should be attended by:

  • Senior Administrator (required)
  • CIO/IT Manager (required)
  • Security Officer (optional)
  • Any others nominated by the CIO/IT Manager

Draft Report Meeting

This is a 1-hour meeting that should be attended by:

  • Senior Administrator (required)
  • CIO/IT Manager (required)
  • Security Officer (optional)
  • Any others nominated by the CIO/IT Manager

DSEvaluate options

DSEvaluate can be purchased as either a 3- or 5-day evaluation programme:

  • The 3-day programme includes the full DSEvaluate report on the design and architecture
  • The 5-day programme adds the review of the physical health of the directory service.

Moving Forward

DSEvaluate serves as an entry point for the DSEvolution suite of technologies, which will reliably, painlessly and cost-effectively transform any Active Directory from an under-optimised state to a fully optimised state – and then keep it there.