AdvancedADDCSecurityChecks.ps1.README.md

AdvancedADDCSecurityChecks.ps1

Purpose

Performs advanced security assessments of Active Directory Domain Controllers, providing comprehensive analysis of security configurations, vulnerabilities, and compliance with industry best practices and security standards.

Features

• DC security assessment
• Service configuration audit
• Security policy validation
• Replication health check
• FSMO roles verification
• DNS security analysis
• Certificate services audit
• Group Policy assessment
• Trust relationship validation

Requirements

• Windows Server 2016 or later
• PowerShell 5.1 or later
• Domain Controller role
• Administrative privileges
• AD PowerShell module
• DNS Server tools
• Group Policy tools
• Certificate Services tools

Usage

.\AdvancedADDCSecurityChecks.ps1 [-DC <name>] [-Scope <scope>] [-Report]

Parameters:
  -DC           Domain Controller name
  -Scope        Assessment scope (Full/Security/Services/Replication)
  -Report       Generate detailed report

Security Operations

1. Core DC Security

   • Service configurations
   • Security policies
   • System hardening
   • Patch compliance
   • Event log settings
   • Backup validation
   • Recovery readiness

2. Directory Services

   • NTDS settings
   • Database integrity
   • Replication health
   • FSMO roles
   • Schema updates
   • Tombstone lifetime
   • Backup status

3. Authentication Security

   • Kerberos settings
   • LDAP security
   • NTLM policies
   • Password policies
   • Account policies
   • Trust relationships
   • Protocol security

4. Infrastructure Services

   • DNS security
   • Certificate services
   • Group Policy
   • Site replication
   • Time synchronization
   • Network services
   • Backup services

Configuration

The script uses a JSON configuration file:

{
    "SecurityChecks": {
        "ValidateServices": true,
        "CheckReplication": true,
        "AuditPolicies": true,
        "ValidateTrusts": true
    },
    "Assessment": {
        "DCDiagTests": true,
        "ReplicationTests": true,
        "SecurityTests": true,
        "PerformanceTests": true
    },
    "Reporting": {
        "OutputPath": "C:\\DCReports",
        "Format": "HTML",
        "IncludeCharts": true,
        "SendEmail": true
    }
}

Assessment Features

• Real-time scanning
• Policy validation
• Service verification
• Security assessment
• Performance analysis
• Health monitoring
• Compliance checking

Error Handling

• Service failures
• Replication errors
• Policy conflicts
• Trust issues
• Access problems
• Database errors
• Recovery procedures

Log Files

The script maintains logs in:

• Main log: C:\Windows\Logs\ADDCSecurityCheck.log
• Report file: C:\DCReports\<timestamp>_SecurityReport.html
• Error log: C:\Windows\Logs\DCErrors.log

Report Sections

Generated reports include:

• Executive Summary
• Security Status
• Service Health
• Replication Status
• Policy Compliance
• Trust Analysis
• Recommendations
• Critical Issues

Best Practices

• Regular assessments
• Policy reviews
• Service monitoring
• Security updates
• Trust validation
• Backup verification
• Event monitoring
• Performance tracking
• Documentation
• Change control
• Incident response
• Recovery testing

Integration Options

• SIEM systems
• Monitoring tools
• Backup systems
• Compliance tools
• Reporting platforms
• Ticketing systems
• Automation tools

Security Standards

Supports checking against:

• Microsoft Security Baseline
• CIS Benchmarks
• NIST Guidelines
• PCI DSS Requirements
• HIPAA Standards
• SOX Requirements
• Custom policies

Assessment Areas

• Directory Services
• Authentication Services
• Certificate Services
• DNS Services
• File Services
• Replication Services
• Group Policy
• Backup Services
• Recovery Services
• Time Services
• Network Services
• Management Services