BACKGROUND AND KEY RISKS: Microsoft Windows is one of the most widely used operating systems ever. Effectively securing Windows systems requires a variety of safeguards to be in place at both the server and workstation levels. Microsoft’s Active Directory service, which runs on Windows Server operating systems, is crucial to secure. It represents the keys to the kingdom: it stores information about a variety of objects in the network, such as user accounts, computer accounts, groups, software applications, and services running across the entire network.

IT Audit typically evaluates common Windows security ‘problem areas’ that result in compromise of a network (e.g., gaps in antivirus and antimalware deployments, incomplete patching, outdated applications and operating systems, misconfiguration, excessive access privileges). The team also evaluates the effectiveness of logging and monitoring controls in place that could be used to detect inappropriate activity.


There are numerous configuration settings and controls administrators can set within Windows and the Active Directory service. To navigate the large number of controls, organizations need guidance on configuring the various security features. Microsoft provides this guidance in the form of security baselines, which can be downloaded from the Microsoft Download Center. Several notable recommendations are provided below:

  • Ensure effective patch management processes and controls are in place (see “Patch Management” section)
  • Enforce multi-factor authentication for administrator access at the server level
  • Review remote access methods (such as Remote Desktop Protocol, or RDP) for appropriateness. Verify that systems running remote access methods are not directly accessible from the Internet, that they are protected by multi-factor authentication, and that the individuals granted remote access are appropriate and limited in number
  • Review members of the Enterprise Administrators Group and Domain Administrators Group to ensure they are limited to only those individuals who require it to perform their job duties
  • Verify that the built-in local Administrator Account is secured. Ensure that it is disabled or renamed
  • Leverage Microsoft’s Local Administrator Password Solution (LAPS) tool, which allows administrators to randomize and manage Local Administrator passwords across the domain
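The following PowerShell script is an added audit example and is not part of the original guidance; it gathers evidence for several of the checks listed above (privileged group membership, the state of the built-in Administrator account, LAPS coverage across domain computers, and the RDP settings of the host it runs on). It assumes a domain-joined host with the RSAT ActiveDirectory module installed and read-only rights to the directory; the function names are hypothetical, and the LAPS schema attributes it looks for (ms-Mcs-AdmPwdExpirationTime for legacy LAPS, msLAPS-PasswordExpirationTime for Windows LAPS) are checked against the schema before use so the script does not fail on a domain where LAPS was never deployed. It changes nothing; it only reports.

```powershell
# Added audit example, not code from the original page. Read-only: it reports
# evidence for the checklist items above and modifies nothing.
# Assumption: RSAT-AD-PowerShell is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    # Enterprise Admins only exists in the forest root domain; errors for
    # groups that cannot be resolved in the current domain are suppressed.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirect members are counted too
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group       = $g
            MemberCount = @($members).Count
            Members     = (@($members) | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

function Get-BuiltinAdministratorStatus {
    # The built-in Administrator account always has RID 500, whatever it has
    # been renamed to, so look it up by SID rather than by name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $acct = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate, PasswordLastSet
    [pscustomobject]@{
        Name            = $acct.SamAccountName
        Renamed         = ($acct.SamAccountName -ne 'Administrator')
        Enabled         = $acct.Enabled
        LastLogonDate   = $acct.LastLogonDate
        PasswordLastSet = $acct.PasswordLastSet
    }
}

function Get-LapsCoverage {
    # Only request LAPS attributes that are actually present in the schema;
    # asking Get-ADComputer for an unknown attribute throws an error.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $candidates = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    $lapsAttrs  = foreach ($a in $candidates) {
        if (Get-ADObject -Filter "lDAPDisplayName -eq '$a'" -SearchBase $schemaNC) { $a }
    }
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties (@('OperatingSystem') + @($lapsAttrs))
    # A computer is treated as LAPS-managed if any LAPS expiration stamp is set
    $unmanaged = $computers | Where-Object {
        $c = $_
        -not ($lapsAttrs | Where-Object { $c.$_ })
    }
    [pscustomobject]@{
        SchemaExtended   = (@($lapsAttrs).Count -gt 0)
        EnabledComputers = @($computers).Count
        LapsManaged      = @($computers).Count - @($unmanaged).Count
        UnmanagedSample  = (@($unmanaged) | Select-Object -First 20 -ExpandProperty Name) -join ', '
    }
}

function Get-RdpHostSettings {
    # Local host only: is RDP enabled, and is Network Level Authentication
    # required for the RDP-Tcp listener?
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
    }
}

# Usage: produce the four evidence tables for the audit workpapers
Get-PrivilegedGroupReport     | Format-Table -AutoSize
Get-BuiltinAdministratorStatus | Format-List
Get-LapsCoverage              | Format-List
Get-RdpHostSettings           | Format-List
```

The privileged-group report expands nested membership, which matters because a user placed in Domain Admins through an intermediate group is just as privileged as a direct member. The LAPS check reports computers with no expiration stamp in either attribute; those are the hosts whose local Administrator password is not under LAPS control and should be followed up.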