Breakfast Bytes - Auditing Windows Infrastructure


2/21/2015, 3/7/2015, 3/21/2015

Auditing Windows Infrastructure - 3 part series
  • I find the same common errors in Windows infrastructures that I audit all the time.
  • I do 2 to 3 audits per month.
  • Many items are very easy and quick to fix.
  • Many items you will never find unless you look for them.
  • Don't assume that just because things don't appear to be broken that they are not. I have seen Windows infrastructure work for years despite major issues like AD replication problems and defunct Windows Time infrastructure.
  • How to prevent issues with SQL servers and fix them is fully explored in a previous podcast.

The first part of the 2/21/2015 show talks about: is sending personal data to dozens of tracking sites

The second half of the 2/21/2015 show is the starter for auditing Windows infrastructure.

Internal DNS
  • Is scavenging turned on at both the server level and the zone level, on each server?
  • Are the name servers correct?
  • Root hints?
  • Are the SOA settings correct?
  • Are the forwarders correct?
  • Do PTR zones exist?
  • Are all the SRV records that Active Directory needs present and correct? AD does not function without DNS working properly.
  • How DNS Support for Active Directory Works
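
The Internal DNS items above as a script, added here as an example (not from the podcast). It assumes the DnsServer RSAT module; $Server and $Domain are placeholder values to replace with your own.

```powershell
# Added example: audit one DNS server against the Internal DNS checklist.
# Assumes the DnsServer module (RSAT); $Server and $Domain are placeholders.
Import-Module DnsServer
$Server = 'dc1.corp.example'      # placeholder DNS/DC name
$Domain = 'corp.example'          # placeholder AD domain name

# 1. Scavenging at the server level
$scav = Get-DnsServerScavenging -ComputerName $Server
"Server scavenging: {0} (interval {1})" -f $scav.ScavengingState, $scav.ScavengingInterval

# 2. Aging per primary zone, and whether any reverse (PTR) zones exist at all
$zones = Get-DnsServerZone -ComputerName $Server | Where-Object { -not $_.IsAutoCreated }
foreach ($z in $zones | Where-Object { $_.ZoneType -eq 'Primary' }) {
    $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $z.ZoneName
    "Zone {0}: aging={1} reverse={2}" -f $z.ZoneName, $aging.AgingEnabled, $z.IsReverseLookupZone
}
if (-not ($zones | Where-Object IsReverseLookupZone)) { Write-Warning 'No PTR (reverse) zones on this server' }

# 3. Forwarders and root hints
(Get-DnsServerForwarder -ComputerName $Server).IPAddress | ForEach-Object { "Forwarder: $_" }
"Root hints: {0}" -f @(Get-DnsServerRootHint -ComputerName $Server).Count

# 4. SOA and NS records for the AD zone
Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Domain -RRType Soa |
    Select-Object -ExpandProperty RecordData
(Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Domain -RRType Ns).RecordData.NameServer |
    ForEach-Object { "NS: $_" }

# 5. SRV records AD depends on; each should resolve to every domain controller
$srv = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain",
       "_gc._tcp.$Domain", "_ldap._tcp.pdc._msdcs.$Domain"
foreach ($name in $srv) {
    $r = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction SilentlyContinue
    if (-not $r) { Write-Warning "Missing SRV record: $name" }
    else { "{0}: {1}" -f $name, (($r | Where-Object Type -eq 'SRV').NameTarget -join ', ') }
}
```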

External DNS
  • Is there a wildcard record set up for the domain? If so, get rid of it. They cause nothing but problems.
  • If internal and external DNS zone names are the same, this can cause major issues.

Active Directory
  • Are all subnets in the network defined in sites and services?
  • Are the sites properly mapped to subnets?
  • Are the IP Site links correctly constructed with proper replication costs and intervals?
  • Does the topology created by the IP site links convey a mesh topology or a hub-and-spoke topology, and does that match with the network design?
  • Run repadmin /replsum and check out the results.
  • Also, run the Active Directory Replication Status Tool on each domain controller.
  • Is autosite coverage turned on?
  • Is bridge all site links turned on?
  • Are all domain controllers global catalog servers?
  • How are the FSMO roles distributed?
  • What does the OU structure look like?
  • Are there computer accounts in the Computers container?
  • Is there an OU for service accounts?
  • Does the OU structure facilitate proper GPO segmentation between user and computer configs per site?
  • Are admin accounts excluded from most policies?
  • Do native-mode system state backups exist for each domain controller?
  • Is AD Recycle Bin enabled?
  • Does the IT manager know the DS Restore mode password for all domain controllers?
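
The Active Directory items above as a script, added here as an example (not from the podcast). It assumes the ActiveDirectory RSAT module, run from a domain member as an account that can read the configuration partition and the DCs' registry.

```powershell
# Added example: checks for the Active Directory checklist items.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext

# Subnets not mapped to any site: clients there pick DCs at random
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to a site" }

# Site links with cost, interval and member sites. One link holding every site
# is effectively a mesh; many links that all pass through one site is hub-and-spoke
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# "Bridge all site links" is bit 0x2 (cleared = bridged) of the options
# attribute on the IP inter-site transport object
$ip = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
"Bridge all site links: {0}" -f (-not ($ip.options -band 2))

# Automatic site coverage is a per-DC Netlogon registry value (absent or 1 = on)
$dcs = Get-ADDomainController -Filter *
Invoke-Command -ComputerName $dcs.HostName {
    $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue).AutoSiteCoverage
    "{0}: AutoSiteCoverage={1}" -f $env:COMPUTERNAME, $(if ($null -eq $v) { 'default(1)' } else { $v })
}

# Global catalog status and FSMO role distribution per DC
$dcs | Select-Object HostName, Site, IsGlobalCatalog, @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } }

# Replication health, same tool the checklist names
repadmin /replsum

# Computer accounts still sitting in the default Computers container
$stray = @(Get-ADComputer -Filter * -SearchBase "CN=Computers,$($domain.DistinguishedName)")
"Computers in CN=Computers: {0}" -f $stray.Count

# AD Recycle Bin
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
"AD Recycle Bin enabled: {0}" -f ($rb.EnabledScopes.Count -gt 0)
```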

Group Policies
  • Do the policies follow best practices regarding being either computer or user policies, but not both in the same policy?
  • Are the policies efficiently set up? There is no point in leaving the user configuration section of a policy enabled when no user settings are configured in it.
  • Is the Default Domain Policy correctly constructed?
  • Are the account lockout, password policies, and domain-level security settings properly in place?
  • Are global event log and auditing policies specified?
  • Do any abandoned SIDs appear in the Default Domain or Default Domain Controllers policies?

Default Domain Controller Policy
  • Do any abandoned SIDs appear in the policy?
  • Is user config disabled?
  • Are there settings to enforce a proper Windows Time infrastructure?
  • Is there a proper configuration for the Windows Firewall Policy for domain controllers?
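
The Group Policy and Default Domain Controller Policy items above as a script, added here as an example (not from the podcast). It assumes the GroupPolicy and ActiveDirectory RSAT modules; the DSVersion test relies on the fact that a GPO half whose version is still 0 has never had a setting written to it.

```powershell
# Added example: Group Policy hygiene checks for the two lists above.
Import-Module GroupPolicy, ActiveDirectory

foreach ($gpo in Get-GPO -All) {
    $userOn = $gpo.GpoStatus -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
    $compOn = $gpo.GpoStatus -in 'AllSettingsEnabled', 'UserSettingsDisabled'
    if ($userOn -and $gpo.User.DSVersion -eq 0) {
        Write-Warning "$($gpo.DisplayName): user section enabled but never used; disable it"
    }
    if ($compOn -and $gpo.Computer.DSVersion -eq 0) {
        Write-Warning "$($gpo.DisplayName): computer section enabled but never used; disable it"
    }
    # Both halves have been written to at some point: candidate for splitting
    if ($gpo.User.DSVersion -gt 0 -and $gpo.Computer.DSVersion -gt 0) {
        Write-Warning "$($gpo.DisplayName): carries both user and computer settings; review for splitting"
    }
}

# Abandoned SIDs in the two default policies: any domain SID (S-1-5-21-...)
# in the policy report that no longer resolves to an account
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $report = Get-GPOReport -Name $name -ReportType Xml
    $sids = [regex]::Matches($report, 'S-1-5-21(?:-\d+)+') | ForEach-Object Value | Sort-Object -Unique
    foreach ($s in $sids) {
        try { $null = ([System.Security.Principal.SecurityIdentifier]$s).Translate([System.Security.Principal.NTAccount]) }
        catch { Write-Warning "$name references unresolvable SID $s" }
    }
}

# Domain-level account lockout and password policy (the Default Domain Policy's job)
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled,
        LockoutThreshold, LockoutDuration, LockoutObservationWindow
```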
  • Is autosite coverage turned on?

Manual Domain Controllers Audit
  • What is the primary and secondary DNS server for all TCP/IP connections on each domain controller?
  • The primary should be a centralized DC and the secondary should be the DC itself.
  • Is the append domain suffix setting unchecked? It should be, because with it enabled odd suffix appends can happen in DNS lookups.
  • Try running the Best Practices Analyzer.

DHCP
  • Is DHCP being properly backed up on each DHCP server?
  • Has the IT manager tested DHCP restore?
  • How many DHCP servers are there?
  • Are scope and server options properly specified? The only things that should be in scope options are things that have to be there. Otherwise, the options should be specified at the server level.
  • If you are hosting a DHCP pool for a guest network on your trusted network DHCP server, you have a seriously fundamental problem going on.
  • Are the DHCP clients at each site being handed the proper DNS servers per scope? They should get their closest DNS server, seconded by a centralized DNS server. Possibly add OpenDNS as tertiary and quaternary external resolvers IF there is no DNS proxy at the perimeter.

Exchange
  • Are all of the Exchange servers fully patched?
  • What exists in the default SMTP email address naming policy?
  • Does your Exchange server pass the Remote Connectivity Analyzer test?
  • Are your certificates set up correctly?
  • Exchange backups?
  • 1-to-1 NAT egress for all mailbox servers? Do they all have the same wildcard or SAN cert?
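
The domain controller DNS client items and the DHCP items above as a script, added here as an example (not from the podcast). It assumes the ActiveDirectory and DhcpServer RSAT modules; $siteDns is a constructed map of scope to the DNS servers (option 6) that scope should hand out.

```powershell
# Added example: DC resolver order and DHCP option audit.
Import-Module ActiveDirectory, DhcpServer
$siteDns = @{ '10.1.0.0' = @('10.1.0.10', '10.0.0.10') }   # placeholder: scope -> nearest DNS, then central DNS

# Each DC's own resolver order: a central DC first, itself second
foreach ($dc in Get-ADDomainController -Filter *) {
    $addr = (Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
        Where-Object ServerAddresses).ServerAddresses
    "{0}: resolvers {1}" -f $dc.HostName, ($addr -join ', ')
    if ($addr -and $addr[0] -eq $dc.IPv4Address) { Write-Warning "$($dc.HostName) points at itself first" }
}

# DHCP servers authorized in AD, and each one's backup settings
$servers = Get-DhcpServerInDC
"Authorized DHCP servers: {0}" -f @($servers).Count
foreach ($srv in $servers) {
    $name = $srv.DnsName
    $db = Get-DhcpServerDatabase -ComputerName $name
    "{0}: backup path {1}, every {2} min" -f $name, $db.BackupPath, $db.BackupInterval

    # Server-level options are the baseline; a scope option that merely repeats
    # the server value is clutter and should be removed from the scope
    $serverOpts = Get-DhcpServerv4OptionValue -ComputerName $name
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name) {
        $scopeOpts = Get-DhcpServerv4OptionValue -ComputerName $name -ScopeId $scope.ScopeId
        foreach ($o in $scopeOpts) {
            $s = $serverOpts | Where-Object OptionId -eq $o.OptionId
            if ($s -and (($s.Value -join ',') -eq ($o.Value -join ','))) {
                Write-Warning "$name scope $($scope.ScopeId): option $($o.OptionId) duplicates the server value"
            }
        }
        # Option 6 must list the site's nearest DNS server first, then a central one
        $dns = ($scopeOpts | Where-Object OptionId -eq 6).Value
        $expected = $siteDns[[string]$scope.ScopeId]
        if ($expected -and (($dns -join ',') -ne ($expected -join ','))) {
            Write-Warning "$name scope $($scope.ScopeId): option 6 is '$($dns -join ',')', expected '$($expected -join ',')'"
        }
    }
}
```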


Refer to:

  • Backups
  • Maintenance plans
  • Transaction log truncation
  • File placement