What Is AD Security Compliance?
Security compliance frameworks (NIS2, ISO 27001, SOC 2, CIS Controls, ANSSI) define baseline security requirements for identity infrastructure. For organizations running Active Directory or Microsoft Entra ID (formerly Azure AD), these frameworks translate into concrete technical controls: password policies, privileged access management, audit logging, MFA enforcement, and vulnerability management.
The challenge is that compliance requirements are often vague while the technical controls needed to meet them are specific. "Implement strong authentication" in a NIS2 requirement maps to a concrete list of AD and Azure settings. This article bridges that gap by mapping the most common compliance requirements to the specific Active Directory and Azure controls that satisfy them.
ℹ️ Note: Compliance is not the same as security. A compliant environment can still be compromised. But the controls required for compliance, when properly implemented, significantly reduce the attack surface covered throughout this blog.
How It Works
Compliance audits evaluate your environment against a defined control set. For identity infrastructure, auditors typically examine:
- Password and authentication policies โ minimum length, complexity, MFA enforcement
- Privileged access controls โ who has admin rights, how access is granted and reviewed
- Audit and monitoring โ what events are logged, how long they are retained, who reviews them
- Vulnerability management โ how quickly known vulnerabilities are remediated
- Access lifecycle management โ how user access is provisioned, reviewed, and revoked
Each control maps to specific AD and Azure settings, and each setting is something EtcSec audits automatically.
Compliance Framework Mapping
NIS2 Directive (EU Directive 2022/2555, transposition deadline October 2024)
NIS2 requires essential and important entities to implement appropriate and proportionate technical, operational and organisational measures, several of which bear directly on identity security. Key requirements:
| NIS2 Requirement | AD/Azure Control | EtcSec Check |
|---|---|---|
| Multi-factor authentication | MFA for all privileged accounts | CA_NO_MFA_REQUIREMENT, PA_GLOBAL_ADMIN_NOT_MFA |
| Access control policies | Least privilege, privileged access management | EXCESSIVE_PRIVILEGED_ACCOUNTS, PA_PIM_NOT_ENABLED |
| Password policies | Minimum length, complexity, rotation | PASSWORD_POLICY_WEAK, PASSWORD_NEVER_EXPIRES |
| Incident detection | Audit logging, SIEM integration | Monitoring category checks |
| Supply chain security | Third-party and guest access controls | GUEST_INVITATION_UNRESTRICTED, B2B_CROSS_TENANT_OPEN |
CIS Controls v8
The CIS Controls provide prioritized security actions. Identity-related controls:
| CIS Control | Requirement | AD Implementation |
|---|---|---|
| CIS 4 | Secure Configuration of Enterprise Assets and Software | DC hardening baseline, Kerberos AES encryption types, NTLM restrictions |
| CIS 5 | Account Management | Disable stale accounts, enforce account lifecycle, dedicated admin accounts |
| CIS 6 | Access Control Management | Least privilege, MFA for administrative access, privileged access workstations |
| CIS 8 | Audit Log Management | Advanced Audit Policy on DCs, log retention, central collection (SIEM) |
| CIS 17 | Incident Response Management | Documented response process for identity incidents, built on the logs CIS 8 requires |
ISO 27001:2022
ISO 27001 Annex A controls relevant to AD:
| Control | Description | AD Mapping |
|---|---|---|
| A.5.15 | Access control | RBAC implementation, group membership governance |
| A.5.16 | Identity management | Account lifecycle, offboarding procedures |
| A.5.17 | Authentication information | Password policy, MFA |
| A.5.18 | Access rights | Privileged access review, least privilege |
| A.8.2 | Privileged access rights | PAW, PIM, DA account governance |
| A.8.5 | Secure authentication | MFA, Kerberos AES, NTLMv2 only |
ANSSI Recommendations (France)
ANSSI's AD hardening guide defines specific technical requirements:
```powershell
# ANSSI recommends: AES-only Kerberos encryption.
# Domain-wide this is the GPO "Network security: Configure encryption types allowed for Kerberos";
# per account it is -KerberosEncryptionType (Set-ADDefaultDomainPasswordPolicy has no such parameter).
Get-ADUser -Filter 'adminCount -eq 1' | Set-ADUser -KerberosEncryptionType AES128,AES256
# ANSSI recommends: Disable RC4 fallback. The attribute is a bitmask (8 = AES128, 16 = AES256, so 24 = AES only);
# the hyphenated attribute name must be quoted inside the hashtable.
Set-ADUser krbtgt -Replace @{'msDS-SupportedEncryptionTypes' = 24}
# ANSSI recommends: Enable Protected Users for all admins.
# Members lose NTLM, RC4/DES and delegation and get 4-hour TGTs, so vet each account first and keep the
# built-in Administrator out until break-glass access has been tested.
Get-ADGroupMember "Domain Admins" | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne 'Administrator' } |
    ForEach-Object { Add-ADGroupMember -Identity "Protected Users" -Members $_ }
```
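The value 24 is easier to act on once the attribute is decoded. The following is an added example, not part of ANSSI's guide or of EtcSec's checks: it decodes msDS-SupportedEncryptionTypes into encryption-type names and flags accounts that still permit RC4 or DES, over a constructed sample that stands in for a live Get-ADUser query. The bit values are Microsoft's documented flags for the attribute; the account names and values are made up for the example.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag accounts that still allow RC4/DES.
# Bit values are Microsoft's documented flags for the attribute.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC                = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function ConvertFrom-SupportedEncTypes {
    param([Nullable[int]]$Value)
    # Null or 0 means the attribute is unset and the domain default applies (RC4 was allowed by default on older domains).
    if ($null -eq $Value -or $Value -eq 0) { return 'not set (domain default applies)' }
    ($EncTypeFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object Key) -join ','
}

function Test-EncTypeHardened {
    param([Nullable[int]]$Value)
    # Hardened = at least one AES bit (0x18) set and no DES/RC4 bit (0x07) set; 24 (0x18) passes, 28 (0x1C) fails.
    ($null -ne $Value) -and (($Value -band 0x18) -ne 0) -and (($Value -band 0x07) -eq 0)
}

# Constructed sample standing in for:
#   Get-ADUser -Filter 'adminCount -eq 1' -Properties msDS-SupportedEncryptionTypes
# (run the same report with Get-ADComputer for servers that host Kerberos services).
$sample = @(
    [PSCustomObject]@{ SamAccountName = 'krbtgt';    'msDS-SupportedEncryptionTypes' = 24 }
    [PSCustomObject]@{ SamAccountName = 'svc-sql';   'msDS-SupportedEncryptionTypes' = 28 }
    [PSCustomObject]@{ SamAccountName = 'da-legacy'; 'msDS-SupportedEncryptionTypes' = $null }
)

$sample | ForEach-Object {
    $v = $_.'msDS-SupportedEncryptionTypes'
    [PSCustomObject]@{
        Account  = $_.SamAccountName
        Value    = $v
        Types    = ConvertFrom-SupportedEncTypes $v
        Hardened = Test-EncTypeHardened $v
    }
} | Format-Table -AutoSize
```

In the sample, krbtgt (24) passes, svc-sql (28) fails because the RC4 bit is still set alongside AES, and da-legacy fails because the attribute is unset and inherits whatever the domain default allows. Treat the unset case as a finding in its own right: it is the population whose behaviour changes when the domain-wide default is tightened.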
The Compliance Gap Assessment
Step 1 - Baseline Your Current State
```powershell
# Quick compliance baseline: password policy
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
# Conditional Access policies (Azure, via Microsoft Graph). This lists enabled policies only;
# open each one to confirm it actually requires MFA for the directory roles you care about.
Connect-MgGraph -Scopes "Policy.Read.All"
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" } |
    Select-Object DisplayName, State
# Audit policy status (run elevated on each DC; auditpol reports the local effective policy).
# One call per category: PowerShell would otherwise split a comma-separated list into separate arguments.
foreach ($cat in "Account Logon", "DS Access", "Account Management") {
    auditpol /get /category:"$cat" | Select-String "Success|Failure"
}
```
Step 2 - Map Gaps to Framework Controls
```powershell
# Generate a compliance gap report (run on a DC; auditpol reflects the local machine's effective policy)
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge.Days   # 0 means passwords never expire, which must not count as a pass
$checks = [ordered]@{
    "Min password length >= 14"   = $policy.MinPasswordLength -ge 14
    "Password complexity enabled" = $policy.ComplexityEnabled
    "Max password age 1-90 days"  = ($maxAge -gt 0) -and ($maxAge -le 90)
    "DS Changes audit enabled"    = [bool]((auditpol /get /subcategory:"Directory Service Changes") -match "Success")
    "Kerberos audit enabled"      = [bool]((auditpol /get /subcategory:"Kerberos Authentication Service") -match "Success")
}
$checks.GetEnumerator() | ForEach-Object {
    [PSCustomObject]@{
        Control = $_.Key
        Status  = if ($_.Value) { "PASS" } else { "FAIL" }
    }
} | Format-Table -AutoSize
```
Step 3 - Prioritize and Remediate
Prioritize by risk impact, not by compliance checkbox:
- Critical: MFA not enforced, DCSync-capable accounts, unconstrained delegation
- High: Weak password policy, no audit logging, excessive privileged accounts
- Medium: Stale accounts, missing LAPS, no fine-grained password policies
- Low: Administrative naming conventions, documentation gaps
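Steps 1 to 3 come together in the following added example, which is not EtcSec's code: it takes the password policy object, the auditpol output, the Domain Admins member count and an MFA verdict as inputs, tags every check with the framework clauses it serves, and orders the output with failures first, by risk. The framework mappings, the thresholds and the sample inputs are this example's own assumptions, chosen to line up with the tables above.

```powershell
# Added example: a gap report that maps each technical check to framework clauses and sorts by risk.
# Check names, thresholds and framework mappings are this example's assumptions, not EtcSec's check set.
function Get-ComplianceGapReport {
    param(
        [Parameter(Mandatory)] $PasswordPolicy,       # object from Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] [string[]]$AuditLines, # text output of: auditpol /get /category:*
        [Parameter(Mandatory)] [int]$DomainAdminCount,
        [Parameter(Mandatory)] [bool]$AdminMfaEnforced
    )
    $maxAge = $PasswordPolicy.MaxPasswordAge.Days   # 0 = never expires, which must fail
    # auditpol prints "  <Subcategory>   Success" / "Success and Failure" / "No Auditing"
    function AuditOn($sub) { [bool]($AuditLines -match "^\s*$sub\s+Success") }

    $controls = @(
        @{ Name = 'MFA enforced for privileged accounts'; Pass = $AdminMfaEnforced;
           Risk = 'Critical'; Frameworks = 'NIS2 Art.21(2)(j); ISO A.8.5; CIS 6' }
        @{ Name = 'Domain Admins has 5 or fewer members'; Pass = ($DomainAdminCount -le 5);
           Risk = 'High'; Frameworks = 'NIS2 Art.21(2)(i); ISO A.8.2; CIS 5' }
        @{ Name = 'Min password length >= 14'; Pass = ($PasswordPolicy.MinPasswordLength -ge 14);
           Risk = 'High'; Frameworks = 'NIS2 Art.21(2)(j); ISO A.5.17; CIS 5' }
        @{ Name = 'Max password age 1-90 days'; Pass = ($maxAge -gt 0 -and $maxAge -le 90);
           Risk = 'Medium'; Frameworks = 'ISO A.5.17; CIS 5' }
        @{ Name = 'Directory Service Changes audited'; Pass = (AuditOn 'Directory Service Changes');
           Risk = 'High'; Frameworks = 'NIS2 Art.21(2)(b); ISO A.8.15; CIS 8' }
        @{ Name = 'Kerberos Authentication Service audited'; Pass = (AuditOn 'Kerberos Authentication Service');
           Risk = 'High'; Frameworks = 'NIS2 Art.21(2)(b); ISO A.8.15; CIS 8' }
    )
    $rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
    # Failures first ($false sorts before $true), then by risk rank
    $controls | ForEach-Object { [PSCustomObject]$_ } |
        Sort-Object @{ Expression = { $_.Pass } }, @{ Expression = { $rank[$_.Risk] } }
}

# Constructed sample input so the report runs offline. In production pass:
#   -PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) -AuditLines (auditpol /get /category:*)
#   -DomainAdminCount (Get-ADGroupMember 'Domain Admins').Count -AdminMfaEnforced <result of your CA review>
$samplePolicy = [PSCustomObject]@{ MinPasswordLength = 8; ComplexityEnabled = $true; MaxPasswordAge = [TimeSpan]::Zero }
$sampleAudit  = @(
    '  Directory Service Changes              Success and Failure'
    '  Kerberos Authentication Service        No Auditing'
)

Get-ComplianceGapReport -PasswordPolicy $samplePolicy -AuditLines $sampleAudit -DomainAdminCount 11 -AdminMfaEnforced $false |
    Format-Table Name, Risk, Frameworks, @{ Label = 'Status'; Expression = { if ($_.Pass) { 'PASS' } else { 'FAIL' } } } -AutoSize
```

With the sample input, the MFA finding leads the report, followed by the three High failures (Domain Admins size, password length, Kerberos auditing), then the never-expiring password age; only Directory Service Changes auditing passes. Because every row carries the clauses it serves, the same table doubles as evidence for whichever framework the auditor asks about.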
Detection
Compliance monitoring requires continuous assessment, not point-in-time audits.
Continuous Compliance Checks
```powershell
# Weekly: Domain Admins members whose membership link was created in the last 7 days.
# whenChanged on the group moves for any attribute edit, so read the per-member replication
# metadata instead, which records when each member link was last changed and from which DC.
$cutoff = (Get-Date).AddDays(-7)
$dn = (Get-ADGroup "Domain Admins").DistinguishedName
Get-ADReplicationAttributeMetadata -Object $dn -Server (Get-ADDomainController).HostName -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -gt $cutoff } |
    Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
# Monthly: enabled accounts with no logon in 90 days.
# Method calls are not allowed inside -Filter, so compute the date first; lastLogonTimestamp
# replicates with up to 14 days of lag, so treat the count as approximate.
$stale = (Get-Date).AddDays(-90)
$staleUsers = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $stale' -Properties LastLogonDate
$staleUsers | Select-Object SamAccountName, LastLogonDate
"Stale enabled accounts: $($staleUsers.Count)"
```
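Replication metadata tells you that a member was added; the Security log tells you who added it. The following is an added example, not EtcSec's detection logic: it turns Security events 4728, 4732 and 4756 (member added to a global, local or universal security group) into alerts for privileged groups. The two event payloads are constructed samples shaped like the XML that Get-WinEvent's ToXml() returns; the account and group names are made up.

```powershell
# Added example: alert on additions to privileged groups from Security events 4728/4732/4756.
# Sample events below are constructed; the live source is Get-WinEvent on a DC or log collector.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedGroupChange {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$EventXml)
    process {
        foreach ($raw in $EventXml) {
            $x  = [xml]$raw
            $id = [int]$x.Event.System.EventID
            if ($id -notin 4728, 4732, 4756) { continue }
            # EventData is a list of <Data Name="..."> elements; index them by name
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
            if ($d['TargetUserName'] -in $PrivilegedGroups) {
                [PSCustomObject]@{
                    Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
                    EventId = $id
                    Group   = $d['TargetUserName']
                    Member  = $d['MemberName']
                    Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                }
            }
        }
    }
}

# Constructed sample events: one Domain Admins addition (should alert) and one ordinary group (should not).
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-02T08:14:33.1234567Z"/></System><EventData><Data Name="MemberName">CN=j.doe,OU=Users,DC=corp,DC=local</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">helpdesk01</Data><Data Name="SubjectDomainName">CORP</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-02T09:02:10.7654321Z"/></System><EventData><Data Name="MemberName">CN=a.smith,OU=Users,DC=corp,DC=local</Data><Data Name="TargetUserName">Marketing</Data><Data Name="SubjectUserName">helpdesk01</Data><Data Name="SubjectDomainName">CORP</Data></EventData></Event>
'@
)

Get-PrivilegedGroupChange -EventXml $sampleEvents | Format-Table -AutoSize

# Live use on a DC (or a collector that receives forwarded Security logs):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { $_.ToXml() } | Get-PrivilegedGroupChange
```

Only the first sample produces a row (helpdesk01 adding j.doe to Domain Admins); the Marketing addition is dropped. These events are written on the DC that processed the change, so run the query against every DC or against a collector, and keep the Account Management audit category enabled on all of them or the events never exist.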
Remediation
💡 Quick Win: Run a CIS benchmark self-assessment using the free CIS-CAT Lite tool against your Domain Controllers. It produces a scored report with specific remediation steps.
Priority Remediation Sequence
- Enable MFA for all privileged accounts (Azure: Conditional Access; on-prem AD: smart-card logon, or FIDO2 keys where your hybrid setup supports them)
- Enable audit logging: Advanced Audit Policy on all DCs, forwarded to a SIEM with retention that meets the framework you are audited against
- Fix password policy: minimum 14 characters (CIS benchmark) with complexity enabled, and a finite maximum age. 90 days is the common audit expectation; CIS now accepts up to 365 days and NIST SP 800-63B no longer requires periodic expiry, so agree the value with your auditor rather than assuming 90
- Remove excessive DA members: audit and reduce to the minimum, with separate admin accounts for day-to-day work
- Deploy LAPS: eliminate shared local admin passwords
- Disable stale accounts: automate with a weekly scheduled task
- Enable AES-only Kerberos and disable RC4 fallback, after confirming from TGS events (4769 with ticket encryption type 0x17) that no account or appliance still depends on RC4
How EtcSec Detects This
EtcSec maps its 426 vulnerability checks directly to compliance framework requirements. Every finding in an EtcSec report includes:
- The specific misconfiguration detected
- The risk level (Critical/High/Medium/Low)
- The compliance frameworks affected (NIS2, CIS, ISO 27001, ANSSI)
- Step-by-step remediation guidance
The Compliance category in EtcSec reports aggregates findings by framework, allowing you to generate a compliance gap report directly from your AD audit, without a separate assessment tool.
ℹ️ Note: EtcSec maps all findings to compliance frameworks automatically. Run a free audit to see your compliance posture across NIS2, CIS Controls, and ISO 27001.
Related articles: AD Security Monitoring | Active Directory Password Security