Air-Gapped Network Security Audit: How to Review Isolated Environments Without False Confidence
An air-gapped network security audit should start by proving what the environment actually is, not by assuming that "no internet" means "no reachable attack path." In practice, many enterprise environments described as air-gapped are only logically isolated, tightly segmented, or dependent on controlled transfer paths. That distinction changes what you can collect, how you validate findings, and what kinds of residual risk remain inside the boundary.
This article stays in the scope of isolated enterprise networks, not OT or ICS safety programs. If your main question is still Active Directory-specific review inside an isolated forest, use How to Audit Active Directory in an Air-Gapped Environment as the deep dive. The goal here is broader: how to review the identity, host, network, logging, and transfer controls that still matter when the environment cannot rely on internet-connected tooling or cloud-native visibility.
What Counts as an Air-Gapped Network for Audit Purposes?
CISA's BOD 23-01 implementation guidance is useful because it draws a hard line between environments that are physically air-gapped and environments that are only logically isolated. That matters for audit work because the moment you still have a management bridge, a transfer broker, a vendor tunnel, or a system that is connected to another system touching the isolated environment, your review has to include that path.
| Isolation model | Practical meaning for an audit | Audit consequence |
|---|---|---|
| No internet | No direct outbound internet access, but internal routing and management paths still exist. | A local audit is usually straightforward, but cloud-dependent workflows may be unusable. |
| Logically isolated | Access is constrained through bastions, brokers, jump hosts, firewalls, or controlled transfer paths. | Boundary scoping and transfer controls are part of the audit, not background context. |
| Segmented | The environment is routable but restricted by ACLs, VLANs, or firewall policy. | Treat it as connected for privilege, protocol, and lateral movement risk. |
| Physically air-gapped | No network path exists to the internet or to the broader operating environment. | Collection, review, export, and remediation proof all need a fully local workflow. |
The point is not to win a taxonomy argument. The point is to avoid false confidence. An isolated environment can still have privilege drift, stale admins, unmanaged jump hosts, weak local admin password practices, unsafe protocol settings, poor log retention, or a transfer path that bypasses the controls people think they have.
What an Air-Gapped Network Security Audit Must Actually Prove
A useful air-gapped network security audit does not stop at "the network is hard to reach." NIST SP 800-115 frames security assessment as planning, collecting evidence, analyzing findings, and developing mitigation strategies. In isolated environments, that means the audit has to prove at least five things:
| Audit question | What you need to prove locally |
|---|---|
| What is the real boundary? | Which systems are inside, which systems can administer them, and which transfer or maintenance paths still cross the boundary |
| Who holds effective power? | Which accounts, groups, service principals, local admins, and delegated roles can change identity, policy, logging, or update state |
| What can still move laterally? | Which protocols, shares, relay paths, and administration routes remain available between hosts or segments |
| What evidence survives offline? | Which logs, subscriptions, retention settings, and export procedures actually preserve useful telemetry inside the boundary |
| Can fixes be revalidated? | Whether the same local collection method can be rerun after remediation to prove that the risky condition is gone |
A minimum evidence pack for this kind of review should include:
| Evidence class | Why it matters |
|---|---|
| Current network boundary and routing documentation | You cannot test isolation claims against an outdated diagram |
| Jump host, bastion, broker, and transfer-path inventory | These are often the real bridges across the "air gap" |
| Privileged account and admin path inventory | Identity risk stays local even when internet exposure does not |
| Local logging, WEF/WEC, and retention configuration | Offline does not help if evidence rolls over before review |
| Patch, signature, and catalog import process | Update freshness is an operational process, not an assumption |
| Before-and-after rerun metadata | Remediation claims are weak if the scope or collector changed between runs |
Scope the Boundary, Transfer Paths, and Admin Paths First
The first scoping mistake in isolated environments is to audit only the servers that are clearly "inside" the zone and ignore the systems that can administer them. If a jump server, credential broker, removable media process, or staging host can push content or changes into the isolated environment, it belongs in scope.
Start by mapping four path types:
- Administration paths: jump hosts, privileged workstations, break-glass accounts, vendor maintenance paths, and any domain or forest trust relationship that still reaches the isolated zone.
- Transfer paths: removable media workflows, file brokers, one-way transfer stations, package mirrors, and manual export paths for logs or reports.
- Control paths: systems that can push GPOs, scripts, certificates, software, or update catalogs into the environment.
- Observation paths: WEC servers, local collectors, log export hosts, and any system used to review findings outside the isolated network.
This is where many "air-gapped" reviews fail. The core risk is not always a public attack surface. It is often a quiet management dependency that no one documented because it does not look like internet access.
If the isolated environment is AD-backed, this scoping step should line up with the deeper review sequence in How to Audit Active Directory Security and the repeatability model in Recurring AD Audit Workflow: Why Annual Audits Drift and How Continuous Posture Monitoring Works. Isolation does not remove the need to map who can actually change policy, membership, ACLs, logging, or certificate issuance.
What You Can Still Audit Without Internet Access
Internet access is not a prerequisite for most of the evidence that matters in a Windows-heavy isolated network. Microsoft Open Specifications for Active Directory and Group Policy make the key point explicit: directory data, policy metadata, and file-backed policy content are local protocols and local stores, not cloud dependencies.
A serious offline review can still measure:
- identity and privilege structure: privileged groups, nested groups, delegated rights, stale admins, service accounts, trusts, and admin paths
- Group Policy and SYSVOL state: GPO metadata, file-backed policy content, scripts, preference artifacts, and path integrity
- host posture: local admin password rotation, SMB signing, LDAP signing, NTLM fallback, Windows firewall posture, and relevant hardening baselines
- network exposure inside the boundary: management paths, allowed protocols, relay-relevant surfaces, and jump-host reachability
- log visibility: event generation, forwarding, collector coverage, retention, and export procedure
- certificate services, if present: enrollment surfaces, template exposure, and certificate-based admin paths
That is why the broader network audit should link to, not replace, the AD-specific pillar How to Audit Active Directory in an Air-Gapped Environment. The deeper identity mechanics still matter; this article just widens the scope to the surrounding boundary, transfer, logging, and operational constraints.
Data Sources and Tools That Still Work Offline
The strongest isolated-network audits use multiple local evidence sources because no single system tells you the full story.
| Data source or workflow | What it proves | Key limitation |
|---|---|---|
| LDAP or LDAPS queries | Users, groups, computers, delegation, trusts, directory configuration, and many privilege-relevant attributes | Directory data alone does not show file-backed GPO content or every host setting |
| SYSVOL over SMB | Scripts, Group Policy template files, policy-backed artifacts, and some password or preference exposure | Must be correlated with the GPO metadata stored in AD |
| Local event logs plus WEF/WEC | What was actually generated, forwarded, retained, and centralized inside the boundary | WEF is passive; it does not enable audit policy, resize logs, or turn on disabled channels for you |
| Local PowerShell and read-only host inventory | Protocol settings, local admin posture, software state, and selected hardening evidence | Scope and permissions must be documented so reruns stay comparable |
Offline Microsoft update scan using WUA and Wsusscn2.cab | Whether Microsoft security updates are missing on scanned Windows systems without live internet access | It covers security-related update metadata, not the update payloads themselves and not full connected telemetry |
| Controlled export package | What evidence can leave the boundary, under which approvals, and in what format | Export convenience is not the same thing as defensible chain of custody |
Two Microsoft-specific caveats matter here.
First, Group Policy is not only an AD problem. Microsoft documents that GPOs have logical components in Active Directory and physical components in the Group Policy template stored in SYSVOL. If you inspect only LDAP data, you under-review the policy surface.
Second, WEF is helpful but limited. Microsoft states that WEF reads existing operational or administrative events and forwards selected events to a WEC server, but it remains passive with respect to event generation. It cannot change event log size, enable disabled event channels, change channel permissions, or adjust security audit policy. In other words, forwarding incomplete logs more efficiently is still incomplete logging.
In domain settings, Microsoft also notes that WEF traffic is encrypted with Kerberos by default even when HTTP is selected, with HTTPS mainly needed when certificate-based authentication replaces Kerberos. That makes WEF/WEC realistic inside many isolated Windows estates, but only if the event sources are already generating the right evidence.
Review Identity, Host, Network, and Logging Controls Together
Isolated environments are easy to audit badly when each control family is reviewed in isolation. The more defensible approach is to correlate identity, host, network, and logging controls in the same pass.
Identity and privilege
Start with who can change the environment, not who merely belongs to it. That means domain and local admins, break-glass accounts, service accounts, delegated rights, and the operators of jump hosts or transfer servers. For AD-heavy environments, use How to Audit Active Directory Security for the detailed identity review sequence and Windows LAPS Not Deployed: Why Shared Local Admin Passwords Still Matter where shared local administrator credentials still exist across isolated Windows hosts.
Host and protocol posture
Protocol weaknesses do not stop mattering just because they are inside the perimeter. SMB signing, NTLM exposure, LDAP signing, outdated local admin practices, and relay-relevant paths are still local lateral-movement problems. If the network uses Windows authentication heavily, SMB Signing Disabled: Why It Still Enables NTLM Relay is still directly relevant, as is certificate path review through ADCS Attack Paths Explained: How Certificate Misconfigurations Become Active Directory Escalation Paths where AD CS exists.
Network and transfer paths
Review which systems can talk to which systems for administration, update import, log export, and package transfer. A bastion host that can reach domain controllers, package mirrors, and file brokers is a high-value control point even if it never browses the public internet. If removable media is part of the workflow, audit the approval, scanning, staging, and import process as a control surface rather than as an operational footnote.
Logging and retention
Local visibility has to be engineered. Review event generation on the systems that matter, forwarding configuration where WEF/WEC is used, collector health, retention, backlog behavior, and export procedure. If the team needs an event-by-event map for AD activity, use Active Directory Monitoring: Security Event IDs That Matter as the deeper reference, but the broader isolated-network audit should first answer whether the environment can preserve enough local evidence to support its own security claims.
Update, Signature, and Vulnerability Intelligence Constraints
This is where isolated-network reviews often become too optimistic.
Microsoft documents that Windows Update Agent can scan offline systems for security updates using a locally provided Wsusscn2.cab package. That is useful, but it is not the same thing as fully connected patch intelligence. The catalog contains security-related update metadata and helps you answer "which Microsoft security updates appear to be missing?" It does not include the updates themselves, and it does not solve non-Microsoft software, drivers, appliance firmware, or the operational lag introduced by manual import processes.
A good audit therefore checks the process, not just the last scan result:
- How are Microsoft security catalogs imported and how often?
- How are third-party signatures, EDR content, or vulnerability data mirrored into the environment, if at all?
- How long does it take for a newly required package or signature to cross the boundary?
- Which assets are intentionally excluded because no reliable offline method exists?
- Who approves exceptions when connected guidance cannot be applied directly inside the boundary?
If the answers are informal, the environment is relying on people remembering how to keep it current. That is not an auditable control.
Validation After Remediation
Remediation in isolated networks should be validated the same way it was discovered: with the same local scope, from the same side of the boundary, using the same evidence classes.
A practical validation sequence looks like this:
- Freeze the rerun scope: same segments, same domains, same collectors, same jump-path assumptions.
- Re-measure the risky condition: privileges, host settings, logging, transfer paths, or update state.
- Confirm that the change did not break local visibility: logging, WEF/WEC forwarding, or export procedures should still work after hardening.
- Record remaining exceptions with an owner and review date, especially where legacy compatibility still blocks a clean fix.
- Preserve before-and-after evidence with collection dates, boundary assumptions, and known blind spots.
Warning: an exportable PDF is not proof by itself. In isolated environments, proof comes from repeatable local collection plus a stable rerun method.
How EtcSec Supports Audits in Isolated Enterprise Networks
For this use case, the important product boundary is simple. EtcSec's official collector materials describe a read-only collector that can run in a fully local standalone mode, keep data local in that mode, and collect Active Directory evidence through LDAP/LDAPS and SYSVOL. That deployment model is materially more relevant in an isolated enterprise network than any claim about dashboards or cloud convenience.
In practice, that means a team can keep the collector inside the same trust boundary as the systems being reviewed, rerun the audit locally after remediation, and keep the evidence model consistent between review cycles. If you need the product detail rather than the process guidance, use ETC Collector for the deployment model and AD Audit Tool Comparison: How to Compare PingCastle, Purple Knight, and Repeatable Audit Workflows for where a repeatable local workflow changes the decision.
The value here is not that isolated networks need a magic offline tool. The value is that they need read-only local collection, stable reruns, and findings that stay usable after the first cleanup wave.
Primary References
- CISA: BOD 23-01 Implementation Guidance
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
- Microsoft Learn: Use Windows Event Forwarding to help with intrusion detection
- Microsoft Learn: Using WUA to Scan for Updates Offline
- Microsoft Open Specifications: MS-ADOD
- Microsoft Open Specifications: MS-GPOD Group Policy Structure
- ANSSI: Recommandations pour l'administration securisee des SI reposant sur AD
Continue Reading
Kerberos RC4 Fallback in Active Directory: How to Detect It, Why It Still Happens, and How to Remove It
CVE-2026-31431 (Copy Fail): What the Linux Kernel Vulnerability Affects and How to Mitigate It
