The administration, bypassing the main administrator, ordered an audit of the local network and its security (network based on Windows Server AD + DS)
1) find unclosed local users
2) open ports and forwarding
3) exclude the left output of information
4) that only domain users have rights

How can I check all this? The main thing for which the authorities are afraid is to drain the information, since it is a very large construction company.
  • Options to merge information in full It will be difficult to foresee all possible. – Demonic Frisbee Sep 7 '18 at 09:49

6 Answers

In general, I support those who responded earlier - if there is no knowledge, it is better not to take responsibility for yourself.

bypass...admin....audit of the local network and its security (network based on windows server AD + DS)

What rights are there? Do you have admin domains?

1) find unclosed local users

You can even collect local accounts with a PS script. If there are admin rights again.

2) open ports and forwarding

Forwarding is more difficult (you will need access), and you can listen to open ports than before.
Note that probing may not work through some devices (specifically, the switch may well cut the leftist, for example)
3) exclude the left output of information

Essentially unreal.
The most common is to chop off flash drives and prohibit extra network resources. Software for this is plentiful, you can do it if you have rights and scripts.
File sharing is a pain, and not an easy one. Well, let's say you have a chance to update the block lists and have a subscription to them... But in some cases it does not help - specifically with Google and Yandex for sure.

===
The approach is completely wrong. Quite.
Now there is some kind of digging under the sysadmin. This is wrong because it is not constructive. If you trust him - no need to hide the audit. If they do not trust, they must be expelled right away, because no matter how you twist the powers of the admin, on their part, they will let him do anything.

How to:
1. Agree on guidelines with principles. Well, here - access only to domain members. OK.
Talk about printing, mailing, flash drives and personal phones (prohibit connecting to computers), the policy of shared network resources.
2. Think about how you will monitor changes on file resources. Many options, convenient paid, free uncomfortable.
3. Consider who should be given what rights and how to monitor them.
4. Consider what software and how to monitor it.
5. Do you close any network resources? How to monitor.

(this is the first time)
All this is then carefully described in the strategy "to be", accompanied by a list of the necessary for...

In most cases, if the user has access to the file, he can easily copy it and transfer it to someone. And I advise you not to be too brutal with regard to prohibitions, but to direct efforts towards external connections (in order not to connect from the outside and "suck out") and monitoring.
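
One way to write the PS script for collecting local accounts that the first answer mentions, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module on the audit workstation, WinRM enabled on the targets and an account with admin rights on them; the output file names are placeholders.

```powershell
# Added example: inventory local accounts on domain-joined Windows hosts.
# Assumptions: RSAT ActiveDirectory module on the audit workstation, WinRM
# enabled on targets (Windows PowerShell 5.1+), caller is admin on them.
Import-Module ActiveDirectory

# Enabled computer accounts, excluding domain controllers (primary group 516),
# which have no local account database.
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and PrimaryGroupID -ne 516' |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$collect = {
    # Enabled local accounts: candidates for disabling or removal.
    $users = Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{ Kind = 'LocalUser'; Name = $_.Name
                           LastLogon = $_.LastLogon; PasswordLastSet = $_.PasswordLastSet }
    }
    # Non-domain members of built-in Administrators. The well-known SID is
    # used because the group name is localized.
    $admins = try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Where-Object PrincipalSource -eq 'Local' | ForEach-Object {
                [pscustomobject]@{ Kind = 'LocalAdmin'; Name = $_.Name
                                   LastLogon = $null; PasswordLastSet = $null }
            }
    } catch {
        # Get-LocalGroupMember can fail on orphaned SIDs; record it instead of hiding it.
        [pscustomobject]@{ Kind = 'Error'; Name = $_.Exception.Message
                           LastLogon = $null; PasswordLastSet = $null }
    }
    @($users) + @($admins)
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $collect `
    -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Select-Object PSComputerName, Kind, Name, LastLogon, PasswordLastSet |
    Sort-Object PSComputerName, Kind |
    Export-Csv -Path .\local-accounts.csv -NoTypeInformation -Encoding UTF8

# Hosts that could not be reached were NOT audited; list them separately.
$failed | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path .\not-audited.txt
```

The second file matters as much as the first: a host that did not answer over WinRM has simply not been checked, so it should be revisited rather than treated as clean.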
Oh, the wrong approach to your bosses.All your audit, alas, can be thrown into the trash!
1) For the questions you ask, you simply do not have the competence for this work.
2) Even if you completely chew everything, then most likely you will get the wrong results.
3) Even getting the right results, they still need to be interpreted somehow, which is also doubtful.

You would not do this, from the word - in general, it is an audit, because for its results all dogs will be hanged on you!

But if you are interested in security for yourself, then start with port scanning (nmap), entering the domain, connecting to the network, and wifi access points. Next - scan the network from the user. Next - we look at the connection to the Internet and traffic filtering. Next - connect flash drives and all CD-USB devices. Then - everywhere.
To the issue:
3) exclude the left output of information

A simple user can upload the necessary documents to all sorts of Google there, Yandex drives.
How can I check all this?

Invite a qualified auditor.

If you want / are forced to do amateur activities - smoke methodologies:
ITAF, COBIT, IPPF, SSAE No. 16
If the question is asked in principle to bypass the main admin, then they suspect it. If the main admin is really involved - you can put a cross on the audit. You simply will not find anything, or in the course of an audit, they will get stuck and there will be interesting consequences.
Wikipedia has a starting point: Preventing information leaks