Lessons Learned from Offline Assessment of Security-Critical Systems: The Case of Microsoft Active Directory

• Author(s): Olasunkanmi Oluwasanjo Ladapo; Adetomiwa A. Dosunmu; Demilade Jooda; Toyosi O Abolaji
• Paper ID: 1717205
• Page: 277-299
• Published Date: 30-11-2019
• Published In: Iconic Research And Engineering Journals
• Publisher: IRE Journals
• e-ISSN: 2456-8880
• Volume/Issue: Volume 2 Issue 6 December-2018

Abstract

Security evaluation of enterprise-level identity and access management infrastructure has emerged as a central imperative within contemporary information security governance and practice. Centralised directory services occupy a foundational position in enterprise computing environments, governing authentication, authorisation, and privilege assignment across complex networked architectures. As such, they represent high-value targets for both external adversaries and malicious insider actors whose exploitation of these systems can yield catastrophic consequences for organisational confidentiality, integrity, and availability. This study presents a comprehensive scholarly review of non-intrusive evaluation methodologies applied to such identity management platforms, integrating conceptual frameworks, practitioner literature, and documented field experiences to derive generalisable lessons applicable across diverse organisational and jurisdictional contexts. The investigation critically examines the theoretical foundations of non-intrusive evaluation within identity management paradigms, analyses architectural vulnerability characteristics inherent to enterprise directory environments, and evaluates the methodological and tooling dimensions encountered in structured security audits. Empirical observations are drawn from assessment experiences spanning multiple operational settings, including developing-economy contexts in Africa and elsewhere, where security governance maturity may diverge substantially from global benchmarks. A structured threat modelling perspective contextualises identified vulnerabilities within the contemporary adversarial landscape, whilst targeted remediation and hardening strategies are articulated in alignment with internationally recognised security principles and established control frameworks. Policy and governance implications arising from assessment outcomes are examined through the lens of authoritative standards frameworks and evolving regulatory expectations. Future scholarly directions are proposed with attention to automated analysis capabilities, cross-domain standardisation, and governance alignment in resource-constrained organisational environments. Through rigorous synthesis and critical analysis, this study contributes substantially to academic and professional discourse on enterprise security evaluation, offering actionable insights for practitioners and policymakers responsible for the protection of critical identity infrastructure.

Keywords

Identity And Access Management; Offline Security Assessment; Privilege Escalation; Directory Service Vulnerabilities; Threat Modelling; Security Governance

Citations

IRE Journals:
Olasunkanmi Oluwasanjo Ladapo, Adetomiwa A. Dosunmu, Demilade Jooda, Toyosi O Abolaji "Lessons Learned from Offline Assessment of Security-Critical Systems: The Case of Microsoft Active Directory" Iconic Research And Engineering Journals Volume 2 Issue 6 2018 Page 277-299 https://doi.org/10.64388/IREV2I6-1717205

IEEE:
Olasunkanmi Oluwasanjo Ladapo, Adetomiwa A. Dosunmu, Demilade Jooda, Toyosi O Abolaji "Lessons Learned from Offline Assessment of Security-Critical Systems: The Case of Microsoft Active Directory" Iconic Research And Engineering Journals, 2(6) https://doi.org/10.64388/IREV2I6-1717205