Questions

Ask yourself some questions

Hand on your heart: would you be able to change the password of every service account in your domain and on your servers without breaking anything?
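The honest answer to that question starts with an inventory: you can only rotate a service account safely if you know every service and scheduled task that logs on with it. The PowerShell below is an added example, not code from the original post; it assumes it is run locally on each server with administrative rights, and the CSV file name is my own choice.

```powershell
# Added example (not from the original post): inventory where managed accounts are actually
# used on this server, so a password rotation can be planned instead of guessed.
# Assumes: run locally on each server as an administrator.

# Built-in service identities have no password you manage; everything else is a candidate.
$builtInServiceAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# Built-in task principals (virtual accounts and local groups) that need no rotation.
$builtInTaskPrincipals = @(
    'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'Users', 'Administrators', 'INTERACTIVE'
)

# 1. Windows services whose logon account is not built-in (comparison is case-insensitive).
#    'NT SERVICE\*' virtual accounts are skipped as well; they have no stored password.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtInServiceAccounts -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')
    } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Type     = 'Service'
            Name     = $_.Name
            Account  = $_.StartName
            State    = $_.State
        }
    }

# 2. Scheduled tasks that run as a named account. Principal.UserId may also be a SID string
#    for some tasks; those are kept in the list so they get reviewed rather than silently dropped.
$tasks = Get-ScheduledTask |
    Where-Object {
        $_.Principal.UserId -and ($builtInTaskPrincipals -notcontains $_.Principal.UserId)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Type     = 'ScheduledTask'
            Name     = $_.TaskName
            Account  = $_.Principal.UserId
            State    = $_.State
        }
    }

$inventory = @($services) + @($tasks)

# Per account: this is exactly the list of things that break if you rotate that account's
# password without updating them.
$inventory | Group-Object Account | ForEach-Object {
    '{0}: used by {1} item(s)' -f $_.Name, $_.Count
}
$inventory | Sort-Object Account | Format-Table Account, Type, Name, State -AutoSize

# Keep a CSV per server; merged across all servers it becomes the rotation runbook.
# File name is the example's own choice.
$inventory | Export-Csv -Path "$env:COMPUTERNAME-service-accounts.csv" -NoTypeInformation
```

Run it on every server before the rotation, merge the CSV files, and you have, per account, the complete list of places that must be updated in the same change window. Anything that is still missing from that list (IIS application pools, COM+ applications, credentials embedded in scripts) is exactly the blind spot the question is asking about.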

How many people who have left the company still know passwords of service accounts or administrator accounts that are still valid?

How many people within your organization know the credentials of a highly privileged account?

Do you have the passwords of every administrator or service account documented (securely and safely)?

Does your IT staff use a “standard” password for various things?

Do you use the same PC to surf the internet and receive email as you use to administer your Active Directory?

How much money and effort is your company spending on securing the network? Firewalls, proxies, mail gateways and so on – but your Windows servers are left more or less naked.

Do your users (and you yourself) log out when you leave the PC, or do you just lock the machine? Do you really know what is going on in your Windows session while you are away (lunch, break, meeting)?

Do you have a CSO (Chief Security Officer)? Does he know or care what is going on in the Windows area?

Does your IT staff have access to file structures containing business documents? Do they really need this?

Have you ever tested an Active Directory restore from backup?

Are you sure all business data is backed up properly and that a restore is possible within a reasonable time?

Is your password policy enforcing complex passwords? How many people in your organization are writing down their passwords? How many people just use iteration to comply with the password rule?

e.g. Password1, Password2, Password3 and so on
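A complexity rule alone does not stop the Password1, Password2, Password3 pattern, because every one of those passwords satisfies it. What catches the pattern is comparing the new password with the previous one and rejecting a change that only moves the counter. The PowerShell below is an added example, not code from the original post: the two functions and the sample pairs are constructed for illustration, and the check generalizes slightly beyond the text by also stripping trailing punctuation (Summer2023! -> Summer2024!) and tolerating a stem that grew or shrank by a character or two.

```powershell
# Added example (not from the original post): flag a proposed password that is merely an
# "iteration" of the previous one. This is the kind of rule a password-change review or a
# custom password filter would apply. Sample pairs below are constructed.

function Get-PasswordStem {
    param([string]$Password)
    # Strip trailing digits and punctuation, then normalize case, so
    # "Password2!" and "password3" both reduce to "password".
    return ($Password -replace '[\d\W_]+$', '').ToLowerInvariant()
}

function Test-PasswordIteration {
    param(
        [Parameter(Mandatory)][string]$Previous,
        [Parameter(Mandatory)][string]$Candidate
    )
    $oldStem = Get-PasswordStem $Previous
    $newStem = Get-PasswordStem $Candidate

    # A stem shorter than three characters (e.g. an all-digit password) gives nothing
    # meaningful to compare; leave that to the complexity rule instead.
    if ($oldStem.Length -lt 3) { return $false }

    # Same word, only the counter or the punctuation changed.
    if ($oldStem -eq $newStem) { return $true }

    # Stem grew or shrank by at most two characters (Passw0rd -> Passw0rds).
    if ($newStem.StartsWith($oldStem) -or $oldStem.StartsWith($newStem)) {
        return ([math]::Abs($oldStem.Length - $newStem.Length) -le 2)
    }
    return $false
}

# Constructed sample pairs (previous password, proposed new password).
$samples = @(
    @{ Old = 'Password1';   New = 'Password2' },       # classic iteration
    @{ Old = 'Summer2023!'; New = 'Summer2024!' },     # year bump
    @{ Old = 'Fluffy7';     New = 'fluffy8!' },        # case and punctuation changed only
    @{ Old = 'Password1';   New = 'T9k#wq2LmZ!pX' }    # genuinely new
)

foreach ($s in $samples) {
    $flag = Test-PasswordIteration -Previous $s.Old -Candidate $s.New
    '{0,-12} -> {1,-15} iteration: {2}' -f $s.Old, $s.New, $flag
}
```

The first three pairs are reported as iterations and the last one is not. The check deliberately stays simple (no leetspeak handling, no similarity score); its value is that it runs at change time, when the user can still be asked for a different password, rather than in an audit months later.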

How many passwords are guessable by social engineering? E.g. a pet's name, a partner's or children's names.

Conclusion – in my eyes, human beings are the weakest link here.
