An IT infrastructure security audit is a systematic assessment of an organization's security controls, configurations, and processes — the starting point for building a mature security posture. Without knowledge of the current state of the environment, it is impossible to prioritize security investments effectively or demonstrate progress to management. This guide describes step by step how to prepare and conduct an IT infrastructure security audit — both for administrators planning an internal audit and for IT managers commissioning an external one.
What Is an IT Infrastructure Security Audit
An IT infrastructure security audit is a systematic review of the technical and procedural security controls in an organization. Its objective is to answer the question: are the existing security controls properly configured, do they cover all critical assets, and are they effective against current threats?
It is worth distinguishing a security audit from related but different activities. A penetration test (pentest) is an active attempt to break into a system to find exploitable vulnerabilities — a simulation of an attacker. A security audit is broader and more systematic: it includes review of configurations, processes, documentation, and architecture, not just technically exploitable vulnerabilities. A risk assessment identifies and quantifies business risks — an audit provides input to a risk assessment but is itself an evaluation of controls, not risks.
Several types of IT infrastructure security audits exist: an internal audit — conducted by the organization's own IT or security team, typically as a regular element of the security programme; an external audit — conducted by an independent consulting firm, providing objectivity and specialist expertise; a compliance audit — assessing conformance with regulatory requirements (NIS2, ISO 27001, KNF, HIPAA). In practice, organizations use all three types depending on the objective and context.
Audit Preparation
Proper preparation determines the quality and efficiency of an audit. A poorly prepared audit consumes time without producing a complete picture.
Asset inventory is the foundation of every audit — you cannot assess the security of assets you do not know exist. The inventory should cover: servers (physical and virtual, on-premises and cloud), workstations and mobile devices, network devices (switches, routers, firewalls, access points), cloud resources (Azure/AWS/GCP subscriptions, SaaS services), and OT/ICS systems if connected to the IT network. Automated inventory tools (Lansweeper, Azure Arc, Microsoft Intune) significantly accelerate this process.
Documentation — gather before the audit: network diagrams (topology, VLANs, firewall zones, external connections), Active Directory structure (domains, forests, trust relationships, organizational units), data flows for critical systems (ERP, CRM, financial systems), and existing security policies (password policy, acceptable use, incident response). Absence of documentation is itself an audit finding — it indicates problems with infrastructure governance.
Stakeholder alignment — before the audit, set expectations with key parties: IT (technical scope, testing windows, points of contact), management (business objectives of the audit, format of the final report), and HR and legal (rules for accessing personal data during the audit, procedures if evidence of breaches is found). A well-conducted pre-audit briefing eliminates misunderstandings and accelerates the work.
Key Audit Areas
A comprehensive IT infrastructure security audit covers several key domains. When time or budget is limited, prioritize areas based on the risk level for your organization.
Identity and access — Active Directory health assessment using Ping Castle (health score and issue list), privileged account inventory (how many users have Domain Admin? Are there service accounts with excessive permissions?), MFA coverage (what percentage of users have MFA enabled? Do administrative accounts have FIDO2?), stale account analysis (accounts of departed employees; test accounts; temporary accounts). BloodHound supplements Ping Castle with a graphical map of attack paths in AD.
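As an added example (not code from the original article), the following PowerShell collects the privileged-account and stale-account figures listed above with the RSAT ActiveDirectory module. The 90-day staleness threshold and the CSV file names are assumptions; MFA coverage is left out because it lives in Entra ID rather than on-premises AD.

```powershell
# Added example, not the article's code: gather the identity-and-access evidence
# the audit asks for. Requires the RSAT ActiveDirectory module and a domain
# account with read access to AD. Thresholds and file names are assumptions.
Import-Module ActiveDirectory

$StaleDays = 90   # assumption: no logon for 90 days counts as stale

# 1. Privileged account inventory: transitive members of Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate

# 2. Service accounts with excessive permissions: privileged users carrying an SPN.
#    This is the exposure behind the Kerberoasting finding in the reporting section.
$privilegedWithSpn = @($domainAdmins | Where-Object { $_.ServicePrincipalName.Count -gt 0 })

# 3. Privileged accounts whose password never expires.
$neverExpires = @($domainAdmins | Where-Object PasswordNeverExpires)

# 4. Stale accounts: still enabled, but inactive for longer than $StaleDays.
$staleUsers = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object Enabled)

# Summary figures for the report, plus CSV evidence for the appendix.
[PSCustomObject]@{
    DomainAdmins                = @($domainAdmins).Count
    DomainAdminsWithSPN         = $privilegedWithSpn.Count
    DomainAdminsPwdNeverExpires = $neverExpires.Count
    StaleEnabledUsers           = $staleUsers.Count
} | Format-List

@($domainAdmins) | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires |
    Export-Csv -NoTypeInformation -Path .\audit-domain-admins.csv
$privilegedWithSpn |
    Select-Object SamAccountName, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv -NoTypeInformation -Path .\audit-privileged-spn.csv
$staleUsers | Select-Object SamAccountName, LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\audit-stale-users.csv
```

The three CSV files are the evidence to attach to the audit report; the summary object gives the headline numbers for the executive section.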
Network security — firewall rule review (identifying unused, overly broad, or "temporary" rules), network segmentation verification (are workstations separated from servers? Is OT/ICS isolated?), open port and service scanning from inside and outside the network (nmap), identification of services exposed to the internet without justification.
Endpoint security — EDR coverage (what percentage of devices have an active EDR solution installed?), patch level (what is the average age of security patches on workstations and servers?), disk encryption (BitLocker on workstations and laptops), Group Policy (GPO) configuration from a security perspective.
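An added example (not the article's own code) that measures the endpoint figures above, average patch age, BitLocker coverage and EDR coverage, over PowerShell remoting. The host names are constructed, and the script assumes WinRM is enabled, the caller is a local administrator on each host, and the EDR is Microsoft Defender for Endpoint (whose Windows service is named 'Sense').

```powershell
# Added example, not the article's code: measure patch age, disk encryption and
# EDR coverage across a constructed host list over PowerShell remoting (WinRM).
# Assumes WinRM is enabled, the caller is a local admin on each host, the
# BitLocker module is present, and the EDR is Defender for Endpoint (service 'Sense').
$computers = 'WS-001', 'WS-002', 'SRV-FILE01'   # constructed sample names

$reachable = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Newest installed Windows update; InstalledOn can be empty for some entries.
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $bl  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $edr = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Computer     = $env:COMPUTERNAME
        PatchAgeDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
        BitLockerOn  = ($bl.ProtectionStatus -eq 'On')
        EdrRunning   = ($edr.Status -eq 'Running')
    }
}

# Hosts that did not answer are unknowns, and unknowns are a finding in themselves,
# so coverage percentages are computed against the full inventory, not just responders.
$unreachable = $computers | Where-Object { $_ -notin $reachable.Computer }
$total = $computers.Count

[PSCustomObject]@{
    HostsTotal           = $total
    HostsUnreachable     = @($unreachable).Count
    AvgPatchAgeDays      = [int](($reachable | Where-Object { $null -ne $_.PatchAgeDays } |
                                Measure-Object PatchAgeDays -Average).Average)
    BitLockerCoveragePct = [math]::Round(100 * @($reachable | Where-Object BitLockerOn).Count / $total)
    EdrCoveragePct       = [math]::Round(100 * @($reachable | Where-Object EdrRunning).Count / $total)
} | Format-List

$reachable | Select-Object Computer, PatchAgeDays, BitLockerOn, EdrRunning |
    Export-Csv -NoTypeInformation -Path .\audit-endpoints.csv
```

In a real audit the host list comes from the asset inventory built during preparation, which is exactly how gaps between the inventory and reality show up as unreachable hosts.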
Backup and recovery — backup coverage (do all critical systems have backups? What is the schedule?), restore test results (when was the last restore test conducted? What was the RTO?), ransomware protection (is there an offline or immutable copy? Is backup isolated from the production network?).
Policies and procedures — assessment of security process documentation: a documented Incident Response Plan, Acceptable Use Policy, employee onboarding and offboarding procedures (especially access removal upon departure), and Change Management policy.
Audit Tools
A professional security audit requires appropriate tooling. Below is an overview of the most important tools — both free and commercial.
Ping Castle (free) — without question the most important free Active Directory audit tool available. Generates an HTML report with an AD health score (0-100) and a prioritized list of security issues. Run directly on a domain controller or a workstation with AD access. A score below 50 indicates serious issues requiring immediate attention; above 85 is a solid result for most organizations.
BloodHound (free) — a graphical tool for mapping attack paths in Active Directory. Collects data through SharpHound (collector), then visualizes relationships between AD objects and paths leading to Domain Admin. Invaluable for identifying non-obvious privilege escalation paths. Available in Community (free) and Enterprise (commercial) editions.
Nmap (free) — the standard tool for network scanning and identification of open ports and services. Used to build a map of active hosts, identify exposed services, and detect unauthorized devices in the network. Internal scanning with elevated privileges provides an accurate picture of service exposure on the internal network.
Nessus (Tenable) / OpenVAS (free equivalent) — vulnerability scanners that automatically identify missing updates, misconfigurations, and known CVE vulnerabilities on hosts in the network. Nessus Essentials is available free for scanning up to 16 IP addresses. OpenVAS (Greenbone Community Edition) is fully free and sufficient for small and medium environments.
Microsoft Secure Score (free for M365) — a built-in tool in the Microsoft 365 Defender portal that assesses the security posture of the Microsoft environment. For each area (identity, devices, applications, data) it identifies specific actions that improve the score with an estimated impact. An ideal starting point for organizations using M365.
Additional tools: Lynis (Linux/Unix system security audit), CIS-CAT (CIS benchmark compliance assessment), PEASS-ng/WinPEAS (privilege enumeration and escalation paths — only in a test environment with authorization).
After the Audit: Remediation Plan
An audit without a remediation plan is merely a list of problems. The value of an audit is realized only when findings lead to concrete, measurable remediation actions.
Prioritizing findings — every audit finding should be classified by risk: Critical (immediate action required, risk of full system takeover or loss of critical data), High (action within 7-30 days, significant risk), Medium (action within 90 days), Low (schedule in the next cycle). Priority should consider both the likelihood of exploitation and the potential business impact.
Assigning owners — every finding must have a named person responsible for remediation and a specific deadline. Without an owner and deadline, audit recommendations accumulate in an unread PDF document. A RACI matrix (Responsible, Accountable, Consulted, Informed) helps with clear assignment of accountability.
Retesting — after remediation actions are implemented, verify that they actually resolved the issue. For critical and high findings, retests should be conducted by the same auditor or an independent party. Ping Castle should be re-run after AD issue remediation to confirm score improvement.
Report to management — audit findings must be communicated to management in business language, not technical jargon. The executive summary should include: an overall assessment of the organization's risk level, three to five most serious findings and their potential business impact (data loss, operational downtime, regulatory fines), and recommended security investment priorities with estimated costs. Management does not need to understand what Kerberoasting is — they need to understand that "unsecured service accounts allow an attacker to take full control of the infrastructure within hours, potentially resulting in production downtime lasting multiple days."
How ExColo Can Help
ExColo conducts comprehensive IT infrastructure security audits — from security architecture assessment through in-depth Active Directory audit using Ping Castle and BloodHound, to network segmentation review and backup status evaluation. Every audit concludes with a prioritized remediation plan with concrete steps and effort estimates.
We offer comprehensive security architecture assessments that serve as an excellent foundation for an IT security audit. If you need an objective assessment of your infrastructure's security posture — whether as a starting point for a security improvement programme or in preparation for a NIS2 or ISO 27001 compliance audit — review our security services or contact us directly.