To get an overview of your exposure you basically need to map out three different areas of your infrastructure:

  1. Make an inventory of all effective security group memberships for each domain account. You must include service accounts and include nested group memberships.
  2. Make an inventory of which accounts have local admin rights on every system. You must include both servers and PC's.
  3. Get an overview of who is logging on to which systems.

First step provides data that will be consumed during the second and third step, and can be collected fairly simple.

Second bullet will map out who potential attackers are, and can also be retrieved quite easily.

Third bullet will map out who potential victims are, and this step is a bit more challenging.

Crunching the Data

When all data is collected and analyzed it is often possible to identify several paths that lead from the most innocent looking local admin and all the way up to the highest privileges in the organization. The shorter and steeper the path, the greater the risk.