Copyright Quest Software, Inc All rights reserved. DISCLAIMER TRADEMARKS

Transcription

1 2.6 User Guide

2 Copyright Quest Software, Inc All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. DISCLAIMER The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. TRADEMARKS InTrust for Active Directory is a trademark of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners. World Headquarters 5 Polaris Way Aliso Viejo, CA info@quest.com Please refer to our Web site for regional and international office information. InTrust for Active Directory Updated November 10, 2006 Software version 2.6

3 CONTENTS ABOUT THIS GUIDE... 3 CHAPTER 1 OVERVIEW... 4 CONVENTIONS... 4 ABOUT QUEST SOFTWARE, INC... 5 CONTACTING QUEST SOFTWARE... 5 CONTACTING QUEST SUPPORT... 5 INTRODUCING INTRUST FOR ACTIVE DIRECTORY... 7 CHAPTER 2 OVERVIEW... 8 INTRUST FOR ACTIVE DIRECTORY FEATURES... 9 AUDITING CHANGES TO ACTIVE DIRECTORY OBJECTS AND GPOS... 9 PROTECTION OF CRITICAL ACTIVE DIRECTORY OBJECTS AND GPOS...10 REAL-TIME MONITORING OF ACTIVE DIRECTORY AND GPO CHANGES...10 CENTRALIZED REPORTING ON CHANGE INFORMATION...11 ANOMALY ANALYSIS...11 INTEROPERATION...12 CHANGE AUDITING AND PROTECTION...12 REPORTING AND REAL-TIME MONITORING...13 MOM INTEGRATION...15 ANOMALY DETECTION...15 WORKING WITH INTRUST FOR ACTIVE DIRECTORY AUDITING AND REPORTING ON CHANGES TO ACTIVE DIRECTORY...18 ADVANCED AUDITING AND REPORTING: JOBS AND TASKS...19 CREATING REPORTS...20 REAL-TIME MONITORING OF INTRUST FOR ACTIVE DIRECTORY EVENTS.23 CONFIGURING OBJECT PROTECTION...24 HOW OBJECT PROTECTION WORKS...26 UNPREVENTABLE INDIRECT CHANGES...26 i

4 SETTING PROTECTION ON GPOS...27 SETTING THE LEVEL OF PROTECTION...28 SETTING ADDITIONAL SECURITY ON PROTECTED OBJECTS...28 OVERRIDING PROTECTION...29 CONTROLLING PROTECTION THROUGH API...29 ANOMALY DETECTION...30 APPENDIX A. OBJECTS RELATED TO INTRUST FOR ACTIVE DIRECTORY.31 INTRUST FOR ACTIVE DIRECTORY REPORT PACK...31 SUMMARY...31 ACTIVE DIRECTORY CHANGES...31 GROUP POLICY CHANGES...33 INTRUST FOR ACTIVE DIRECTORY SERVICE DISCOVERY...33 INTRUST FOR ACTIVE DIRECTORY CONFIGURATION CHANGES...33 ACTIVEROLES SERVER/INTRUST FOR ACTIVE DIRECTORY CHANGE MANAGEMENT...33 RULES...34 CHANGE ATTEMPTS TRACKING...34 SERVICE DISCOVERY AND AVAILABILITY...34 SUCCESSFUL CHANGE TRACKING...34 SITES...35 TASKS...35 DATA SOURCES...35 GATHERING POLICIES...35 MISCELLANEOUS...36 APPENDIX B. REGISTRY SETTINGS LOGGING...37 LOGON ATTRIBUTES...38 SYSVOL FILE CHANGES...38 GENERAL AUDITING AND PROTECTION...39 HOW VALUES ARE INTERPRETED...40 BIT VALUE MEANING...41 ii

5 About This Guide Overview Conventions About Quest Software Contacting Quest Software Contacting Quest Support 3

6 InTrust for Active Directory Overview This document is intended to help system administrators understand the concepts, features and workflow of Quest InTrust for Active Directory. Conventions In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references. ELEMENT CONVENTION Select Bolded text Italic text Bold Italic text This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Interface elements that appear in Quest products, such as menus and commands. Used for comments. Introduces a series of procedures. Blue text Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result. Used to highlight processes that should be performed with care. + A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence. 4

7 About This Guide About Quest Software, Inc. Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 18,000 customers worldwide meet higher expectations for enterprise IT. Quest s Windows Management solutions simplify, automate and secure Active Directory, Exchange and Windows, as well as integrate Unix and Linux into the managed environment. Quest Software can be found in offices around the globe and at Contacting Quest Software Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA Refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents). Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: Support Guide.pdf 5

8

9 1 Introducing InTrust for Active Directory Overview InTrust for Active Directory Features Interoperation 7

10 InTrust for Active Directory Overview Active Directory is the most important infrastructure component within the Windows environment today. Unwanted changes to Active Directory can cause considerable problems, including business interruption, directory unavailability, and system downtime. Staying on top of change in Active Directory is a challenging task, and tracking every change that occurs to critical Active Directory components is often impossible. While unexpected changes will always happen, it is necessary to ensure that undesired changes are caught early, and fixed, before they become an issue. Active Directory objects are the focus of the InTrust for Active Directory solution. InTrust for Active Directory performs a variety of tasks related to these objects, as follows: Auditing of successful and failed changes to Active Directory objects and GPOs Prevention of changes to specified important Active Directory objects and GPOs Reporting on change attempts Real-time monitoring of change attempts Analysis of event logs in order to detect unusual activity involving critical Active Directory objects InTrust for Active Directory achieves these tasks by using the InTrust framework and interoperating with other InTrust components. The features are described in detail in the following section. The Interoperation section explains where InTrust for Active Directory stands in the InTrust framework. 8

11 Introducing InTrust for Active Directory InTrust for Active Directory Features Auditing Changes to Active Directory Objects and GPOs Active Directory Objects InTrust for Active Directory audits changes to all critical areas of Active Directory, including service accounts, administrative groups, schema, and configuration. Group Policy Objects Unlike other solutions, InTrust for Active Directory not only tracks changes to Group Policy objects, but also to individual Group Policy settings, ensuring that you know if changes that could affect thousands of users have been made. The auditing engine can track the following changes: Deletion Creation Moving Renaming Modification Information about the changes goes to the InTrust for Active Directory event log. The following data is audited: What object was changed When and how it was changed (for example, a user account was added to/deleted from an administrative group) Who initiated the change Object information before and after the change (for example, Group Policy settings or user account control options) Where the change was made (the computer from which the change was requested) These changes are tracked on all domain controllers where the changes occur. 9

12 InTrust for Active Directory Protection of Critical Active Directory Objects and GPOs InTrust for Active Directory allows you to configure objects that cannot be changed under any circumstances. You can protect the following Active Directory objects from unwanted changes: Domains OUs Computers Users Groups Extended schema objects Object protection prevents the following actions: Creation (for parent container objects) Deletion Moving Renaming Modification Critical objects such as Group Policy objects (GPOs) can also be protected. Object protection is described in detail in the Configuring InTrust for Active Directory section of this document. Real-Time Monitoring of Active Directory and GPO Changes Using the real-time monitoring feature of InTrust, you can monitor for changes and attempts to modify Active Directory and Group Policy objects. The realtime monitoring engine watches the InTrust for Active Directory log, and, as soon as a change or a change attempt is discovered, a monitoring rule is triggered. As a result, a corresponding alert is issued, and the personnel in charge get a notification message. Authorized users can work with alerts using the web-based Monitoring Console. In addition to Active Directory and GPO changes, you can monitor availability and operation of InTrust for Active Directory. A full list of monitoring rules related to InTrust for Active Directory is provided in Appendix A. For details on the real-time monitoring feature, refer to Quest InTrust documentation. 10

13 Introducing InTrust for Active Directory Centralized Reporting on Change Information For advanced auditing and reporting, you can use InTrust tasks and jobs, which allow you to: Periodically collect all events logged by InTrust for Active Directory, and store them to the specified repository Import the necessary data to the audit database Generate ready-to-use reports Clean up unnecessary information This feature is accessible in the InTrust Manager MMC snap-in, which allows you to work with repositories for centralized, long-term data storage, and audit databases for data analysis and reporting. You can organize central or local reporting, and set up data gathering and report generation workflow which best fits your organization's requirements. For more information about configuring the reporting workflow, refer to Quest InTrust documentation. Anomaly Analysis The Anomaly Analyzer component brings in valuable capabilities of event data correlation and anomaly detection. This feature further simplifies the discovery of network activity trends and the detection of security incidents. InTrust for Active Directory audits not only Active Directory changes and change attempts, but also other events logged by domain controllers, such as logons, object access and so on. By analyzing this data in large sets, you can find out trends and define normal and anomalous administrative behavior. Unusual actions include suspicious logons, suspicious access to objects, security incidents (such as series of failed logons and uncalled-for resource access). To detect suspicious occurrences, events are compared to normal activity patterns. Anomaly Analyzer provides ways to fine-tune the data processing algorithm to fit any environment. A Report Pack for event analysis and anomaly detection is also provided. 11

14 InTrust for Active Directory Interoperation The functionality of the solution depends on several components of the InTrust framework. Depending on what you want to do, you can deploy components as necessary. This section describes how these components work together and which ones to choose for specific tasks. Change Auditing and Protection InTrust for Active Directory allows you to avoid unwanted, potentially disastrous changes to your Active Directory. The following two components work together to provide a more secure Active Directory. InTrust for Active Directory Service The InTrust for Active Directory Service operates on domain controllers. It captures and audits all changes made to Active Directory and Group Policy objects. The InTrust for Active Directory Service also, optionally, protects critical objects from accidental and unwanted changes, enabling an organization to audit and manage changes in their Active Directory environment. InTrust for Active Directory Administration Tools The InTrust for Active Directory Administration Tools console lets you select objects to be protected and actions they must be protected against. The following figure shows the relationship between the two components. Active Directory InTrust for Active Directory Administration Tools InTrust for Active Directory Service 12

15 Introducing InTrust for Active Directory InTrust for Active Directory Administration Tools is used to configure object protection. The InTrust for Active Directory Service gets the configuration information from Active Directory and processes change requests accordingly. Reporting and Real-Time Monitoring The following figure shows the components responsible for reporting on data related to Active Directory changes and real-time monitoring of Active Directory objects. Gathering InTrust for Active Directory Service InTrust Server InTrust Manager InTrust for Active Directory log Repository audit database Reports Real-Time Monitoring InTrust for Active Directory Service InTrust Server InTrust Manager InTrust for Active Directory log alert database InTrust Monitoring Console The following is a list of components that participate in the process, with descriptions of what part each component plays. 13

16 InTrust for Active Directory InTrust for Active Directory Service This service audits change attempt data to the InTrust for Active Directory log. InTrust Server This component gets data from the InTrust for Active Directory log. This retrieval of data is required by two separate processes: gathering and realtime monitoring. Real-time monitoring is continuous, but gathering occurs on demand or on schedule. InTrust Agent This is an application that runs on the computer where the required log is located. It transmits data from the log to InTrust Server. InTrust agents are required for real-time monitoring. For gathering, they are not required, but recommended. InTrust Manager This MMC snap-in is the control center for audit data gathering and real-time monitoring. With InTrust Manager, you configure reporting tasks and real-time alerting. Reporting tasks include storing audit data in repositories, importing the necessary data to audit databases, and building reports based on the data. Real-time alerting means creating alerts as soon as specific events are caught, storing the alerts in the alert database, and, optionally, sending out notifications immediately. InTrust Manager Extension This component extends the InTrust Manager snap-in with the Configure Active Directory Audit wizard and property pages to objects that are related to InTrust for Active Directory. InTrust Monitoring Console This Web-based application is intended for working with real-time monitoring alerts. It tracks alert resolution progress and has tools that help personalize alert display. 14

17 Introducing InTrust for Active Directory MOM Integration Although InTrust for Active Directory is part of the InTrust auditing, reporting and real-time monitoring solution, two of its components (InTrust for Active Directory Service and InTrust for Active Directory Administration Tools) can operate as a standalone Active Directory auditing and protection system. However, if your environment uses Microsoft Operations Manager as the primary monitoring system, you can integrate InTrust for Active Directory using the MOM Management Pack. This pack is made up of MOM rules and configuration objects that enable MOM agents to monitor domain controllers where the InTrust for Active Directory Service is deployed. The MOM Management Pack contains the same rules as the Knowledge Pack for InTrust. Anomaly Detection In addition to catching and preventing obvious violations, you can use InTrust for Active Directory to detect unusual event patterns that should be checked. This is done by analyzing archives of events in InTrust audit databases. The following components are involved in anomaly detection: InTrust for Active Directory Service InTrust Server InTrust agent InTrust Manager InTrust Anomaly Analyzer Server InTrust Anomaly Analyzer Manager All of these components except InTrust Anomaly Analyzer Server and InTrust Anomaly Analyzer Manager have been described previously. They prepare data for analysis. After the data is ready, use the Anomaly Analyzer Server and Anomaly Analyzer Manager applications to study the audit database. Anomaly Analyzer performs a statistical analysis of the specified data and rates events according to how uncommon they appear. The following activity is analyzed: Logons Suspicious administrative activity Security incidents 15

18 InTrust for Active Directory The figure shows the steps that you should take to detect anomalies. InTrust for Active Directory Service InTrust Server InTrust Manager InTrust for Active Directory log Repository audit database InTrust Anomaly Analyzer 16

19 2 Working with InTrust for Active Directory Auditing and Monitoring Changes to Active Directory Real-Time Monitoring of InTrust for Active Directory Events Configuring Object Protection Anomaly Detection 17

20 InTrust for Active Directory Auditing and Reporting on Changes to Active Directory To gather audit data and include it in reports, use the InTrust Manager MMC snap-in. The InTrust for Active Directory audit configuration wizard in InTrust Manager lets you do the following: Configure the deployment of the InTrust for Active Directory Service on your domain controllers. Gather data for reports from the audited domain controllers. Select, schedule, run, deliver and view reports related to InTrust for Active Directory. To start the wizard, select Getting Started Configure Active Directory Audit in the treeview. To avoid possible script errors in the wizard, add about:security_mmc.exe to the list of trusted sites. For that, open Internet Options in the Control Panel, go to the Security tab in the Internet Properties dialog box, select the Trusted sites icon and use the Add button. Service Deployment The Configure service deployment link in the right pane lets you perform the initial InTrust for Active Directory Service deployment and reconfigure deployment settings later. The link takes you to the Configure service deployment page. Add your domain controllers to the list on this page. Domain controllers in the list are queued for service deployment (Start Pending) or service deactivation (Stop Pending), or have already been processed (no label). Use the Start and Stop buttons to change the status of the selected domain controllers, or Add and Remove to change the list. To complete all pending operations, click Apply. When you have finished the deployment configuration, click Back to main page. Selecting Reports The next step is to select the reports you want and optionally define what data they must include using filters. Click the Select Reports link to go to the report configuration screen. When you have finished selecting reports, click Back to main page. 18

21 Working with InTrust for Active Directory Scheduling Reports To define one or more schedules for the reports you selected, click the Set schedule link. To specify where the compile reports must arrive, click Configure delivery method. Select any of the following options: Send the reports as an attachment in the format you select Save them in the specified network share in the format you select Store a snapshot on the reporting server On-the-Spot Reporting To gather data and run the specified reports immediately, click the Run button. Clicking View more details at the bottom of the page lets you track the progress of the gathering and reporting session. When the session completes, click the View Reports button. This takes you to the default InTrust report storage with the prepared reports. Advanced Auditing and Reporting: Jobs and Tasks InTrust tasks are chains of specialized operations called jobs. To gather InTrust for Active Directory audit data and report on it, you need a task that includes at least a properly configured gathering job and a reporting job. To work with tasks and jobs, use the Workflow Tasks node in InTrust Manager. When configuring gathering jobs, you must supply the following information: Where to get the data This is determined by your choice of an InTrust site, which is a collection of audited computers. Using the predefined "Domain Controllers (installed ITAD service)" site guarantees that you gather events from domain controllers that are currently audited. What data to gather This is defined by InTrust gathering policies. On the one hand, policies let you narrow down the choice of audited computers. On the other hand, they provide filters for data that arrives in InTrust data storages. A useful predefined gathering policy is InTrust for Active Directory: All Events, which is used by the auditing and reporting configuration wizard. To avoid affecting the wizard, use a copy of it for your gathering jobs. Define import policies to specify which data is brought from repositories into audit databases for reporting. 19

22 InTrust for Active Directory Where to store the data InTrust supports two types of audit data storage: repositories and audit databases. Repositories are for long-term archival of arbitrary amounts of data, and audit databases should store data for immediate reporting needs. You can gather to a repository and then import data for reports to a database by including an InTrust import job in the task. This is the recommended way. You can also gather to a repository and a database at once if you want. To configure a reporting job, specify the following: The URL of the reporting server's Web service The database to be used as the data source for the reports Optionally, the credentials for creating the reports The reports and filters you need Where to deliver the ready reports address, network share or a Reporting Server snapshot that you can view using InTrust Knowledge Portal. Optionally, settings for notification about job completion by The InTrust server where the job runs This section concentrates on what you do with InTrust Manager that produces a reporting workflow. For detailed instructions on how to do it, see the Understanding Jobs and Tasks section in the Quest InTrust 9.5 User Guide. Creating Reports To create custom reports in addition to those provided in the InTrust for Active Directory Report Pack, use the Report Builder tool that comes with SQL Server Reporting Services. Report Builder creates reports based on models, which are structures associated with particular kinds of data in Reporting Services data sources. Report Model A report model helps Report Builder users to explore and select the data that they want to use from a data source. Report models provide familiar business names for database fields and tables, logically grouped model items, and predefined relationships between items within the data source. They are used by Report Server to automatically generate a query for retrieving the requested data, thus facilitating ad-hoc reporting. 20

23 Working with InTrust for Active Directory Models are brought in by the Report Packs you install. Each model defines: What product provides data for the reports What data source this data should be obtained from. The InTrust for Active Directory model comes with the InTrust for Active Directory Report Pack, and you use this model to create the reports on Active Directory audit data. To work with the InTrust for Active Directory model in Report Builder, open the home page of the reporting server that provides InTrust for Active Directory reports and click Report Builder. Reporting servers based on SQL Server 2005 Express do not provide the Report Builder feature..net Framework 2.0 must be installed on the client computer where you want to run Report Builder. Using Report Builder When you start Report Builder for the InTrust for Active Directory data source, ITAD Model is one of the models displayed in the Task pane on the right. Expand the InTrust for Active Directory model in the Task pane. Under the model node the following items are displayed: Normal Perspective W5 Perspective A perspective is a view of the model's data associated with specific database tables. For example, the whole InTrust for Active Directory model allows you to create reports on any kind of event audited by InTrust for Active Directory, and the W5 Perspective can be used to make reports that answer the questions "who (made the change)", "what (was changed)", "when (did the change occur)", and so on. After you select a model or any of its views (perspectives) for example, the Normal Perspective and click OK, a number of entities and their attributes are displayed in the left pane. For the "AD Change Event" entity in the Normal Perspective, the attribute list is as follows: User DC Client Computer 21

24 InTrust for Active Directory Date/Time Failure Type Action Object DN Number of Events Example Suppose you want to create a very basic report that shows the following: Which users successfully changed the membership of which Active Directory groups during the past month When the changes occurred How many group membership changes were made in all Use the Normal Perspective for this report, as follows: 1. In the Task pane, expand ITAD Model and double-click Normal Perspective. 2. Drag the AD Change Event entity from the Explorer pane to the workspace. Several columns are added. 3. Delete all columns except Date/Time, User and Object DN. 4. Make Object DN the leftmost column to use it for grouping. 5. From the Fields list in the Explorer pane, drag the Number of Events field into the workspace to add it as a column. Now the report has all the necessary graphical elements. 6. To set the time period and event type, click the Filter button in the toolbar. 7. In the Filter Data window that opens, drag the Date/Time field into the right pane. 8. In the first Date/Time condition, replace equals with the relative date in last 1 month. 9. Select the AD Change Event Change Details entity and drag the Object Class and Attribute Name fields into the right pane. Set these conditions so that they read Object Class equals group and Attribute Name equals member. 10. Click OK. Now the report is ready. 22

25 Working with InTrust for Active Directory For more information about working with models in Report Builder, refer to Report Builder Help. Real-Time Monitoring of InTrust for Active Directory Events InTrust Manager and InTrust Monitoring Console are the two components that enable you to work with real-time monitoring objects. InTrust sends out alerts as soon as certain events or conditions occur. Alerts are viewable in InTrust Monitoring Console. Notifications about alerts can be sent using or net send messages. Alerts are created by InTrust rules. The following types of alerts are related to the operation of InTrust for Active Directory: Alerts on Active Directory changes and change attempts Alerts on GPO changes and change attempts Alerts that help diagnose the InTrust for Active Directory Service For more information about real-time monitoring configuration procedures in InTrust, see the InTrust for Active Directory 2.6 Quick Start Guide and the InTrust documentation suite. 23

26 InTrust for Active Directory Configuring Object Protection You can lock down Active Directory objects and GPOs. Object protection in InTrust for Active Directory prevents any changes from occurring to the protected object regardless of who attempts to make the change and regardless of the tool or method used to make the change. Attempts to make such changes fail and produce errors. Deletion of protected Group Policy objects fails but does not produce any error messages on Windows Object protection is configured in the InTrust for Active Directory Administration Tools snap-in. This snap-in lets you do the following: Select objects that you want to protect from unwanted changes or accidental deletions Set the level of protection on these objects For example, you can add protection from attribute modification for the Enterprise Admins group so its membership cannot be modified by anyone. When an object is protected from attribute modification, all attributes are protected except the following: lastlogon lastlogontimestamp logoncount lastlogoff Protection for these attributes can be enabled using registry key values. For more information about InTrust for Active Directory registry keys, see Appendix B. If you protect user accounts then users cannot change their passwords. Thus, you would normally protect service accounts rather than accounts used by normal users. 24

27 Working with InTrust for Active Directory To define protected objects 1. In the InTrust for Active Directory Administration Tools console rightclick the Protected Objects node and select Add. 2. Select the objects then click Add. 3. Click OK. You can adjust the default level of protection if you want more control over the types of operations allowed on the protected object. You can remove an object from the protected objects list at any time. Rightclick an object, and then select Delete. Object Protection Recommendations InTrust for Active Directory protection should be applied cautiously. Always test protected objects in a non-production environment before deploying these to a live Active Directory. Protecting some objects in Active Directory can prevent legitimate system changes or operations from occurring and can yield unexpected results. Generally, you should protect only those objects that are not expected to change often, if ever; for example, schema objects. It is recommended that you constrain protection to the following types of objects: 1. Administrative user and group accounts including built-in users and groups such as Domain Admins and Enterprise Admins 2. Organizational Units 3. Group Policies 4. Schema objects 5. Sites and site links 25

28 InTrust for Active Directory How Object Protection Works When InTrust for Active Directory protection is applied to an Active Directory object, the protection applies to that object only. InTrust for Active Directory protection is not applied recursively. For example, you can use InTrust for Active Directory to place a root-level Organizational Unit (OU) into a protected state so that no changes can be made to the OU. However, the hundreds of user accounts that are in the OU can still be managed by the Help Desk, and changes can be made to all of the objects contained in the OU. InTrust for Active Directory protection is intended to be applied to the most critical objects in Active Directory, those objects for which unexpected changes are unacceptable, and can cause considerable disruption or downtime. For example, such objects include service accounts, GPOs, OUs and replication configuration objects. Unpreventable Indirect Changes Some changes to Active Directory objects are not audited and thus cannot be prevented, as follows: Changes initiated by replication Changes to so-called back-linked attributes Changes to objects which InTrust for Active Directory is incapable of watching For the sake of Active Directory integrity, InTrust for Active Directory does nothing about changes done as part of the replication process. Changes caused by the SYSTEM account are not prevented by default either. However, you can change this behavior by editing registry key values. For details, see Appendix B. Back-linked attributes of objects are actually links to attributes of other objects. For example, the Member Of attribute of a user account is not really a property of that account. It is just a convenient representation of other objects attributes, in this case containers which include the user account. As a result, back-linked attributes do not exist for InTrust for Active Directory. It audits and protects the original attributes. For example, to protect the membership of a user account, it is not enough to protect the account itself. You must also protect the group it is a member of. Although InTrust for Active Directory audits and protects changes to most types of Active Directory objects, some changes are performed involving functions that InTrust for Active Directory cannot track. For instance, SID history changes are not audited. 26

29 Setting Protection on GPOs Working with InTrust for Active Directory The policy and security settings contained in a Group Policy can be applied to thousands of users and computers in an environment. InTrust for Active Directory captures every change to Group Policy settings, so critical modifications are tracked and can be easily rolled back using the provided detail. You may want to ensure that changes do not occur to certain Group Policy objects in the first place. Use InTrust for Active Directory to protect Group Policy objects so that changes to policy settings are prevented regardless of who attempts the changes or the tool that is used. To set protection on a GPO 1. Open the InTrust for Active Directory console. 2. Right-click the Protected Objects node and select Add to add a protected object. 3. Browse to the Group Policy objects located in the following directory: <domain name> System Policies. 4. All Group Policy objects in your domain are displayed in the right pane. 5. Select the Group Policy you want to protect then click Add. 6. To protect a GPO from deletion select all containers in it, including nested containers, then select Add. Group Policy protection prevents changes to both portions of Group Policy data: the Group Policy objects in Active Directory and the actual configuration data stored in the SYSVOL share on domain controllers. A protected Group Policy object can be changed only by accounts excluded from protection. However, direct changes to protected configuration files on the SYSVOL share are prevented unconditionally. For more information about excluding accounts from protection, see the Overriding Protection section in this guide. 27

30 InTrust for Active Directory Setting the Level of Protection You can set the level of protection on objects and GPOs. To set the level of protection 1. Select the Protected Objects node. When protection is set at the container level, the protected state only applies to the container. The protection level does not apply to objects in the container. 2. Right-click the object in the listview, then select Protection. 3. Select the check boxes for the protection level that you want on your objects: a) Protect from deletion b) Protect from attribute modification, including renaming c) Protect from moving d) Protect from creation of child objects If you select any of these check boxes, and the object or the object attributes must be changed, you can clear the check box, update the object information, and then select the check box again to return the object to a protected state. 4. Click OK. Setting Additional Security on Protected Objects By default, InTrust for Active Directory settings are accessible by all domain administrators. In some environments, there are many individuals assigned domain administrator privileges. You can use the security feature in InTrust for Active Directory to provide an additional layer of security for your protected objects. You can delegate the right to manage protected objects to trusted administrators. This limits the number of administrators that can change InTrust for Active Directory settings. When you change the security settings on a protected object through InTrust for Active Directory, you are not changing the permissions assigned to the object. You are changing the access rights on who can change the InTrust for Active Directory settings. 28

31 Working with InTrust for Active Directory To set additional security on a protected object 1. Right-click the protected object then click Security. Selecting access rights is similar to selecting access rights in Active Directory Users and Computers. 2. Select the permissions then click OK. Overriding Protection If you have trusted administrators whose accounts must be permitted to make any change to Active Directory or Group Policy, exclude these accounts from protection. Management actions by excluded accounts are audited but not prevented. To exclude accounts 1. Right-click Protected objects in the treeview, and select Excluded Accounts. 2. In the Excluded Accounts dialog box that appears, configure the list of accounts using the Add and Remove buttons. All direct changes to files on the SYSVOL share are prevented, whether or not the account that requests them is excluded from protection. This happens because InTrust for Active Directory cannot tell who attempts to perform the direct change, so any attempt is prevented. Controlling Protection Through API The QCMMngr.dll library is installed with InTrust for Active Directory Administration Tools. This library provides a COM component that implements the object protection API. The API lets you do the following through function calls: Enumerate protected objects Modify the list of protected objects Enable protection Disable protection Query protection status Work with the list of accounts excluded from protection Use the API in situations when protecting multiple objects through the user interface is cumbersome. 29

32 InTrust for Active Directory The API is most useful for working following types of objects: Schema objects Group Policy objects Sample scripts are provided as part of InTrust for Active Directory Administration Tools. Anomaly Detection Anomaly detection usually involves the following actions: 1. Collect the required data to an audit database. 2. Make Anomaly Analyzer study the database to determine what kind behavior is normal or unusual. This estimation is known as training. 3. Create or select a model, which is a definition of the type of behavior you want to analyze. 4. Perform analysis using the model. This initial analysis is called classification. 5. Review the initial classification results. If necessary, adjust the model. 6. Build reports based on the analysis data. Anomaly detection concepts and workflow are described in detail in the Quest Anomaly Analyzer 1.5 User Guide. 30

33 Appendix A. Objects Related to InTrust for Active Directory InTrust for Active Directory Report Pack You can use InTrust to create reports that provide detailed information about InTrust for Active Directory activities. For more information on running reports, refer to the InTrust documentation. The following is a list of InTrust for Active Directory reports. For descriptions of the reports, refer to the Readme file that comes with the Report Pack installer. Summary Summary of change requests Active Directory Overview of changes Top N busiest domain controllers Top N most frequently changed Active Directory objects Top N IP subnets where most changes are originating from Top N IP addresses where most changes are originating from Active Directory Changes General Change Requests All change requests for Active Directory objects Change requests for protected Active Directory objects Changes to Active Directory object attributes Changes to Active Directory object security Permission inheritance changes Forensic ITAD log data analysis Specific Active Directory Changes User Object Changes Users created/deleted Users disabled/enabled User identity changed User accounts moved User account management 31

34 InTrust for Active Directory 32 User account options management Changes to user account passwords Logon hours changed Mail proxy address added Group Object Changes Groups created/deleted Group objects moved Group type changed Group membership management Changes to built-in administrative groups membership Mailbox Changes Mailbox enabled Mailbox moved Mailbox quota changed Mailbox security changed Organizational Unit Changes OU created/deleted OU moved/renamed Block policy inheritance disabled/enabled OU delegation changes Domain changes Domain trust relationship changes Domain changes Computer Object Changes Global Catalogs promoted/demoted Computer objects moved DNS Zone Changes DNS Record changes DNS records delegation changes Active Directory Configuration Changes Changes to Active Directory schema Changes to FSMO roles Changes to replication configuration Changes to site configuration

35 Working with InTrust for Active Directory Universal group membership setting changes Site link schedule changes Connection schedule changes Group Policy Changes General Change Requests All change requests for GPOs Change requests for protected GPOs Direct SYSVOL changes Specific Group Policy Changes Changes to Audit Policy settings Changes to User Rights Security options changes Group Policy Assignment Group Policy assignments Changes to assigned Group Policy priorities InTrust for Active Directory Service Discovery Domain controllers with InTrust for Active Directory Service installed Domain controllers without InTrust for Active Directory Service installed InTrust for Active Directory Configuration Changes Protected Active Directory objects configuration changes Protected Group Policy objects configuration changes Changes to the list of accounts excluded from protection ActiveRoles Server/InTrust for Active Directory Change Management Administrative activity performed outside of ActiveRoles Server All activity within and outside of ActiveRoles Server Unauthorized activity using the ActiveRoles Server account 33

36 InTrust for Active Directory Rules Change Attempts Tracking Active Directory Object Change Attempts Attempt to Delete Protected Active Directory Object Attempt to Modify Protected Active Directory Object Attempt to Move Protected Active Directory Object Attempt to Create Active Directory Object in Protected Container Unauthorized Attempt to Delete Active Directory Object Unauthorized Attempt to Modify Active Directory Object Unauthorized Attempt to Create Active Directory Object Unauthorized Attempt to Move Active Directory Object Group Policy Object Change Attempts Attempt to Modify Protected Group Policy Object Attempt to Delete Protected Group Policy Object Attempt to Create Group Policy Object in Protected Container Unauthorized Attempt to Delete Group Policy Object Unauthorized Attempt to Modify Group Policy Object Unauthorized Attempt to Create Group Policy Object Service Discovery and Availability InTrust for Active Directory Service is not Installed InTrust for Active Directory Service is not Running Successful Change Tracking Active Directory Object Changes 34 Active Directory Object Was Successfully Modified Active Directory Object Was Successfully Deleted Active Directory Object Was Successfully Created Active Directory Object Was Successfully Moved Replication Topology Changed Administrative Group Membership Changed FSMO Role Transferred

37 Working with InTrust for Active Directory Group Policy Object Changes Group Policy Object Was Deleted Group Policy Object Was Modified Group Policy Object Was Created Sites All Domain Controllers Domain Controllers (installed ITAD service) Domain Controllers (active ITAD service) Domain Controllers (stopped ITAD service) Domain Controllers (uninstalled ITAD service) Tasks InTrust for Active Directory: Scheduled log gathering and reporting InTrust for Active Directory: Service Management Data Sources InTrust for Active Directory Service Discovery InTrust for Active Directory Service Status InTrust for AD Event Log InTrust for AD: Activate AD change tracking service InTrust for AD: Stop AD change tracking service InTrust for AD: Uninstall AD change tracking service Gathering Policies InTrust for Active Directory: Activate AD change tracking service InTrust for Active Directory: All Events InTrust for Active Directory: Stop AD change tracking service InTrust for Active Directory: Uninstall AD change tracking service 35

38 InTrust for Active Directory Miscellaneous InTrust for Active Directory: All Events import policy InTrust for Active Directory real-time monitoring policy InTrust for Active Directory Operators notification group 36

39 Appendix B. Registry Settings InTrust for Active Directory configuration can be fine-tuned by configuring several registry key values on the InTrust for Active Directory server. This section documents the most important values that can help you tailor InTrust for Active Directory to fit your requirements. The values are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\InTrust for Active Directory key. Logging The EnableLogging value determines how detailed the internal logs of the InTrust for Active Directory Service are. You can set the value to the following: 1 (error messages) 2 (error and warning messages; this is the default) 3 (error, warning and information messages) 4 (verbose logging) 5 (debugging mode) The MaxLogSize sets the maximum size (in bytes) for the InTrust for Active Directory Service log file. When this size is reached, the extension.old is appended to the file name, and a new log file is started. By default, MaxLogSize is set to The AuditBinarySDChanges value specifies whether to store the actual hexadecimal values of those attributes whose changes are logged in humanreadable form (ntsecuritydescriptor, msexchmailboxsecuritydescriptor). If AuditBinarySDChanges is set to 1, the InTrust for Active Directory Service logs the original "before" and "after" values, which can take a lot of disk space. By default, AuditBinarySDChanges is set to 0, and the following placeholder string is written instead of the attribute values: <blob>. 37

40 InTrust for Active Directory Logon Attributes The AuditLogonAttributes and ProtectLogonAttributes values specify whether the changes to following account attributes are audited and prevented: lastlogon lockouttime badpwdcount badpasswordtime logoncount lastlogoff The values of these attributes is changed by the system at each logon, and tracking them is usually meaningless. By default, AuditLogonAttributes and ProtectLogonAttributes are 0, which means no audit and protection. If you need to audit or prevent changes to these attributes, set the corresponding value to 1. Protecting these attributes from modification by the system helps prevent account lockouts, for example. SYSVOL File Changes The GpoConfirmTimeOut value sets a timeout in milliseconds. This timeout is used to determine whether a Group Policy object was changed by directly modifying files on the SYSVOL share. The default for this value is The GptFileOpenTimeOut value specifies how long to wait for a Group Policy template file to be unlocked before logging a GPO protection error. A Group Policy template (*.gpt) file can be locked by tools such as the Group Policy Editor snap-in. The timeout is in milliseconds, and is set to 2000 by default. You might want to increase this value if regular GPO changes take long to apply and are mistaken for direct SYSVOL changes. Some Group Policy management tools, such as Quest Group Policy Manager, delay modifications before changing multiple files on SYSVOL at once. Such legitimate changes may be misinterpreted if the GpoConfirmTimeOut value is set too low. The ProtectFromDirectGptChanges value can be 1 or 0. This value specifies whether direct changes to files on the SYSVOL shares of domain controllers are prevented (1) or permitted (0). By default, they are prevented (1). 38

41 Appendix B. Registry Settings Some Group Policy changes may appear to be direct manual SYSVOL changes when in fact they are not. For example, the backup and restore operations of Group Policy Management Console are treated as direct SYSVOL changes. As such, they are prevented by default. If this behavior interferes with Group Policy administration in your environment, set the ProtectFromDirectGptChanges value to 0. General Auditing and Protection The following registry key values are more generic, and they are interpreted differently: SuccessAuditLevel Controls auditing of successful changes. ProtectAuditLevel Controls auditing of change prevention events, including prevention by the system and prevention of changes attempted by undetermined accounts. FailureAuditLevel Controls auditing of change attempts prevented by the system, not by InTrust for Active Directory. ProtectLevel Controls protection from changes. These are DWORD values contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\InTrust for Active Directory key. The numbers specified determine which events are audited and prevented, and which events are not. Registry settings override Administration Tools settings. For example, if you use the snap-in to protect objects but protection is disabled in the registry, the objects will not be protected. For backward compatibility, InTrust for Active Directory also supports the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\InTrust for Active Directory\WriteAllEvents key, which does not exist by default. This key is used only if none of the previously described values exist, and it results in InTrust for Active Directory working the way versions prior to 2.0 worked. 39