How to Audit the 5 Most Important Active Directory Changes



Similar documents
Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

Windows Log Monitoring Best Practices for Security and Compliance

Windows Logging Configuration: Audit Policy Configuration

Netwrix Auditor. Сomplete visibility into who changed what, when and where and who has access to what across the entire IT infrastructure

7 Tips for Achieving Active Directory Compliance. By Darren Mar-Elia

Netwrix Auditor. Administrator's Guide. Version: /30/2015

White Paper. 7 Questions to Assess Data Security in the Enterprise

The Change Auditing System

Overcoming Active Directory Audit Log Limitations. Written by Randy Franklin Smith President Monterey Technology Group, Inc.

Top 10 Security Hardening Settings for Windows Servers and Active Directory

Reports, Features and benefits of ManageEngine ADAudit Plus

Keeping Tabs on the Top 5 Critical Exchange Server Changes with Netwrix Auditor

Blackbird Management Suite Blackbird Group, Inc.

Netwrix Auditor for Active Directory

What s New Guide. Active Administrator 6.0

How to monitor AD security with MOM

Reports, Features and benefits of ManageEngine ADAudit Plus

Today s Agenda. Challenges, limitations & solutions Technology overview Demonstration Why Netwrix Q&A

Dell InTrust 11.0 Best Practices Report Pack

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

JIJI AUDIT REPORTER FEATURES

Admin Report Kit for Active Directory

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Portland State University Office of Information Technologies Active Directory Standards and Guidelines for Campus Administrators

How To Protect Your Active Directory (Ad) From A Security Breach

2014 State of IT Changes Survey Results

Selecting the Right Active Directory Security Reports for Your Business

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

The 5 Most Critical Points

Administering Active Directory. Administering Active Directory. Reading. Review: Organizational Units. Review: Domains. Review: Domain Trees

Exchange Auditing in the Enterprise

Netwrix Auditor for Exchange

Netwrix Auditor for Windows Server

Quest InTrust. Change auditing and policy compliance for the secure enterprise. May Copyright 2006 Quest Software

Role Based Access Control for Industrial Automation and Control Systems

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

IT SECURITY GURU PRODUCT REVIEW Netwrix Auditor 6.5

Installing, Configuring, and Managing a Microsoft Active Directory

Netwrix Auditor for SQL Server

Netwrix Auditor. Role-Based Access. Version: /27/2015

Active Directory Integration Guide

Implementing HIPAA Compliance with ScriptLogic

Administering Group Policy with Group Policy Management Console

Windows Server 2012 / Windows 8 Audit Fundamentals

Netwrix Auditor for SQL Server

Configuring Windows Server 2008 Active Directory

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

R4: Configuring Windows Server 2008 Active Directory

Stellar Active Directory Manager

Resolving Active Directory Backup and Recovery Requirements with Quest Software

Group Policy 21/05/2013

Outpost Network Security

Active Directory Change Notifier Quick Start Guide

NetWrix SQL Server Change Reporter

Group Policy and Organizational Unit Re-Structuring Template

Netwrix Auditor for File Servers

Top 10 Most Popular Reports in Enterprise Reporter

CC4 TEN: Pre-installation instructions for Windows Server networks

Best Practices for Auditing Changes in Active Directory WHITE PAPER

10 Things IT Should be Doing (But Isn t)

WHITE PAPER. Take Back Control of Your Active Directory Auditing

White Paper. of User Activity Monitoring in Managed Environments

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

Egress Switch Administration Panel. User Guide

Best Practices for an Active Directory Migration

Centrify Cloud Connector Deployment Guide

LDAP Implementation AP561x KVM Switches. All content in this presentation is protected 2008 American Power Conversion Corporation

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Installing Active Directory

Restructuring Active Directory Domains Within a Forest

Netwrix Auditor for Windows File Servers

NetWrix File Server Change Reporter. Quick Start Guide

The Administrator Shortcut Guide tm. Active Directory Security. Derek Melber, Dave Kearns, and Beth Sheresh

CHAPTER THREE. Managing Groups

TestOut Course Outline for: Windows Server 2008 Active Directory

NetWrix SQL Server Change Reporter

Introduction to Auditing Active Directory

Active Directory Integration

Quest InTrust for Active Directory. Product Overview Version 2.5

Security and Rights Delegations for the Password Reset PRO Master Service Applies to software versions 2.x.x and 3.x.x

Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

MS-6425C - Configuring Windows Server 2008 Active Directory Domain Services

Secret Server Qualys Integration Guide

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

How To Use Sharepoint Online On A Pc Or Macbook Or Macsoft Office 365 On A Laptop Or Ipad Or Ipa Or Ipo On A Macbook (For A Laptop) On A Desktop Or Ipro (For An Ipro

Netwrix Auditor. Сomplete Visibility into IT Infrastructure Changes and Data Access. netwrix.com netwrix.com/social

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

NETWRIX EVENT LOG MANAGER

Planning and Implementing an OU Structure

NetWrix Logon Reporter V 2.0

GFI White Paper PCI-DSS compliance and GFI Software products

NetWrix Privileged Account Manager Version 4.0 Quick Start Guide

14 Ways to More Secure and Efficient Active Directory Administration

FileMaker Security Guide The Key to Securing Your Apps

Transcription:

How to Audit the 5 Most Important Active Directory Changes www.netwrix.com Toll-free: 888.638.9749

Table of Contents Introduction #1 Group Membership Changes #2 Group Policy Changes #3 AD Permission Changes #4 New and Enabled User Accounts #5 Trust Relationship Changes Getting Handle on Your AD Changes About Randy Franklin Smith About Netwrix Corporation 3 3 3 6 6 6 7 8 8 2

Introduction Active Directory is the central identity store and authentication provider for most networks today making it hugely critical to security. In this white paper I ll discuss the 5 most important changes affecting the security of Active Directory, show you how to audit these events using native auditing and point out the limitations and gaps you should be aware before depending on these events. Since domain controllers generate the events covered in this white paper, you need to enable audit policies on the Default Domain Controller Security Policy GPO. #1 Group Membership Changes Active Directory groups control access to resources throughout your domain. This includes not just permissions on file servers but also in SharePoint, Exchange, SQL Server and other applications that integrate with AD including cloud applications. Therefore you need an audit trail of group membership changes and you need to review changes to important groups like AD s built-in privileged groups and other custom groups you identify as having significant access to resources and applications within your environment. To audit group membership changes you need to enable the Audit Security Group Management audit policy and then look for events 4728, 4732 and 4756 which cover new members added to global, local and universal groups. These events indicate who made the change, which group was affected and who the new member is. You should also monitor changes to a group s scope (Global, Local or Universal) or type (Security/Distribution/Application). Scope changes can suddenly allow a group to be granted access in other trusting domains or have members from other trusted domains. A rogue privileged user, counting on you only monitoring security group changes, could change a Security group to a Distribution group, add an unauthorized member and change it back to a Security group. To catch all scope and type changes on groups review occurrences of event ID 4764. #2 Group Policy Changes Group Policy objects control domain level security settings as well as security configuration of member servers and workstations throughout your domain. So to be secure and compliant you need to be aware of any changes affecting Group Policy and that includes more than just changes to Group Policy objects themselves. Organizational Units (as well as Sites and the root of the domain) have Group Policy related attributes that can impact the application of Group Policy on the users and computers within that OU. To audit these events you need to enable the Audit directory service changes and Audit directory service access policies. Then you must configure object level auditing with Active Directory Users and Computers. 3

Here s what you should enable at the root of the domain: Who Object type Object Property Success/Failure Permissions Permissions Everyone Descendant Modify Success Everyone organizationalunit objects Permissions Write gpoptions Success Everyone Write gplink Success Everyone Descendant Write All Success Everyone grouppolicycontainer objects Properties Modify Success Permissions Everyone This object only Modify Success Permissions Everyone Write gpoptions Success Everyone Write gplink Success Note that these audit specs also include the necessary object level auditing for AD permission changes, which we ll discuss below. Now that you ve enabled system and object level auditing let s talk about auditing three aspects of GPO management: modifying permissions to the GPO, modifying GPO settings and deleting a GPO. The permissions on a GPO control who can edit the GPO and can be used for security filtering to limit the application of the GPO to a subset of users or computers. To find permission changes to GPOs look for event ID 4662, as shown below, where the Object Type is grouppolicycontainer (AD schema name for GPO) and the Properties include WRITE_DAC which means Modify Permissions. 4

As you can see from this event, Windows does not provide the display name of the GPO only it s GUID. This is an example of the limitations with native auditing. To figure out the Display Name of the GPO you ll need to go to Active Directory Users and Computers and add Display Name as a column. Then select the System\Policies folder and you ll see a list of all the GPOs in the domain with their GUID and Display Name which you can then cross reference. In addition to the GUID/Display Name issue, the standard event 4662 only tells you that the GPOs permissions where change and who changed them - It fails to tell you what permission were changed. In the example event above, Everyone was granted the authority to edit the GPO which could be very dangerous. Auditing changes to GPO settings is equally as unhelpful. Setting changes are logged in event 5136 with Class as grouppolicycontainer and Attribute LDAP Display Name as versionnumber. While this event tells you that a specified user (noted in the Subject section of the event detail) modified a GPO, it does not tell you which setting(s) within that GPO where modified much less their before and after values. And again you must translate the GUID in the event to the Display Name of the GPO to really understand which GPO was affected. Finally, you should also monitor for deletions of GPOs since that could wipe out entire collection of critical security settings. Look for event ID 5141, again with the Class as grouppolicycontainer. 5

#3 AD Permission Changes With the object level audit policy specified in the figure above, AD will also log permission changes to any object within the domain. Such permission changes are very important to review because they indicate that some level of access to AD objects was delegated. Permission changes in AD can be just as powerful as making someone a member of the Domain Admins group. For instance, if someone grants the Everyone group Full Control to the root of the domain you would want to know. Permission changes to OUs or domain roots are logged just like GPO permission changes described above but the Object Type will be either organizationalunit or domaindns. You need to investigate these permission changes to make sure privileged authority over AD has not been weakened. However we encounter the same limitation with native auditing affecting GPO permission changes. AD tells us Bob changed the permission on the organizational unit but not what the new permissions are. You will have to look at the security settings of the object in AD and assess whether the current permissions are appropriate. # 4 New and Enabled User Accounts New user accounts represent a new set of credential with access to your environment. It pays to review these additions to AD so that you can promptly respond to inappropriate accounts, accounts created outside normal controls or event backdoor accounts created by APTs and other attackers. Similarly, accounts that were previously disabled but suddenly enabled require review as well, since they should be fairly uncommon and represent the same risk as newly created accounts. To track these and other changes to AD user accounts enable the Audit user account management audit policy. Then look for event ID 4720 (user account creation) and 4722 (user account enabled). These events are pretty straightforward but be aware of a false positive situation: when you initially create a user account, AD creates the account as disabled, makes several initial updates to it and then immediately enables it. Therefore you will always see a somewhat bogus occurrence of 4722 associated with each new account created and need to ignore these. # 5 Trust Relationship Changes Trust relationship changes are infrequent but have massive security ramifications. When you trust another domain or forest your computers now accept the identity of all of those users. And if you resources where permission are granted to Everyone or Authenticated Users, the users of the newly trusted domain now instantly inherit those permissions. To audit trust relationships enable the Audit authentication policy changes audit policy and then look for event IDs 4706, 4707, 4716, 4865, 4866 and 4867. Together these events cover all changes to trust relationships. Be aware that Windows logs duplicates of some events and does not always use the terms trusted and trusting correctly. Again these events should be a trigger for you to investigate the new status of trust relationships in Active Directory Domains and Trusts. 6

Getting Handle on Your AD Changes While not an exhaustive list of everything you should audit in Active Directory, it is a good start. You will need to watch the security log of each domain controller in your environment because security events are not replicated between domain controllers. Events are simply logged on the domain controller that happened to service the client request. As you can see native auditing alerts you to important changes but frequently leaves out crucial details that you must investigate for yourself. I encourage you to compare native auditing with the capabilities of Netwrix Auditor for Active Directory which provides detailed insight into exactly who made what change, when and where in Active Directory. Once a change has been identified, Netwrix Auditor for Active Directory alerts IT administrators in real-time and gives the ability to roll-back unwanted changes and restore deleted objects with just a few clicks. The state-in-time auditing feature provides a complete visibility of how your Active Directory was configured in the past (days/moths/years ago). Other features of Netwrix Auditor for Active Directory include long-term storage of audit data, password expiration alerting, inactive user tracking, Windows Server auditing, event log management and user activity video recording. If you just need a simple tool that keeps you notified on changes to Active Directory, I suggest you try Netwrix Change Notifier for Active Directory. It s a 100% free tool that provides basic monitoring and reporting capabilities on Active Directory changes. 7

About Randy Franklin Smith Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations. Certifications: Certified Information Systems Auditor (CISA) Microsoft Security Most Valuable Professional (MVP) Systems Security Certified Professional (SSCP) Industry Memberships: Information Systems Security Association (ISSA) Information Systems Audit and Control Association (ISACA) Center for Internet Security (CIS) About Netwrix Corporation Netwrix Corporation is the leading provider of change auditing software, offering the most simple, efficient and affordable IT infrastructure auditing solutions with the broadest coverage of audited systems and applications available today. Founded in 2006, Netwrix has grown to have thousands of customers worldwide. The company is headquartered in Irvine, California, with regional offices in New Jersey, Ohio, Georgia and the UK. Netwrix Corporation, 20 Pacifica, Suite 625, Irvine, CA 92618, US Regional offices: New York, Atlanta, Columbus, London netwrix.com/social (( Toll-free: 888-638-9749 Int'l: +1 (949) 407-5125 EMEA: +44 (0) 203-318-0261 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information