How to monitor AD security with MOM

An article about monitoring Active Directory security with Microsoft Operations Manager 2005

Anders Bengtsson, MCSE
http://www.momresources.org
November 2006
Table of Contents

Introduction ... 3
Domain Controller and Active Directory settings ... 4
Create a new group policy object and enable auditing ... 4
Friendly names ... 5
Settings in MOM ... 6
Create a new rule group ... 6
Create a rule to monitor changes in a security group ... 7
Create a rule to monitor logon by a specified account ... 8
Create a rule to monitor permission changes on an OU ... 9
Enable auditing for an OU ... 9
Create a rule to monitor OU permissions ... 10
More information ... 11
Feedback ... 11

Anders Bengtsson, MCSE  www.momresources.org  Page 2
Introduction

Which is your most important service? Most organizations running MOM will answer Active Directory. Most of your services, such as Exchange and SQL, and all your clients depend on Active Directory. Most issues within Active Directory are fairly easy to fix if they are detected early, and the Active Directory management pack for Microsoft Operations Manager will help your organization do that. The AD MP monitors core AD functions, client-side services and replication, and gives you an overview of Active Directory health.

The AD MP has one disadvantage: it does not monitor security, or security changes that will affect your Active Directory, for example changes to your Domain Admins security group. This article shows how to monitor some basic changes; you should create rules that fulfil your own organization's security requirements. The purpose of this article is not to give you a complete security management pack, only to give you a hint of what you can do with MOM regarding Active Directory security. This article presupposes that you have some basic knowledge of working with MOM.
Domain Controller and Active Directory settings

You can log events to the Security event log for every successful and/or failed attempt to access or modify objects in Active Directory. Auditing is configured in a group policy object that is linked to the Domain Controllers OU. You should not change the default domain controllers policy; instead, create a new GPO and link it to the Domain Controllers OU. Group Policy Management Console (GPMC) is a great tool for working with group policies.

Create a new group policy object and enable auditing

1. Start Group Policy Management Console (GPMC) with a suitable account.
2. GPMC: Expand your forest, your domain and the Group Policy Objects folder.
3. GPMC: Right-click the Group Policy Objects folder and choose New.
4. New GPO: Enter a suitable name for the new policy, for example DC Auditing policy, then click OK.
5. GPMC: Right-click your new policy object and choose Edit.
6. Group Policy Object Editor: Expand Computer Settings, Windows Settings, Security Settings, Local Policies, Audit Policy.
7. Group Policy Object Editor: Double-click Audit account logon events and mark both Success and Failure, then click OK. This setting generates an event for every successful or failed logon to the domain.
8. Group Policy Object Editor: Double-click Audit account management and mark both Success and Failure, then click OK. This setting generates an event for every successful or failed change, creation and deletion of users and groups.
9. Group Policy Object Editor: Double-click Audit logon events and mark both Success and Failure, then click OK. This setting generates an event for all logons to the domain.
10. Group Policy Object Editor: Double-click Audit directory service access and mark Success, then click OK. This setting generates, for example, an event for security changes on an OU.
11. Group Policy Object Editor: Close the console by choosing Exit on the File menu.
12. GPMC: Right-click your Domain Controllers folder and choose Link an Existing GPO.
13. Select GPO: Choose the new policy you have created, in this example DC Auditing policy, and then click OK.

Active Directory domain controllers automatically check for changes to domain controller policy every five minutes. Replication intervals must also be considered for the policy to propagate to all domain controllers in the organization.
Friendly names

With default settings you will only see SIDs and GUIDs, not friendly names, in alerts. To change this you have to modify the registry on every agent machine. You can make the modification in different ways, for example with a script. Don't forget to back up your registry before you make any changes.

1. Start Registry Editor on an agent machine (in this example the agents are the domain controllers).
2. Registry Editor: Browse to the key HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint
3. Registry Editor: Right-click OnePoint and choose New, DWORD Value.
4. Registry Editor: Name the new DWORD value ResolveGUID.
5. Registry Editor: Double-click the new DWORD value and change the value data to 1; the base should be hexadecimal.
6. Registry Editor: Close Registry Editor.

Restart the MOM agent service (MOM) in the Services console.
[Figure: Registry change]

Settings in MOM

Create a new rule group

To maintain order and keep your manually created rules separate, you should create a new rule group for your rules.

1. Start the MOM 2005 Administrator Console.
2. Administrator Console: Expand Management Packs, right-click Rule Groups and choose Create Rule Group.
3. Rule Group Properties, General: Enter a name and description, for example AD Security Monitoring, then click Next.
4. Rule Group Properties, Knowledge Base: Enter information in the company knowledge base and click Finish.
5. Microsoft Operations Manager: Choose Yes to deploy the rules in this rule group to a group of computers.
6. Rule Group Properties: Click Add and choose a computer group that includes all your domain controllers, for example Windows Server 2003 Domain Controllers. Click OK.
7. Rule Group Properties: Click OK.

Create a rule to monitor changes in a security group

This example shows how to create an alert if anyone changes the members of the Domain Admins security group. You can create rules for any important group within your organization.

1. Administrator Console: Expand your new rule group in the MOM Administrator Console, right-click Event Rules and choose Alert on or Respond to Event.
2. Event Rule Properties, Data Provider:
   Provider name: Security
   Provider type: Windows NT Event Log
   Click Next.
3. Event Rule Properties, Criteria: Click Advanced and add the following to the criteria list:
   Field: Event Number
   Condition: matches Boolean regular expression
   Value: 632|633 (| = OR)
   and also add
   Field: Description
   Condition: matches wildcard
   Value: *Domain Admins* (* = any character, 0 or more matches)
   Click Close and then Next.
4. Event Rule Properties, Schedule: Choose Always process data and then click Next.
5. Event Rule Properties, Alert: Mark Generate alert and then click Next.
6. Event Rule Properties, Alert Suppression: Leave the default settings and click Next.
7. Event Rule Properties, Responses: Add a response if your organization requires it, then click Next.
8. Event Rule Properties, Knowledge Base: Add company knowledge base information if needed, then click Next.
9. Event Rule Properties, General: Enter a name, for example Group membership changes, and then click Finish. Verify that the rule is enabled before you click Finish.

Be aware that different group types generate different event IDs. Verify that you are collecting the correct event IDs for the security group(s) you are monitoring.

Changes to global security groups generate event IDs 632 and 633.
Changes to universal security groups generate event IDs 660 and 661.
Changes to domain local security groups generate event IDs 650 and 651.
Changes to local security groups generate event IDs 636 and 637.

Create a rule to monitor logon by a specified account

As a network administrator you will want to know whether your service accounts are being used anywhere in the network other than where you expect them to be used. It is also interesting to see whether someone is logging on with the Administrator account. This example alerts when the Administrator account logs on at any computer.

1. Administrator Console: Expand your new rule group in the MOM Administrator Console, right-click Event Rules and choose Alert on or Respond to Event.
2. Event Rule Properties, Data Provider:
   Provider name: Security
   Provider type: Windows NT Event Log
   Click Next.
3. Event Rule Properties, Criteria: Click Advanced and add the following to the criteria list:
   Field: Event Number
   Condition: equals
   Value: 528
   and also add
   Field: Source Domain
   Condition: equals
   Value: your domain name (for example CONTOSO)
   and also add
   Field: User Name
   Condition: equals
   Value: Administrator
4. Event Rule Properties, Schedule: Choose Always process data and then click Next.
5. Event Rule Properties, Alert: Mark Generate alert and then click Next.
6. Event Rule Properties, Alert Suppression: Leave the default settings and click Next.
7. Event Rule Properties, Responses: Add a response if your organization requires it, then click Next.
8. Event Rule Properties, Knowledge Base: Add company knowledge base information if needed, then click Next.
9. Event Rule Properties, General: Enter a name, for example Administrator logon, and then click Finish. Verify that the rule is enabled before you click Finish.

Be aware that there are multiple logon types. If you add criteria to monitor a specific logon type, verify that you are collecting the right type.

Interactive = logon type 2 (for example logon at the console)
Network = logon type 3 (for example connecting to a shared folder or network printer)
Batch = logon type 4 (for example scheduled tasks)
Service = logon type 5 (for example when a service starts)
Unlock = logon type 7 (for example unlocking a workstation whose screensaver is password protected)
Network Cleartext = logon type 8 (like logon type 3, but the password is sent in clear text)
New Credentials = logon type 9 (for example when you use RunAs)
Remote Interactive = logon type 10 (for example when you use Remote Desktop)
Cached Interactive = logon type 11 (for example when a user logs on with cached credentials)

Create a rule to monitor permission changes on an OU

First we have to enable auditing on the OU where you want to monitor permission changes. After that we create a rule in MOM to collect those events.

Enable auditing for an OU

1. Open Active Directory Users and Computers and browse to the OU where you want to monitor permission changes. Right-click it and choose Properties.
2. OU Properties: Click the Security tab.
3. OU Properties: Click Advanced.
4. Advanced Security Settings for OU: Click the Auditing tab, then click Add.
5. Select User, Computer, or Group: Enter Everyone, click Check Names, then click OK.
6. Auditing Entry for OU:
   Name: Everyone
   Apply onto: This object and all child objects
   Access: Modify Permissions, Successful
   Click OK.
7. Advanced Security Settings for OU: Click OK.
8. OU Properties: Click OK.

Create a rule to monitor OU permissions

1. Administrator Console: Expand your new rule group in the MOM Administrator Console, right-click Event Rules and choose Alert on or Respond to Event.
2. Event Rule Properties, Data Provider:
   Provider name: Security
   Provider type: Windows NT Event Log
   Click Next.
3. Event Rule Properties, Criteria: Click Advanced and add the following to the criteria list:
   Field: Event Number
   Condition: equals
   Value: 566
   and also add
   Field: Description
   Condition: matches wildcard
   Value: *organizationalunit* (* = any character, 0 or more matches)
4. Event Rule Properties, Schedule: Choose Always process data and then click Next.
5. Event Rule Properties, Alert: Mark Generate alert and then click Next.
6. Event Rule Properties, Alert Suppression: Leave the default settings and click Next.
7. Event Rule Properties, Responses: Add a response if your organization requires it, then click Next.
8. Event Rule Properties, Knowledge Base: Add company knowledge base information if needed, then click Next.
9. Event Rule Properties, General: Enter a name, for example OU Permission change, and then click Finish. Verify that the rule is enabled before you click Finish.

You could enable OU change monitoring at the domain level, which will apply to all your OUs.

More information

Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-DD3CBFC81887&displaylang=en

Feedback

I hope you find this article helpful. Your feedback is always welcome and appreciated at anders@contoso.se or administrator@momresources.org
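The three event rules in this article (group membership changes, Administrator logon and OU permission change) all follow the same pattern: a list of criteria over the event's fields, every one of which must match before MOM raises an alert. The Python script below is an added example, not code from the article and not MOM's own implementation; it replicates that criteria logic over a few constructed sample Security-log events so that you can check a rule's coverage offline before deploying it. It assumes the three condition types the article uses (equals, matches wildcard, and matches Boolean regular expression with | meaning OR), treats wildcard matching as case-insensitive, and derives a logon_type field from the event description; the field names, the sample event texts and the domain name CONTOSO are all constructed. It goes beyond the article's rules in two places: a second group rule that covers every group type listed in the group-change section, and a logon rule narrowed to one logon type from the logon-type list.

```python
"""Replica of the MOM 2005 event-rule criteria from this article, run over
constructed sample Security-log events.  Added example: not the article's
code and not MOM's own implementation."""
import fnmatch
import re

# Constructed sample events (not real log data).  The keys mirror the MOM
# criteria fields used in the article: Event Number, Description, Source
# Domain and User Name.  Descriptions are shortened to the parts that matter.
SAMPLE_EVENTS = [
    {"event_number": 632, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Security Enabled Global Group Member Added. "
                    "Target Account Name: Domain Admins"},
    {"event_number": 661, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Security Enabled Universal Group Member Removed. "
                    "Target Account Name: Domain Admins"},
    {"event_number": 632, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Security Enabled Global Group Member Added. "
                    "Target Account Name: Sales"},
    {"event_number": 528, "source_domain": "CONTOSO", "user_name": "Administrator",
     "description": "Successful Logon. Logon Type: 10"},
    {"event_number": 528, "source_domain": "CONTOSO", "user_name": "Administrator",
     "description": "Successful Logon. Logon Type: 3"},
    {"event_number": 528, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Successful Logon. Logon Type: 2"},
    {"event_number": 566, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Object Operation. Object Type: organizationalUnit. "
                    "Accesses: WRITE_DAC"},
    {"event_number": 566, "source_domain": "CONTOSO", "user_name": "jdoe",
     "description": "Object Operation. Object Type: user. Accesses: WRITE_DAC"},
]


def field_value(event, field):
    """Fetch a criteria field as text.  'logon_type' is a derived field
    (assumption) parsed from the description, because the logon type only
    appears in the message text of event 528."""
    if field == "logon_type":
        m = re.search(r"Logon Type:\s*(\d+)", event.get("description", ""))
        return m.group(1) if m else ""
    return str(event.get(field, ""))


def criterion_matches(event, field, condition, value):
    """Evaluate one MOM-style criterion (field, condition, value)."""
    actual = field_value(event, field)
    if condition == "equals":
        return actual == str(value)
    if condition == "matches wildcard":
        # * = any characters, 0 or more; compared case-insensitively (assumption).
        return fnmatch.fnmatchcase(actual.lower(), str(value).lower())
    if condition == "matches Boolean regular expression":
        # "|" means OR, as in the article's 632|633 value.
        return re.fullmatch(str(value), actual) is not None
    raise ValueError("unknown condition: " + condition)


def rule_matches(event, criteria):
    """A rule fires only when every criterion in its list matches."""
    return all(criterion_matches(event, *c) for c in criteria)


RULES = {
    # The article's rule as written (global groups only).
    "Group membership changes (article: global groups)": [
        ("event_number", "matches Boolean regular expression", "632|633"),
        ("description", "matches wildcard", "*Domain Admins*"),
    ],
    # Broadened to the event IDs the article lists for every group type.
    "Group membership changes (all security group types)": [
        ("event_number", "matches Boolean regular expression",
         "632|633|660|661|650|651|636|637"),
        ("description", "matches wildcard", "*Domain Admins*"),
    ],
    "Administrator logon": [
        ("event_number", "equals", 528),
        ("source_domain", "equals", "CONTOSO"),
        ("user_name", "equals", "Administrator"),
    ],
    # Same rule narrowed to Remote Interactive logons (logon type 10).
    "Administrator remote desktop logon": [
        ("event_number", "equals", 528),
        ("source_domain", "equals", "CONTOSO"),
        ("user_name", "equals", "Administrator"),
        ("logon_type", "equals", 10),
    ],
    "OU Permission change": [
        ("event_number", "equals", 566),
        ("description", "matches wildcard", "*organizationalunit*"),
    ],
}


def evaluate(events=SAMPLE_EVENTS, rules=RULES):
    """Return {rule name: [indices of the events the rule would alert on]}."""
    return {name: [i for i, ev in enumerate(events) if rule_matches(ev, crit)]
            for name, crit in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: alerts on sample events {hits}")
```

Running the script prints which sample events each rule would alert on. Note that the article's 632|633 rule does not fire on the universal-group change (event 661, sample event 1) while the broadened rule does; that is exactly the group-type caveat from the group-change section, and the same kind of dry run shows whether a logon-type criterion is narrowing the Administrator rule the way you intended.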