Active Directory 2008 Audit Management Pack Guide for Operations Manager 2007 and Essentials 2010



Similar documents
Windows Scheduled Tasks Management Pack Guide for System Center Operations Manager. Published: 07 March 2013

How to monitor AD security with MOM

How to Configure Microsoft System Operation Manager to Monitor Active Directory, Group Policy and Exchange Changes Using NetWrix Active Directory

Audit account logon events

Integrating LANGuardian with Active Directory

Audit Policy Subcategories

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

Distributed File System Replication Management Pack Guide for System Center Operations Manager 2007

PLANNING AND DESIGNING GROUP POLICY, PART 1

Microsoft Windows Server 2008 Active Directory, Configuring

Partie Serveur Lab : Implement Group Policy. Create, Edit and Link GPOs. Lab : Explore Group Policy Settings and Features

Windows Logging Configuration: Audit Policy Configuration

Admin Report Kit for Active Directory

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

What s New Guide: Version 5.6

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

2. Using Notepad, create a file called c:\demote.txt containing the following information:

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Windows 2008 Server DIRECTIVAS DE GRUPO. Administración SSII

These guidelines can dramatically improve logon and startup performance.

Silect Software s MP Author

MS 50255B: Managing Windows Environments with Group Policy (4 Days)

Director and Windows Server 2008 (and 2003)

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Windows Log Monitoring Best Practices for Security and Compliance

How to Enable the Audit of Active Directory Objects in Windows 2008 R2 Lepide Software

Managing Windows Environments with Group Policy 50255D; 5 Days, Instructor-led

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

MS-50255: Managing, Maintaining, and Securing Your Networks Through Group Policy. Course Objectives. Required Exam(s) Price.

Hands-On Microsoft Windows Server 2008

Q&A. DEMO Version

Log Management and Intrusion Detection

Audit Management Reference

Windows Clients and GoPrint Print Queues

Exam Questions

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

Xcalibur. Foundation. Administrator Guide. Software Version 3.0

ALTIRIS CONNECTOR 6.0 FOR ACTIVE DIRECTORY HELP

CONFIGURING TARGET ACTIVE DIRECTORY DOMAIN FOR AUDIT BY NETWRIX AUDITOR

Stellar Active Directory Manager

Ultimate Windows Security for ArcSight. YOUR COMPLETE ARCSIGHT SOLUTION FOR MICROSOFT WINDOWS Product Overview - October 2012

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

About Archiving for Microsoft Exchange Server

Managing Windows Environments with Group Policy

Deploying System Center 2012 R2 Configuration Manager

EMC CLARiiON PRO Storage System Performance Management Pack Guide for Operations Manager Published: 04/14/2011

Ultimus and Microsoft Active Directory

DIRECTORY PASSWORD V1.2 Quick Start Guide

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425

Next-Gen Monitoring of Active Directory. Click to edit Master title style

EventTracker: Support to Non English Systems


Management Reporter Integration Guide for Microsoft Dynamics AX

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Authoring for System Center 2012 Operations Manager

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

How To Install And Configure Windows Server 2003 On A Student Computer

Windows Scheduled Task and PowerShell Scheduled Job Management Pack Guide for Operations Manager 2012

RSA Event Source Configuration Guide. Microsoft Exchange Server

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

TROUBLESHOOTING INCORRECT REPORTING OF THE WHO CHANGED PARAMETER

Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure

Adobe Acrobat 9 Deployment on Microsoft Windows Group Policy and the Active Directory service

Configuring and Monitoring Event Logs

Administering Group Policy with Group Policy Management Console

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

Administration GUIDE. Exchange Database idataagent. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 233

Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager. Install Guide. Idera Inc., Published: April 2013

Z-Term V4 Administration Guide

About Help Desk. McAfee Help Desk 2.0 Software. Product Guide. Functions of McAfee Help Desk software. Quarantine release.

Live Maps. for System Center Operations Manager 2007 R2 v Installation Guide

GFI White Paper PCI-DSS compliance and GFI Software products

FastPass Password Manager Version 3.5.1

Monitoring SQL Server with Microsoft Operations Manager 2005

Dell InTrust 11.0 Best Practices Report Pack

SyAM Software Management Utilities. Performing a Power Audit

Specops Command. Installation Guide

Table of Contents. Preface. Chapter 1: Getting Started with Endpoint Application Control. Chapter 2: Updating Components

Advanced Event Viewer Manual

Version 5.0. SurfControl Web Filter for Citrix Installation Guide for Service Pack 2

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

DriveLock Quick Start Guide

ContentWatch Auto Deployment Tool

SARANGSoft WinBackup Business v2.5 Client Installation Guide

IBM Endpoint Manager Version 9.1. Patch Management for Red Hat Enterprise Linux User's Guide

50255: Managing Windows Environments with Group Policy

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Create, Link, or Edit a GPO with Active Directory Users and Computers

Enterprise Vault 11 Feature Briefing

User Replicator USER S GUIDE

COMOS. Lifecycle COMOS Snapshots. "COMOS Snapshots" at a glance 1. System requirements for installing "COMOS Snapshots" Database management 3

Administration Guide. . All right reserved. For more information about Specops Gpupdate and other Specops products, visit

NETWRIX ACCOUNT LOCKOUT EXAMINER

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Transcription:

Active Directory 2008 Audit Management Pack Guide for Operations Manager 2007 and Essentials 2010 Published: June 2010 Version: 6.0.5000.0 Copyright 2010 All rights reserved

Terms of Use All management packs should be thoroughly tested before being introduced into a production System Center Operations Manager 2007 or Essentials 2010 environment. The authors of this management pack accept no responsibility or liability for negative impact as a result of use of this management pack in your Operations Manager environment. Active Directory 2008 Audit Management Pack for Operations Manager and Essentials

Contents Active Directory 2008 Audit Management Pack Guide... 5 Introduction to the Active Directory 2008 Audit Management Pack... 6 Supported Configurations... 6 Getting Started... 7 Before You Import the Management Pack... 7 Files in This Management Pack... 7 How to import the Management Pack... 7 Management Pack for Customizations... 7 Required Configuration... 7 Optional Configuration... 9 Security Considerations... 9 Low-Privilege Scenario and Run As Profile... 9 Understanding Management Pack Operations... 10 Classes... 10 Discoveries... 10 Agent Tasks... 10 Console Tasks... 11 Console Views... 11 Rules... 12 Monitors... 14 Reports... 14 Known Issues... 14 Support... 14

Active Directory 2008 Audit Management Pack Guide Author: Tommy Gunn E-mail: tgunn09@gmail.com Document Version This guide was written based on the 1.0.0.60 version of the Active Directory 2008 Audit Management Pack. Revision History Release Date June 2010 Changes Production Release (RTM) of this MP MP version 1.0.0.60 May 2010 Original release of this MP (beta 1) MP version 1.0.0.55 Table 1 - Management Pack Versions 5

Introduction to the Active Directory 2008 Audit Management Pack The Active Directory 2008 Audit Management Pack is designed to address a feature not included in the Active Directory 2008 Management Pack or System Center Essentials 2010 auditing of security events related to changes in Active Directory objects. This management pack is intended to be a not only a relatively complete resource for auditing Active Directory changes, but also very efficient in its operation. Features of the Active Directory 2008 Audit Management Pack include: Security event auditing without the use of wildcards to optimize performance and minimize unnecessary load on your OpsMgr or Essentials environment Auditing of all of the most common areas of Active Directory administration: users, security groups, organizational units, group policy and Active Directory topology A custom class used to target audit rules to allow administrators to easily control the execution of these auditing rules as well as to facilitate basic alert reporting Alert views that filter the audit events by category, making it easy to filter down to the events that are of interest Uses rules instead of unit monitors, as audit events do not generally indicate a problem with the health of Active Directory or the domain controller Alert descriptions include a link to the knowledge article in the security event WIKI at ultimatewindowssecurity.com (when possible) This is the first release of this management pack, which I hope to improve over time through community feedback. Getting the Latest Management Pack and Documentation You can find the latest version of the Active Directory 2008 Audit Management Pack in the Community Management Pack Catalog at SystemCenterCentral.com. Supported Configurations The Active Directory 2008 Audit Management Pack for Operations Manager 2007 and Essentials 2010 supports the following Operations Manager versions: Operations Manager Version Notes Operations Manager 2007 R2 System Center Essentials 2010 Table 2 - Management Pack Compatibility NOTE: This management pack has only been fully tested on System Center Operations Manager 2007 R2 and System Center Essentials 2010. 6

Getting Started Before You Import the Management Pack Before importing the Active Directory 2008 Audit Management Pack, note the following limitations of the management pack: It requires the Windows Server 2008 Active Directory Management Pack (version 6.0.6452.0 or higher) to be installed. This is because the management pack includes diagnostic tasks targeting Windows 2008 Operating System MP. Files in This Management Pack The Active Directory 2008 Audit Management Pack consists of the following files: SCC.Active.Directory.Audit.xml Active Directory 2008 Audit MP Guide 1.0.0.60.pdf How to import the Management Pack A single XML file is included for this management pack (SCC.Active.Directory.Audit.xml) which is imported into the Operations Manager Console. For general instructions about importing a management pack, see How to Import a Management Pack in Operations Manager 2007 (http://go.microsoft.com/fwlink/?linkid=142351). Management Pack for Customizations This version of the Active Directory 2008 Audit Management Pack is not sealed, so there is no need to create a separate version of the management pack for customizations. Required Configuration The required configuration to enable full functionality for this management pack is to enable the appropriate audit and object access policies in Active Directory 1. Enable the Directory Service Access audit category in the Default Domain Policy (Policies, Windows Settings, Security Settings, Local Policies, Audit Policy) for success and failure auditing as pictured below Figure 1 - Domain Audit Policy Settings 7

2. Enable the Directory Service Change group policy subcategory using the command line below on a domain controller. auditpol /set /subcategory:"directory Service Changes" /success:enable /failure:enable 3. Configure auditing for specific Active Directory object types in your Active Directory domain(s) a) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. b) Make sure that Advanced Features is selected on the View menu by making sure that the command has a check mark next to it. c) Right-click the Active Directory domain that you want to audit (e.g. contoso.com), and then click Properties. d) Click the Security tab, and then click Advanced. e) Click the Auditing tab, and then click Add. f) Select the object types you wish to audit. For this MP, I suggest Write all properties checkbox for This object and all descendent objects as pictured below: Figure 2 - AD Object Audit Settings IMPORTANT: This setting will likely be okay in small-to-medium AD environments. However, in larger environments, you may have to enable object auditing at a more granular level. The detailed steps for how to do this are also explained in some detail KB article 814595 (http://support.microsoft.com/kb/814595) in the section titled Configure Auditing for Specific Active Directory Objects NOTE: Make sure your Security Event Logs are of sufficient size on your domain controllers to ensure events are not lost or overwritten. This could be as much as 100-500 MB, depending on the size of your environment and the audit policy you configure. 8

TIP: Windows security expert Randy Franklin Smith offers recommendations for Windows 2008 audit policies you may wish to read to eliminate noise events in other areas of your audit strategy. Recommended Baseline Audit Policy for Windows Server 2008 Optional Configuration This management pack contains a small number rules to audit account logon events (e.g. account lockout). If you wish to audit account logon events, you should enable success / failure for the Audit account logon events (success and failure) and Audit logon events (success and failure) category in the Default Domain Policy. Security Considerations Low-Privilege Scenario and Run As Profile Since these rules involve reading of the Security Event Log on domain controllers, the default agent security context (Local System) should be sufficient. No additional configuration required. 9

Understanding Management Pack Operations The Windows 2008 Active Directory Audit Management Pack contains the following components. Classes There is one class in this management pack named Windows 2008 Active Directory Audit Target. This class serves two primary purposes: To facilitate alert reporting using alert reports in the Microsoft Generic Report Library As the target of all auditing rules. This allows administrators to easily control where the rules Task Name Description Windows 2008 Active Directory Audit Target This class represents a Windows 2008 Active Directory Domain Controllers targeted for security auditing Table 3 Classes Discoveries There is one object discovery in this management pack. Task Name Frequency Enabled Description Windows 2008 AD Audit Target Discovery 3600 (seconds) N/A Discovers the Windows 2008 Active Directory Audit Target Class. This class is defined largely to facilitate linked alert reports containing audit alerts. By disabling this discovery for domain controllers in domains where auditing is not desired, you can prevent these auditing rules from being loaded by those agents. Table 4 Discoveries Agent Tasks The following table lists the tasks defined for this management pack. Task Name Command Line / Script Parameters Description GPResult c:\windows\system32\gpresult /r Retrieves the output of GPResult /R from the target computer 10

Task Name Command Line / Script Parameters Description Get RSoP GetRSoP.vbs N/A Retrieves resultant set of policy (RSoP) from the selected agent. Script taken from http://www.vbsedit.com/scripts/policy/scr_347.asp Table 5 Agent Tasks Console Tasks This management pack contains no console tasks Console Views The Active Directory 2008 Audit Management pack includes a custom alert views to display audit events related based on the type of change. All alerts raised by the audit rules in this management pack contain a value in parameter8 of the alert that is used to filter alerts displayed in each view without the use of wildcards, as shown in the figure below. Each view filters based on a specific parameter8 value added to the rule when it was originally authored. The table below contains the rules contained within the Active Directory 2008 Audit MP. View Name View Type Description Group Management Alerts Alert View Displays alerts related to Active Directory security group changes Group Policy Management Alerts Alert View Displays alerts related to Active Directory group policy changes. Log Management Alerts Alert View Displays alerts related to the Windows Security Event Log OU Management Alerts Alert View Displays alerts related to Active Directory organizational unit changes Physical Topology Management Alerts Alert View Displays alerts related to changes in physical elements of Active Directory topology components, including sites, site links and subnets 11

View Name View Type Description User Management Alerts Alert View Displays alerts related to Active Directory user changes Table 6 - Console Views Rules There following rules are located in this management pack. These rules all filter on the specific event parameters to minimize load by eliminating wildcard searches on event descriptions as a whole. Special thanks to Stefan Koell (www.code4ward.net) for creating the Log Smith for Operations Manager 2007 that was used extensively to identify event parameters to make a more efficient management pack! IMPORTANT: The rules contained in this table that are disabled by default (Enabled = false) are primarily event collection rules used in the creation of this pack. Read the description field of these rules carefully BEFORE you enable, which includes an explanation of the function of the rule. Name Target Category Enabled (Security Event ID 4728) - A member was added to a security-enabled global group Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Site was Created Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Site was Deleted Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Site Link was Created Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Site Link was Deleted Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Site has been Modified Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Subnet was Created Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Subnet was Deleted Windows 2008 Active Directory Audit Target SecurityHealth True An Active Directory Subnet was Modified Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4723) - Change password attempt Windows 2008 Active Directory Audit Target SecurityHealth True Collect Account and Group Events (misc 47XX events) (DO NOT ENABLE for development only) Windows 2008 Active Directory Audit Target EventCollection False Collect Event 5136: Object Modifications (DO NOT ENABLE development only) Windows 2008 Active Directory Audit Target EventCollection False Collect Event 5136: Object Creation (DO NOT ENABLE development only) Windows 2008 Active Directory Audit Target EventCollection False Collect Event 5139: Object Moved (DO NOT ENABLE development only) Windows 2008 Active Directory Audit Target EventCollection False 12

Collect Event 5141: Object Deleted (DO NOT ENABLE development only) Windows 2008 Active Directory Audit Target EventCollection False (Security Event ID 4727) - A securityenabled global group was created Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4739) - Domain Policy was changed Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4730) - A securityenabled global group was deleted Windows 2008 Active Directory Audit Target SecurityHealth True A Group Policy Object (GPO) has been Created Windows 2008 Active Directory Audit Target SecurityHealth True A Group Policy Object (GPO) was Deleted Windows 2008 Active Directory Audit Target SecurityHealth True A Group Policy Object (GPO) was Modified Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4713) - Kerberos policy was changed Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 1102) - The audit log was cleared Windows 2008 Active Directory Audit Target SecurityHealth True An Organizational Unit was Created Windows 2008 Active Directory Audit Target SecurityHealth True An Organizational Unit was Deleted Windows 2008 Active Directory Audit Target SecurityHealth True An Organizational Unit was Modified Windows 2008 Active Directory Audit Target SecurityHealth True An Organizational Unit was Moved Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4729) - A member was removed from a security-enabled global group Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 1104) - The security event log was cleared Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4706) - A new trust was created to a domain Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4707) - A trust to a domain was removed Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4755) - A securityenabled universal group was changed Windows 2008 Active Directory Audit Target SecurityHealth False (Security Event ID 4754) - A securityenabled universal group was created Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4758) - A securityenabled universal group was deleted Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4756) - A member was added to a security-enabled universal group Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4757) - A member was removed from a security-enabled universal group Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4764) - A group s type was changed Windows 2008 Active Directory Audit Target SecurityHealth True A User Account was Modified Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4720) - A User Account was Created Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4726) - A user account was deleted Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4725) - A user account was disabled Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4740) - A user account was locked out Windows 2008 Active Directory Audit Target SecurityHealth True (Security Event ID 4740) - A User Account Password was Set Windows 2008 Active Directory Audit Target SecurityHealth True 13

Monitors There are no monitors in this management pack. Reports This management pack contains the following reports Report Name Report Type Description Security Audit Alerts Linked Report Displays alerts targeted to the Active Directory 2008 Audit Target class, which is defined and discovered in this MP. NOTE: This report uses the OpsMgr 2007 R2 class filter to make object selection easier for the user running the report Known Issues There are no known issues associated with this management pack at this time Support Support for the Active Directory 2008 Audit Management Pack can be obtained in the support forums available at SystemCenterCentral.com 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information