#completevisibility

Become an Active Directory Auditing Superstar: an all-in-one guide!

Speakers

Jeff Melnick

Manager, Sales Engineering

Jeff.Melnick@netwrix.com

888-638-9749 x 971

Adam Bertram

Microsoft MVP, Technical Writer

Part 2: Deep Dive

Housekeeping

All microphones will be muted for the duration of the webinar

To submit text questions use the Question Pane

All questions, comments or opinions are greatly appreciated

The Question Pane

Agenda

Introduction

Most Critical Changes to Audit in Active Directory

Limitations of Native Auditing and How to Overcome them

Product Demonstration

Best Tips and Tricks in Active Directory Auditing

Briefly about Netwrix

Questions and Answers

Prize Drawing

Introduction

Adam Bertram

17-Year IT Veteran

Microsoft MVP (PowerShell)

Blogger: adamtheautomator.com

Technology Writer

@adbertram

Jeff Melnick

Manager, Sales Engineering

Jeff.Melnick@netwrix.com

888-638-9749 x 971

linkedin.com/in/jeffmelnick

The Only Constant is Change

The Only Thing That Is Constant Is Change

- Heraclitus

Not All Changes are Created Equal

Changes in AD have various severity levels

Filter what's important vs. what's just routine activity

Tools like Netwrix Auditor are able to turn this inundation of information into actionable data

Audit Only What Matters

Changes to powerful objects

Privilege escalation techniques

Suspicious behavior

Important Change #1: Group Changes

Groups are convenient but dangerous

Don’t forget about group type changes

Group Building Tips

Use Least Privilege

Match Groups with Job Roles

Prevent Nesting Groups

Which Groups to Audit

Enterprise Admins

Domain Admins

Schema Admins

Anything with *Admins*

Groups with Access to Important Systems

Types of Changes to Audit

Group Adds

Group Removals

Type Changes

Scenario: VPN Group Addition

[Diagram: ADVPN group in AD]

Audit groups that control access to other services

Don’t forget about service accounts

How to Audit

Audit Security Group Management

Event IDs 4728, 4732, 4756 and 4764

Important Change #2: User Accounts

A user account is the key to access

Must watch for unprivileged accounts going privileged

Important User Account Changes

Password Changes

- Event IDs 4723 and 4724

Locked Out Users

- Event ID 4740

Unlocked Users

- Event ID 4767

Directory Services Restore Mode Password

- Event ID 4794
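The group-management event IDs from the "How to Audit" slide (4728, 4732, 4756, 4764) and the user-account event IDs listed above can be pulled from a domain controller's Security log with one query. This is an added example, not material from the webinar or a Netwrix product; it assumes it runs elevated on a DC where "Audit Security Group Management" and "Audit User Account Management" are enabled, and the `*Admins*` group filter follows the "Which Groups to Audit" slide.

```powershell
# Added example (not from the webinar): read the group- and user-management
# events the slides list from the local DC's Security log, and for group events
# keep only groups whose name matches *Admins*.
$EventMeaning = @{
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4764 = 'Group type changed'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
    4794 = 'DSRM password set attempted'
}

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <EventData><Data Name="..."> pairs into a hashtable
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-AdAuditEvents {
    param(
        [int[]]$Id = @($EventMeaning.Keys),
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$GroupFilter = '*Admins*'   # "anything with *Admins*" from the slides
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        $isGroupEvent = @(4728, 4732, 4756, 4764) -contains $_.Id
        # Group events: only privileged groups are interesting; user events: keep all
        if ($isGroupEvent -and ($d.TargetUserName -notlike $GroupFilter)) { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $EventMeaning[$_.Id]
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target  = $d.TargetUserName   # group name, or the affected user account
            Member  = $d.MemberName       # only populated for 4728/4732/4756
        }
    }
}

Get-AdAuditEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

For 4740 the Actor column shows the DC's computer account, because the lockout is recorded by the DC rather than by a user; the locked account is in Target.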

Which Users to Audit

Administrative Users

Powerful Users

Service Accounts

How to Audit

Audit User Account Management:

The visibility you need into user account changes

Important Change #3: Infrastructure Changes

Organizational Units

Trusts

New domains

New domain controllers

Organization Unit (OU) Changes

Event IDs 5136 and 5137

Audit Directory Service Changes

Domain Trusts

6 different event IDs. Ouch!

4706

4707

4716

4865

4866

4867

The Case of the Missing OU

“I didn’t do it!”

“Yes, you did and here’s the proof!”

Important Change #4: Group Policy

GPOs are complex

Changes to GPOs can have enormous ramifications

What to Audit

Some Recommended SACLs for auditing GPOs

How to Audit

Enable two audit policies:

Audit Directory Service Changes

Audit Directory Service Access

Important Change #5: Administrator Activity

Not all malicious activity comes from outside

Strategic SACLs

Either use an existing group or create a new one, and place the admins you want to track in it
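The two GPO audit policies from the previous section and the strategic SACL for an admin tracking group can both be set up from PowerShell. This is an added example, not from the webinar or a Netwrix tool; it assumes an elevated session on a DC with the ActiveDirectory module, and the group `AD-Tracked-Admins` and the OU `OU=Servers` are hypothetical placeholders that must already exist.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive and Get-ADDomain

# 1. Enable the two audit policies named on the "How to Audit" slide.
#    (On DCs the Default Domain Controllers GPO normally wins; mirror the
#    setting there if this local auditpol change gets overwritten.)
foreach ($sub in 'Directory Service Changes', 'Directory Service Access') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Append a success-audit entry for a principal to an AD object's SACL.
function Add-AdAuditSacl {
    param(
        [string]$DistinguishedName,   # object whose SACL is extended
        [string]$Identity,            # 'Everyone' or 'DOMAIN\Group'
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit   # -Audit reads the SACL, not only the DACL
    $sid  = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $sid, $Rights, $flags, $inherit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$domainDn = (Get-ADDomain).DistinguishedName
$netbios  = (Get-ADDomain).NetBIOSName
# Rights whose successful use should be logged: anything that changes or removes an object
$changeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'

# GPO auditing (Important Change #4): every GPO lives under CN=Policies,CN=System,
# so one inherited entry there covers all of them, whoever makes the change.
Add-AdAuditSacl -DistinguishedName "CN=Policies,CN=System,$domainDn" -Identity 'Everyone' -Rights $changeRights

# Strategic SACL (Important Change #5): log what members of the tracking group
# do to a sensitive OU. Group and OU names are hypothetical placeholders.
Add-AdAuditSacl -DistinguishedName "OU=Servers,$domainDn" -Identity "$netbios\AD-Tracked-Admins" -Rights $changeRights
```

Once both are in place, writes under the audited containers surface as 5136/5137 (and related Directory Service Access) events in the Security log.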

The 4 Ws

What

Why

When

Where

What

Certain OUs?

Groups?

Sites?

It’s about defining objects

Why

Why is the admin doing something?

The "why" question can't easily be answered with AD auditing alone.

When

"When" can be answered with AD auditing

Account activity at 2AM? That might be a problem

Bob’s working on his vacation? That’s not right!

Where

Joey's account is logging in from Zimbabwe?

…"Oh, it's just from his office cube."

Limitations of AD Auditing

Lots of Noise

Actions ≠ Event IDs: one action can be spread across several event IDs

Reporting is Nonexistent

No Specific Role-Based Control

Not Tamper-Proof

Two Solutions to the Problem

1. The Agent-Free Approach

2. The Intrusive Agent Approach

Netwrix Auditor: A Non-Intrusive Way

What We Do

Netwrix Auditor enables #completevisibility into both security configuration and data access within your IT infrastructure by providing actionable audit data about who changed what, when and where, and who has access to what.

Active Directory changes; Group Policy changes; State-in-Time information on configurations; real-time alerts; AD change rollback; inactive user tracking and password expiration alerting.

Changes to Windows-based file servers, EMC Storage and NetApp Filers; State-in-Time information on configurations.

SharePoint farm configuration changes, security and content changes.

Exchange changes and non-owner mailbox access auditing.

SQL configuration and database content changes.

Changes to configuration of Windows-based servers; Event Logs, Syslog, Cisco, IIS, DNS; User activity video recording.

VMware vSphere changes.

Netwrix Auditor for Active Directory

Netwrix Auditor for Exchange

Netwrix Auditor for File Servers

Netwrix Auditor for SharePoint

Netwrix Auditor for SQL Server

Netwrix Auditor for VMware

Netwrix Auditor for Windows Server

Netwrix Auditor Applications Scope

Demonstration: Complete Visibility Into Changes With… Netwrix Auditor

Netwrix Auditor Feature - AD Object Restore

Rollback from Netwrix Snapshots

Rollback from AD Tombstones

Netwrix Auditor Feature - Real-Time Alerting

Changes to admin group membership are a great and relevant candidate for a real-time alert

Netwrix Auditor makes real-time alerting much easier

Netwrix Auditor Feature - Reporting

Generate reports in a nice, visual, boss-friendly format

All awards: www.netwrix.com/awards

Briefly About Netwrix

Netwrix Corporation

Corporate Headquarters: 300 Spectrum Center Drive #820, Irvine, CA 92618

888-638-9749

www.netwrix.com

Additional Offices: Columbus, OH; Paramus, NJ; Atlanta, GA; Kent, UK

Year of foundation: 2006

Core competency: Change, configuration and data access auditing across the IT infrastructure

Headquarters location: Irvine, California

Global customer base: 6000

Global customer support: 24/5 support with 99% customer satisfaction

Recognition: Among the fastest growing software companies in the US with more than 70 industry awards (Redmond Mag, SC Mag, WindowsIT Pro, etc.)

Our Customers

Financial

Healthcare & Pharmaceutical

Federal, State, Local, Government

Industrial/Technology/Other

Next Steps

Free Trial: setup in your own test environment

netwrix.com/freetrial

Test Drive: virtual POC, try in a Netwrix-hosted test lab

netwrix.com/testdrive

Live One-to-One Demo: product tour with Netwrix expert

netwrix.com/livedemo

Contact Sales to obtain more information

netwrix.com/contactsales

Webinars: join our upcoming webinars or watch the recorded sessions

netwrix.com/webinars

netwrix.com/webinars#featured

Thank You for Your Attention!

Questions?

Adam Bertram

Microsoft MVP,

Technical Writer

Jeff Melnick

Manager, Sales Engineering

Jeff.Melnick@netwrix.com

888-638-9749 x 971

Right now… Prize Drawing

Haven’t won this time? Sign up for upcoming sessions: https://www.netwrix.com/webinars.html

Get Your Oculus Rift DK2!
