#completevisibility
Become an Active Directory Auditing Superstar: an all-in-one guide!
Speakers
Jeff Melnick, Manager, Sales Engineering, Jeff.Melnick@netwrix.com, 888-638-9749 x 971
Adam Bertram, Microsoft MVP, Technical Writer
Part 2: Deep Dive
Housekeeping
All microphones will be muted for the duration of the webinar
To submit text questions use the Question Pane
All questions, comments or opinions are greatly appreciated
The Question Pane
Agenda
Introduction
Most Critical Changes to Audit in Active Directory
Limitations of Native Auditing and How to Overcome them
Product Demonstration
Best Tips and Tricks in Active Directory Auditing
Briefly about Netwrix
Questions and Answers
Prize Drawing
Introduction
Adam Bertram
17 Year IT Veteran
Microsoft MVP (PowerShell)
Blogger: adamtheautomator.com
Technology Writer
@adbertram
Jeff Melnick
Manager, Sales Engineering
Jeff.Melnick@netwrix.com
888-638-9749 x 971
linkedin.com/in/jeffmelnick
The Only Constant is Change
“The Only Thing That Is Constant Is Change”
- Heraclitus
Not All Changes are Created Equal
Changes in AD have various severity levels
Filter what's important vs. what's just routine activity
Tools like Netwrix Auditor are able to turn this inundation of information into actionable data
Audit Only What Matters
Changes to powerful objects
Privilege escalation techniques
Suspicious behavior
Important Change #1: Group Changes
Groups are convenient but dangerous
Don’t forget about group type changes
Group Building Tips
Use least privilege
Match groups with job roles
Prevent nesting groups
Which Groups to Audit
Enterprise Admins
Domain Admins
Schema Admins
Anything with *Admins*
Groups with Access to Important Systems
Types of Changes to Audit
Group adds
Group removals
Type changes
Scenario: VPN Group Addition
[Diagram: AD and VPN group membership]
Audit groups that control access to other services
Don’t forget about service accounts
How to Audit
Audit Security Group Management
Event IDs 4728, 4732, 4756 and 4764
Important Change #2: User Accounts
A user account is the key to access
Must watch for unprivileged accounts going privileged
Important User Account Changes
Password Changes
− Event IDs 4723 and 4724
Locked Out Users
− Event ID 4740
Unlocked Users
− Event ID 4767
Directory Services Restore Mode Password
− Event ID 4794
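Added example, written for this page rather than taken from the webinar or from Netwrix: PowerShell that turns on the two Account Management subcategories behind the event IDs listed on the group and user account slides (4728, 4732, 4756, 4764 for groups; 4723, 4724, 4740, 4767, 4794 for users), pulls them from a domain controller's Security log, and flags membership changes to any group whose name contains "Admins", as the "Which Groups to Audit" slide recommends. The DC name DC01, the one-day window and the function names are assumptions; run it in an elevated session on or against a domain controller.

```powershell
# Added example, not from the webinar slides or from Netwrix.
# Assumptions: elevated session on (or with rights to) a domain controller;
# DC01 and the 24-hour window are placeholder values.

# The event IDs the slides list, with the meaning Windows assigns to each.
$GroupEvents = @{
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4764 = 'Group type changed'
}
$UserEvents = @{
    4723 = 'Password change attempted (by the user)'
    4724 = 'Password reset attempted (by another account)'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
    4794 = 'DSRM administrator password set'
}

function Enable-AccountManagementAuditing {
    # These two subcategories produce the IDs above; enable success and failure.
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /get /category:"Account Management"
}

function Get-EventDataField {
    # Read a named EventData field from the event XML; positional
    # Properties[] indexes differ from one event ID to the next.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AccountManagementChanges {
    param(
        [string]$ComputerName = 'DC01',                 # placeholder DC name
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $ids = @($GroupEvents.Keys) + @($UserEvents.Keys)
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }
    # Get-WinEvent throws when nothing matches; treat that as "no changes".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $id = $_.Id
            $isGroup = $GroupEvents.ContainsKey($id)
            if ($isGroup) { $action = $GroupEvents[$id] } else { $action = $UserEvents[$id] }
            # TargetUserName is the group for group events and the account for
            # user events; MemberName exists only on the member-added events.
            $target = Get-EventDataField -Event $_ -Name 'TargetUserName'
            $domain = Get-EventDataField -Event $_ -Name 'SubjectDomainName'
            $user   = Get-EventDataField -Event $_ -Name 'SubjectUserName'
            [pscustomobject]@{
                When       = $_.TimeCreated
                EventId    = $id
                Action     = $action
                Subject    = "$domain\$user"
                Target     = $target
                Member     = Get-EventDataField -Event $_ -Name 'MemberName'
                # Slide rule: anything with *Admins* in its name deserves a look.
                AdminGroup = ($isGroup -and $target -like '*Admins*')
            }
        }
}

# Usage: enable auditing once, then review the last 24 hours with
# privileged-group membership changes sorted to the top.
Enable-AccountManagementAuditing
Get-AccountManagementChanges -ComputerName 'DC01' |
    Sort-Object -Property AdminGroup -Descending |
    Format-Table When, EventId, Action, Subject, Target, Member, AdminGroup -AutoSize
```

Reading fields by name from the event XML rather than by `Properties[n]` index keeps one function correct across all nine IDs, and `-ErrorAction SilentlyContinue` matters because `Get-WinEvent` raises an error, not an empty result, when the filter matches nothing.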
Which Users to Audit
Administrative Users
Powerful Users
Service Accounts
How to Audit
Audit User Account Management: the visibility you need into user account changes
Important Change #3: Infrastructure Changes
Organizational Units
Trusts
New domains
New domain controllers
Organizational Unit (OU) Changes
Event IDs 5136 and 5137
Audit Directory Service Changes
Domain Trusts
6 different event IDs. Ouch!
4706
4707
4716
4865
4866
4867
The Case of the Missing OU
“I didn’t do it!”
“Yes, you did and here’s the proof!”
Important Change #4: Group Policy
GPOs are complex
Changes to GPOs can have enormous ramifications
What to Audit
Some Recommended SACLs for auditing GPOs
How to Audit
Enable two audit policies:
Audit Directory Service Changes
Audit Directory Service Access
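Added example for the OU and Group Policy slides, mine rather than the presenters' or Netwrix's: PowerShell that enables the two policies named above and then reads 5136/5137 from a domain controller, keeping only changes to groupPolicyContainer objects so that GPO creations and attribute edits are listed with who made them. Two caveats a practitioner should know: these IDs fire only for objects whose SACL requests auditing (the "recommended SACLs" of the previous slide), and 5136 describes the GPO object in AD, not the settings stored in SYSVOL, so an edit usually surfaces as versionNumber changing. DC01, the seven-day window and the function names are assumptions.

```powershell
# Added example, not from the slides or from Netwrix.
# Assumptions: elevated session on or against a DC; DC01 and the 7-day window
# are placeholders. Objects need an audit (SACL) entry for 5136/5137 to fire.

function Enable-DirectoryServiceAuditing {
    # The two policies the slide names: 5136/5137 come from Directory Service
    # Changes, 4662 (object access) from Directory Service Access.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
    auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
    auditpol /get /category:"DS Access"
}

function Get-EventDataField {
    # Named lookup in the event XML; field positions vary between 5136 and 5137.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-GpoObjectChanges {
    param(
        [string]$ComputerName = 'DC01',              # placeholder DC name
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataField $_ 'ObjectClass') -eq 'groupPolicyContainer' } |
        ForEach-Object {
            # 5136 carries one attribute per event; OperationType %%14674 means the
            # value was added, %%14675 that it was deleted. 5137 (object created)
            # has no attribute fields at all.
            $op = Get-EventDataField $_ 'OperationType'
            $operation = switch ($op) {
                '%%14674' { 'value added' }
                '%%14675' { 'value deleted' }
                default   { 'object created' }
            }
            [pscustomobject]@{
                When      = $_.TimeCreated
                EventId   = $_.Id
                Subject   = Get-EventDataField $_ 'SubjectUserName'
                GpoDN     = Get-EventDataField $_ 'ObjectDN'
                Attribute = Get-EventDataField $_ 'AttributeLDAPDisplayName'
                Operation = $operation
                Value     = Get-EventDataField $_ 'AttributeValue'
            }
        }
}

# Usage: a GPO edit normally appears as a 5136 pair on versionNumber (old value
# deleted, new value added); a new GPO appears as 5137 followed by its attributes.
Enable-DirectoryServiceAuditing
Get-GpoObjectChanges -ComputerName 'DC01' |
    Sort-Object When |
    Format-Table When, EventId, Subject, GpoDN, Attribute, Operation, Value -AutoSize
```

Because the GPO object is named by GUID under CN=Policies, the displayName attribute on the same object (or the 5136 event that set it) is what maps a GpoDN back to the name an administrator would recognise.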
Important Change #5: Administrator Activity
Not all malicious activity comes from outside
Strategic SACLs
Either use an existing group or create a new one, and place the admins you want to track in it
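An added example, not code from the presenters or from Netwrix, serving both the "Recommended SACLs for auditing GPOs" slide and this one: a small PowerShell helper that writes an audit (SACL) entry onto an AD object, used once to audit writes to the GPO container by anyone, and once to audit what a chosen tracking group does inside selected OUs, plus a function that lists the resulting entries for review. It needs the ActiveDirectory module (which provides the AD: drive) and an elevated session; the group name Tracked-Admins, the member names bob and alice, the OU names and DC=corp,DC=example are placeholders.

```powershell
# Added example, not from the slides or from Netwrix.
# Assumptions: ActiveDirectory module (provides the AD: drive), elevated session
# on a DC. Group, member, OU and domain names are placeholders.
Import-Module ActiveDirectory

function Add-AdAuditRule {
    # Append one success+failure audit entry for $Identity on $ObjectDN and let it
    # inherit to all descendants. Without a SACL entry, Directory Service Changes
    # (5136/5137) and Directory Service Access (4662) stay silent for the object.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $flags = [System.Security.AccessControl.AuditFlags]::Success -bor
             [System.Security.AccessControl.AuditFlags]::Failure
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $Identity, $Rights, $flags,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $path = "AD:\$ObjectDN"
    $acl = Get-Acl -Path $path -Audit        # -Audit pulls the SACL, not just the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AdAuditRules {
    # Review what is actually on the SACL after the change.
    param([Parameter(Mandatory)][string]$ObjectDN)
    (Get-Acl -Path "AD:\$ObjectDN" -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited
}

# Write-type rights only: GenericAll would also audit every read (4662) and flood the log.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::Delete

$domainDN = 'DC=corp,DC=example'   # placeholder domain

# 1. GPO slide: audit any principal writing to GPO objects under CN=Policies.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
Add-AdAuditRule -ObjectDN "CN=Policies,CN=System,$domainDN" -Identity $everyone -Rights $writeRights

# 2. Strategic SACLs slide: a group holding the admins to track, then a SACL
#    entry for that group on each OU of interest.
$groupName = 'Tracked-Admins'
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $group -Members 'bob', 'alice'   # placeholder admin accounts

foreach ($ou in "OU=Servers,$domainDN", "OU=Workstations,$domainDN") {
    Add-AdAuditRule -ObjectDN $ou -Identity $group.SID -Rights $writeRights
    Get-AdAuditRules -ObjectDN $ou | Where-Object IdentityReference -like "*\$groupName"
}
```

Scoping the entry to the tracking group's SID rather than to Everyone is what keeps the "Lots of Noise" problem from the limitations slide in check: only writes performed by members of that group are recorded on those OUs, and the rights list deliberately leaves out reads.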
The 4 Ws
What
Why
When
Where
What
Certain OUs? Groups? Sites?
It’s about defining objects
Why
Why is the admin doing something?
The "why" question can't easily be answered with AD auditing alone.
When
"When" can be answered with AD auditing
Account activity at 2 AM? That might be a problem
Bob’s working on his vacation? That’s not right!
Where
Joey’s account is logging in from Zimbabwe?
…“oh, it’s just from his office cube.”
Limitations of AD Auditing
Lots of noise
Actions don't map one-to-one to event IDs
Reporting is nonexistent
No specific role-based control
Not tamper-proof
Two Solutions to the Problem
1 The Agent-Free Approach
2 The Intrusive Agent Approach
Netwrix Auditor: A Non-Intrusive Way
What We Do?
Netwrix Auditor enables #completevisibility into both security configuration and data access within your IT infrastructure by providing actionable audit data about who changed what, when and where, and who has access to what.
Netwrix Auditor Applications Scope
Netwrix Auditor for Active Directory: Active Directory changes; Group Policy changes; State-in-Time information on configurations; real-time alerts; AD change rollback; inactive user tracking and password expiration alerting.
Netwrix Auditor for File Servers: Changes to Windows-based file servers, EMC Storage and NetApp Filers; State-in-Time information on configurations.
Netwrix Auditor for SharePoint: SharePoint farm configuration changes, security and content changes.
Netwrix Auditor for Exchange: Exchange changes and non-owner mailbox access auditing.
Netwrix Auditor for SQL Server: SQL configuration and database content changes.
Netwrix Auditor for Windows Server: Changes to configuration of Windows-based servers; Event Logs, Syslog, Cisco, IIS, DNS; User activity video recording.
Netwrix Auditor for VMware: VMware vSphere changes.
Demonstration: Complete Visibility Into Changes With…
Netwrix Auditor
Netwrix Auditor Feature - AD Object Restore
Rollback from Netwrix snapshots
Rollback from AD tombstones
Netwrix Auditor Feature - Real-Time Alerting
Admin group membership is a great and relevant real-time alert
Netwrix Auditor makes real-time alerting much easier
Netwrix Auditor Feature - Reporting
Generate reports in a nice, visual, boss-friendly format
Briefly About Netwrix
All awards: www.netwrix.com/awards
Netwrix Corporation
Corporate Headquarters: 300 Spectrum Center Drive #820, Irvine, CA 92618, 888-638-9749, www.netwrix.com
Additional Offices: Columbus, OH; Paramus, NJ; Atlanta, GA; Kent, UK
Year of foundation: 2006
Core competency: Change, configuration and data access auditing across the IT infrastructure
Headquarters location: Irvine, California
Global customer base: 6000
Global customer support: 24/5 support with 99% customer satisfaction
Recognition: Among the fastest growing software companies in the US with more than 70 industry awards (Redmond Mag, SC Mag, WindowsIT Pro, etc.)
Our Customers
Financial
Healthcare & Pharmaceutical
Federal, State, Local, Government
Industrial/Technology/Other
Next Steps
Free Trial: set up in your own test environment
netwrix.com/freetrial
Test Drive: virtual POC, try in a Netwrix-hosted test lab
netwrix.com/testdrive
Live One-to-One Demo: product tour with Netwrix expert
netwrix.com/livedemo
Contact Sales to obtain more information
netwrix.com/contactsales
Webinars: join our upcoming webinars or watch the recorded sessions
netwrix.com/webinars
netwrix.com/webinars#featured
Thank You for Your Attention!
Questions?
Adam Bertram, Microsoft MVP, Technical Writer
Jeff Melnick, Manager, Sales Engineering, Jeff.Melnick@netwrix.com, 888-638-9749 x 971
Right now… Prize Drawing
Haven’t won this time? Sign up for upcoming sessions: https://www.netwrix.com/webinars.html
Get Your Oculus Rift DK2!