Active Directory security and compliance: Comprehensive reporting for key security monitoring, and...


Global Active Directory Seminar – 2017

Bharath – Technical Consultant
Bharathwajan.s@manageengine.com
bruce@manageengine.com


Active Directory Change monitoring

Agenda

1. What is change monitoring in Active Directory?
2. Advanced auditing to track Active Directory changes
3. Security log recommendations
4. With ADAudit Plus what can we do?
5. Configure email notification for adverse changes

Active Directory Change Monitoring

• Tracking all changes that occur to objects in Active Directory: users, groups, computers, Group Policy, password changes, etc.
• Tracking all details regarding changes to objects in Active Directory: 'who' did 'what' actions 'when' from 'where', including the old and new settings

Admin's 'Most Wanted' Changes to Track

• New user is created
• Domain policy is changed
• Group Policy settings change
• Domain Admins group membership changes
• Privileged accounts change
• Service account modification
• User account is locked out

Auditing to Track Active Directory Changes

• Each domain controller must have auditing enabled
• Enable auditing of AD through Group Policy: configure the Default Domain Controllers Policy, or create a new GPO and link it to the Domain Controllers OU
• Audit policy is located at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
• Success – tracks successful changes to AD
• Failure – tracks denied attempts to change AD

Auditing to Track Active Directory Changes

• Configure object-level auditing with SACLs
• Enable auditing of directory service access; both are needed, since a SACL generates events only when this audit setting is on, and the audit setting generates events only for objects that carry a SACL
• Configure the Auditing tab (Security tab, then Advanced) of the object's Properties
• Must select each property you want to track

Auditing to Track Active Directory Changes

• Events are stored in the Security log and viewed in Event Viewer
• Some events are generated by auditing Directory Service Access
• Some events are generated by auditing Object Access

Advanced Auditing to Track AD Changes

• Expanded auditing for auditors and security professionals
• Provides details for most compliance mandates
• Provides more granularity (audit subcategories instead of the nine legacy categories)
• Events are still written to the Security log

Advanced Auditing to Track AD Changes

DS Access – Directory Service Changes
Reports changes to objects in Active Directory Domain Services (AD DS). The types of changes reported are create, modify, move and undelete operations performed on an object. Where appropriate, DS Change auditing indicates the old and new values of the changed properties of the objects that were changed.

DS Access – Directory Service Replication
Reports when replication between two domain controllers begins and ends.

DS Access – Detailed Directory Service Replication
Reports detailed information about the data replicating between domain controllers. These events can be very high in volume.

DS Access – Directory Service Access
Reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server.

Advanced Auditing to Track AD Changes

• Domain GPO in GPMC (Windows Server 2008 R2 and 2012 R2; Windows 7, 8 and 10):
  Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies
• Local GPO (Windows Server 2008 R2 and 2012 R2; Windows 7, 8 and 10):
  Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies

Advanced Auditing to Track AD Changes

• Manual configuration through the CLI:
  auditpol /get /category:*
  auditpol /set /category:"DS Access" /success:enable /failure:enable
  (DS Access is a category; to set a single subcategory use, for example, auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable)
• Local auditpol changes are overwritten at the next Group Policy refresh if a linked GPO defines the same setting, so fix the GPO rather than the DC
• Command-line check for the winning GPO:
  gpresult /h gpresult.html

What we need?

• Audit Account Logon
  • Kerberos Authentication Service
  • Credential Validation
• Audit Account Management
  • Computer Account Management
  • Distribution Group Management
  • Security Group Management
  • User Account Management
• Audit DS Access
  • Directory Service Changes
  • Directory Service Access
• Audit Logon/Logoff
  • Logon
  • Logoff
• Audit Policy Change
  • Audit Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
• Audit System
  • Security State Change
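The list above is what a DC's effective advanced audit policy should contain. The following PowerShell script is an added example, not part of the seminar deck or of ADAudit Plus: it reads the effective policy with `auditpol /get /category:* /r` (CSV output), compares every subcategory in the list against "Success and Failure", and, with the hypothetical `-Remediate` switch, enables whatever is missing. The subcategory strings are the names auditpol itself prints; the `$Required` table and the switch name are this example's own.

```powershell
# Added example (not from the seminar deck). Run in an elevated PowerShell
# on the domain controller being checked.
param(
    [switch]$Remediate   # hypothetical switch: also enable non-compliant subcategories
)

# Subcategories from the "What we need" list, grouped by auditpol category.
$Required = [ordered]@{
    'Account Logon'      = @('Kerberos Authentication Service', 'Credential Validation')
    'Account Management' = @('Computer Account Management', 'Distribution Group Management',
                             'Security Group Management', 'User Account Management')
    'DS Access'          = @('Directory Service Changes', 'Directory Service Access')
    'Logon/Logoff'       = @('Logon', 'Logoff')
    'Policy Change'      = @('Audit Policy Change', 'Authentication Policy Change',
                             'Authorization Policy Change')
    'System'             = @('Security State Change')
}

# auditpol /r emits CSV with the columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
# Blank lines are dropped before parsing so the header is always first.
$Effective = auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$Report = foreach ($category in $Required.Keys) {
    foreach ($sub in $Required[$category]) {
        $row     = $Effective | Where-Object { $_.Subcategory -eq $sub }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{
            Category    = $category
            Subcategory = $sub
            Setting     = $setting
            # The deck asks for both success and failure on every subcategory.
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

$Report | Format-Table -AutoSize

$Missing = $Report | Where-Object { -not $_.Compliant }
if ($Remediate -and $Missing) {
    foreach ($m in $Missing) {
        # A local auditpol change is overwritten at the next GPO refresh if a
        # linked GPO defines this subcategory; in that case fix the GPO and
        # confirm with gpresult /h instead.
        auditpol /set /subcategory:"$($m.Subcategory)" /success:enable /failure:enable | Out-Null
    }
}
```

Run it once per domain controller; a subcategory that shows "not reported" usually means the name differs on that Windows version, so compare against the output of `auditpol /get /category:*` on that host.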

Security Log in Event Viewer

• Tracked changes are stored in the Security log of the DC where the event occurred
• Each DC has its own Security log
• To view all events, you must view each DC or consolidate the logs
• Maximum log size: 4 GB; Microsoft recommended: 300 MB
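Because every DC keeps its own Security log, the 'who did what, when, from where' view of an admin-group change has to be assembled from all of them. The PowerShell below is an added example, not from the seminar deck or from ADAudit Plus: it queries each DC's Security log for the Windows group-membership change events (4728/4729 for global, 4732/4733 for local, 4756/4757 for universal security groups) and flattens them into one table. It assumes the ActiveDirectory RSAT module to enumerate DCs (or a `-DomainController` list to skip it), remote Event Log access to each DC over RPC, and a hypothetical `$GroupFilter` default naming the built-in admin groups.

```powershell
# Added example (not from the seminar deck). Run from an admin workstation
# with RSAT, or pass -DomainController to avoid the ActiveDirectory module.
param(
    [string[]]$DomainController,
    [int]$Hours = 24,
    # Hypothetical default: the groups whose membership changes we care about.
    [string]$GroupFilter = '^(Domain Admins|Enterprise Admins|Administrators|Schema Admins)$'
)

if (-not $DomainController) {
    Import-Module ActiveDirectory
    $DomainController = (Get-ADDomainController -Filter *).HostName
}

# Member added / removed events for security-enabled groups.
$Filter = @{
    LogName   = 'Security'
    Id        = 4728, 4729, 4732, 4733, 4756, 4757
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Pull one named EventData field out of the event XML. The field names used
# below (SubjectUserName, MemberName, TargetUserName ...) are the ones these
# event IDs carry.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Changes = foreach ($dc in $DomainController) {
    try {
        # Each DC has its own Security log, so every DC is queried in turn.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        # "No events were found" is also reported here, as well as RPC failures.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $group = Get-EventField $e 'TargetUserName'
        if ($group -notmatch $GroupFilter) { continue }
        [pscustomobject]@{
            When   = $e.TimeCreated
            Where  = $dc
            Who    = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
            What   = if ($e.Id -in @(4728, 4732, 4756)) { 'Added' } else { 'Removed' }
            Member = Get-EventField $e 'MemberName'   # distinguished name of the member
            Group  = $group
        }
    }
}

$Changes | Sort-Object When | Format-Table -AutoSize
```

`Get-WinEvent -ComputerName` talks to the remote Event Log service over RPC, which is why the seminar's "Do's" slide lists port 135 and the dynamic RPC range; a DC that cannot be reached is reported with a warning rather than silently dropped, so an empty table never hides a missing log.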

Security Log in Event Viewer

• Can we consolidate logs from multiple computers into a central log collector? Yes, with Windows Event Forwarding
• The collector must be Windows Server 2008 or later
• An event subscription defines the forwarding rules
• Backward compatible with Windows XP/2003 sources

Security Log in Event Viewer

• Automatically back up logs
• Create custom views by log, date, event level, category, keywords, etc.
• Attach scheduled tasks to events to raise alerts
• Alerts are triggered by activity in the log
• Alerts can be messages or emails
• Alerts are keyed on the event ID, not on the event details

Security Log in Event Viewer

• Issues with Event Viewer:
  • Security log size is too small
  • The interface provides no option for reporting
  • Hard to parse the details
  • Events are logged on the DC where they occur, so there are multiple logs
  • Alerting is not detailed enough

End result: data, poor insights, ineffective actions.

ADAudit Plus Reporting

• Over 125 default reports
• Over 10 default report areas: users, groups, passwords, logons and more

Do's – For the Best Possible Outcome

• Audit policies configured properly
• Security log is prepped (size and retention)
• Sufficient privileges given to the auditing account
• Ports opened for communication with the DCs:
  • 135 (RPC endpoint mapper)
  • 389 (LDAP)
  • 445 (SMB)
  • Dynamic RPC ports (49152–65535)

With ADAudit Plus what can we do?

• Auditing – comprehensive reports in a user-friendly interface
• Alerting – triggers alerts for critical actions
• Archiving – maintains the history of changes over time

Real-time AD change monitoring

User Logon Auditing

• Identifying vulnerabilities
• Capacity planning
• Terminal Services activity
• Audit scenarios:
  • Enormous number of logon failures in a short span
  • User logon after business hours
  • Calculating logon duration on computers

Monitor AD Object Changes

• Track all changes made by a user and to a user
• Password changes to privileged accounts
• Admin groups' membership changes
• Audit scenarios:
  • Wrong delegation to the wrong object at the wrong time
  • Privilege escalation
  • Password policy violations

Email Notification for 'Most Wanted' Events

• Admin group changes
• Service account modifications
• Group Policy setting changes
• Folder deletions / permission changes
• Custom alert configuration – account lockout, admin user logon, etc.

Summary

• What is change monitoring in Active Directory?
• Advanced auditing to track Active Directory changes
• Security log recommendations
• With ADAudit Plus what can we do?
• Configure email notification for adverse changes

Every problem does have a solution!

support@adauditplus.com
bruce@manageengine.com

Questions?

Thank you!
