Active Directory security and compliance: Comprehensive reporting for key security monitoring, and alerting

Page 1: Active Directory security and compliance: Comprehensive reporting for key security monitoring, and alerting

Global Active Directory Seminar – 2017

Bharath – Technical Consultant, [email protected] [email protected]

Page 2: Active Directory Change Monitoring

Page 3: Agenda

1. What is change monitoring in Active Directory?
2. Advanced auditing to track Active Directory changes
3. Security log recommendations
4. With ADAudit Plus, what can we do?
5. Configure email notification for adverse changes

Page 4: Active Directory Change Monitoring

• Tracking all changes that occur to objects in Active Directory
  • Users, groups, computers, Group Policy, password changes etc.
• Tracking all details regarding changes to objects in Active Directory
  • ‘Who’ did ‘What’ actions ‘When’ from ‘Where’, with the old and new settings

Page 5: Admin’s ‘Most wanted’ changes to track

• New user is created
• Domain policy is changed
• Group Policy settings change
• Domain Admins group membership changes
• Privileged accounts change
• Service account modification
• User account is locked out

Page 6: Auditing to Track Active Directory Changes

• Each domain controller must have auditing enabled
• Enable auditing of AD through Group Policy
• Configure the Default Domain Controllers Policy, or create a new GPO and link it to the Domain Controllers OU
• Auditing is located at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Page 7: Auditing to Track Active Directory Changes

Page 8: Auditing to Track Active Directory Changes

• Success – tracks successful changes to AD
• Failure – tracks denied attempts to change AD

Page 9: Auditing to Track Active Directory Changes

• Configure object-level auditing with SACLs
• Enable auditing of directory service access
• Configure the Auditing tab after clicking the Security tab of the object’s Properties
• You must select each property you want to track

Page 10: Auditing to Track Active Directory Changes

• Events are stored and viewed in Event Viewer
• Some events are generated by auditing Directory Service Access
• Some events are generated by auditing Object Access

Page 11: Advanced Auditing to Track AD Changes

• Expanded auditing for auditors and security professionals
• Provides details for most compliance mandates
• Provides more granularity
• Events are still written to the Security log

Page 12: Advanced Auditing to Track AD Changes

Page 13: Advanced Auditing to Track AD Changes

DS Access – Directory Service Changes
Reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.

DS Access – Directory Service Replication
Reports when replication between two domain controllers begins and ends.

DS Access – Detailed Directory Service Replication
Reports detailed information about the data replicating between domain controllers. These events can be very high in volume.

DS Access – Directory Service Access
Reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server.

Page 14: Advanced Auditing to Track AD Changes

• AD GPO in GPMC (Windows 2008 R2, 7, 8, 10, 2012 R2)
  • Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System
• Local GPO on Windows 2008 R2, 7, 8, 10, 2012 R2
  • Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System

Page 15: Advanced Auditing to Track AD Changes

• Manual configuration through the CLI:
  • auditpol /get /category:*
  • auditpol /set /category:"DS Access" /success:enable /failure:enable
    (in auditpol, "DS Access" is a category; its subcategories are set with /subcategory:"Directory Service Changes" and so on)
• Command-line check for the ‘winning GPO’:
  • gpresult /h gpresult.html

Page 17: What we need?

• Audit Account Logon
  • Audit Kerberos Authentication Service
  • Audit Credential Validation
• Audit Account Management
  • Audit Computer Account Management
  • Audit Distribution Group Management
  • Audit Security Group Management
  • Audit User Account Management
• Audit DS Access
  • Audit Directory Service Changes
  • Audit Directory Service Access
• Audit Logon/Logoff
  • Audit Logon
  • Audit Logoff
• Audit Policy Change
  • Audit policy change
  • Authentication policy change
  • Authorization policy change
• Audit System Events
  • Audit Security State Change
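The following script, added here as an example and not part of the seminar deck, turns slide 15's auditpol commands and slide 17's list into a check: it reads the effective policy from `auditpol /get /category:* /r` (CSV output) and reports any required subcategory that is not enabled. The subcategory names are the English auditpol names; the Success/Failure baseline per subcategory is an assumption in the spirit of slide 15's `/success:enable /failure:enable`.

```powershell
# Added example (not from the deck): check that the advanced audit
# subcategories slide 17 lists are enabled on this DC, using the CSV output
# of "auditpol /get /category:* /r" instead of screen-scraping the text layout.
# Run in an elevated prompt on each DC. Subcategory names are the English
# auditpol names; the expected settings are an assumed baseline in the spirit
# of slide 15's "/success:enable /failure:enable".
$required = @{
    'Kerberos Authentication Service' = 'Success and Failure'
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Distribution Group Management'   = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
    'Directory Service Access'        = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Security State Change'           = 'Success'
}

# Effective policy on this machine, one CSV row per subcategory. The
# 'Inclusion Setting' column reads "Success and Failure", "Success",
# "Failure" or "No Auditing".
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$gaps = foreach ($name in $required.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    $want   = $required[$name]
    # "Success and Failure" satisfies a requirement for either one alone.
    if ($actual -ne $want -and $actual -ne 'Success and Failure') {
        [pscustomobject]@{ Subcategory = $name; Expected = $want; Actual = $actual }
    }
}

if (-not $gaps) { Write-Host 'All required subcategories are enabled.'; return }
$gaps | Format-Table -AutoSize

# Print the fix in the same form the deck uses, one auditpol /set per gap.
foreach ($g in $gaps) {
    $flags = if ($g.Expected -eq 'Success and Failure') { '/success:enable /failure:enable' }
             else { '/' + $g.Expected.ToLower() + ':enable' }
    Write-Host ('auditpol /set /subcategory:"{0}" {1}' -f $g.Subcategory, $flags)
}
```

If a GPO sets these values, a local auditpol /set is overwritten at the next policy refresh, so the printed commands are a quick remediation and the durable fix is the GPO path on slide 14, confirmed with gpresult as on slide 15.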

Page 18: Security Log in Event Viewer

• Tracked changes are stored in the Security log of the DC where the event occurred
• Each DC has its own Security log
• To view all events, you must view each DC or consolidate the logs

Page 19: Security Log in Event Viewer

• Maximum log size: 4 GB
• Microsoft recommended: 300 MB

Page 20: Security Log in Event Viewer

• Can we consolidate logs from multiple computers into a central log collector?
• Event Forwarding
  • The collector must be Windows 2008 or later
  • An event subscription defines the forwarding rules
  • Backward compatible with Windows XP/2003

Page 21: Security Log in Event Viewer

• Automatically back up logs
• Create custom views by log, date, event level, category, keywords etc.
• Attach scheduled tasks to alert on events
  • Alerts are triggered by activity in the log
  • Alerts can be ‘messages’ or ‘emails’
  • Alerts are for event ID, not ‘event details’

Page 22: Security Log in Event Viewer

• Issues with Event Viewer:
  • Security log size too small
  • The interface does not provide an option for reporting
  • Hard to parse the details
  • Events are logged on the DC where the event occurs – multiple logs
  • Alerting is not detailed enough

Page 23: End Result

• Data
• Poor insights
• Ineffective actions

Page 25: ADAudit Plus Reporting

• Reporting
  • Over 125 default reports
  • Over 10 default report areas: Users, Groups, Passwords, Logons, more….

Page 26: Do’s – For best possible outcome

• Audit policies configured properly
• Security log is prepped
• Sufficient privileges given
• Ports are opened for communication:
  • 135 (RPC)
  • 389 (LDAP)
  • 445 (NetBIOS session service)
  • Dynamic ports (49152-65535)

Page 27: With ADAudit Plus, what can we do?

• Auditing – comprehensive reports in a user-friendly interface
• Alerting – triggers alerts for critical actions
• Archiving – maintains a history of changes over time

Page 28: Real-time AD change monitoring

Page 29: User Logon Auditing

• Identifying vulnerabilities
• Capacity planning
• Terminal Services activity
• Audit scenarios:
  • Enormous logon failures in a short span
  • User logon during ‘after business hours’
  • Calculate logon duration on computers

Page 30: Monitor AD Object Changes

• Track all changes made ‘by’ a user and ‘to’ a user
• Password changes to ‘privileged accounts’
• Admin groups’ membership changes
• Audit scenarios:
  • Wrong delegation to the wrong object at the wrong time
  • Privilege escalation
  • Monitor password policy violations

Page 31: Email notification for ‘Most wanted’ events

• Admin group changes
• Service account modifications
• Group Policy setting changes
• Folder deletions/permission changes
• Custom alert configuration – account lockout, admin user logon etc.
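As an added example (not from the deck and not ADAudit Plus code), the script below scans a DC's local Security log for two of the scenarios on slides 29 to 31, the burst of logon failures and the admin group membership change, matching on event details in the way slide 21 notes Event Viewer alerts cannot. The event IDs are Microsoft's standard Security-log IDs; the failure threshold, time window and watched group name are assumed values.

```powershell
# Added example (not from the deck): scan the local Security log for two of the
# deck's "most wanted" scenarios, matching on event details rather than only on
# event ID. The event IDs are Microsoft's standard Security-log IDs; the
# threshold, window and watched group are assumed values to adapt.
param(
    [int]$FailureThreshold = 20,             # assumed: failures per account per window
    [int]$WindowMinutes    = 15,             # assumed: the "short span"
    [string]$WatchedGroup  = 'Domain Admins' # assumed: admin group to alert on
)
$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Pull a named field out of an event's EventData section.
function Get-EventField($Event, [string]$Name) {
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Enormous logon failures in a short span: 4625 is logged once per failure,
#    so group by the target account and flag accounts over the threshold.
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$bursts = $failures | ForEach-Object {
        [pscustomobject]@{ Account = Get-EventField $_ 'TargetUserName'
                           Source  = Get-EventField $_ 'IpAddress' }
    } | Group-Object Account | Where-Object Count -ge $FailureThreshold
foreach ($b in $bursts) {
    $sources = ($b.Group.Source | Sort-Object -Unique) -join ', '
    Write-Warning ("{0} logon failures for '{1}' in the last {2} min from {3}" -f
        $b.Count, $b.Name, $WindowMinutes, $sources)
}

# 2. Admin group membership changes: 4728/4732/4756 = member added to a
#    global/local/universal security group, 4729/4733/4757 = member removed.
#    TargetUserName holds the group name, so the watched group can be matched
#    exactly, which an Event Viewer alert keyed on ID alone cannot do.
$changes = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $changes) {
    if ((Get-EventField $e 'TargetUserName') -ne $WatchedGroup) { continue }
    Write-Warning ("{0}: '{1}' changed membership of '{2}' ({3}), event {4}" -f
        $e.TimeCreated, (Get-EventField $e 'SubjectUserName'), $WatchedGroup,
        (Get-EventField $e 'MemberName'), $e.Id)
}
```

Because each DC keeps its own Security log (slide 18), the script must run on every DC, or against a collector's ForwardedEvents log, to see the whole picture; swapping Write-Warning for Send-MailMessage turns it into the email notification the slide describes.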

Page 32: Summary

• What is change monitoring in Active Directory?
• Advanced auditing to track Active Directory changes
• Security log recommendations
• With ADAudit Plus, what can we do?
• Configure email notification for adverse changes

Page 33: Every problem does have a solution!

[email protected]@manageengine.com

Page 34: Questions?

Thank you!