Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, draws on his extensive knowledge of Windows Active Directory security to show the benefits of Active Directory change monitoring and to answer why you should do it. Learn the differences between traditional Windows auditing and the auditing and reporting capabilities of ManageEngine ADAudit Plus.
Change Monitoring of Active Directory
About Your Speaker
• Derek Melber, MCSE & MVP (Group Policy and AD)
• derek@manageengine.com
• Online Resources
  • ManageEngine “Active Directory” Blog
  • Group Policy Resource Kit – MSPress
• Windows Security Audit Package Consulting
  • Active Directory/Windows Audit Program
  • Training for efficient auditing
• Administration Consultant
  • Active Directory and Server Design/Security
  • Active Directory and Group Policy Design
Agenda
• What is Change Monitoring of Active Directory?
• Auditing to Track Active Directory Changes
• Advanced Auditing to Track Active Directory Changes
• Security Log in Event Viewer
• Traditional Monitoring and Auditing of Active Directory
• True Continuous Monitoring and Auditing of Active Directory
• ADAudit Plus Reporting and Alerting
What is Change Monitoring of Active Directory?
• Tracking all changes that occur to objects in Active Directory
  • Users
  • Groups
  • Computers
  • Group Policy
  • Password Policy
  • Etc.
What is Change Monitoring of Active Directory?
• Tracking all details regarding changes to objects in Active Directory
  • Who made the change
  • Which object was changed
  • When the change was made
  • What the new setting is
  • What the old setting was
Auditing to Track Active Directory Changes
• Each domain controller must have auditing enabled
• Enable auditing of AD through Group Policy
  • Configure the Default Domain Controllers Policy OR create a new GPO and link it to the Domain Controllers OU
• Auditing is located at:
  Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
Auditing to Track Active Directory Changes
• Success – tracks successful changes to AD
• Failure – tracks denied attempts to change AD
Auditing to Track Active Directory Changes
• Audited events are stored in Event Viewer
  • Tracked changes are stored in the Security Log of the DC where the event occurred
  • Each DC has its own Security Log
  • To see all events you must view each DC or consolidate the logs
• Some events are generated by “Audit directory service access”
• Some events are generated by “Audit account management”
Auditing to Track Active Directory Changes
• Secret!
  • Enable “Audit directory service access”
  • Configure the Auditing tab (Security tab of the object’s Properties, then Advanced) to place a SACL on the object
  • You must select “each property” you want to track!
Auditing to Track Active Directory Changes
• Don’t forget all areas
  • Users
  • Groups
  • Computers
  • Schema
  • Group Policy
    • GPC (Group Policy Container, stored in AD)
    • GPT (Group Policy Template, stored in SYSVOL)
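The “select each property” step from the Auditing tab, done from PowerShell instead, as an added example that is not part of the deck. It resolves the schema GUIDs for the member attribute and the group class and puts one Success audit entry on an OU (the OU name is an assumption) so that any change to membership of any group beneath it produces an event. It assumes the RSAT ActiveDirectory module, the AD: drive it provides, and an account holding the “Manage auditing and security log” right.

```powershell
# Added example: place an auditing entry (SACL) on an OU so that every change to the
# "member" attribute of any group beneath it is audited. OU name below is an assumption.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class lDAPDisplayName to its schemaIDGUID; an object-specific
    # audit entry keys on this GUID (it is the "each property" choice in the Auditing tab).
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named '$LdapDisplayName'" }
    [guid]$obj.schemaIDGUID
}

function Add-AdPropertyAudit {
    param(
        [Parameter(Mandatory)][string]$TargetDN,        # OU (or container) that receives the SACL
        [Parameter(Mandatory)][string]$AttributeName,   # e.g. member
        [Parameter(Mandatory)][string]$ObjectClassName, # e.g. group
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success'
    )
    $attrGuid  = Get-SchemaGuid $AttributeName
    $classGuid = Get-SchemaGuid $ObjectClassName
    # "Everyone": audit the change no matter which account makes it
    $everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $Flags,
        $attrGuid,                                                         # only this property
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)                                                        # only on objects of this class
    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path -Audit          # -Audit reads the SACL; needs SeSecurityPrivilege
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Return the audit entries now keyed on this property so the change can be reviewed
    $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $attrGuid }
}

# Usage (assumed OU): audit every group-membership change below OU=Groups
Add-AdPropertyAudit -TargetDN 'OU=Groups,DC=corp,DC=example' -AttributeName member -ObjectClassName group
```

The SACL alone produces nothing; the “Audit directory service access” policy (or, with advanced auditing, the Directory Service Changes subcategory) must also be enabled on every DC, and the entry is scoped to one attribute and one class on purpose, because auditing every property of every object under an OU floods the Security Log.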
Advanced Auditing to Track AD Changes
• Expanded auditing for troubleshooting, auditors and security professionals
• Provides the details required by most compliance mandates
  • cce.mitre.org
  • Matches the Security Compliance Manager (SCM) baselines
• Still reports audited events to the Security Log
Advanced Auditing to Track AD Changes
• The nine audit categories, each now broken into subcategories:
  • System
  • Logon/Logoff
  • Object Access
  • Detailed Tracking
  • Policy Change
  • Account Management
  • DS Access
  • Account Logon
  • Privilege Use
Advanced Auditing to Track AD Changes
• DS Access – Directory Service Changes: Reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.
• DS Access – Directory Service Replication: Reports when replication between two domain controllers begins and ends.
• DS Access – Detailed Directory Service Replication: Reports detailed information about the information replicating between domain controllers. These events can be very high in volume.
• DS Access – Directory Service Access: Reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server.
Advanced Auditing to Track AD Changes
• Local GPO on Windows Server 2008 R2 and Windows 7
  • Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies – Local Group Policy Object
• AD GPO in GPMC (2008 R2 and 7)
  • Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies
Advanced Auditing to Track AD Changes
• Compatibility Issues
  • Legacy Audit Policy
  • New Advanced Auditing
• If a legacy Audit Policy exists, it wins over the new Advanced Auditing… unless
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is configured
Advanced Auditing to Track AD Changes
• Can override the default behavior…
  • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
  • “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
    • Enabled: legacy category settings are ignored; the subcategory settings win
    • Disabled: default behavior
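The same outcome as the two GPO settings above, applied and verified locally on one DC with auditpol.exe, as an added example that is not from the deck. It enables the DS Access and Account Management subcategories that carry the who/what/when/old/new detail, writes the registry value behind the “Force audit policy subcategory settings…” option so legacy category settings cannot silence them, and then reads the effective policy back for a compliance check. It assumes an elevated prompt on a Windows Server 2008 R2 or later DC; the subcategory names, the SCENoApplyLegacyAuditPolicy value and the CSV column names are Microsoft’s, and the event IDs in the comments are for reference only.

```powershell
# Added example: make the change-tracking subcategories effective on a domain controller and
# stop legacy category settings from overriding them. Run elevated on the DC.

# Subcategories that carry the detail change monitoring needs
$subcategories = @(
    'Directory Service Changes',   # 5136/5137/5138/5139/5141: object created/modified/moved/deleted
    'Directory Service Access',    # 4662: only fires for objects that carry a SACL
    'Security Group Management',   # 4728/4732/4756 etc.: membership changes
    'User Account Management',     # 4720/4722/4724/4738 etc.
    'Computer Account Management',
    'Audit Policy Change'          # 4719: someone turning auditing off is itself a change to track
)

function Set-DcAuditBaseline {
    foreach ($s in $subcategories) {
        # auditpol is Microsoft's command-line interface to subcategory (advanced) audit policy
        & auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$s'" }
    }
    # Registry value behind "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings". 1 = Enabled: legacy category settings are ignored.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-DcAuditBaseline {
    # One object per subcategory with its effective setting, plus the override flag.
    foreach ($s in $subcategories) {
        # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = & auditpol.exe /get /subcategory:"$s" /r | Where-Object { $_ } | ConvertFrom-Csv
        [pscustomobject]@{
            Setting   = $s
            Effective = $row.'Inclusion Setting'
            Compliant = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
    $force = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    [pscustomobject]@{ Setting = 'Force subcategory override'; Effective = $force; Compliant = ($force -eq 1) }
}

Set-DcAuditBaseline
Test-DcAuditBaseline | Format-Table -AutoSize
```

Settings made this way are local and are overwritten at the next policy refresh if a GPO linked to the Domain Controllers OU defines audit policy, so in a domain the GPO is the place to put them; Test-DcAuditBaseline is still useful there, because it reports what the DC is actually doing after all GPOs have been applied.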
Security Log in Event Viewer
• “Manage auditing and security log” user right
  • Configure auditing on files, folders, Registry, etc.
  • View audited events in the Security Log
  • Can view and clear the Security Log
  • Save the Security Log
Security Log in Event Viewer
• Event IDs
  • Older versions – 3-digit IDs
  • Newer versions – 4-digit IDs
  • www.eventid.net
  • Microsoft KB 947226 (Vista and Server 2008)
  • Microsoft KB 977519 (7 and Server 2008 R2)
Security Log in Event Viewer
• Create a Custom View of “many logs” or “many sources” into “one log”
  • 2008 Domain Controllers
  • Administrative Events
  • Server Roles
    • Active Directory Domain Services
    • DHCP Server
    • DNS Server
    • File Server
    • Network Policy and Access Services
    • Web Server
Security Log in Event Viewer
• Custom View options
  • Filter by log
  • Logged (date/time ranges)
  • Event level (Critical, Error, Warning, Information, Verbose)
  • View options
    • By log(s)
    • By source(s)
  • Task category
  • Keywords
Security Log in Event Viewer
• After the Custom View is created…
  • A filter can be added to the view
  • A task can be attached to the view
  • The view can be exported
  • The view can be copied
Security Log in Event Viewer
• Backing up the Security Log
  • Automatically back up logs when full
  • Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security
  • Also configure the Log File Path
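A check that the Security Log on every DC is large enough and is archived rather than overwritten, as an added example that is not from the deck. It reads the live log configuration of each DC and the policy values written under the Event Log Service\Security path above, and flags the two problems the next slide lists. It assumes the RSAT ActiveDirectory module, remote event log and Remote Registry access to the DCs, that the policy key is HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security with values AutoBackupLogFiles and File (an assumption about how the template is stored), and a 1 GB minimum that is only a starting point.

```powershell
# Added example: report the Security Log configuration of every DC and flag logs that are
# too small or will overwrite old events. Registry names and the threshold are assumptions.
Import-Module ActiveDirectory

function Get-DcSecurityLogStatus {
    param([long]$MinimumSizeBytes = 1GB)   # assumed floor; size for your change volume and retention need
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # Live configuration of the log as the Event Log service sees it
            $cfg = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
            # Policy values from "Administrative Templates\Windows Components\Event Log Service\Security"
            # (key and value names assumed; needs the Remote Registry service on the DC)
            $reg  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $key  = $reg.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\EventLog\Security')
            $auto = if ($key) { $key.GetValue('AutoBackupLogFiles') } else { $null }
            $path = if ($key) { $key.GetValue('File') } else { $null }
            $problems = @(
                if ($cfg.MaximumSizeInBytes -lt $MinimumSizeBytes) { 'log too small' }
                if ($cfg.LogMode -eq 'Circular')                  { 'oldest events overwritten, not archived' }
            )
            [pscustomobject]@{
                DC               = $dc
                MaxSizeMB        = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
                LogMode          = $cfg.LogMode           # Circular, AutoBackup or Retain
                LogFilePath      = $cfg.LogFilePath
                PolicyAutoBackup = $auto
                PolicyLogPath    = $path
                Problems         = $problems -join '; '
            }
        } catch {
            [pscustomobject]@{ DC = $dc; Problems = "unreachable: $($_.Exception.Message)" }
        }
    }
}

Get-DcSecurityLogStatus | Format-Table -AutoSize
```

A DC whose LogMode is AutoBackup and whose PolicyLogPath points at a volume with room for the archived .evtx files is the state the two GPO settings on this slide are meant to produce; anything reported as Circular will lose the oldest changes as soon as the log fills, which on a busy DC with DS Change auditing enabled can be a matter of hours.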
Issues with Event Viewer
• Security Log size is too small
• The interface does not provide for reporting
• Events are hard to decipher and not easy to analyze
• Events are logged on the DC where the event occurs… multiple logs
• Alerting is not detailed enough
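The consolidation and decoding work that slides 5, 9 and this one describe, done by hand in PowerShell, as an added example that is not from the deck and is not ADAudit Plus code. It pulls Directory Service Changes events (ID 5136) from every DC into one list, flattens each event’s XML into who / which object / when / value, and pairs the “Value Deleted” and “Value Added” halves of a modify (they share an OpCorrelationID) so that old and new values sit on one record. The field names and the %%14674/%%14675 operation codes are those of the 5136 event; the two sample events at the bottom are constructed so the parser can be tried offline, and the live collector assumes the RSAT ActiveDirectory module and remote event log access.

```powershell
# Added example: consolidate 5136 (Directory Service Changes) events from all DCs and reduce
# each change to who / object / when / old value / new value. Sample events are constructed.

function ConvertFrom-DsChangeEvent {
    # Flatten the XML of one 5136 event. The default xmlns on <Event> is transparent to
    # PowerShell's dot notation, so no namespace manager is needed.
    param([Parameter(Mandatory)][xml]$EventXml)
    $e = $EventXml.Event
    $d = @{}
    foreach ($f in $e.EventData.Data) { $d[$f.Name] = $f.'#text' }
    # OperationType is a message id: %%14674 = Value Added, %%14675 = Value Deleted
    $op = switch ($d.OperationType) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $d.OperationType } }
    [pscustomobject]@{
        When          = [datetime]$e.System.TimeCreated.SystemTime
        DC            = $e.System.Computer
        Who           = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object        = $d.ObjectDN
        Class         = $d.ObjectClass
        Attribute     = $d.AttributeLDAPDisplayName
        Operation     = $op
        Value         = $d.AttributeValue
        CorrelationId = $d.OpCorrelationID   # shared by the Deleted and Added halves of one modify
    }
}

function Merge-OldNew {
    # A modify of a single-valued attribute is logged as two 5136 events, Deleted (old value) then
    # Added (new value), with the same OpCorrelationID. Fold each pair into one record.
    param([object[]]$Records = @())
    $Records | Group-Object CorrelationId, Attribute | ForEach-Object {
        $first = $_.Group | Sort-Object When | Select-Object -First 1
        [pscustomobject]@{
            When = $first.When; DC = $first.DC; Who = $first.Who; Object = $first.Object
            Attribute = $first.Attribute
            OldValue  = ($_.Group | Where-Object Operation -eq 'Deleted' | ForEach-Object Value) -join ';'
            NewValue  = ($_.Group | Where-Object Operation -eq 'Added'   | ForEach-Object Value) -join ';'
        }
    }
}

function Get-DsChangesFromAllDcs {
    # Each DC only holds the events for changes made through it, so every DC must be queried.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Import-Module ActiveDirectory
    $records = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # SilentlyContinue also hides "no events found", which is the normal case on a quiet DC
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-DsChangeEvent ([xml]$_.ToXml()) }
    }
    Merge-OldNew -Records $records
}

# ---- constructed sample: CORP\jdoe changes a user's "description" through DC01 ----
function New-SampleEvent([string]$Op, [string]$Value, [string]$Time) {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="$Time"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="OpCorrelationID">{9B9A1C00-0000-4000-8000-000000000001}</Data>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=Alice,OU=Users,DC=corp,DC=example</Data><Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">description</Data>
    <Data Name="AttributeValue">$Value</Data><Data Name="OperationType">$Op</Data>
  </EventData>
</Event>
"@
}
$sample = @(
    ConvertFrom-DsChangeEvent (New-SampleEvent '%%14675' 'Contractor' '2024-03-01T10:15:30.000Z')
    ConvertFrom-DsChangeEvent (New-SampleEvent '%%14674' 'Domain Admin (approved CR-123)' '2024-03-01T10:15:30.010Z')
)
Merge-OldNew -Records $sample | Format-List   # one record with OldValue 'Contractor' and the new value
# Live: Get-DsChangesFromAllDcs -Since (Get-Date).AddDays(-7) | Export-Csv ad-changes.csv -NoTypeInformation
```

Two caveats a first run tends to surface: a change to a multi-valued attribute such as member arrives as separate Added or Deleted events with nothing to pair, which is why Merge-OldNew joins values with ';' rather than assuming one of each, and events only exist on the DC that processed the write, so a DC that is unreachable when the script runs is a gap in the record, not an absence of change.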
Standard Auditing/Monitoring of AD
• Typically done once a year
• Information is gathered on servers/DCs
• Information is for a single point in time
• Changes can be made directly before and any time after the information is gathered
ADAudit Plus Reporting
• Reporting
  • Over 125 default reports
  • Over 10 default report areas
    • Users
    • Groups
    • Passwords
    • Logons
    • …more
ADAudit Plus Custom Reporting
• Custom Reporting
  • Track service account activity
  • Track Administrator activity
  • Track administrative activity
  • Track modifications to Group Policy
ADAudit Plus Alerting
• Alerting
  • Allows an email to be sent immediately when a key change is made
  • Track service account activity
  • Track Administrator activity
  • Track administrative activity
  • Track modifications to Group Policy
Summary
• What is Change Monitoring of Active Directory?
• Auditing to Track Active Directory Changes
• Advanced Auditing to Track Active Directory Changes
• Security Log in Event Viewer
• ADAudit Plus Reporting and Alerting
Questions?
Our gift to you… the link to download the tools!
http://www.manageengine.com/products/active-directory-audit/
Thank you!