Tuesday, October 30, 2012

How to audit / find out what is being audited in Active Directory?


We use Active Directory auditing extensively, and it helps us find out who made what changes in our Active Directory. For instance, it helps us find out who created new user accounts, who may have reset a user account's password, who may have deleted an OU, etc.

In order for auditing to work though, we need to specify audit settings in the SACLs of objects in our Active Directory. Once we've specified what access is to be audited, and turned on Directory Services auditing on our Domain Controllers, an audit entry is generated whenever someone performs the access that is set to being audited.


However, because we are a group of admins, and there is no single point of control, sometimes when I am not on duty, a fellow admin might change one of the audit settings, so as a matter of policy, we require that we audit what access is being audited in our Active Directory deployment.



The purpose of such an audit is to identify and document which audit settings are set on which objects in our Active Directory. For example, here are some sample contents of this audit report -
  1. User account creations are being audited on the OU Corp
  2. User account deletions are being audited on the OU Corp
  3. User account password changes are being audited on the OU Corp
  4. User account status changes are being audited on the OU Corp
  5. OU deletions are being audited on the OU Corp
This helps us ensure that all the access/tasks that should be audited is in fact being audited.

So, in order to perform this audit we needed a way to view the Active Directory System Access Control Lists (SACLs) on all the objects in our domain. SACLs are like ACLs but instead of specifying who has what access on an object, they specify what access to audit on that object.

We needed a quick, efficient and reliable way of exporting all the SACLs on all the objects in our Active Directory, so we performed a Google search for "Export SACLs" and we came across a site called Gold Finger - Active Directory Permissions / ACL / SACL Exporter

Upon reviewing the site, we discovered that there is a Microsoft-endorsed Active Directory ACL and SACL Export Tool called Gold Finger for Active Directory that could help us export all the SACLs of all the objects in our Active Directory.

We requested a trial of the software, and it took just a few minutes to download the software and a free trial license, and we were all set to export the ACLs of all objects in our Active Directory.

We were quite pleasantly surprised because it took us all of about 30 seconds to export all the SACLs of all the objects in our Active Directory domain to a CSV file. We basically selected the ACL Exporter capability, clicked on the Export all SACLs in an Active Directory Tree report, and clicked a button. In about 30 seconds the tool did its thing and all the SACLs were exported to a CSV file.




How to audit SACLs to report what audit settings are enabled in Active Directory?

The tool also had quite a few other capabilities such as an ACL Viewer, a Permissions Analyzer, an Effective Permissions Analyzer and an Effective Delegated Access Reporter, and we're still in the midst of evaluating all of its capabilities, but for now I just wanted to share this with you.

Once you have all the SACLs of all the objects in your Active Directory exported to a CSV file, it is very easy to sort the output by any object of your choice and determine what is being audited on that Active Directory object.
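As an added example (not code from the original post or from the Gold Finger tool), the following PowerShell uses the built-in ActiveDirectory module to export every audit entry (SACL ACE) on every object under an OU to a CSV file, and then checks the OU itself for the first item of the sample report above (user account creations audited on the OU). The OU distinguished name, the output file name and the helper function names are assumptions; running it requires the right to read SACLs (Manage auditing and security log).

```powershell
# Added example, not the post's or the product's code. Assumed OU and file name below.
Import-Module ActiveDirectory

$ouDn = 'OU=Corp,DC=example,DC=com'   # assumed OU; replace with your own
$rootDse = Get-ADRootDSE

# Resolve a schema class GUID by name so the check does not rely on hard-coded GUIDs.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Export every audit ACE on every object under the OU (the OU itself included).
$rows = Get-ADObject -SearchBase $ouDn -Filter * | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)" -Audit
    $aces = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $aces) {
        [pscustomobject]@{
            Object              = $_.DistinguishedName
            Identity            = $ace.IdentityReference
            Rights              = $ace.ActiveDirectoryRights
            AuditFlags          = $ace.AuditFlags          # Success, Failure or both
            ObjectType          = $ace.ObjectType          # class/attribute/right GUID
            InheritedObjectType = $ace.InheritedObjectType
            Inherited           = $ace.IsInherited
        }
    }
}
$rows | Export-Csv -Path .\AD-SACL-Export.csv -NoTypeInformation

# "User account creations are audited on OU Corp" means: a Success audit ACE on the OU
# for CreateChild, scoped either to the user class or to all classes (empty GUID).
$userGuid = Get-SchemaGuid 'user'
$ouAces = $rows | Where-Object { $_.Object -eq $ouDn }
$userCreateAudited = $ouAces | Where-Object {
    ($_.Rights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
    ($_.ObjectType -eq $userGuid -or $_.ObjectType -eq [guid]::Empty)
}
if ($userCreateAudited) { "User account creation IS audited on $ouDn" }
else { "WARNING: user account creation is NOT audited on $ouDn" }
```

The same pattern extends to the other report items by swapping the class GUID (for example 'organizationalUnit' with the Delete right) or the extended-right GUID for password resets.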

We've found such audits to be very helpful and plan to make this a quarterly affair, and in fact make it a part of our quarterly Active Directory Audit so that we can ensure that we are auditing everything that we should be auditing in our Active Directory.

If you have any questions about this, leave me a comment and I'll be happy to answer your question.

2 comments:

  1. Hi Will,

    I think you're very right about the need to audit what is being audited in Active Directory as well, because it's what one relies on for security.

    Incidentally, I just shared a note on How to Find Out Who is Delegated What Access on an Active Directory Object? which is a related subject, and the funny thing is my solution involves using Gold Finger Active Directory Audit Tool as well.

    I don't know if you've tried its Effective Delegated Access Reports capability, but that's what I'm using to get the job done, and it's saved us so much time and money.

    You may want to check out that capability too.

    Cheers,
    Abdul

  2. Hi Will,

    As Domain Admins / Enterprise Admins we often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.

    In my experience, I have found that finding out who is delegated what access in Active Directory is not as easy as it seems, but in fact can be quite difficult.

    I've seen many admins try to use a Permissions Analyzer for Active Directory but finding out who has what permissions in Active Directory is not the same thing.

    I recently came across an Active Directory Audit Tool that makes it super easy to find out who is delegated what access in Active Directory. Thought you may like to know.

    Cheers,
    Bob
