Monday, October 29, 2012

List of Security Events to Audit in Active Directory


Active Directory Auditing plays a very important role in helping maintain security because it provides the means by which we can find out who did what in Active Directory. For instance, it helps us find out who created a user account, who reset a user account's password, or who deleted an OU.

I've been meaning to come up with a list of events to audit, and put together something we have found to be helpful. I had initially come across a list, "What is the optimal set of administrative tasks to audit in Active Directory", but found it to be just a tad incomplete, so I thought of making a more complete list.

We've had to be careful to ensure that we don't set up excessive auditing in our Active Directory, so with a little help from a list I found here, we've been able to come up with the following list:

(Picture: Active Directory Admins, taken from www.active-directory-security.com)

  • Note: I am not specifying the exact events, but rather the list of administrative tasks that, when enacted, should trigger an entry in your audit logs. The rationale for the selection of these tasks is based on this list of Active Directory Delegation Security Risks.

List of User Account Management Security Events/Tasks

Creation of user accounts
Deletion of user accounts
User account password resets
Enabling/disabling of user accounts
User account logon/logoffs
Setting Password Not Required bit on user accounts
Changing account logon hours and/or workstations
Delegation of tasks on user accounts
Modification of security permissions on user accounts


List of Computer Account Management Security Events/Tasks

Creation of computer accounts
Deletion of computer accounts
Addition of computer accounts to Active Directory
Enabling/disabling of computer accounts
Changing Trusted for Delegation settings on computer accounts
Delegation of tasks on computer accounts
Modification of security permissions on computer accounts


List of Security Group Management Security Events/Tasks

Creation of security groups
Deletion of security groups
Changes to security group types
Addition/removal of members to security groups
Delegation of tasks on security groups
Modification of security permissions on security groups


List of Organizational Unit (OU) Security Events/Tasks

Creation of organizational units (OUs)
Deletion of OUs
Changes to OUs
Linking of group policies to OUs
Addition/removal of accounts from OUs
Delegation of tasks on OUs
Modification of security permissions on OUs

Additional List of Security Events/Tasks

Changes to the Domain Root
Changes to the Domain Controllers OU
Changes to Domain Account Policies
Changes to Active Directory Quota Settings

Please note that which user accounts, computer accounts, security groups and OUs to audit these settings on has to be decided on a case-by-case basis. In general, my recommendation is to have these settings specified on all user accounts, computer accounts, security groups and OUs, but if you only wish to do so on certain Active Directory objects, then which objects to specify these settings on is a decision you will have to make yourself.

In general, Active Directory Audit is very important to Active Directory Security, and it is highly recommended that at least some basic level of Active Directory Auditing Settings be put in place.
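The task lists above name administrative actions rather than event IDs. As an added example (not part of the original post), the following PowerShell maps most of those tasks to the standard Windows Security-log event IDs and reports who performed each one on a domain controller over the last day; the variable names and the one-day window are choices made for this example.

```powershell
# Added example: event IDs below are the standard Windows Security-log IDs.
# Run elevated on a domain controller. The 47xx events need the "Audit User
# Account / Computer Account / Security Group Management" subcategories;
# 5136/5137/5139/5141 need "Audit Directory Service Changes" plus a SACL on the object.
$TaskByEventId = @{
    4720 = 'User account created';      4726 = 'User account deleted'
    4724 = 'User password reset';       4722 = 'User account enabled'
    4725 = 'User account disabled';     4738 = 'User account changed'
    4741 = 'Computer account created';  4743 = 'Computer account deleted'
    4742 = 'Computer account changed';  4764 = 'Group type changed'
    4727 = 'Security group created';    4730 = 'Security group deleted'
    4731 = 'Security group created';    4734 = 'Security group deleted'
    4754 = 'Security group created';    4758 = 'Security group deleted'
    4728 = 'Group member added';        4729 = 'Group member removed'
    4732 = 'Group member added';        4733 = 'Group member removed'
    4756 = 'Group member added';        4757 = 'Group member removed'
    4739 = 'Domain policy changed';     5137 = 'Directory object created'
    5139 = 'Directory object moved';    5141 = 'Directory object deleted'
}
# 5136 (directory object modified) covers several tasks; the attribute tells them apart.
$TaskByAttribute = @{
    nTSecurityDescriptor = 'Security permissions modified'
    gPLink               = 'Group policy link changed'
    userAccountControl   = 'Account control flags changed'
}
$since = (Get-Date).AddDays(-1)
$ids   = @($TaskByEventId.Keys) + 5136
# Query in batches of 20 IDs: very long ID lists make the event log query fail.
$events = for ($i = 0; $i -lt $ids.Count; $i += 20) {
    $batch = $ids[$i..([Math]::Min($i + 19, $ids.Count - 1))]
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $batch; StartTime = $since } `
        -ErrorAction SilentlyContinue   # suppresses the "no events found" error
}
$events | ForEach-Object {
    $data = @{}   # named EventData fields of this event
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $task = $TaskByEventId[$_.Id]
    if ($_.Id -eq 5136) {
        $attr = $data['AttributeLDAPDisplayName']
        $task = "Attribute changed: $attr"
        if ($attr -and $TaskByAttribute.ContainsKey($attr)) { $task = $TaskByAttribute[$attr] }
    }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Task   = $task
        Actor  = $data['SubjectUserName']
        Target = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['TargetUserName'] }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

An empty result for a task you know was performed usually means the audit subcategory or the object's SACL is not set, which is the coverage gap the lists above are meant to close.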

3 comments:

  1. Hi Will,

    As you'll hopefully agree, Active Directory Security is critical to organizational security today and the need to know who has what access in Active Directory has become critical today.

    A good Permissions Analyzer for Active Directory can help identify, lockdown and audit security permissions in Active Directory quickly and efficiently.

    I recently came across a helpful post on How to View Active Directory (AD) Security Permissions and Perform ACL / Permissions Analysis so I thought I'd share it with you.

    Thanks,
    Aaron

  2. Hello Will,

    Greetings from Dubai. I am a Windows IT admin and have been working with Active Directory for quite some time now. One of the things that interests me is Active Directory Security and I have been recently looking at Active Directory Risks. I've found that using a Permissions Analyzer for Active Directory can be very helpful in finding out who has what permissions in Active Directory. I thought I would share this with you in case it helps you too.

    Best wishes,
    Armen

  3. Hi Will,

    I happened to come across your blog, so thought I'd leave a note.

    I've been wanting to blog for a while now, and have a little blog of my own as well over at Active Directory Forestry, but I just can't seem to find the time.

    We've been very busy helping clients understand how to analyze and audit security permissions in Active Directory because it is so important to Active Directory security.

    We came across a valuable Active Directory Audit Tool and it's been very helpful as we perform many an Active Directory Audit for our clients. Thought I'd mention it.

    If you have some time, do stop by. I would love to hear from you.

    Sincerely,
    Ben
