Tuesday, October 30, 2012

How to audit / find out what is being audited in Active Directory?


We use Active Directory auditing extensively and it helps us find out who made what changes in our Active Directory. For instance, it helps us find out who created new user accounts, who may have reset a user account's password, who may have deleted an OU, etc.

In order for auditing to work though, we need to specify audit settings in the SACLs of objects in our Active Directory. Once we've specified what access is to be audited, and turned on Directory Services auditing on our Domain Controllers, an audit entry is generated whenever someone performs the access that is set to being audited.


However, because we are a group of admins, and there is no single point of control, sometimes when I am not on duty, a fellow admin might change one of the audit settings, so as a matter of policy, we require that we audit what access is being audited in our Active Directory deployment.



The purpose of such an audit is to identify and document what audit settings are set on which objects in our Active Directory. For example, here are some sample contents of this audit report -
  1. User account creations are being audited on the OU Corp
  2. User account deletions are being audited on the OU Corp
  3. User account password changes are being audited on the OU Corp
  4. User account status changes are being audited on the OU Corp
  5. OU deletions are being audited on the OU Corp
This helps us ensure that all the access/tasks that should be audited are in fact being audited.

So, in order to perform this audit we needed a way to view the Active Directory System Access Control Lists (SACLs) on all the objects in our domain. SACLs are like ACLs but instead of specifying who has what access on an object, they specify what access to audit on that object.

We needed a quick, efficient and reliable way of exporting all the SACLs on all the objects in our Active Directory, so we performed a Google search for "Export SACLs" and we came across a site called Gold Finger - Active Directory Permissions / ACL / SACL Exporter

Upon reviewing the site, we discovered that there is a Microsoft-endorsed Active Directory ACL and SACL Export Tool called Gold Finger for Active Directory that could help us export all the SACLs of all the objects in our Active Directory.

We requested a trial of the software and it took just a few minutes to download the software and a free trial license, and we were all set to export the ACLs of all objects in our Active Directory.

We were quite pleasantly surprised because it took us all of about 30 seconds to export all the SACLs of all the objects in our Active Directory domain to a CSV file. We basically selected the ACL Exporter capability, clicked on the Export all SACLs in an Active Directory Tree report, and clicked a button. In about 30 seconds the tool did its thing and all the SACLs were exported to a CSV file.
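For admins who want the same SACL export without a third-party tool, here is an added example (my own script, not the tool's or the post's code) that walks the domain with the ActiveDirectory module and writes every audit entry to a CSV. It assumes the module is installed and that the account running it holds the "Manage auditing and security log" privilege, without which Get-Acl -Audit returns an empty SACL.

```powershell
# Added example (not the tool or the post's own code): export every audit
# entry (SACL ACE) in the domain to a CSV that can be sorted per object.
# Assumes the ActiveDirectory module and the "Manage auditing and security
# log" privilege, without which Get-Acl -Audit returns no SACL entries.
Import-Module ActiveDirectory

function Export-AdSacls {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutFile    = '.\ad-sacls.csv'
    )
    # Walk the whole tree; -Filter * returns every object, not just users and OUs.
    $objects = Get-ADObject -SearchBase $SearchBase -Filter *
    $rows = foreach ($obj in $objects) {
        # -Audit is what makes Get-Acl read the SACL instead of only the DACL.
        # -LiteralPath keeps DNs with escaped characters from being re-parsed.
        $acl = Get-Acl -LiteralPath "AD:\$($obj.DistinguishedName)" -Audit
        foreach ($ace in $acl.Audit) {
            [pscustomobject]@{
                ObjectDN            = $obj.DistinguishedName
                ObjectClass         = $obj.ObjectClass
                Principal           = $ace.IdentityReference.Value
                Rights              = $ace.ActiveDirectoryRights
                AuditFlags          = $ace.AuditFlags          # Success, Failure or both
                ObjectType          = $ace.ObjectType          # attribute / class / extended-right GUID
                InheritedObjectType = $ace.InheritedObjectType # class of descendants it applies to
                Inheritance         = $ace.InheritanceType
                IsInherited         = $ace.IsInherited         # $false = set directly on this object
            }
        }
    }
    $rows | Sort-Object ObjectDN, Principal | Export-Csv -Path $OutFile -NoTypeInformation
    return @($rows).Count
}

# Entries with IsInherited = $false are the ones someone set directly on the
# object; filtering the CSV on that column is a quick first pass when asking
# whether a fellow admin changed an audit setting.
$count = Export-AdSacls
"Exported $count audit entries"
```

The ObjectType column holds raw schema GUIDs; resolve them against the schema partition (schemaIDGUID) or the Extended-Rights container (rightsGuid) before reporting in plain language.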




How to audit SACLs to report what audit settings are enabled in Active Directory?

The tool also had quite a few other capabilities such as an ACL Viewer, a Permissions Analyzer, an Effective Permissions Analyzer and an Effective Delegated Access Reporter, and we're still in the midst of evaluating all of its capabilities, but for now I just wanted to share this with you.

Once you have all the SACLs of all the objects in your Active Directory exported to a CSV file, it is very easy to sort the output by any object of one's choice and determine what is being audited on that Active Directory object.

We've found such audits to be very helpful and plan to make this a quarterly affair, and in fact make it a part of our quarterly Active Directory Audit so that we can ensure that we are auditing everything that we should be auditing in our Active Directory.

If you have any questions about this, leave me a comment and I'll be happy to answer your question.

Monday, October 29, 2012

List of Security Events to Audit in Active Directory


Active Directory Auditing plays a very important role in helping maintain security because it provides the means by which we can find out who did what in Active Directory. For instance, it helps us find out who created a user account, who reset a user account's password, who deleted an OU, etc.

I've been meaning to come up with a list of events to audit, and put together something we have found to be helpful. I had initially come across a list, "What is the optimal set of administrative tasks to audit in Active Directory", but found it to be just a tad incomplete, so I thought of making a more complete list.

We've had to be careful to ensure that we don't set up excessive auditing in our Active Directory, so with a little help from a list I found here, we've been able to come up with the following list -

(Picture: Active Directory Admins, taken from www.active-directory-security.com)

  • Note: I am not specifying the exact events, but rather the list of administrative tasks that, when enacted, should trigger an entry in your audit logs. The rationale for the selection of these tasks is based on this list of Active Directory Delegation Security Risks.

List of User Account Management Security Events/Tasks

Creation of user accounts
Deletion of user accounts
User account password resets
Enabling/disabling of user accounts
User account logon/logoffs
Setting Password Not Required bit on user accounts
Changing account logon hours and/or workstations
Delegation of tasks on user accounts
Modification of security permissions on user accounts


List of Computer Account Management Security Events/Tasks

Creation of computer accounts
Deletion of computer accounts
Addition of computer accounts to Active Directory
Enabling/disabling of computer accounts
Changing Trusted for Delegation settings on computer accounts
Delegation of tasks on computer accounts
Modification of security permissions on computer accounts


List of Security Group Management Security Events/Tasks

Creation of security groups
Deletion of security groups
Changes to security group types
Addition/removal of members to security groups
Delegation of tasks on security groups
Modification of security permissions on security groups


List of Organizational Unit (OU) Security Events/Tasks

Creation of organizational units (OUs)
Deletion of OUs
Changes to OUs
Linking of group policies to OUs
Addition/removal of accounts from OUs
Delegation of tasks on OUs
Modification of security permissions on OUs

Additional List of Security Events/Tasks

Changes to the Domain Root
Changes to the Domain Controllers OU
Changes to Domain Account Policies
Changes to Active Directory Quota Settings

Please note that the decision of which user accounts, computer accounts, security groups and OUs to audit these settings on has to be made on a case-by-case basis. In general, my recommendation is to have these settings specified on all user accounts, computer accounts, security groups and OUs, but if you only wish to do so on certain Active Directory objects, then the decision of which objects to specify these settings on is something that you will have to make yourself.
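To turn a few of the tasks above into a check you can run against an OU, here is an added example (my own script, not from the post) that reads the OU's SACL and reports which tasks have a matching Success audit entry. The task-to-right mapping is my own reading of the list, the schema and extended-right GUIDs are looked up at run time rather than hard-coded, and the OU distinguished name at the bottom is a placeholder; it assumes the ActiveDirectory module and the "Manage auditing and security log" privilege.

```powershell
# Added example (not from the post): check an OU's SACL for audit rules that
# cover a handful of the tasks listed above. Assumes the ActiveDirectory module
# and the "Manage auditing and security log" privilege (needed to read SACLs).
# The task -> (right, object type) mapping below is my own, not the post's.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Resolve GUIDs from the schema / Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID     # schemaIDGUID is stored as a byte array
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid       # rightsGuid is stored as a string
}

$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
# Right = ActiveDirectoryRights name; ObjectType = what the right applies to;
# InheritedType = class of descendant the entry must cover ([guid]::Empty = any).
$expected = @(
  @{ Task='Creation of user accounts';           Right='CreateChild';   ObjectType=$userClass;                            InheritedType=[guid]::Empty }
  @{ Task='Deletion of user accounts';           Right='DeleteChild';   ObjectType=$userClass;                            InheritedType=[guid]::Empty }
  @{ Task='User account password resets';        Right='ExtendedRight'; ObjectType=(Get-RightsGuid 'Reset Password');     InheritedType=$userClass }
  @{ Task='Enabling/disabling of user accounts'; Right='WriteProperty'; ObjectType=(Get-SchemaGuid 'userAccountControl'); InheritedType=$userClass }
  @{ Task='Addition/removal of members to security groups'; Right='WriteProperty'; ObjectType=(Get-SchemaGuid 'member'); InheritedType=$groupClass }
)

function Test-AuditCoverage([string]$OuDn) {
    $rules = (Get-Acl -LiteralPath "AD:\$OuDn" -Audit).Audit
    foreach ($e in $expected) {
        $right = [System.DirectoryServices.ActiveDirectoryRights]$e.Right
        $hit = $rules | Where-Object {
            (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
            (($_.ActiveDirectoryRights -band $right) -ne 0) -and   # GenericAll etc. also cover it
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $e.ObjectType) -and
            ($_.InheritedObjectType -eq [guid]::Empty -or $_.InheritedObjectType -eq $e.InheritedType)
        }
        [pscustomobject]@{ OU = $OuDn; Task = $e.Task; Audited = [bool]$hit }
    }
}

# Placeholder OU; replace with one of your own. Rows with Audited = False are the gaps.
Test-AuditCoverage 'OU=Corp,DC=example,DC=com' | Format-Table -AutoSize
```

Run it against each OU you care about and keep the output with the quarterly SACL export; a task that flips from True to False between runs is exactly the kind of audit-setting change the previous post set out to catch.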

In general, Active Directory Audit is very important to Active Directory Security, and it is highly recommended that at least some basic level of Active Directory Auditing Settings be put in place.

Friday, June 11, 2010

Optimal Security Logging Strategies

If you're a Windows Admin, you know what a security log is, and if you're a good Windows admin, you know how important it is to keep your security log optimal.

By keeping the log optimal, I'm of course referring to the fact that you're doing what you need to do to ensure that only the minimal essential set of security events are being logged in your security log and that you have a strategy in place that ensures that you're able to archive all your log events before your log rolls over.

Then there are some other essentials such as collecting and collating security event logs from all your domain controllers into one single database so you can get the complete view of what's really happening in your domain.

In this blog, I intend to share optimal logging strategies and other relevant aspects of security logging that could help improve your security logging strategies as well.

Thanks,
Will.