Active Directory Change Auditing

Audit Active Directory Changes

It is now 2016, yet most of the basic Active Directory change auditing tasks are still ignored or not understood by network and security administrators. Every organization should have the systems, procedures, and understanding needed to audit Windows Active Directory properly.

Active Directory change auditing and reporting is one of the critical processes for tracking unauthorized changes. A single change can put your organization at high risk. There are more than 30 areas of AD that every auditor needs to understand in order to keep track of all changes in them. Protecting an IT environment is a big challenge. Imagine that secured, sensitive information has been changed by an insider: how will the administrator answer the who, when, what and where questions about that change?

Active Directory itself has changed a great deal over the years, but the process of managing an existing Active Directory domain has not changed much. Over time, however, Active Directory auditing has gained more advanced methods and useful automated processes.

Active Directory change auditing software allows administrators to audit the additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, permissions, trust policies, admin roles, Group Policy objects and settings, and all other types of activity in the key areas of Active Directory. With its permission analysis feature, administrators can compare the permissions of selected objects between two points in time and display all historical changes made to those permissions. This Active Directory change auditing software is available as part of LepideAuditor Suite. The other modules of LepideAuditor Suite are the GPO auditor, Exchange Server auditor, SQL Server auditor, File Server auditor, and SharePoint auditor.

The software records the "before" and "after" values of every modified setting, and the change data can be stored for years. Some other important features of the software are:

  • Component Management Settings, which allow managing the auditing of domains.
  • Enable Logon/Logoff Monitoring, auditing settings, Group Policy auditing of Windows Server 2003, and Mailbox Auditing.
  • A feature to audit deleting, modifying, and uninstalling the agent from a domain.
  • A wide range of predefined audit reports.

In Windows Server 2008, there are three places an administrator can modify to implement auditing controls:

  • Global Audit Policy: In Windows Server 2008, the Global Audit Policy is not on by default and needs to be enabled.
  • System Access Control List (SACL): The SACL is the final authority on whether an access check is audited. It is part of the security descriptor of an AD object and specifies which operations on that object should be audited.
  • Schema: To protect IT administrators from a flood of auditing events, an override can be set in the schema on an attribute so that changes to that attribute are excluded from auditing, reducing the number of events generated.

Enabling Global Audit Policy on Windows Server 2008:

  • Go to Start > Administrative Tools. Click on Group Policy Management
  • Navigate down through Forest, to the Domains, then Domain Controllers and then left-click on Default Domain Controllers Policy

A warning message appears stating that changes made here will impact all other locations that the GPO is linked to. Click OK.

  • Right-click on Default Domain Controllers Policy. Then, left-click on Edit.
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Right-click on Audit Directory Service Access, then click Properties.
  • Select Define these policy settings and then select Success. Click on Apply and then OK.

Setting up Auditing in System Access Control List (SACL):

  • Open Active Directory Users and Computers
  • Click on View and ensure that Advanced Features is enabled. If not, left-click on it to enable it
  • Right-click on the Organizational Unit or container to be audited. Suppose the user needs to audit Users: right-click Users, then click Properties
  • In Properties window, click on Security
  • Click Advanced
  • Click Auditing tab, then click Add
  • Under Enter the object name to select:, type Authenticated Users, and then click OK
  • In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click OK
  • Click OK, until you are out of any dialog boxes
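The two GUI procedures above (enabling the Global Audit Policy and adding the SACL entry) can also be done and verified from PowerShell. The following is an added example, not code from the original article or from Lepide. It assumes it runs as a Domain Admin on a domain controller with the ActiveDirectory RSAT module installed, and the container DN is a placeholder for your own domain; the event ID 5136 and its field names come from the Windows Security log, not from the article.

```powershell
# Added example (not from the original article or from Lepide).
# Assumptions: run as Domain Admin on a DC with the ActiveDirectory module;
# $containerDn is a placeholder to replace with your own domain's DN.
Import-Module ActiveDirectory

# --- 1. Check the effective audit policy on this DC.
#     The GPO step above enables the legacy "Audit Directory Service Access"
#     category; "Directory Service Changes" is the subcategory that produces
#     the object-modification events we care about.
auditpol /get /subcategory:"Directory Service Changes"

# --- 2. Add the SACL entry described above: audit successful
#     "Write all properties" by Authenticated Users on descendant user objects.
$containerDn = "CN=Users,DC=example,DC=com"   # placeholder DN
$path        = "AD:\$containerDn"

$identity      = [System.Security.Principal.NTAccount]"Authenticated Users"
$rights        = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$auditFlags    = [System.Security.AccessControl.AuditFlags]::Success
$inheritance   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$userClassGuid = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the 'user' class

# "Apply onto: Descendant User Objects" = Descendents inheritance limited to the user class
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $identity, $rights, $auditFlags, $inheritance, $userClassGuid)

$acl = Get-Acl -Path $path -Audit     # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# --- 3. Verify that the SACL now carries the entry.
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq "NT AUTHORITY\Authenticated Users" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

# --- 4. Read the resulting change events. Event ID 5136 ("A directory service
#     object was modified") is logged once per attribute value change; a
#     modification shows up as a "Value Deleted" event (old value) followed by
#     a "Value Added" event (new value), which is where "before/after" comes from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Operation = $data['OperationType']   # %%14674 = Value Added, %%14675 = Value Deleted
        }
    } | Format-Table -AutoSize
```

Step 4 is the check that the first three steps actually worked: if the audit policy or the SACL is missing, no 5136 events appear no matter how many objects are changed, so an empty result after a test modification means one of the two settings above has not taken effect on that domain controller.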

Health Monitoring allows monitoring the health of the Active Directory environment and Exchange Server.

The Real Time Alerts feature lets you manage and receive real-time alerts for auditing and health monitoring.

The Restore tab of LepideAuditor Suite lists the captured backup snapshots so that you can roll back a change.

One of the main features of LepideAuditor Suite is its proprietary Backup Snapshot Technology.

Bear in mind that auditing Active Directory changes is not a part-time job; it is a very important one. Any organization can be under attack every day, and the attacks do not come only from outside: the majority come from within the organization. This means the Active Directory (internal network) must be fully secured.

Why LepideAuditor for Active Directory

  • Uphold Compliance
  • Real Time AD Tracking
  • Eliminate Risk Factors
  • Protect AD against Unauthorized Changes
  • Save Overall Auditing Time

Download Free Trial Version

LepideAuditor Suite is available as a free trial version. The trial version is fully featured and works without limitations. For long-term Active Directory change auditing, you can purchase a license.