Top 5 Active Directory Events Auditors Look For

Posted on February 25, 2011 by DJones

Ah, Auditing. My favorite time of year, when the leaves begin to turn, the weather turns crisp… oh wait, that’s Autumn. I don’t like audits so much.

The key to a successful – or at least less-stressful – audit is preparedness. What are the auditors looking for? The quicker you can get it to them, the quicker you can get back to your job. Of course, auditors come in asking for a wide variety of reports, such as lists of disabled security principals, locked-out accounts, accounts that haven’t been used in a few months, and that sort of thing. Those are standard auditing concerns. Good auditors, however, will also be looking for a select few events within Active Directory. Events that, if found, may trigger a deeper look at things to make sure all’s well with the environment. You can save yourself time – and frankly make your environment more secure – by routinely looking for these same activities yourself.

Changes to GPOs

Of course, these are pretty much impossible to detect using only Windows’ native abilities, but changes to Group Policy objects (GPOs) are something that interest auditors – and should interest you – a great deal. Because GPOs are used to help apply security settings to servers and workstations, changes represent an opportunity for compromised security. Lay your hands on a tool that can detect and record changes to GPOs, and you’ll have all the data you need to satisfy auditors – not to mention change reports that can help ease troubleshooting when a GPO suddenly goes wrong. GPOs containing password policies will be especially scrutinized, so make sure you have as few of those as possible, and that changes to them are well-tracked and logged.
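One way to "detect and record changes to GPOs" without a third-party product, as an added example that is not code from the original post: take a baseline of every GPO's GUID, name, status and AD version counters with the GroupPolicy module, save it, and diff a later run against it. The version counters increment on every edit to the user or computer half of a GPO, so an edit shows up even if nobody looks at timestamps, and a rename shows up as a changed name under an unchanged GUID. The baseline path, and the string-matching heuristic used to flag GPOs that carry password settings, are assumptions of this example.

```powershell
# Added example, not code from the original post. Requires the GroupPolicy
# module (RSAT) on a domain-joined host and read access to the domain's GPOs.
Import-Module GroupPolicy

$BaselinePath = 'C:\Audit\gpo-baseline.xml'   # assumption: any writable path

function Get-GpoSnapshot {
    # One record per GPO. DSVersion counters increment on every edit to that half
    # of the GPO; DisplayName can change (rename) while the GUID never does.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id               = $_.Id.ToString()
            DisplayName      = $_.DisplayName
            ModificationTime = $_.ModificationTime
            UserVersion      = $_.User.DSVersion
            ComputerVersion  = $_.Computer.DSVersion
            Status           = $_.GpoStatus.ToString()
        }
    }
}

function Test-GpoHasPasswordPolicy {
    # Heuristic (assumption): look for account-policy setting names in the XML report.
    param([string]$Id)
    $report = Get-GPOReport -Guid $Id -ReportType Xml
    return [bool]($report -match 'MinimumPasswordLength|PasswordHistorySize|PasswordComplexity|MaximumPasswordAge|ClearTextPassword')
}

function Save-GpoBaseline {
    Get-GpoSnapshot | Export-Clixml -Path $BaselinePath
}

function Compare-GpoBaseline {
    # Emits one object per detected change; no output means nothing changed.
    $old = @{}; Import-Clixml -Path $BaselinePath | ForEach-Object { $old[$_.Id] = $_ }
    $new = @{}; Get-GpoSnapshot                   | ForEach-Object { $new[$_.Id] = $_ }

    foreach ($id in $new.Keys) {
        $n = $new[$id]
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Created'; Name = $n.DisplayName; Id = $id
                               Detail = "created $($n.ModificationTime)"
                               PasswordPolicy = (Test-GpoHasPasswordPolicy $id) }
            continue
        }
        $o = $old[$id]
        if ($o.DisplayName -ne $n.DisplayName) {
            [pscustomobject]@{ Change = 'Renamed'; Name = $n.DisplayName; Id = $id
                               Detail = "was '$($o.DisplayName)'"
                               PasswordPolicy = (Test-GpoHasPasswordPolicy $id) }
        }
        if ($o.UserVersion -ne $n.UserVersion -or $o.ComputerVersion -ne $n.ComputerVersion -or $o.Status -ne $n.Status) {
            [pscustomobject]@{ Change = 'Modified'; Name = $n.DisplayName; Id = $id
                               Detail = "user v$($o.UserVersion)->$($n.UserVersion), computer v$($o.ComputerVersion)->$($n.ComputerVersion), status $($o.Status)->$($n.Status)"
                               PasswordPolicy = (Test-GpoHasPasswordPolicy $id) }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            # The report cannot be fetched for a deleted GPO, so the flag is unknown.
            [pscustomobject]@{ Change = 'Deleted'; Name = $old[$id].DisplayName; Id = $id; Detail = ''; PasswordPolicy = $null }
        }
    }
}

# First run:  Save-GpoBaseline
# Later runs: Compare-GpoBaseline | Format-Table -AutoSize
#             (then Save-GpoBaseline again once the changes are reviewed)
```

Run the compare on a schedule and keep the output; every "Modified" row with PasswordPolicy set to True is exactly the kind of change the author says auditors scrutinize, so it should be matched against a change record. The diff tells you that a GPO changed, not which setting changed; for that, keep the XML from Get-GPOReport alongside each baseline and compare the two reports when a row appears.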

Changes to Groups

Not just any group, but those key groups. You know which ones I’m talking about: Domain Admins, Enterprise Admins, and any other custom group you may have set up with a great deal of delegated privileges. Any group that can change other groups’ memberships, reconfigure permissions within the directory, or perform other highly-sensitive operations is always worthy of close attention. Simply making a change to a group doesn’t mean someone is doing something they shouldn’t, but group membership changes are often the first, most-visible step to unwanted activity within the directory.

Use of Privilege

Next up, of course, is actually doing something in the directory. This can include enabling disabled user accounts. That’s not the same as unlocking a user account – accounts get locked all the time, and unlocking them probably occupies a third of your help desk’s time. But accounts are only disabled for a reason, and re-enabling them should be accompanied by some appropriate documentation explaining why it was done. Tracking this activity can help keep the domain more secure by protecting against stale accounts, unwanted accounts, and other concerns.

Modifying permissions in the directory is another thing to audit carefully and keep an eye on. That Delegation of Privilege Wizard seems easy to use, but it can have wide-reaching, far-ranging effects that simply must be tracked. Of course, modifying permissions in and of itself isn’t a problem activity. Most auditors will simply want to see corresponding documentation that explains why the change was made, who approved it, and so forth. It’s changes without that documentation that are a problem – and if you’re properly self-auditing your domain for these kinds of changes, you’ll quickly spot undocumented ones so that they can be investigated and resolved.
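The two items above (membership changes in sensitive groups, and disabled accounts being re-enabled) are both recorded in the Security log of whichever domain controller handled the change. The following is an added example, not code from the original post, that pulls those events from one DC and turns them into a reviewable table. It assumes success auditing of the "Security Group Management" and "User Account Management" subcategories on the domain controllers, read access to their Security logs, and that the DC name, group list and look-back window are adjusted to your environment.

```powershell
# Added example, not code from the original post. Run from a host that can read
# the domain controller's Security log (e.g. as a member of Event Log Readers).
$DomainController = 'dc01.example.com'          # assumption
$Since            = (Get-Date).AddDays(-1)      # assumption: look-back window
$SensitiveGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Group Policy Creator Owners')
# Add your own delegated-admin groups to the list above.

# Member added/removed for security-enabled global, domain-local and universal groups.
$GroupEventIds = @{ 4728 = 'Added'; 4729 = 'Removed'
                    4732 = 'Added'; 4733 = 'Removed'
                    4756 = 'Added'; 4757 = 'Removed' }

function ConvertTo-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event into a hashtable.
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-SensitiveGroupChange {
    $filter = @{ LogName = 'Security'; Id = [int[]]$GroupEventIds.Keys; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            # TargetUserName is the group; MemberName is the DN of the principal added/removed.
            if ($SensitiveGroups -contains $d.TargetUserName) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Action  = $GroupEventIds[$_.Id]
                    Group   = $d.TargetUserName
                    Member  = $d.MemberName
                    By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    EventId = $_.Id
                }
            }
        }
}

function Get-ReenabledAccount {
    # 4722 = "A user account was enabled". One 4722 also follows every 4720 (account
    # created), so an enable within a minute of the same account's creation is the
    # normal creation sequence, not a disabled account being brought back.
    $filter = @{ LogName = 'Security'; Id = 4720, 4722; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Sid = $d.TargetSid
                               Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
                               By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
        }
    $created = @{}
    foreach ($e in ($events | Where-Object Id -eq 4720)) { $created[$e.Sid] = $e.Time }
    foreach ($e in ($events | Where-Object Id -eq 4722)) {
        $isNewAccount = $created.ContainsKey($e.Sid) -and
                        ([math]::Abs(($e.Time - $created[$e.Sid]).TotalSeconds) -lt 60)
        if (-not $isNewAccount) {
            [pscustomobject]@{ Time = $e.Time; Account = $e.Account; By = $e.By; EventId = 4722 }
        }
    }
}

Get-SensitiveGroupChange | Format-Table -AutoSize
Get-ReenabledAccount     | Format-Table -AutoSize
```

Each row is a question for your change records rather than a finding by itself, which is the author's point: a membership change or re-enable with a ticket behind it is fine, one without is what gets investigated. Because a change is logged only on the DC that performed it, run the query against every writable DC (or against a central collector) rather than one.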

Objects in Motion

This is something only a clever auditor will think to look for – but it’s something you should be looking at on a regular basis: Objects moved from one organizational unit (OU) to another, especially objects which are quickly moved back again. Keep in mind that OU membership drives GPO application, which can in turn drive security. For example, it’s entirely possible to move someone to an OU where a less-restrictive password policy is in force, set their password to something weaker-than-normal, and then move their account back to where it came from.

OU membership also governs who has permissions over an object. For example, many organizations delegate permissions to unlock user accounts and reset passwords to local IT resources. Moving an account to a different OU gives someone else the ability to unlock it. It’s not impossible for administrators to collaborate in this fashion to accomplish things that they couldn’t do alone, and spotting this activity in your audit data is a key way to keep everyone honest.

Now You See It, Now You Don’t

One of the cleverest tricks trusted administrators can use against you is to create an account, do something evil with it, and then delete that account. With the account no longer visible in Active Directory, it’s easy for auditors to pass it over. That’s why a smart auditor (or administrator) will pay close attention to object creation, and make sure that each created object has a reason for being. Objects which are quickly removed are suspicious, and warrant further investigation.
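The two patterns from "Objects in Motion" and this section (an object moved to another OU and quickly moved back, and an account created and soon deleted) are not single events but pairs of events that have to be correlated. The following is an added example, not code from the original post, that does that correlation against a domain controller's Security log: 4720/4726 (user account created/deleted) paired by SID, and 5139 (directory service object moved) paired by object GUID where a later move's destination is an earlier move's origin. 5139 is only written when the "Directory Service Changes" subcategory is audited and the OUs carry a SACL covering the move; the DC name and the time windows are assumptions.

```powershell
# Added example, not code from the original post. Assumes read access to the
# domain controller's Security log and the auditing described in the lead-in.
$DomainController = 'dc01.example.com'        # assumption
$Since            = (Get-Date).AddDays(-7)    # assumption: look-back window
$ShortLife        = New-TimeSpan -Hours 24    # create -> delete faster than this is suspicious
$RoundTrip        = New-TimeSpan -Hours 24    # move -> move back faster than this is suspicious

function ConvertTo-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event into a hashtable.
    param($Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-DcEvents {
    # Returns the requested event IDs as objects with one property per EventData field,
    # plus Time and EventId, ordered oldest first so pairing can walk forwards.
    param([int[]]$Id)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            $d['Time'] = $_.TimeCreated; $d['EventId'] = $_.Id
            [pscustomobject]$d
        } | Sort-Object Time
}

function Get-ShortLivedAccount {
    # Pair each account's creation (4720) with its deletion (4726) by SID.
    foreach ($g in (Get-DcEvents -Id 4720, 4726 | Group-Object TargetSid)) {
        $created = $g.Group | Where-Object EventId -eq 4720 | Select-Object -First 1
        $deleted = $g.Group | Where-Object EventId -eq 4726 | Select-Object -Last 1
        if ($created -and $deleted -and $deleted.Time -gt $created.Time -and
            (($deleted.Time - $created.Time) -lt $ShortLife)) {
            [pscustomobject]@{
                Account   = "$($created.TargetDomainName)\$($created.TargetUserName)"
                Created   = $created.Time
                CreatedBy = "$($created.SubjectDomainName)\$($created.SubjectUserName)"
                Deleted   = $deleted.Time
                DeletedBy = "$($deleted.SubjectDomainName)\$($deleted.SubjectUserName)"
                Lifetime  = $deleted.Time - $created.Time
            }
        }
    }
}

function Get-RoundTripMove {
    # Walk each object's moves in time order; a later move whose NewObjectDN equals an
    # earlier move's OldObjectDN, inside the window, is an out-and-back round trip.
    foreach ($g in (Get-DcEvents -Id 5139 | Group-Object ObjectGUID)) {
        $moves = @($g.Group)
        for ($i = 0; $i -lt $moves.Count; $i++) {
            for ($j = $i + 1; $j -lt $moves.Count; $j++) {
                if ($moves[$j].NewObjectDN -eq $moves[$i].OldObjectDN -and
                    (($moves[$j].Time - $moves[$i].Time) -lt $RoundTrip)) {
                    [pscustomobject]@{
                        Object  = $moves[$i].OldObjectDN
                        MovedTo = $moves[$i].NewObjectDN
                        OutAt   = $moves[$i].Time
                        OutBy   = "$($moves[$i].SubjectDomainName)\$($moves[$i].SubjectUserName)"
                        BackAt  = $moves[$j].Time
                        BackBy  = "$($moves[$j].SubjectDomainName)\$($moves[$j].SubjectUserName)"
                        Away    = $moves[$j].Time - $moves[$i].Time
                    }
                    break
                }
            }
        }
    }
}

Get-ShortLivedAccount | Format-Table -AutoSize
Get-RoundTripMove     | Format-Table -AutoSize
```

The SID is the right pairing key for accounts because a deleted and re-created account of the same name gets a new SID, so the pairing cannot be fooled by reusing a name. The round-trip check reports OutBy and BackBy separately on purpose: the collaboration scenario described above shows up as two different administrators on one row.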

Forewarned is Forearmed

While many of these events are difficult to pick out of the highly-distributed, less-than-verbose native event logs, they’re your key to a more secure, more easily-audited directory. Finding a way to track these pieces of information through reports, alerts, and centralized logs will help you prepare for every audit more efficiently, and help those audits go faster and more smoothly.