7 Tips for Achieving Active Directory Compliance


8/3/2019 7 Tips for Achieving Active Directory Compliance

7 Tips for Achieving Active Directory Compliance

By Darren Mar-Elia


Sponsored by Quest Software

Contents

7 Tips for Achieving Active Directory Compliance .......... 2
Introduction .......... 2
The Ups and Downs of Native AD Auditing .......... 2
The Ups! .......... 3
The Downs .......... 4
Auditing and Compliance in AD .......... 6
Leveraging Third-Party Auditing Tools .......... 7
What to Look for, and What to Look Out for .......... 7
Conclusion .......... 8
About the Author .......... 8
Appendix: Quest Solutions for Compliance .......... 9


Introduction

In many organizations, Active Directory (AD) is a key to authentication and authorization for important corporate resources. As a result, the user identities stored in AD and the groups they are members of are important to controlling and auditing what is being accessed within your organization. The ability to audit and be alerted about changes to AD is a critical part of any organization.

The native auditing within AD has seen some improvements, but it still has gaps when it comes to your auditing and compliance needs. In this paper, I provide tips and tricks to make the best use of native AD auditing, as well as underscore what auditors and compliance officers look for when it comes to keeping an eye on what is happening within your AD environment. I'll also look at some third-party alternatives to native auditing that can greatly increase your ability to report on what is happening within your AD infrastructure.

The Ups and Downs of Native AD Auditing

The ability to audit what is happening within your AD infrastructure has evolved over the years, from really limited Windows Server 2000 and 2003 environments to pretty good in Server 2008 and 2008 R2 environments. The main challenges with AD auditing in the earlier versions of Windows were that a) not all changes to AD were logged, or logged in a way that was useful, and b) before and after values for changes weren't logged at all, so you had no way of knowing what the old data was unless you restored the object from backup. With the release of Server 2008 and then Server 2008 R2, native AD auditing got better. These releases provide more complete coverage of audited events, and before and after values of modified attributes are now captured in the Windows security event log (see Figure 1), albeit with two separate events: one that logs the original value of the attribute and another that logs the new value.


    Figure 1: Viewing changed values in Server 2008R2 AD

The Ups!

Let's take a look at how auditing works in AD and how you can enable the ability to audit your AD objects. For my examples, I'll be using Server 2008 R2. I will make note of any significant differentiation that exists between this newest version of Windows Server and earlier versions.

The first thing to know about enabling AD auditing is that there is no one button you push to turn on all the auditing you might need. Instead, it is a multi-step process:

1. The first step is telling the AD domain that you want to enable auditing (and what level you want to audit).

2. The second step is setting the Security Access Control List (SACL) on actual objects in AD to let AD know which objects you want to see audit events for.

Step 1. Tell the AD domain that you want to enable auditing

Let's look at the first step. Being able to audit AD events requires that you tell your domain controllers that they should pay attention to all changes that are made to AD. This is enabled by some Group Policy settings within your AD domain.

In Windows Server 2003, you had only one level of granularity for AD auditing: it was either all on or all off. The standard procedure for this was to open the Group Policy Editor, open the Default Domain Controllers Policy Group Policy Object (GPO), and enable the Directory Service Access audit policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy. Once this audit policy was enabled for success events, then all AD objects that had a SACL configured to audit changes would send an event to the security event log on the domain controller (DC) that originated the change. This is an important point!

TIP #1: AD changes are logged only within the security event log on the DC that originated that change. In other words, AD does not replicate security events to all DCs the way it replicates object changes!

Starting in Windows Server 2008, you now have the ability to get more granular in auditing AD events, differentiating between AD changes, AD access events (events related to accessing AD), AD replication, and detailed AD replication. These four subcategories give you more granular control over what is logged within the Windows security event log, and thus more control over the volume of security events that are being logged.

TIP #2: In Server 2008, these subcategories are exposed through the auditpol.exe command-line utility. However, in Server 2008 R2, you can now enable and disable these sub-categories through Group Policy, under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration (see Figure 2).

Figure 2: Viewing Advanced Audit Policy Configuration in Group Policy
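As an added example (not from the whitepaper): the same tuning done with auditpol.exe on a Server 2008 or R2 DC, enabling only the Directory Service Changes subcategory as Tip #7 later recommends; the only assumption is an elevated prompt on the DC.

```powershell
# Added example, not from the whitepaper: inspect and tune the four Directory Service
# subcategories with auditpol.exe on a Server 2008/R2 DC. Run from an elevated prompt on the DC.

# Current state of the DS Access category; /r gives CSV so PowerShell can parse it
$before = auditpol.exe /get /category:"DS Access" /r | ConvertFrom-Csv
$before | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Object changes (with before/after values) live in "Directory Service Changes":
# enable success auditing there only (what Tips #1 and #4 are about).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:disable

# Keep the noisy subcategories off unless an investigation needs them (Tip #7).
# "Directory Service Access" logs reads and floods the log when SACLs are broad (Tip #4).
foreach ($sub in 'Directory Service Access',
                 'Directory Service Replication',
                 'Detailed Directory Service Replication') {
    auditpol.exe /set /subcategory:"$sub" /success:disable /failure:disable
}

# Verify, and flag anything still enabled other than Directory Service Changes
$after = auditpol.exe /get /category:"DS Access" /r | ConvertFrom-Csv
$unexpected = $after | Where-Object {
    $_.Subcategory -ne 'Directory Service Changes' -and $_.'Inclusion Setting' -ne 'No Auditing'
}
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Subcategory }) -join ', '
    Write-Warning "Still enabled: $names"
}

# Caveat: on Server 2008 (pre-R2) the legacy "Audit directory service access" policy in Group
# Policy can overwrite these subcategory settings on the next refresh. The security option
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
# policy category settings" stops that from happening.
```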


Step 2. Let AD know which objects you want to see audit events for using the SACL

Once auditing has been enabled on an AD domain, the next step is to ensure that the objects you are interested in tracking within AD have the correct SACL to allow audit events to be generated against them. The SACLs for AD objects are accessible from the Advanced tab within the standard ACL Editor within AD Users & Computers (or similar tools). When you define a SACL, much like when you define a standard Access Control List (ACL), you choose which users or groups you are interested in auditing against. In other words, if you want to track changes against a given AD object by a specific person, you would add that person's user ID to the SACL, along with whether you want to audit success or failure of changes, and what properties and object classes you want to audit against. Figure 3 shows a typical SACL on user objects that was defined at an OU level.

    Figure 3: Viewing a SACL on user objects withinan OU

TIP #3: If you want audit events to show up for all objects in your AD domain, you'll have to set up a SACL at the domain level that covers all objects and their attributes and all users (e.g., by using the Everyone group). Note, however, that this will truly mean that every change that happens to AD will be logged in the security event log on the originating DC, which for larger domains could mean a lot of events.

Once basic auditing is enabled and the objects that you are interested in auditing have SACLs in place, you can expect to start getting events in the security event log on the DC where the change was created. On Server 2008 and 2008 R2, these events will appear in the security event log under the Directory Services Changes task category.
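As an added example (not from the whitepaper): defining the SACL from PowerShell instead of the ACL Editor shown in Figure 3, so that successful writes to user objects under an OU produce Directory Service Changes events; it assumes the ActiveDirectory module, a placeholder OU named Staff in an example.com domain, and the right to manage auditing on the domain.

```powershell
# Added example, not from the whitepaper: add an audit ACE to an OU's SACL so that successful
# writes to user objects beneath it are audited. Assumes the ActiveDirectory module (AD: drive),
# a placeholder OU (substitute your own) and the privilege to manage auditing (SeSecurityPrivilege).
Import-Module ActiveDirectory

$ouPath = 'AD:\OU=Staff,DC=example,DC=com'   # assumed OU, not from the whitepaper

# Look up the schemaIDGUID of the 'user' class so the ACE is scoped to user objects only
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [Guid]$userClass.schemaIDGUID

# Who to audit: Everyone, as Tip #3 suggests when all users should be covered
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Audit successful property writes, inherited by descendant user objects of the OU
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# -Audit is required to read (and later write back) the SACL rather than just the DACL
$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify the audit entry landed on the OU
(Get-Acl -Path $ouPath -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

Changes to user objects under the OU now appear as Directory Services Changes events on the DC that made the change, and only there (Tip #1).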

TIP #4: Another thing to note is that the Directory Service Access subcategory is also useful from a compliance perspective because it logs accesses to AD data. However, if the SACLs on your AD tree are extensive, this subcategory can generate a lot of data, so be cautious about enabling this category.

The Downs

While there have been improvements in AD auditing with respect to the coverage and quality of the audit data that is logged, when it comes to implementing enterprise auditing in AD to support auditing and compliance requirements, much is still lacking.

Handling the Volume of Audit Data

Let's start by talking about the challenge of the sheer quantity of audit data that can be generated by AD in a reasonably sized environment. In an environment of several thousand users, it is not uncommon for domain controller audit logs to overflow within a few days. In other words, unless your security logs are set to a very big size, you might not be able to see all events within a few days, because most IT shops will set the event log to roll over as needed rather than stop logging. Of course, the security event log holds more than just AD changes; it also holds all the security-related events enabled on your domain controllers.

This means that you will likely need to have some way of capturing and consolidating events in a repository before they roll over. This is especially important if you want to get at all the enterprise audit data that is generated, because it is cumbersome to try to do this across multiple domain controllers. There are some ways to do that that are available out of the box. Most notable is the event forwarding feature, where you can selectively forward events from multiple systems to a single consolidated log, but the scalability of that is subject to the size of your infrastructure.

TIP #5: You can use the Event Forwarding feature in Server 2008 and above to forward select security events from one or more DCs to a central event log. Just keep scalability in mind when you do this, because the volume of events in larger environments could outstrip this native feature's capability.

Alerting and Reporting on Audit Events

Another key challenge is alerting and reporting on audit events. Most need to be able to generate a report on audits or be notified when a particular high-risk change occurs (such as when somebody is added to the Domain Admins group). There are some easy, available ways to do that out of the box. You can use the built-in feature to attach a task to a particular event or event source (see Figure 4) and then use that task to send some kind of alert (e.g., by email). But again, that won't scale to many alert types and many alerts.

    Figure 4: Attaching a task to an alert to generatealerts on security events

Reporting on AD Audit Events

Another gap is with native tools for reporting on AD audit events. Even if you're able to consolidate, you still need some way of being able to generate reports on your auditing, and that is not available within the native OS. Frequent questions such as "Tell me all group membership changes that happened in the last 30 days" are extremely difficult, if not impossible, without some kind of reporting tool in place. Further, if regulations require that you keep and archive audit logs, you need a way of doing that in an organized, structured way (other than as the actual event files).

Change Auditing for Group Policy Objects

Finally, let's discuss one particularly key deficiency that is likely to cause you and auditors headaches: the lack of any change auditing for Group Policy Objects (GPOs). Group Policy is the configuration management feature within AD that lets you secure and configure your Windows desktops and servers en masse. GPOs are responsible for everything from your domain password policy to controlling who can log on to which servers and workstations. As a result, auditors find the settings and use of GPOs to be of interest. That means that you need to have good change auditing when changes are made to GPOs. Unfortunately, the native OS is sorely lacking here. Windows Server will show you a change to the AD part of a GPO, but it won't show you which settings were changed within the GPO. This means you're left knowing that *something* changed, but not knowing what the change was, if you rely only on native auditing.

TIP #6: You can see when a GPO was changed by looking for a Directory Services Change event against a groupPolicyContainer class object. This event will correspond to the AD part of a GPO and will show you limited information about who made the change and which properties on the AD part of that GPO were changed. You won't see any information related to what setting changed in the GPO, but at least you know who made the change.

Now that we've looked at what you can do with native tools, let's talk about what auditors are typically looking for with respect to AD and how you can make sure you're prepared for that situation.

    Auditing and Compliance in AD

What Auditors Want

As I mentioned earlier, AD has a huge impact on auditors and compliance officers. Because it controls access to many resources in a typical environment, it is important to be able to show auditors that you know what is changing, at any time, within your AD environment. This means an auditor is going to want to see that you know about all the changes and what the changes are. Some examples of changes that are of particular interest to auditors:

• Changes to group membership, especially groups that control privileged access (e.g., Domain Admins or similar) and groups that control access to sensitive corporate data (e.g., access to file servers or other data sources)

• Changes to attributes that are security-sensitive (e.g., password changes) or the disabling/enabling of user or computer accounts, especially looking to see that employees who leave the organization are disabled upon leaving and that the accounts are not used after they've left

• Changes to audit policy that would result in changes to what is audited, or events that indicate that security has been eased

• Changes to Group Policy Objects, especially those GPOs that control security on desktops and servers (e.g., password policy)

If you're relying on native tools to get the information that auditors need, you need to ensure that you're not inundated with data that would prevent you from effectively finding and keeping track of this kind of information. This means ensuring that you have the data you really need, to limit the overflow of event data that can result in a typical AD environment. This means enabling those categories that are relevant to your audit and management needs. If you are running a Server 2003 AD environment, you know that you have little choice in what essentially gets audited (as I mentioned earlier). But if you have 2008 or 2008 R2 DCs, you can take advantage of the subcategories that are enabled through auditpol.exe or Group Policy to tune down what is reported.

TIP #7: Use Advanced Audit Configuration (Figure 2) or auditpol.exe on your Server 2008 or R2 DCs to only enable auditing on those subcategories you really need to meet your audit and security requirements. See http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx for more details. Also, avoid using audit categories that produce extraordinary quantities of security events (e.g., Object Access auditing), unless you are only doing it for short periods of time.

Giving Auditors What They Want

The key to a successful AD audit is ensuring that you have the information that auditors typically need, right at your fingertips. This means making sure that you have the right auditing enabled, and that you can get that information at a moment's notice. You don't want to be in a position where an auditor asks you to see who logged onto your domain controllers over the last 90 days and you have to say that you can't.

The main thing auditors want to know is that you have a consolidated record of all changes happening to AD and that you can prove that you know about all the changes. But they are often concerned with a much smaller number of changes (in most cases). What they most care about are changes that would grant access to critical resources or changes that circumvent good security practices (e.g., setting a user account's password to never expire). Because user accounts, security groups, and (to a lesser degree) computer accounts are the best targets for auditors, that is where you should ensure that you have coverage and are able to report against those changes over any time period.

If you are using the event forwarding feature I mentioned above, then you can go to a single event log to be able to query all events related to a particular account or event ID. The filtering feature within the Server 2008 event log (see Figure 5) also makes this easier because you can filter by date, event source, and description text within the log.


Figure 5: Filtering security events based on various criteria

By showing that you have a process in place around AD and Group Policy changes, and by being able to back that up with audit reports showing all changes made against critical AD objects, you will be able to meet expected audit needs in your AD environment.

But as I've described, there are some significant limitations within the native auditing, collection, alerting, and reporting that can limit your ability to get what auditors expect. For that reason, I generally suggest that folks have a look at the third-party AD auditing products on the market because they can really make a difference in terms of your ability to quickly and easily report on AD changes.

    Leveraging Third-Party Auditing Tools

Advantages of Third-Party Auditing Tools

The advantages of third-party AD auditing tools are numerous:

Log consolidation. These tools consolidate events from a large number of disparate DCs into a single repository (e.g., a database or file repository), which not only facilitates easier reporting and alerting, but also helps you meet any archival requirements you might be subject to.

Better change detection. In addition, some of the better auditing products don't rely on the native Windows security event log to detect changes to AD (or don't rely solely on them). Therefore, they can often fill in the blanks in terms of changes to AD data that Windows doesn't detect natively, or that require extensive pre-SACLing of your AD objects to support the required auditing.

Less audit data. Third-party tools can also greatly reduce the amount of audit data that is generated, because their custom auditing capabilities can be more efficient about how they record the data that is needed (i.e., you don't need two events to record before and after values, as native auditing requires).

Better auditing of GPOs. In addition, many of the third-party products are able to detect and record specific changes to GPOs, which is something you simply can't do natively.

What to Look for, and What to Look Out for

Agents

If you decide to use a third-party auditing solution, you'll want to keep an eye out for a few things. First, most commercial auditing solutions need to install an agent on every one of your DCs in order to detect, alert on, and report audit events. This is problematic for some AD shops, but it is the way to reliably and scalably collect audit events (and that's my opinion). If you do need to install agents, just make sure the agents are certified for your DCs. Given the sensitivity of AD to most organizations, the last thing you want is an auditing product that brings your AD servers to their knees (of course, it is important to note that native auditing, incorrectly configured, can do that by itself).

Tamper-Proof Repository

In addition, most auditors want to know that no one could have altered the integrity of your audit logs after the system has generated them; this is referred to as non-repudiation. If you are using a third-party auditing product that rests upon native Windows events (which are non-refutable in their native state) and stores them in a repository, they (and you) need to be able to prove to an auditor that no one could have tampered with the events after they were collected and stored.

Canned Reports

You should also look for canned reports that the vendor has created for a number of different compliance or regulatory regimes. Your auditors may have different interpretations of the various regulations out there, but if the vendor has done its homework and provides canned reports tied to the various regulatory requirements (e.g., SOX, PCI, HIPAA), that will greatly reduce the work you have to do to make the auditors happy.

Scalability

Finally, scalability is a general concern, but one that is certainly salient for auditing products in particular, given the number of security events that Windows typically generates. You want to make sure that the third-party auditing product you choose can meet the volume of events and number of servers that your environment contains. Most vendors will have sizing guidelines for their products; you should ensure that the vendor has run in a large-scale environment like yours, if that is a requirement.

Conclusion

Windows natively can provide good auditing of your AD environment, especially with Server 2008 or Server 2008 R2, which include features such as before and after value auditing. But native tools are untenable in many areas (e.g., GPO changes): detail in the data, volume of data generated, and centralized reporting, alerting, and collection that can scale across large environments. Auditors typically look to see that you have good controls in place around AD and its usage, and that you can readily answer questions about when key groups, users, and other objects changed (and who made the change).

After exploring the native functionality, you might find that third-party AD auditing solutions are the answer. Third-party solutions provide many features that Windows lacks. You need to ensure that you do your homework with respect to their performance, reporting, scalability, and compatibility with your AD environment, but these products can go a long way toward making your auditing something that makes your IT shop look sharp!

    About the Author

Darren Mar-Elia is the CTO and founder of SDM Software. Darren has over 25 years of IT and software experience in the Microsoft technology arena, including roles as a Director of Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Senior Director of Product Engineering at DesktopStandard, which was acquired by Microsoft.

Darren has been a Microsoft MVP in Group Policy for the last six years, and has written and spoken on AD, Group Policy, and PowerShell topics around the world. Darren maintains the popular Group Policy resource site gpoguy.com and has been a contributing editor for Windows IT Pro magazine since 1997. He has written and contributed to 12 books on Windows and enterprise networking topics.


Appendix: Quest Solutions for Compliance

Quest compliance solutions give you a consolidated view of your IT compliance status by assessing and building a baseline of your environment, establishing an audit and alert policy for all events related to security information, and putting in place automated remediation when activity that threatens security occurs.

Quest compliance solutions help you address key requirements driven by internal and external regulations, and can reduce the cost and complexity of compliance within your Windows infrastructure. Tackle your most difficult compliance challenges with these Quest products:

Quest Knowledge Portal

Unified Compliance Reporting

Quest Knowledge Portal provides a unified reporting platform across a variety of Quest products. The portal facilitates scheduled and ad-hoc reporting, enabling complete business views of IT activity at summary and granular levels. Authentication allows users to view only the reports for which they have access. With a simple, Web-based deployment you can quickly benefit from Knowledge Portal's predefined and customizable reports and views.

Quest ChangeAuditor

Real-time Change Auditing for Your Windows Environment

Event and change reporting for enterprise applications and services are cumbersome, time-consuming and, in some cases, impossible using native auditing tools. Fortunately there's Quest ChangeAuditor. This product performs audits, alerts and reports on all changes made to: Active Directory (ADAM/AD LDS), Exchange, EMC, NetApp, SQL Server, Windows file servers and even queries against Active Directory, in real time and without enabling native auditing. With its award-winning tools, you can install, deploy and manage your environment from one central console. You can rely on ChangeAuditor to help you achieve your complex compliance challenges and satisfy internal security policies.

Reporter

Windows and Active Directory Reporting Tool

Quest Reporter collects, stores and reports on data from workstations, Windows servers and Active Directory, providing information essential for compliance auditing, Windows security assessment and Active Directory pre- and post-migration analysis. Reporter helps administrators quickly identify trends and relationships, detect and resolve issues, and make strategic and tactical decisions that improve the security of their Active Directory and Windows environments. Reporter decreases daily management workload by automating data collection and report generation; as a result, organizations can spend less time and money managing the infrastructure and dedicate more time to strategic improvements.

InTrust

Security Information Management & Security Event Management for Compliance

InTrust securely collects, stores, reports and alerts on event data from Windows, Unix and Linux systems, helping you comply with external regulations, internal policies and security best practices. InTrust helps you achieve regulatory compliance by auditing access to critical systems and detecting inappropriate or suspicious access-related events. With this tool, you can collect, analyze, report and generate automated real-time alerts on all relevant access-related events across your entire enterprise network. Using InTrust to monitor access to critical systems from multiple platforms reduces the complexity of event management, saves on storage and administration costs, improves information assurance, mitigates risk and helps to reduce costs and more effectively deliver security, operational and compliance reporting.