Active Directory is a critical part of any organization’s IT infrastructure. Unwanted changes in Active Directory could result in potentially disastrous consequences for the security of data. Changes to user accounts, passwords, group memberships and more could lead to excessive permissions and increased risk of privilege abuse.
For those reasons, and more, it is essential that you continuously and proactively audit Active Directory changes. If you’re unsure where to start, in this article we have broken down five critical Active Directory changes that you need to audit.
1. Changes to User Accounts
There are a number of reasons why changes to user accounts could be potentially dangerous. If a new user with excessive permissions is created, if a user account is deleted, or if a large number of user accounts are disabled or enabled, this can be a sign of malicious activity or the precursor to a data breach. Therefore, these types of changes need to be detected and addressed quickly.
LepideAuditor enables you to easily audit user account changes and gives you the ability to see what changes were made to which accounts, who made the change, when the change was made and in which domain.
You can also audit user account changes using native auditing; however, the steps are far more convoluted than using an Active Directory auditing solution.
2. Password Resets
Abnormal password resets, particularly when we’re referring to administrative accounts or users with access to sensitive data, could be a sign of a compromised account. To audit these password resets effectively you need to be able to determine which user accounts were affected, who reset the password, when it was reset and whether this activity was anomalous compared with known user behavior. LepideAuditor enables you to do all of this through real-time alerts and detailed reports. You can also track who reset the password of an AD user using the Group Policy Management Console (GPMC).
3. Changes to Security Group Memberships
If a user is mistakenly added to a security group, they may be granted unwanted access to sensitive data that they could then modify, delete or copy. Your organization cannot operate on a policy of trust. You must ensure that users are only granted rights to access the data they need to do their job effectively. That’s why it is so important to monitor changes to security group memberships.
The kinds of questions you will need to answer include who has been added to or removed from a security group, who made the change and when the change was made. All of this information, and more, is provided within a pre-defined report in LepideAuditor. You can also use the GPMC to audit changes to security group memberships.
4. Concurrent Logins
One of Windows’ weakest areas of security is its logon controls. For example, Windows does not let you restrict a given user account to logging on at only one computer at a time. These so-called concurrent logins are potentially a sign of malicious activity. More often than not, a user will simply have forgotten to log out before opening another session. However, if two or more users are using the same credentials to log in, this could be a sign of a data breach.
LepideAuditor has a concurrent login report that provides you with critical information so that you can determine whether the concurrent login sessions are legitimate or need to be addressed.
5. Changes to Group Policy
Group Policy is a vital part of controlling Active Directory permissions, and changes to objects, settings, links and permissions may leave your Active Directory vulnerable to privilege abuse or data leakage. To determine whether Group Policy changes are legitimate, you will need to know what types of changes were made, what was changed, who made the change and when.
It is possible to audit changes to Group Policy objects using native auditing techniques, but the process isn’t nearly automated enough to provide insight when it is required. LepideAuditor, on the other hand, can provide you with actionable, real-time information through automated reports and alerts.
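For readers who want to see what the native route looks like, here is an added PowerShell example (not from the article or from Lepide) that pulls the who/what/when for all five categories above out of a domain controller's Security log. It assumes the advanced audit subcategories for user account management, security group management, directory service changes and logon are enabled, and that the caller can read the Security log on the DC named in `$DC`.

```powershell
$DC    = 'DC01'   # assumed domain controller name; change to suit
$Hours = 24       # look-back window

# Security event IDs for the change categories discussed in the article.
$Categories = @{
    4720 = 'User created';  4726 = 'User deleted'
    4725 = 'User disabled'; 4722 = 'User enabled'
    4724 = 'Password reset'
    4728 = 'Added to global group';    4729 = 'Removed from global group'
    4732 = 'Added to local group';     4733 = 'Removed from local group'
    4756 = 'Added to universal group'; 4757 = 'Removed from universal group'
    5136 = 'Directory object modified'  # filtered below to GPO containers only
}

# Return one named EventData field from an event's XML payload.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = [int[]]$Categories.Keys; StartTime = $since }

Get-WinEvent -ComputerName $DC -FilterHashtable $filter | ForEach-Object {
    $isGpo = $_.Id -eq 5136
    # Ignore 5136 events for anything other than Group Policy edits.
    if ($isGpo -and (Get-EventField $_ 'ObjectClass') -ne 'groupPolicyContainer') { return }
    $target = if ($isGpo) { Get-EventField $_ 'ObjectDN' } else { Get-EventField $_ 'TargetUserName' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Change    = $Categories[$_.Id]
        Target    = $target
        Member    = Get-EventField $_ 'MemberName'     # populated only for group membership events
        ChangedBy = "$(Get-EventField $_ 'SubjectDomainName')\$(Get-EventField $_ 'SubjectUserName')"
        Domain    = Get-EventField $_ 'TargetDomainName'
    }
} | Sort-Object Time | Format-Table -AutoSize

# Concurrent logons: the same account with interactive (2) or RDP (10) logons
# from more than one workstation inside the window.
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        [pscustomobject]@{ User = Get-EventField $_ 'TargetUserName'
                           Type = Get-EventField $_ 'LogonType'
                           Host = Get-EventField $_ 'WorkstationName' }
    } |
    Where-Object { $_.Type -in '2', '10' } |
    Group-Object User |
    Where-Object { ($_.Group.Host | Select-Object -Unique).Count -gt 1 } |
    Select-Object Name, @{ n = 'Workstations'; e = { ($_.Group.Host | Select-Object -Unique) -join ', ' } }
```

Run it in an elevated session on, or with network access to, the domain controller; event ID 5136 only appears once "Audit Directory Service Changes" is enabled and a SACL exists on the Group Policy containers.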