9 critical flaws in auditing Active Directory natively

By Aidan Simister, 11.03.2015, Auditing

A question the IT community regularly asks is: why do we need a third-party solution to audit Active Directory, Group Policy, Exchange and the like?

To answer this question, we’ve put together a high-level paper that talks through the potential pitfalls of auditing without a third-party solution. From the outset, this piece unashamedly takes the position that native auditing isn’t really adequate for most mid-market and enterprise-level IT teams today. And here’s why.

  1. X changed to Y – Native auditing will tell you that something has changed, i.e. it will show you the value is now Y. That is useful up to a point, but for the change to be meaningful you really want to know what the previous value was, so you have some context. For example, let’s say an admin makes a change to a particular AD object and the change has a detrimental impact on a specific user. In this instance you need to know what the value was before the change in order to rectify the issue quickly. The fact is, showing an administrator that something has changed is often not enough.

  2. It’s reactive – Sure, there are ways you can create alerts on particular events, but frankly the alerting and reporting capabilities within the default Event Viewer are somewhat crude. Let’s say someone alters a permission on a specific user, or changes something critical, without it having a noticeable impact: how long would it take you to find out? Often the reality is that these things are only detected in the wake of an incident, i.e. when data goes missing, a privilege is abused and so on. So, with ever-increasing security threats, the importance of IT to the business and the ever-increasing need for overall business continuity, is native auditing doing its job here?

  3. Too noisy to deliver real value – I don’t think anyone can deny that auditing with everything enabled can be a tad noisy, in some instances to the extent of being severely disruptive to the performance of the audited system. Some organizations, in fact, avoid auditing altogether for this very reason. The bigger issue here is that through all the noise it’s practically impossible to glean any real insight into what’s actually happening within the specific system. Surely an approach that handles the filtering and normalization of the data makes more sense?

  4. It’s like a jigsaw puzzle – Manually answering a basic question such as who made a change, what it was, where and when, requires patience and time. And time, in particular, is not something often associated with the modern IT department. Piecing together the information required to answer this one relatively simple question, and then delivering it in an accessible format, is no mean feat.

  5. It’s not easily scalable – Let’s say you’re a multi-site organization. Have you ever tried to scale and consolidate logs across multiple sites, and maintain a policy for auditing and monitoring, using native logs? The fact is, this is somewhat problematic.

  6. It lacks security – While we’d like to think we can trust everyone, the reality is that from time to time people abuse our trust and abuse their privileges. Let’s say you have a rogue administrator in your team: they make changes, alter permissions and then want to hide the trail. The log file is deleted and, to a certain extent, the trail is gone. Does it not make more sense to deploy a third-party solution that doesn’t rely solely on logs, one that encrypts the logs at rest and automatically backs up and archives them should they require interrogation at a later date?

  7. Time is money – Now, more than ever, the mantra ‘time is money’ is heard loudly within IT teams. They’re under increasing pressure to automate as much as possible and to find cheaper, leaner and faster ways of doing things. And I don’t think anyone can deny that searching through log files is a thankless and laborious task. Sure, perhaps 3-4 years ago, while the auditing market was in its infancy, the only real alternatives were expensive and were a big project to deploy. The fact is, this is no longer the case. In most cases the ROI case for investing in a solution that eliminates the need to handle logs manually is an easy one to make.

  8. Not good enough for compliance – Organizations with compliance drivers will likely have to produce some pretty extensive and detailed reports to keep the auditors happy. And sure, with time, patience and resources you could probably ‘get by’ and pass an audit without a third-party approach. But does it make sense to do this? Surely there’s a better way.

  9. It’s a false economy – As I alluded to earlier, a common misconception is that deploying a third-party auditing or monitoring solution will be a cost center without justification. And let’s be realistic here: for some companies this may well be the case, but increasingly it’s not. For most companies it will be easily justifiable when you consider the time savings from automation combined with the damage a ‘rogue’ user can do. This is particularly relevant for organizations with compliance requirements, those handling sensitive data, or those with large numbers of IT administrators. The savings made from automation, the overall risk versus reward of having something in place to identify abuse or even a potential breach, and the reputational risk all add up to a strong business case.
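Points 1, 3 and 6 above are all things a defender can partly reconstruct from native logs, at the cost of the manual effort the post describes. As an added example (not code from the original post or from Lepide), the script below works over a small set of constructed event records modelled on the EventData fields of Windows Security events 5136 (directory service object modified) and 1102 (audit log cleared): it pairs the Value Deleted / Value Added events that one attribute edit produces into a single "X changed to Y" record, drops the noise events, and flags any clearing of the audit log. The field names, the export shape and the sample values are assumptions of this example.

```python
"""Rebuild before/after values from native AD change events and flag
audit-log clearing. Added example; the records are constructed and the
field layout is an assumption, not a real export."""
from collections import defaultdict

# Event IDs this triage cares about; everything else is treated as noise.
DS_OBJECT_MODIFIED = 5136   # A directory service object was modified
AUDIT_LOG_CLEARED = 1102    # The audit log was cleared
INTERESTING = {DS_OBJECT_MODIFIED, AUDIT_LOG_CLEARED}

# Windows renders OperationType %%14674 / %%14675 as Value Added / Value Deleted.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample stream (not real log data). A single attribute edit
# yields two 5136 events sharing one OpCorrelationID: the old value is
# reported as deleted and the new value as added.
BOB = "CN=Bob,OU=Users,DC=example,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2015-03-11T09:00:01", "SubjectUserName": "alice"},
    {"EventID": 5136, "Time": "2015-03-11T09:02:10", "SubjectUserName": "admin1",
     "OpCorrelationID": "{C1}", "ObjectDN": BOB,
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "512", "OperationType": VALUE_DELETED},
    {"EventID": 5136, "Time": "2015-03-11T09:02:10", "SubjectUserName": "admin1",
     "OpCorrelationID": "{C1}", "ObjectDN": BOB,
     "AttributeLDAPDisplayName": "userAccountControl",
     "AttributeValue": "514", "OperationType": VALUE_ADDED},
    {"EventID": 4634, "Time": "2015-03-11T09:03:00", "SubjectUserName": "alice"},
    # Adding a member to a group is a Value Added with no matching Value Deleted.
    {"EventID": 5136, "Time": "2015-03-11T09:04:30", "SubjectUserName": "admin1",
     "OpCorrelationID": "{C2}", "ObjectDN": DOMAIN_ADMINS,
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": BOB, "OperationType": VALUE_ADDED},
    {"EventID": 1102, "Time": "2015-03-11T09:05:00", "SubjectUserName": "admin1"},
]


def filter_noise(events):
    """Keep only the event IDs worth a human's attention (point 3)."""
    return [ev for ev in events if ev["EventID"] in INTERESTING]


def reconstruct_changes(events):
    """Pair Value Deleted / Value Added 5136 events into before/after records (point 1).

    A record with before=None means the value was newly added (multi-valued
    attributes such as 'member'); after=None means it was removed.
    """
    groups = defaultdict(lambda: {"before": None, "after": None})
    for ev in events:
        if ev["EventID"] != DS_OBJECT_MODIFIED:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        group = groups[key]
        group["time"], group["who"] = ev["Time"], ev["SubjectUserName"]
        if ev["OperationType"] == VALUE_DELETED:
            group["before"] = ev["AttributeValue"]
        elif ev["OperationType"] == VALUE_ADDED:
            group["after"] = ev["AttributeValue"]
    return [
        {"time": g["time"], "who": g["who"], "object": dn, "attribute": attr,
         "before": g["before"], "after": g["after"]}
        for (_corr, dn, attr), g in groups.items()
    ]


def find_log_clears(events):
    """Return (time, who) for every 1102 event: the trail being wiped (point 6)."""
    return [(ev["Time"], ev["SubjectUserName"])
            for ev in events if ev["EventID"] == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    kept = filter_noise(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events, {len(kept)} after noise filtering")
    for change in reconstruct_changes(kept):
        print(f"{change['time']} {change['who']}: {change['object']} "
              f"{change['attribute']}: {change['before']!r} -> {change['after']!r}")
    for when, who in find_log_clears(kept):
        print(f"ALERT {when}: audit log cleared by {who}")
```

Note the limitation the post is pointing at: once a 1102 event appears, everything that preceded it in that log is gone unless it was already forwarded or archived elsewhere, so the reconstruction only works on events that left the domain controller before the clear. The pairing also only holds when both halves of an edit are present; a Value Added with no partner is reported with before=None rather than silently dropped.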

In conclusion: We’re now in a fortunate position where there is a good range of mature Active Directory auditing solutions on the market that solve all of these problems (if you pick the right one, which is a whole other topic). And while this blog is predominantly focused on the pitfalls of Active Directory auditing, there are many other audit challenges that need to be addressed, most of which are also covered by default in the various suites available. For example, a number of solutions will give you a central place to also audit file servers, SQL servers, SharePoint, Exchange servers and more.

While it was certainly true that until recently there was a lack of real choice in this space, and customers were left with either native auditing or the prospect of re-mortgaging their house and embarking upon an epic journey, the fact is the market has changed for the better. There are a number of solutions available today that are quick to deploy (we’re talking hours), easy to use, simple to manage and realistically priced. Perhaps two or three years from now we could be reminiscing about the ‘olden days’: ‘can you believe we actually used to use native audit logs?’ I certainly hope so.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.