People generally think that auditing and monitoring are the same thing and, in some ways, they are. The differences between them are subtle, but important nonetheless. In short, auditing is done by auditors, and it is the auditor's responsibility to make use of the available technology to aggregate and present the log data in a way that can be understood and "monitored" by administrators and managers.
While most modern operating systems have auditing capabilities built in, auditing software alone will not be sufficient to deliver a consistently successful audit. Most organizations would undoubtedly benefit from hiring a dedicated and experienced auditor, as security settings have a tendency to drift away from their optimal state. Likewise, some security settings may be misconfigured to begin with. An experienced auditor will be able to pick up on such issues and ensure that the organization is compliant with industry regulations.
Auditors typically carry out periodic audits (usually once a year) on a number of devices and user accounts within Active Directory. Sometimes auditors create custom scripts which automate and aggregate the log data for continuous monitoring.
Once baseline security settings have been established, the auditor should continuously track all changes that relate to those settings. All changes should be presented and reported in a way that allows administrators to verify the state of the system quickly and intuitively.
Active Directory provides native logs which can be used to audit system changes; however, the information provided by these logs is sparse and unintuitive. On top of that, a typical AD domain may log millions of events over a single month. As you can imagine, it can take a long time to search through these logs to find the precise information you need to perform a meaningful audit. Likewise, auditors would need to create custom scripts, perhaps using PowerShell, in order to generate alerts and reports.
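As an added illustration of the kind of custom script described above (not code from the original post or from any vendor), the following PowerShell pulls common account and group change events from a domain controller's Security log and reduces them to a who/what/when/where table with a simple threshold alert. It assumes it runs on, or is pointed at, a domain controller where the "Audit Account Management" subcategories are enabled; the event IDs are standard Windows Security log IDs, and the threshold value is a hypothetical one.

```powershell
# Added example: summarise Active Directory change events from a domain controller's
# Security log into a who/what/when/where table. Not from the original page.
# Assumes: run on a DC with the "Audit Account Management" subcategories enabled,
# so these events are actually written.

# Standard Windows Security log event IDs for common account/group changes.
$ChangeEvents = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4724 = 'Password reset attempted'
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4740 = 'Account locked out'
}

# Hypothetical threshold: flag any single actor making more changes than this in the window.
$AlertThreshold = 10
$Since = (Get-Date).AddHours(-24)

# FilterHashtable is evaluated by the event log service itself, which is far faster
# than piping every event through Where-Object on a domain with millions of entries.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$ChangeEvents.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Project each event into who / what / when / where. In the event XML,
# SubjectUserName is the actor and TargetUserName is the object that was changed.
$report = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        When   = $e.TimeCreated
        Who    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        What   = $ChangeEvents[$e.Id]
        Target = $d['TargetUserName']
        Where  = $e.MachineName
    }
}

$report | Sort-Object When | Format-Table -AutoSize

# Simple threshold alert: any actor above the limit is surfaced for review.
$report | Group-Object Who | Where-Object { $_.Count -gt $AlertThreshold } |
    ForEach-Object { Write-Warning "$($_.Name) made $($_.Count) changes since $Since" }
```

Scheduling this as a daily task and keeping the output gives the kind of continuous, aggregated view the text describes, without searching raw events by hand.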
Using AD's native logs is a challenge, but don't despair, for there is a better way. In recent years, we've seen significant advances in the field of IT security auditing. There are a large number of commercial solutions on the market, and the cost of these solutions has come down considerably. The LepideAuditor for Active Directory, for example, has a wide range of features which make the task of auditing much simpler.
Lepide Active Directory Auditor provides:
- Over 90 relevant reports for all manner of security, IT operations and compliance challenges
- Powerful reports showing a single log entry for a single change, with who, what, when and where values
- Real-time alerts
- Threshold alerts based on user-defined time and date criteria
- A mobile app to keep track of changes on the go
- Rollback of unwanted changes
- Analysis of historical permission changes
- A view of all permissions on an object
- Comparison of an object's permissions between two dates
With LepideAuditor, determining who is changing what, where and when becomes a trivial task, and the audit data aggregated from multiple sources is presented via a single, intuitive dashboard.