For organizations that use Windows Server, nearly all authentication and access control related tasks are tied to the Active Directory. Additionally, application configuration information is also sometimes stored in the Active Directory. Given everything that the Active Directory does, it would not be a stretch to think of the Active Directory as being the glue that ties all of an organization’s IT resources together.
Because the Active Directory is such a major part of the overall IT infrastructure, Active Directory audit logging should be considered a critically important task. After all, malicious or accidental Active Directory modifications could impact multiple systems.
There are a number of best practices for audit logging within the Active Directory. One of the most essential is that log contents should be meaningful. Windows Server is natively able to perform audit logging for the Active Directory, and for various other Windows roles, features, and subsystems. However, Windows tends to log so much information that the audit logs can become congested with relatively insignificant entries, which can make it extremely difficult to locate a specific log entry.
Furthermore, Windows event log entries are based around the use of somewhat obscure Event ID numbers. For each event, Windows provides an Event ID number, a level, a user, a vague description of the event, and a few other pieces of information. This approach to audit logging is inadequate because it can be difficult to locate an event within the event logs, and the event log entry provides very limited information about the event.
When it comes to protecting something as critical as the Active Directory, you are better off using a third-party audit logging solution, such as LepideAuditor. This product logs Active Directory activity in a way that makes it easy to track down specific events. More importantly, log entries contain meaningful information. When an Active Directory setting is changed, the corresponding log entry will show not only what has changed, but also the setting’s original value.
The approach that an organization takes to Active Directory audit logging is every bit as important as the software that it uses to create the logs. Generally speaking, Active Directory audit logging must be able to detect two things – modifications and events.
Modifications refer to changes that are made within the Active Directory. These changes might involve the creation of a new user account, or perhaps a change to a group policy setting. Auditing the modification of Active Directory settings gives administrators insight into the current state of the Active Directory. The information can be used to determine how the Active Directory is currently configured, who was responsible for the various modifications, and when each modification occurred.
Active Directory audit logging should also keep track of events that occur. An example of such an event might be a user logging in using an Active Directory account. Tracking this type of information is useful for a variety of reasons. Sure, tracking actions such as logon attempts can help the IT staff to spot attempted security breaches, but there are other benefits. For example, an administrator might use logging data to determine which Active Directory accounts are no longer being used. Removing these accounts can improve security and may also reduce licensing costs.
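The two requirements described above, auditing modifications (with the original value preserved) and auditing events such as logons, can both be met from the native Windows Security log if the entries are post-processed. The following Python script is an added example, not code from the article or from Lepide. It works over constructed sample records shaped like the data fields Windows writes for Event ID 5136 (directory service object modified) and Event ID 4624 (successful logon); field names such as `OpCorrelationID`, `AttributeLDAPDisplayName` and `TargetUserName` mirror the event XML, while the `OperationType` strings are the rendered "Value Deleted" / "Value Added" text rather than the raw resource codes, which is a simplification assumed here. The script pairs the deleted and added values that share a correlation ID to recover the before and after value of an attribute, and flags accounts with no successful logon inside a retention window.

```python
"""Added example (not from the article): reconstruct before/after values from
Windows Security log 5136 events and flag stale accounts from 4624 logons.
All records below are constructed sample data, not real log exports."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Event ID 5136 logs the old attribute value as a
# "Value Deleted" record and the new value as a "Value Added" record; the two
# share an OpCorrelationID. 4624 is a successful logon. 4688 is process
# creation and is included only as an example of log noise.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-03-01T09:00:00", "SubjectUserName": "admin.jane",
     "ObjectDN": "CN=Bob,OU=Staff,DC=corp,DC=example", "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance analyst", "OperationType": "Value Deleted", "OpCorrelationID": "C1"},
    {"EventID": 5136, "TimeCreated": "2024-03-01T09:00:00", "SubjectUserName": "admin.jane",
     "ObjectDN": "CN=Bob,OU=Staff,DC=corp,DC=example", "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Finance manager", "OperationType": "Value Added", "OpCorrelationID": "C1"},
    # A group membership addition: only a "Value Added" record exists, so the
    # reconstructed change has no old value.
    {"EventID": 5136, "TimeCreated": "2024-03-02T14:30:00", "SubjectUserName": "admin.jane",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=example", "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=Bob,OU=Staff,DC=corp,DC=example", "OperationType": "Value Added",
     "OpCorrelationID": "C2"},
    {"EventID": 4624, "TimeCreated": "2024-03-10T08:15:00", "TargetUserName": "bob"},
    {"EventID": 4624, "TimeCreated": "2023-11-02T17:40:00", "TargetUserName": "carol"},
    {"EventID": 4688, "TimeCreated": "2024-03-10T08:16:00", "SubjectUserName": "bob"},
]

# Event IDs worth keeping for AD auditing; everything else is treated as noise.
WATCHED_IDS = {4624, 4625, 4720, 4726, 5136}


def watched(events):
    """Drop records whose Event ID is not on the audit watch list."""
    return [ev for ev in events if ev["EventID"] in WATCHED_IDS]


def reconstruct_changes(events):
    """Pair 5136 'Value Deleted' / 'Value Added' records that share a
    correlation ID, object and attribute into one change with old and new
    value. A record with no partner still yields a change (old or new is None)."""
    values = defaultdict(dict)
    meta = {}
    for ev in events:
        if ev["EventID"] != 5136:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        slot = "old" if ev["OperationType"] == "Value Deleted" else "new"
        values[key][slot] = ev["AttributeValue"]
        meta[key] = (ev["SubjectUserName"], ev["TimeCreated"])
    changes = []
    for (corr, dn, attr), vals in values.items():
        who, when = meta[(corr, dn, attr)]
        changes.append({"object": dn, "attribute": attr,
                        "old": vals.get("old"), "new": vals.get("new"),
                        "changed_by": who, "when": when})
    return changes


def stale_accounts(accounts, events, as_of, max_age_days=90):
    """Return account names (sorted) with no successful logon (4624) within
    max_age_days before the ISO date as_of. Accounts that never logged on
    at all are included, since they are the most likely to be forgotten."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_age_days)
    last_logon = {}
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        name = ev["TargetUserName"].lower()
        if name not in last_logon or when > last_logon[name]:
            last_logon[name] = when
    return sorted(a for a in accounts
                  if last_logon.get(a.lower(), datetime.min) < cutoff)


if __name__ == "__main__":
    kept = watched(SAMPLE_EVENTS)
    for c in reconstruct_changes(kept):
        print(f"{c['when']} {c['changed_by']} changed {c['attribute']} on "
              f"{c['object']}: {c['old']!r} -> {c['new']!r}")
    print("stale:", stale_accounts(["bob", "carol", "dave"], kept, as_of="2024-03-15"))
```

On a real domain controller the same functions would be fed records pulled from the Security log (for example with `Get-WinEvent` filtered to the watched Event IDs and exported as XML), and the account list would come from the directory itself; the pairing logic is what turns the two raw 5136 records into the single "old value, new value" entry the article asks for.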
In order for Active Directory audit logging to be truly beneficial, the logs must contain meaningful information, and the administrative staff must be able to easily locate that information on an as-needed basis. Although Windows Server provides extensive logging capabilities, the Windows event logs and the Event Viewer tool leave a lot to be desired. As such, organizations that are serious about Active Directory audit logging should use a third-party Active Directory auditing tool.
About Author – Brien Posey is a freelance author, technical speaker and Microsoft MVP.