Overcoming the limitations of Native Auditing with LepideAuditor for Active Directory

by Umendra Singh   08.29.2013   Auditing

Active Directory auditing matters because it gives a clear picture of how the directory is actually being used: who made which change, on which object, when and from where. Real-time monitoring of changes and consistent review of the logs let companies and their IT administrators detect the real risks posed by unauthorized intrusion and unwanted changes inside the IT infrastructure. Native Active Directory auditing, however, falls short of this in several ways. In this post we discuss why native auditing alone is not a practicable approach and what a one-stop alternative looks like.

Report on Who, What, When, & Where

The events captured in Event Viewer do not, on their own, tell the complete story of a change. The Directory Service Access event (4662) that most changes generate does record the actor, but it identifies the object class and the attributes touched only by schema GUIDs, and a newly created object by its GUID rather than its name, so "who did what, on which object" has to be decoded rather than read. A single administrative action also produces many such events. For example, after clearing all logs, Event Viewer captured more than 1400 entries for three actions: disabling a user, deleting another user, and creating a new user. Those three actions also raise dedicated account-management events (4720 user created, 4725 user disabled, 4726 user deleted) that name both the subject and the target account, but they are buried among the rest and, like every Security event, exist only on the domain controller that processed the change.

Figure 1: Event Viewer captured more than 1400 events for three actions


Lack of Simplicity

The information in Event Viewer and in the exported log is not presented in a readable form. Formatting the captured information takes real effort, and reading or presenting the raw entries consumes time and resources. Consider the screenshot of a user-creation event and its detailed log.

Figure 2: An event of user creation

Following is the captured log of the new user creation. Read directly, it is neither self-explanatory nor precise: the object type and the properties written appear only as GUIDs, and the access list as a message-table token.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/23/2013 12:55:35 PM
Event ID:      4662
Task Category: Directory Service Access
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Server-Server.www.domain.com
Description:
An operation was performed on an object.

Subject :
Security ID:        Domain\administrator
Account Name:        administrator
Account Domain:        Domain
Logon ID:        0x1069a9

Object:
Object Server:        DS
Object Type:        user
Object Name:        CN=create,OU=testing,DC=www,DC=Domain,DC=com
Handle ID:        0x0

Operation:
Operation Type:        Object Access
Accesses:        Write Property

Access Mask:        0x20
Properties:        Write Property
{4c164200-20c0-11d0-a768-00aa006e0529}
{bf967a68-0de6-11d0-a285-00aa003049e2}
{bf967aba-0de6-11d0-a285-00aa003049e2}

Additional Information:
Parameter 1:        –
Parameter 2:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-07-23T07:25:35.236957700Z" />
<EventRecordID>93367389</EventRecordID>
<Correlation />
<Execution ProcessID="664" ThreadID="6668" />
<Channel>Security</Channel>
<Computer>Server-Server.www.domain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-613456321-2338313241-2375461292-500</Data>
<Data Name="SubjectUserName">administrator</Data>
<Data Name="SubjectDomainName">domain</Data>
<Data Name="SubjectLogonId">0x1069a9</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{a610aa7e-eb73-4a62-9d22-37d732121aa5}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7685
</Data>
<Data Name="AccessMask">0x20</Data>
<Data Name="Properties">%%7685 {4c164200-20c0-11d0-a768-00aa006e0529}{bf967a68-0de6-11d0-a285-00aa003049e2}{bf967aba-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2">
</Data>
</EventData>
</Event>
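The record above is hard to read chiefly because ObjectType, ObjectName and Properties carry schema GUIDs and a message-table token (%%7685, which the rendered view shows as Write Property). The following PowerShell is an example added here, not code from the original post or from Lepide; it resolves those GUIDs against the domain's own schema partition and Extended-Rights container and prints the event as who, what, when and where. It assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read the Security log; the function and variable names are the example's own.

```powershell
# Added example, not from the original post: decode a 4662 "Directory Service
# Access" record into who / what / when / where.
# Assumes the ActiveDirectory (RSAT) module and read access to the Security log.
Import-Module ActiveDirectory

# GUID -> name lookup, built once per session.
# Attributes and classes publish schemaIDGUID in the schema partition; property
# sets such as User-Account-Restrictions publish rightsGuid under Extended-Rights.
$rootDse   = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([guid]$_.rightsGuid).Guid] = "$($_.displayName) [property set]" }

# ADS_RIGHT_DS_* bits carried in AccessMask; 0x20 is Write Property.
$dsRights = [ordered]@{
    0x1  = 'CreateChild'; 0x2  = 'DeleteChild';   0x4  = 'ListChildren'; 0x8 = 'Self'
    0x10 = 'ReadProperty'; 0x20 = 'WriteProperty'; 0x40 = 'DeleteTree'
    0x80 = 'ListObject';   0x100 = 'ControlAccess'
}

function ConvertFrom-Event4662 {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # Pull the <Data Name="...">value</Data> pairs out of the event XML.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $mask   = [int]$data.AccessMask                       # "0x20" -> 32
    $rights = foreach ($bit in $dsRights.Keys) { if ($mask -band $bit) { $dsRights[$bit] } }

    # Properties = message-table token (%%7685) followed by the GUIDs touched;
    # keep only the GUIDs and resolve each one, falling back to the raw GUID.
    $guids = [regex]::Matches($data.Properties, '[0-9a-fA-F-]{36}') | ForEach-Object { $_.Value }
    $props = foreach ($g in $guids) { if ($guidNames.ContainsKey($g)) { $guidNames[$g] } else { $g } }

    [pscustomobject]@{
        When       = $Event.TimeCreated
        Where      = $Event.MachineName
        Who        = "$($data.SubjectDomainName)\$($data.SubjectUserName) (logon $($data.SubjectLogonId))"
        What       = $rights -join ', '
        ObjectType = $guidNames[$data.ObjectType.Trim('%{}')]    # e.g. user
        Object     = $data.ObjectName    # a GUID for a just-created object, otherwise the DN
        Touched    = $props -join ', '
    }
}

# Usage: decode the last day's 4662 write events on this DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1) } |
    ForEach-Object { ConvertFrom-Event4662 $_ } |
    Where-Object { $_.What -match 'WriteProperty' } |
    Format-List
```

Applied to the record above, the three GUIDs under Properties resolve to the User-Account-Restrictions property set, the userAccountControl attribute and the user class, and ObjectType resolves to user: the administrator wrote the userAccountControl attribute of the newly created user object. The information is therefore present in the native event; what is missing natively is a tool that performs this translation for every record.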

No Centralized System

Active Directory has no primary and backup domain controllers; every writable DC is a peer, and a change is audited only in the Security log of the DC that processed it, because Security logs do not replicate. With dozens of domain controllers in a domain, administrators therefore have to audit each one separately. A single change is captured as several events and displayed among hundreds of routine system events in Event Viewer, so tracing one change sequence means going through a vast number of events.
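To make the per-DC problem concrete, here is an added PowerShell example (not part of the original post or of Lepide's product) that queries every domain controller for the three account-management events behind the actions in Figure 1 (4720 user created, 4725 user disabled, 4726 user deleted) and merges them into one who/what/when/where list. It assumes the RSAT ActiveDirectory module, remote Event Log (RPC) access to each DC, and a 24-hour window; the function and variable names are the example's own.

```powershell
# Added example, not from the original post: collect account-management events
# from every DC in the domain and present them as who / what / when / where.
# Assumes the ActiveDirectory (RSAT) module and remote Event Log access to each DC.
Import-Module ActiveDirectory

# Event IDs for the three actions discussed in the text.
$idMeaning = @{ 4720 = 'User created'; 4725 = 'User disabled'; 4726 = 'User deleted' }

function Get-AccountChanges {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{ LogName = 'Security'; Id = @($idMeaning.Keys); StartTime = $Since }

    # Security logs do not replicate, so every DC has to be asked.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    $x = [xml]$_.ToXml(); $d = @{}
                    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
                    [pscustomobject]@{
                        When   = $_.TimeCreated
                        Where  = $dc.HostName
                        Who    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                        What   = $idMeaning[$_.Id]
                        Target = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    }
                }
        } catch {
            # Get-WinEvent throws when a DC has no matching events; that is not an error.
            # Anything else (DC down, RPC blocked, access denied) is a finding in itself.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            }
        }
    }
}

Get-AccountChanges | Sort-Object When | Format-Table -AutoSize
```

Filtering on the account-management IDs keeps the noise of Figure 1 out of the result, but the script still has to reach every DC over RPC at query time and sees nothing that has already been overwritten, which is the retention problem described next.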

No Long-term Storage

The Event Viewer log has a maximum size, either the default or one set by an administrator. Once that limit is reached, older events are overwritten (the default, circular mode), archived to a new file, or must be cleared by hand to make room for new ones, and on a busy domain controller the default size fills quickly. This does not meet regulatory standards and compliance frameworks that require long-term retention of all audit logs.

Figure 3: Limitation on the storage of logs
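The size and overwrite mode behind Figure 3 can be inspected, and the weak default corrected, from PowerShell. The following is an example added here (not from the original post or from Lepide) that reports the Security log configuration of every DC and switches a circular log to archive-on-full; it assumes the RSAT ActiveDirectory module and remote Event Log access, and the 4 GB size is an illustrative value, not a recommendation.

```powershell
# Added example, not from the original post: report the Security log's size and
# overwrite mode on every DC and stop silent overwrite where it is still in effect.
# The 4 GB size is an illustrative assumption; set what your disks and policy allow.
Import-Module ActiveDirectory

foreach ($dc in Get-ADDomainController -Filter *) {
    $log = Get-WinEvent -ListLog Security -ComputerName $dc.HostName

    # LogMode Circular   = overwrite the oldest events when full (the weak default)
    #         AutoBackup = archive the full log to a new .evtx file and start a fresh one
    #         Retain     = stop logging when full (do not overwrite)
    '{0,-30} {1,8:N0} MB  {2}' -f $dc.HostName, ($log.MaximumSizeInBytes / 1MB), $log.LogMode

    if ($log.LogMode -eq 'Circular') {
        $log.MaximumSizeInBytes = 4GB
        $log.LogMode = 'AutoBackup'
        $log.SaveChanges()
    }
}
```

Two caveats apply. On domain controllers these values are normally pushed by Group Policy (Administrative Templates, Windows Components, Event Log Service, Security), so a local change is only a stop-gap until policy reapplies. And AutoBackup only moves the problem: the archived .evtx files still sit on the DC's own disk, so they have to be collected off the server for the retention the compliance frameworks demand. Retain is not a substitute either, since a full log then stops recording new events.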

No Advanced Reporting and Alert System

Native auditing offers no real report generation. Beyond Event Viewer's custom views and filters, administrators have to consolidate the logs scattered across servers by hand in order to build a report. Nor is there real-time alerting on unauthorized changes or activity; the closest native hook, attaching a Task Scheduler task to an event ID, fires per event and does not correlate or summarize.

Easy Reversal of Changes

There should be a mechanism to restore Active Directory to its last known-good state when something unwanted has happened and must be undone as quickly as possible. Natively, the Active Directory Recycle Bin (Windows Server 2008 R2 and later, once enabled) brings back deleted objects, and an authoritative restore from a system-state backup can roll back further, but neither lets an administrator undo an individual attribute change on the live directory.

One-stop Solution – LepideAuditor for Active Directory

The drawbacks of native auditing discussed above are reason enough to consider an all-round third-party solution such as LepideAuditor for Active Directory (LAAD). Unlike similar products, LAAD lets you add a domain with all of its domain controllers at once.

LAAD is a truly centralized solution: it displays the change logs of all domain controllers in a domain in one place and stores them long term in a central database, with no storage cap and no expiry. It presents the information in a readable format with filtering, search and sort options.

It clearly reports who made which change, on which object, when, and from where, and the changes made by a specific user can be isolated. It generates multiple reports in two major categories, which can be saved in different formats and scheduled for automated delivery by email to administrators and other recipients. It also sends real-time email alerts for critical changes, so administrators can undo an unwanted change before it is too late. Its interactive Snapshot feature lets an administrator restore the current Active Directory state to an earlier, desired one, or select a particular unwanted change to roll back.

Final Verdict

Native Active Directory auditing has critical gaps: raw, unformatted events, short-term log storage, log collection spread across every domain controller, and no built-in reporting or alerting. LepideAuditor for Active Directory is built for real-time monitoring and interactive auditing of Active Directory; its centralized system provides real-time alerts on critical events, reports on critical changes, AD restoration and more.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.