Keeping Active Directory clean and secure is a never-ending challenge for IT teams. But worrying about what your users are changing in your critical servers or data shouldn’t be keeping you up at night. Insight-driven actions, taken at the right time, can help to identify and prevent potential attacks/leaks before the damage is done. Arming your infrastructure with a third-party auditing solution is an investment into the future security and safety of your organization. In this article, I will be casting some light on the most important things you need to audit in Active Directory to help give you peace of mind when it comes to security. The auditing solution we will be demonstrating is Lepide Active Directory Auditor (part of Lepide Data Security Platform).
10 things to audit in Active Directory are:
- Object Modifications
- Security Permissions and access rights
- Password resets and changes
- Logon and Logoff events
- Deleted Objects
- Privileged user activities
- Account Lockouts
- Inactive or obsolete accounts
- Ownership and Audit Settings of objects
- Securing Schema configurations
1. Object Modifications
Continuous, undetected and unauthorized changes to object attributes (group membership, userAccountControl flags, service principal names, logon scripts, security descriptors) increase the chances of your environment being compromised. Relying on native auditing through Event Viewer can be a bit like looking for a needle in a haystack: every changed value is a separate Directory Service Changes event (ID 5136), and you only get those events for objects whose SACL requests them. Lepide Active Directory Auditor filters out the noise for you and lays out the required data in a clear and concise manner:
Figure 1: Object Modifications Report
2. Security Permissions and access rights
Privileged users who exploit their access permissions have the ability to leak sensitive data (either accidentally or maliciously). Help to maintain the principle of least privilege by ensuring that unauthorized permission changes aren't taking place; changes to the ACLs of the domain root, top-level OUs and the AdminSDHolder object deserve particular attention, because they grant control over everything beneath them:
Figure 2: Permissions Modifications Report
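As an added example (this is not Lepide's code and is not part of the original article), the native counterpart to the two reports above: a PowerShell function that reads Directory Service Changes events (ID 5136) from a domain controller's Security log and turns each one into a row. Filtering on the `member` attribute gives the group-membership changes of section 1; filtering on `nTSecurityDescriptor` gives the permission changes of section 2, where the logged value is the object's security descriptor in SDDL form. The function name is hypothetical, and the code assumes the "Directory Service Changes" audit subcategory is enabled and that the audited objects carry a SACL requesting auditing of writes.

```powershell
# Added example, not Lepide code. Assumes:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable   (on every DC)
#   a SACL on the objects of interest that audits successful writes (see section 9)
#   an account allowed to read the DC's Security log
function Get-ADObjectModification {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,      # a domain controller
        [datetime] $StartTime    = (Get-Date).AddDays(-1),
        [string[]] $Attribute                              # e.g. member, userAccountControl, nTSecurityDescriptor
    )
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # One 5136 per value: %%14674 = value added, %%14675 = value deleted.
        # The old and the new value of a replaced attribute share one OpCorrelationID.
        $op = switch ($d['OperationType']) {
            '%%14674' { 'Added' }
            '%%14675' { 'Deleted' }
            default   { $d['OperationType'] }
        }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Actor         = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object        = $d['ObjectDN']
            Class         = $d['ObjectClass']
            Attribute     = $d['AttributeLDAPDisplayName']
            Operation     = $op
            Value         = $d['AttributeValue']           # SDDL string when Attribute is nTSecurityDescriptor
            CorrelationID = $d['OpCorrelationID']
        }
    } |
    Where-Object { -not $Attribute -or ($Attribute -contains $_.Attribute) }
}

# Usage: group-membership and permission changes from the last 24 hours, newest first
Get-ADObjectModification -Attribute member, nTSecurityDescriptor |
    Sort-Object Time -Descending |
    Format-Table Time, Actor, Object, Attribute, Operation, Value -AutoSize
```

Because each DC logs only the writes it processed, run this against every domain controller (or collect the Security logs centrally) before concluding that a change did not happen.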
3. Password resets and changes
If an Active Directory account is compromised, data can be easily stolen. Sometimes this kind of intrusion can be prevented simply by enforcing a strong password policy. Lepide Active Directory Auditor audits all password reset and password change attempts, so you can tell a user changing their own password (which requires the old one) from someone else resetting it (which only requires the right to do so), and ensure nothing untoward is taking place in Active Directory.
Figure 3: User Password Reset Report
Lepide’s Password Expiration Reminder lets administrators send password expiry notifications via email at regular intervals. It provides predefined audit reports on password expiration and password changes – so that you can easily implement a safe password policy that your users follow.
Figure 4: Users with Soon to Expire Password
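The same two reports built with native tooling, as an added example that is not part of the original article or of Lepide's product: `Get-PasswordResetEvent` separates administrative resets (event 4724) from self-service changes (event 4723) on a domain controller, and `Get-SoonToExpirePassword` lists enabled users whose password expires within a given number of days using the `msDS-UserPasswordExpiryTimeComputed` attribute, which honours fine-grained password policies. Both function names are hypothetical; the code assumes the ActiveDirectory module and, for the event query, that "Audit User Account Management" is enabled on the DC.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module (RSAT) and
# auditpol /set /subcategory:"User Account Management" /success:enable on the DC being queried.
Import-Module ActiveDirectory

function Get-PasswordResetEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,      # a domain controller
        [datetime] $StartTime    = (Get-Date).AddDays(-7)
    )
    # 4724 = someone reset the account's password (helpdesk, admin, or an attacker with delegated rights)
    # 4723 = the user changed their own password and therefore knew the old one
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $StartTime } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $kind = if ($_.Id -eq 4724) { 'Reset by other' } else { 'Changed by user' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Kind   = $kind
            Actor  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Target = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        }
    }
}

function Get-SoonToExpirePassword {
    param([int] $WithinDays = 14)
    $deadline = (Get-Date).AddDays($WithinDays)
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'     # FILETIME (Int64)
        # 0 means "must change at next logon"; Int64.MaxValue means no expiry applies; skip both
        if ($raw -and $raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            $expires = [datetime]::FromFileTime($raw)
            if ($expires -le $deadline) {
                [pscustomobject]@{
                    User            = $_.SamAccountName
                    Mail            = $_.mail
                    PasswordLastSet = $_.PasswordLastSet
                    ExpiresOn       = $expires
                    DaysLeft        = [math]::Floor(($expires - (Get-Date)).TotalDays)
                }
            }
        }
    } | Sort-Object ExpiresOn
}

# Usage: resets performed by someone other than the user, then who needs a reminder this fortnight
Get-PasswordResetEvent | Where-Object Kind -eq 'Reset by other' | Format-Table -AutoSize
Get-SoonToExpirePassword -WithinDays 14 | Format-Table -AutoSize
```

A 4724 whose Actor is not a known helpdesk or provisioning account, or whose Target is a privileged account, is the row to look at first; the expiry list can be piped to `Send-MailMessage` or a ticketing system to replace a manual reminder process.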
4. Logon and Logoff events
A complete history of user logon and logoff events gives you the power to spot changes in pattern that look anomalous. Logon or logoff activity that breaks from the norm (an unusual hour, an unusual workstation, or one account signed in from several places at once) can be indicative of suspicious activity. Lepide Active Directory Auditor enables you to proactively audit user logon and logoff, concurrent logons and failed logon attempts, all from a single console.
Figure 5: Successful User Logon/Logoff Report
5. Deleted Objects
Restoring removed Active Directory objects (deleted accidentally or otherwise) is one of the more frustrating tasks that IT admins deal with. If critical objects are deleted, you need to know immediately so that you can restore them; natively, each deletion is logged as event 5141 on the DC that processed it. Lepide Active Directory Auditor provides real-time auditing of all modifications, including deleted Active Directory objects.
Figure 6: Deleted Objects Report
Lepide Active Directory Auditor captures backup snapshots of the state of Active Directory objects and Group Policies. The Lepide Object Restore Wizard then enables IT teams to restore Active Directory objects (even if they are not in the tombstone or "logically deleted" state).
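For comparison, the native route, as an added example that is not Lepide's code: `Get-DeletedADObject` lists what is currently sitting in the Deleted Objects container, and `Restore-DeletedADObject` brings one object back with the checks a practitioner wants before pressing the button. Both names are hypothetical. The important caveat the example encodes is that without the AD Recycle Bin a restore is a tombstone reanimation that keeps only a handful of attributes (group memberships, manager, and most other data are lost), and that an object past the tombstone lifetime cannot be restored from AD at all.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module and rights to read/restore deleted objects.
Import-Module ActiveDirectory

function Get-DeletedADObject {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    Get-ADObject -IncludeDeletedObjects -Filter { isDeleted -eq $true -and whenChanged -ge $Since } `
                 -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN', objectClass, isRecycled |
    Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' } |    # the container itself is flagged isDeleted
    Select-Object @{ n = 'Name'; e = { $_.'msDS-LastKnownRDN' } }, ObjectClass, lastKnownParent, whenChanged,
                  @{ n = 'Recycled'; e = { [bool]$_.isRecycled } }, ObjectGUID
}

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)] [guid] $ObjectGUID,
        [string] $TargetPath            # only needed when the original parent OU no longer exists
    )
    # Without the Recycle Bin, Restore-ADObject reanimates a tombstone: the object comes back
    # with its SID and name but stripped of most attributes, so the result needs manual repair.
    $recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (-not $recycleBin.EnabledScopes) {
        Write-Warning 'AD Recycle Bin is not enabled; the restored object will have lost most of its attributes.'
    }

    $obj = Get-ADObject -Identity $ObjectGUID -IncludeDeletedObjects -Properties lastKnownParent, isRecycled
    if ($obj.isRecycled) {
        throw "$($obj.DistinguishedName) is past the tombstone lifetime (recycled); only a backup can bring it back."
    }

    if ($TargetPath) {
        Restore-ADObject -Identity $ObjectGUID -TargetPath $TargetPath
    } else {
        # If the parent was deleted in the same operation it has to be restored first (or pass -TargetPath)
        try { $null = Get-ADObject -Identity $obj.lastKnownParent }
        catch { throw "Parent $($obj.lastKnownParent) no longer exists; restore it first or pass -TargetPath." }
        Restore-ADObject -Identity $ObjectGUID
    }
}

# Usage: review this week's deletions, then restore one by GUID
Get-DeletedADObject | Format-Table -AutoSize
# Restore-DeletedADObject -ObjectGUID 'paste-ObjectGUID-from-the-table-here'
```

Restore parents before children: an OU deleted together with its contents must come back first, otherwise `Restore-ADObject` fails because the `lastKnownParent` does not exist.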
6. Privileged user activities
Privileged users who misuse their access rights can be incredibly hard to detect, especially if those privileges were granted legitimately. Lepide Active Directory Auditor monitors the activities of all users, including privileged users, in real time and displays them in predefined reports. Real-time alerts give a snapshot of exactly what changes are being made by privileged users in your Active Directory.
Figure 7: Privileged User activities Report
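The single most important privileged-user event to watch natively is a change to the membership of a privileged group, since that is how privilege is granted and how it persists after an intrusion. The added example below (not Lepide's code, hypothetical function name) reads the group-membership events a DC writes (4728/4729 for global, 4732/4733 for domain-local, 4756/4757 for universal security groups) and keeps only the groups on a watch list; the list of groups is an assumption you should adjust to your domain.

```powershell
# Added example, not Lepide code. Requires "Audit Security Group Management" enabled on the DC
# (auditpol /set /subcategory:"Security Group Management" /success:enable) and rights to read its Security log.
function Get-PrivilegedGroupChange {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,      # a domain controller
        [datetime] $StartTime    = (Get-Date).AddDays(-30),
        # Assumed watch list; Enterprise Admins and Schema Admins only exist in the forest root domain
        [string[]] $Group = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                              'Account Operators', 'Server Operators', 'Backup Operators', 'DnsAdmins')
    )
    # Added / removed pairs per group scope: global 4728/4729, domain-local 4732/4733, universal 4756/4757
    $ids = 4728, 4729, 4732, 4733, 4756, 4757
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Group -contains $d['TargetUserName']) {                  # TargetUserName is the group's name
            $action = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Group  = $d['TargetUserName']
                Member = $d['MemberName']                              # distinguished name of the member
                Actor  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            }
        }
    }
}

# Usage: who put whom into a privileged group in the last month, newest first
Get-PrivilegedGroupChange | Sort-Object Time -Descending | Format-Table -AutoSize
```

Every row here should correspond to a change ticket; an "Added" with no matching "Removed" for a temporary elevation, or an Actor that is itself a freshly added member, is worth an immediate look.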
7. Account Lockouts
Determining the reason behind an account lockout is rarely as straightforward as it looks. Multiple failed logon attempts, stale credentials cached by a scheduled task, mapped drive or mobile device, or stale sessions could all lead to locked accounts. However, IT teams often overlook the fact that multiple failed logon attempts could be the symptom of a brute-force or password-spraying attack. For this reason, it's important to verify the cause of the account lockout before unlocking it. Lepide Active Directory Auditor allows you to perform this investigation. You can also investigate which other objects or activities will be affected by a user account lockout.
Figure 8: Account Lockout Report
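The investigation described in sections 4 and 7 can be scripted natively, as the added example below shows (not Lepide's code; the function name and the failure threshold are assumptions). Account lockouts (event 4740) are always written on the PDC emulator, whichever DC actually locked the account, and the 4740 event names the computer the bad attempts came from; the example then pulls the failed logons (4625) and Kerberos pre-authentication failures (4771) for that account in the window before the lockout and groups them by source IP, so you can tell one stale credential on one host from many attempts from many places.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module and rights to read the PDC emulator's Security log.
Import-Module ActiveDirectory

# Local helper: flatten an event's EventData into a hashtable keyed by field name
$toHash = {
    param($Event)
    $h = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$n.Name] = $n.'#text' }
    $h
}

function Get-LockoutSource {
    param(
        [string]   $User,                                  # optional: limit to one sAMAccountName
        [datetime] $StartTime     = (Get-Date).AddDays(-1),
        [int]      $WindowMinutes = 30,                    # look-back before each lockout
        [int]      $BruteForceThreshold = 20               # assumed: failures in the window that warrant an alert
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = & $toHash $_
            # In 4740, TargetDomainName carries the "Caller Computer Name", not a domain
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; CallerComputer = $d['TargetDomainName'] }
        } |
        Where-Object { -not $User -or $_.User -eq $User }

    foreach ($l in $lockouts) {
        # 4625 = failed logon; 4771 = Kerberos pre-auth failed (Status 0x18 = bad password)
        $fails = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
                    LogName = 'Security'; Id = 4625, 4771
                    StartTime = $l.Time.AddMinutes(-$WindowMinutes); EndTime = $l.Time
                 } -ErrorAction SilentlyContinue |
            ForEach-Object { & $toHash $_ } |
            Where-Object { $_['TargetUserName'] -eq $l.User } |
            Group-Object { $_['IpAddress'] } |
            Sort-Object Count -Descending
        $total = [int]($fails | Measure-Object -Property Count -Sum).Sum

        $verdict = if ($total -ge $BruteForceThreshold) { 'Possible brute force: investigate before unlocking' }
                   elseif (@($fails).Count -gt 1)        { 'Several sources: look for stale credentials on each' }
                   else                                  { 'Single source: likely a stale credential or user error' }
        [pscustomobject]@{
            LockedAt       = $l.Time
            User           = $l.User
            CallerComputer = $l.CallerComputer
            FailuresBefore = $total
            TopSources     = ($fails | Select-Object -First 3 | ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }) -join ', '
            Verdict        = $verdict
        }
    }
}

# Usage: every lockout in the last 24 hours with where the failures came from
Get-LockoutSource | Format-Table -AutoSize
```

The PDC emulator is the best single place to look because bad-password attempts are retried against it before the failure is final, but each DC logs the attempts it handled; for an authoritative count, run the failure query against every DC or a central log collector.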
8. Inactive or obsolete accounts
Dormant user and computer accounts are open invitations for attackers to gain access to your systems and data: nobody notices when they start being used. They build up unnoticed in Active Directory unless you have a solution that flags them. Lepide Active Directory Auditor offers detailed insights into all inactive user and computer accounts in your domain. It lets you take automated actions against such obsolete objects, allowing you to rename them, move them to a separate Organizational Unit, or delete them at predefined intervals.
Figure 9: Inactive Users Report
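A native version of the same workflow, as an added example that is not Lepide's code: find enabled users and computers that have not logged on for a configurable number of days, skip the ones that should never be disabled automatically, and (only with `-Commit`) disable them, stamp the description with the reason, and move them to a quarantine OU. The function name and the skip rules are assumptions; the caveat built in is that `LastLogonDate` comes from `lastLogonTimestamp`, which replicates only every 9 to 14 days, so it is a lower bound on the true last logon, and that disabling (not deleting) keeps the object restorable while you wait for complaints.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module and rights to disable/move accounts.
Import-Module ActiveDirectory

function Invoke-StaleAccountReview {
    param(
        [int]    $InactiveDays = 90,
        [string] $QuarantineOU,          # e.g. 'OU=Disabled Accounts,DC=corp,DC=example,DC=com' (assumed)
        [switch] $Commit                 # without -Commit this is a report only; nothing is changed
    )
    $span  = New-TimeSpan -Days $InactiveDays
    $stale = @(Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly) +
             @(Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly) |
             Where-Object { $_.Enabled }

    foreach ($acct in $stale) {
        $detail = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount, whenCreated, servicePrincipalName

        # Assumed skip rules: protected accounts, likely service accounts, and accounts too new to have logged on
        $skip = if ($detail.adminCount -eq 1)                                     { 'adminCount=1, review manually' }
                elseif ($detail.servicePrincipalName)                             { 'has SPNs, likely a service account' }
                elseif ($detail.whenCreated -gt (Get-Date).AddDays(-$InactiveDays)) { 'created within the window, never used yet' }

        $action = if ($skip) { "Skipped: $skip" } elseif ($Commit) { 'Disabled' } else { 'Would disable' }
        if (-not $skip -and $Commit) {
            Disable-ADAccount -Identity $acct.DistinguishedName
            Set-ADObject -Identity $acct.DistinguishedName -Description (
                'Disabled {0} by stale-account review; last logon {1}' -f (Get-Date -Format s), $acct.LastLogonDate)
            if ($QuarantineOU) {
                Move-ADObject -Identity $acct.DistinguishedName -TargetPath $QuarantineOU
                $action += ' and moved'
            }
        }
        [pscustomobject]@{
            Account   = $acct.SamAccountName
            Class     = $acct.ObjectClass
            LastLogon = $acct.LastLogonDate      # $null = never logged on since lastLogonTimestamp existed
            Created   = $detail.whenCreated
            Action    = $action
        }
    }
}

# Usage: dry run first, then commit with a quarantine OU once the list looks right
Invoke-StaleAccountReview -InactiveDays 90 | Format-Table -AutoSize
# Invoke-StaleAccountReview -InactiveDays 90 -QuarantineOU 'OU=Disabled Accounts,DC=corp,DC=example,DC=com' -Commit
```

Deletion belongs in a later, separate pass (for example 30 days after disabling) so that a legitimately dormant account, such as someone on leave, can be re-enabled with its group memberships intact.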
9. Ownership and Audit Settings of objects
When looking for ways to secure your IT infrastructure, a key concept often overlooked is ownership: the owner of an object can rewrite its permissions regardless of what the ACL says, so an unexpected owner is as serious as an unexpected permission. To maintain control over the entire network, the ownership, security restrictions and access control of objects need to be maintained, and Lepide Active Directory Auditor enables you to do this.
Figure 10: Ownership Modifications Report
Lepide Active Directory Auditor also provides reports for tracking changes made to the audit settings (SACLs) of Active Directory objects, which matters because an attacker who removes an object's audit entries also removes the events that would have recorded the rest of their activity.
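An added example (not Lepide's code; the function name and the default list of objects are assumptions) that reports the current owner and audit settings of the objects whose ownership matters most, using the `AD:` drive the ActiveDirectory module provides. It flags owners outside an expected set and tells you whether the object's SACL actually audits successful writes, which is the precondition for the 5136 events in sections 1 and 2 to exist at all.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module (for the AD: drive) and,
# for -Audit, the "Manage auditing and security log" privilege (SeSecurityPrivilege).
Import-Module ActiveDirectory

function Get-ADObjectOwnershipReport {
    param(
        [string[]] $Identity,                                  # DNs to check; defaults below are assumed
        [string[]] $ExpectedOwner = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    if (-not $Identity) {
        $Identity = @($domainDN,
                      "CN=AdminSDHolder,CN=System,$domainDN",
                      "OU=Domain Controllers,$domainDN")
    }

    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($dn in $Identity) {
        $acl       = Get-Acl -Path "AD:\$dn" -Audit            # -Audit returns the SACL as $acl.Audit
        $ownerName = $acl.Owner -replace '^.*\\', ''

        # Is at least one audit entry recording successful writes (property / DACL / owner)?
        $writesAudited = @($acl.Audit | Where-Object {
            ([int]($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)) -ne 0 -and
            ([int]($_.ActiveDirectoryRights -band $writeRights)) -ne 0
        }).Count -gt 0

        [pscustomobject]@{
            Object        = $dn
            Owner         = $acl.Owner
            OwnerExpected = $ExpectedOwner -contains $ownerName
            AuditRules    = @($acl.Audit).Count
            WritesAudited = $writesAudited
            Sacl          = ($acl.Audit | ForEach-Object {
                                '{0}:{1}:{2}' -f $_.IdentityReference, $_.AuditFlags, $_.ActiveDirectoryRights
                             }) -join '; '
        }
    }
}

# Usage: check the defaults, then extend -Identity with your own tier-0 OUs and GPOs
Get-ADObjectOwnershipReport | Format-List
```

Run it on a schedule and diff the output: a changed `Owner`, a drop in `AuditRules`, or `WritesAudited` flipping to false on a tier-0 object is a finding in its own right, independent of any event log.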
10. Securing Schema configurations
Schema changes are forest-wide, effectively irreversible (attributes and classes can be deactivated but never removed), and legitimately happen only a handful of times in a forest's life, typically when a product such as Exchange is installed or the forest is upgraded. That makes every schema modification something that should be expected and accounted for, and any that is not an incident. Lepide Active Directory Auditor delivers clear and detailed audit reports to this effect.
Figure 11: Schema Modifications Report
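The native check, as an added example that is not Lepide's code (hypothetical function name): list every schema object created or modified in the last N days by querying the schema naming context on the schema master, and report the current schema version and the membership of Schema Admins, which should be empty except during a planned update. The query goes to the schema master because schema writes only succeed there, so that is also the DC on which Directory Service Changes auditing must be enabled to see who made a change.

```powershell
# Added example, not Lepide code. Requires the ActiveDirectory module and read access to the schema partition.
Import-Module ActiveDirectory

function Get-SchemaChangeReport {
    param([int] $Days = 30)
    $forest = Get-ADForest
    $root   = Get-ADRootDSE -Server $forest.SchemaMaster
    $since  = (Get-Date).AddDays(-$Days)

    # Classes and attributes whose whenChanged falls inside the window; new vs modified by whenCreated
    $changes = Get-ADObject -Server $forest.SchemaMaster -SearchBase $root.schemaNamingContext `
                            -Filter { whenChanged -ge $since } -Properties whenCreated, whenChanged, lDAPDisplayName |
               Where-Object { $_.DistinguishedName -ne $root.schemaNamingContext } |    # skip the container's own timestamp
               Select-Object @{ n = 'Name'; e = { $_.lDAPDisplayName } }, ObjectClass, whenCreated, whenChanged,
                             @{ n = 'Kind'; e = { if ($_.whenCreated -ge $since) { 'New' } else { 'Modified' } } } |
               Sort-Object whenChanged -Descending

    # Schema Admins lives in the forest root domain and should normally have no members at all
    $admins = Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
              Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        SchemaMaster  = $forest.SchemaMaster
        SchemaVersion = (Get-ADObject -Server $forest.SchemaMaster -Identity $root.schemaNamingContext `
                                      -Properties objectVersion).objectVersion
        SchemaAdmins  = @($admins)
        Changes       = @($changes)
    }
}

# Usage: anything in the last quarter, plus who could currently change the schema
$report = Get-SchemaChangeReport -Days 90
$report | Select-Object SchemaMaster, SchemaVersion, SchemaAdmins | Format-List
$report.Changes | Format-Table -AutoSize
```

Keep the `SchemaVersion` and an empty `SchemaAdmins` as a baseline; a non-empty Schema Admins group outside a change window is the more common finding, and the thing to fix before anyone needs the report of what they changed.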