The security threat posed by internal users with access to sensitive data in Active Directory is very real: insider threats are among the most common risks to IT security and often the hardest to detect.
Active Directory is the backbone of most IT infrastructure, so IT administrators must do what they can to mitigate insider abuse and misuse on this platform. User logon information plays a key role here, as it shows whether users are attempting to log on to machines on which they have no legitimate privileges.
Monitoring user logon events in a domain also gives IT administrators what they need to meet compliance requirements. In this article, I will demonstrate how to monitor user logon events in a domain using native auditing. Afterwards, I will show you a simpler and quicker Active Directory auditing solution that, in my view, beats native auditing handily.
Monitoring User Logons in a Domain Using Native Auditing
Step 1: Create a GPO for the audit policy
Perform the following steps to create and link the policy:
- Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools”, and double-click “Group Policy Management” to open the console.
Note: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC”, and click “OK” to open the Group Policy Management console.
- In the “Group Policy Management” window, expand the “Forest” node, then “Domains”, and select your domain.
- Right-click the domain and select “Create a GPO in this domain, and Link it here”. Give the GPO a descriptive name. A GPO linked at the domain level applies to every computer in the domain; link it to an OU instead if you only want to audit a subset of machines, for example the servers that hold sensitive data.
Step 2: Edit the GPO
- Right-click the newly created GPO and click “Edit”.
- Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
- Expand the “Audit Policies” node to access its sub-policies, which represent the different event categories, and select “Logon/Logoff”.
- Double-click the “Audit Logon” policy in the right pane to access its properties.
- Select “Configure the following audit events” and then select both the “Success” and “Failure” check boxes.
- Click “Apply”, then “OK”.
Note: Advanced audit policy settings only take precedence over the legacy “Audit Policy” categories when “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is enabled under “Security Settings” ➔ “Local Policies” ➔ “Security Options”. It is enabled by default, but if a legacy audit policy is also applied somewhere in your domain, verify it, otherwise the subcategory you just configured may be ignored. The setting reaches client machines at the next Group Policy refresh.
Step 3: Filter the Security Event Log
- Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Event Viewer”.
- In the left panel, go to “Windows Logs” ➔ “Security” to view the Security log.
- Click “Filter Current Log” and enter the Event IDs you are interested in: 4624 (a successful logon), 4625 (a failed logon) and 4648 (a logon attempted using explicit credentials, for example via runas or a mapped drive with alternate credentials).
- Open an event to read its details. For 4648 the description reads “A logon was attempted using explicit credentials”: the Subject fields identify the account that initiated the logon and the Target fields identify the credentials it used, which is exactly the pattern to look for when a user tries another account on a machine they should not be using.
Note: Logon events are written to the local Security log of the machine where the logon took place, not to the domain controller. To see logons across the domain you must either check each machine or forward the Security logs to a central collector. Domain controllers record the authentication of domain accounts separately, under the “Account Logon” category (Event IDs 4768, 4769 and 4776), which needs its own audit sub-policy.
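The three steps above, carried out and checked from PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell session on a domain-joined machine (reading the Security log requires administrator or “Event Log Readers” rights); the optional GPO creation line additionally assumes the GroupPolicy RSAT module. The 24-hour window and the way the output is grouped are choices made for illustration.

```powershell
# Added example (not from the original article): verify that the logon audit
# policy is in effect on this host and summarise recent logon events from the
# local Security log. Run in an elevated PowerShell session.

# Optional, requires the GroupPolicy RSAT module: create and link the GPO from
# the command line instead of the GPMC. The Advanced Audit Policy settings
# themselves still have to be set in the GPO editor; there is no cmdlet for them.
# New-GPO -Name 'Audit Logon Events' | New-GPLink -Target (Get-ADDomain).DistinguishedName

# 1. Confirm the GPO actually took effect here. If this prints "No Auditing",
#    run gpupdate /force or check the GPO link and scope.
auditpol.exe /get /subcategory:"Logon"

# 2. Pull logon events from the last 24 hours.
#    4624 = successful logon, 4625 = failed logon, 4648 = explicit credentials.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Read the fields from the event XML rather than the message text, which
#    varies by OS language and version.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        # Subject = the account that started the logon; Target = the account
        # that was logged on (for 4648, the credentials that were supplied).
        Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType   # 2 interactive, 3 network, 10 RDP; empty for 4648
        Source    = $d.IpAddress
        Status    = $d.Status      # 4625 only, e.g. 0xC000006D = logon failure
    }
}

# 4. Failed logons grouped by target account: a quick view of password
#    guessing, or of a user probing machines they are not entitled to use.
$rows | Where-Object Id -eq 4625 |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 5. Explicit-credential logons where the invoking account differs from the
#    credentials used: the insider pattern that "Audit Logon" surfaces best.
$rows | Where-Object { $_.Id -eq 4648 -and $_.Subject -ne $_.Target } |
    Format-Table Time, Subject, Target, Source -AutoSize
```

Because each machine only records its own logons, run this on every host you care about or point Get-WinEvent at a collector with the -ComputerName parameter; the domain controllers will show the 4768/4769/4776 account-logon events instead, which are not covered by this filter.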
A Better Way – Monitoring User Logons with LepideAuditor
The following image shows a user logon event in a domain through the easy-to-use interface of LepideAuditor for Active Directory. It answers the “who, what, when, and where” questions that are crucial for Active Directory auditing in one place, in a form that is simple to read and understand:
When an enterprise needs to monitor user logon and logoff events, native auditing may not be the best choice, as it can take far more time than expected. The same task can be done in no time with LepideAuditor on your side, which lets you analyse every user logon event with a host of pre-configured reports and real-time alerts.