The security threat posed by internal users with access to sensitive data in Active Directory is very real: insider threats are among the most common risks to IT security and often the most difficult to detect.
Active Directory serves as the backbone of most Windows IT infrastructure, so delegated IT administrators need to mitigate the risk of insider abuse or misuse on this platform by every means available. User logon information plays a key role here, as it shows whether users are attempting to log on to machines for which they have no legitimate privileges.
Monitoring user logon events in a domain also gives IT administrators the evidence they need to meet compliance regulations. In this article, I will demonstrate how to monitor user logon events in a domain using the native audit methods. Afterwards, I will show you a simpler, quicker and, in my view, better Active Directory auditing solution that goes well beyond what native auditing offers.
Audit User Logons in Active Directory Using Native Auditing
Step 1: Create New GPO
Perform the following steps to create and link the policy:
- Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools”, and double-click “Group Policy Management” to open the console.
Note: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC”, and click “OK” to open the Group Policy Management console.
- In the “Group Policy Management” window, expand the “Forest” node, then “Domains”, and select your domain.
- Right-click the domain and select “Create a GPO in this domain, and Link it here…”. Give the new GPO a descriptive name (for example, “Logon Auditing”). Linking at the domain level applies the policy to every computer in the domain, which is what you want, because logon events are recorded on the computer where the logon takes place, not only on the domain controllers.
Step 2: Edit the GPO to Enable Auditing
- Right-click the newly created GPO and click “Edit”.
- Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
- Expand the “Audit Policies” node to access its sub-policies, which represent the different event categories.
- Select “Logon/Logoff”.
- Double-click the “Audit Logon” policy in the right pane to open its properties.
- Tick “Configure the following audit events”, then tick both the “Success” and “Failure” check boxes.
- Click “Apply”, then “OK”.
Note: Advanced Audit Policy settings and the legacy “Audit Policy” settings (under “Local Policies”) can conflict. To make sure the subcategory setting you just configured takes effect, confirm that “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” under “Security Settings” ➔ “Local Policies” ➔ “Security Options” is enabled. Clients pick up the new policy at the next refresh; run “gpupdate /force” on a test machine to apply it immediately.
Step 3: Audit the Security Event Logs
- Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Event Viewer”.
- In the left panel, go to “Windows Logs” ➔ “Security” to view the security log of that computer.
- Use “Filter Current Log…” and enter the Event IDs you are interested in. The “Audit Logon” subcategory produces Event ID 4624 for a successful logon, 4625 for a failed logon, and 4648 for a logon attempted with explicit credentials (for example, “Run as different user” or a scheduled task using stored credentials).
- Select a record to read its details in the lower pane. A 4648 event, for instance, is described as “A logon was attempted using explicit credentials” and lists both the account that initiated the attempt and the account whose credentials were used. For 4624 and 4625, the “Logon Type” (2 = interactive, 3 = network, 10 = remote interactive) and “Source Network Address” fields tell you how and from where the user reached the machine.
Note: Because these events live in the Security log of each individual computer, auditing a whole domain this way means checking every machine, or forwarding the logs to a central collector (for example with Windows Event Forwarding) and filtering there.
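The whole procedure above, carried out from the command line, as an added example that is not part of the original article. The script verifies that the audit subcategory is actually in effect on a machine, pulls the logon events the GPO produces, and reduces them to the who/what/when/where fields an investigator needs. The `-ComputerName` and `-Hours` parameters are my own; the event IDs and field names are the ones Windows writes.

```powershell
# Added example (not from the original article): verify the effective logon
# audit policy on a machine and summarise its logon events.
# Requires an elevated PowerShell session, since reading the Security log
# needs administrative rights. Assumes the GPO described above has applied
# (or that 'gpupdate /force' has been run) on the target computer.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter: defaults to the local host
    [int]$Hours = 24                             # assumed parameter: look-back window
)

# 1. Confirm the subcategory is really in effect. A conflicting legacy
#    audit policy is the usual reason no 4624/4625 events ever appear.
#    Expected output ends with "Success and Failure".
auditpol.exe /get /subcategory:"Logon"

# 2. Query the Security log with a hashtable filter. This is filtered on the
#    log service side and is far faster than piping everything to Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648          # success, failure, explicit credentials
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Map each event's XML data fields to a uniform row. The field names differ
#    per event ID, so each ID is handled explicitly.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $account = "$($d.TargetDomainName)\$($d.TargetUserName)"
    switch ($e.Id) {
        4624 { $outcome = 'Success';                 $type = $d.LogonType; $src = $d.IpAddress }
        4625 { $outcome = "Failure ($($d.Status))";  $type = $d.LogonType; $src = $d.IpAddress }
        4648 { $outcome = "Explicit by $($d.SubjectDomainName)\$($d.SubjectUserName)"
               $type = 'Explicit';                   $src = $d.TargetServerName }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Outcome   = $outcome
        Account   = $account
        LogonType = $type
        Source    = $src
        Computer  = $e.MachineName
    }
}

# 4. Drop machine-account and anonymous noise (computer accounts end in '$'),
#    then list the events newest first.
$rows = $rows | Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch 'ANONYMOUS LOGON' }
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# 5. Repeated failures against one account are the pattern that matters for
#    the insider-misuse scenario: a user probing machines they have no right to use.
$rows | Where-Object { $_.EventId -eq 4625 } |
    Group-Object Account | Where-Object { $_.Count -ge 5 } |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it as `.\Get-LogonEvents.ps1 -ComputerName FILESRV01 -Hours 48` (file name and host name are placeholders) from a domain-joined admin workstation. Point it at the domain controllers to see authentications for domain accounts, and at file servers or workstations to see who actually reached those machines; the two views together answer the “who, what, when and where” questions the article raises.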
A Better Way – Monitoring User Logons with Lepide Active Directory Auditor
The following image shows the User Logon event in a domain through the easy-to-use interface of Lepide Active Directory Auditor (part of Lepide Data Security Platform). It shows you the answers to the ‘who, what, when, and where’ questions (crucial for Active Directory auditing) in one place and in a way that is simple to read and understand:
When an enterprise is required to monitor the logon and logoff events of its users across many machines, the native auditing method may not be a good choice, as collecting and reviewing the logs can consume far more time than expected. The same task can be performed in very little time with Lepide Active Directory Auditor. It enables you to analyse every user logon event with a host of pre-configured reports and real-time alerts.