Thursday, November 18, 2010

Auditing is Important, But Periodic Security Assessments Are Also Important

In the last post we looked at some of the most important administrative tasks that you should consider auditing in Active Directory. It is very helpful and valuable to have the right audit settings in place, and turned on, so that when one of these tasks is carried out you find out about it.

However, keep in mind that auditing is primarily a reactive measure: it tells you that an event has already taken place. That is often enough to maintain security, but not always.

Consider, for instance, a scenario in which a delegated administrator is able to reset the password of a more powerful administrator. With auditing turned on, an audit event would certainly be generated, but by the time you noticed it and worked out that it was unusual, that individual could already have logged on as the powerful administrator and done substantial damage, and nothing in the audit trail would have prevented it.

So, in this case, auditing would help you figure out who compromised security, but the damage would already be done; auditing alone would not have prevented the incident.
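To make the scenario above concrete, here is an added PowerShell example (not part of the original post) that collects the password-reset audit events from every domain controller and flags the ones whose target is a privileged account. It assumes the ActiveDirectory module, Windows Server 2008 or later domain controllers (event ID 4724, "An attempt was made to reset an account's password"), rights to read the Security log remotely, and that the accounts marked adminCount=1 are the "powerful administrators" you care about; the function and parameter names are the author's own, not Microsoft's.

```powershell
# Added example: find password resets of privileged accounts across all DCs.
# Each DC only logs the resets it processed itself, so every DC must be queried.
Import-Module ActiveDirectory

function Get-PrivilegedSids {
    # Accounts protected by AdminSDHolder carry adminCount=1. The attribute is
    # sticky (it is not cleared when an account leaves a protected group), so
    # treat this as a heuristic for "powerful administrators", not as truth.
    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object { $_.SID.Value }
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Security event
    # into a hashtable keyed by field name (TargetSid, SubjectUserName, ...)
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-PrivilegedPasswordResets {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $privileged = @(Get-PrivilegedSids)
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        # -ErrorAction SilentlyContinue: Get-WinEvent errors when a DC has no matching events
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $Since }
        foreach ($e in $events) {
            $f = ConvertFrom-EventData -Event $e
            if ($privileged -notcontains $f['TargetSid']) { continue }
            # 4724 is logged as Audit Success when the reset went through,
            # Audit Failure when it was attempted but refused
            $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                DC      = $dc
                Actor   = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                Target  = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
                Outcome = $outcome
            }
        }
    }
}

# Usage: anything returned here deserves an immediate look, and an actor that is
# not itself a privileged account is exactly the delegated-admin case in the post.
Find-PrivilegedPasswordResets -Since (Get-Date).AddDays(-7) | Format-Table Time, DC, Actor, Target, Outcome -AutoSize
```

Running this on a schedule turns the reactive audit trail into something closer to an alert, but note that it still only fires after the reset has happened; the review of who is able to perform the reset in the first place is the preventive half.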

The point here is that while auditing is important, it is equally important to periodically assess the security of your Active Directory, i.e. to review who can do what, so you can identify and lock down any excessive administrative grants before someone uses them.

By the way, when you are reviewing security grants in Active Directory, please make sure that you review them correctly. What you see in a single Active Directory permission entry is not always what is actually in effect. Just because a user is granted a right in one access control entry, it does not necessarily mean that user can actually carry out the task: other entries that apply to the same user, or to a group he or she is a member of (directly or through nesting), can negate the first one. A Deny entry, for example, takes precedence over an Allow entry at the same level, and an entry inherited from a parent container counts too.
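The following PowerShell is an added example, not the original post's code, of what "reviewing correctly" means for the password-reset scenario: it answers "can this account effectively reset that account's password?" by walking the target's DACL the way the directory evaluates it, counting nested group membership and Deny entries. It assumes the ActiveDirectory module and the AD: drive it provides; the two GUIDs are the documented Reset Password control access right and the schemaIDGUID of the user class; the function names and the sample account names are the author's own.

```powershell
# Added example: effective "Reset Password" check for one actor against one target.
Import-Module ActiveDirectory

$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$InheritOnly       = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-TokenSids {
    # Every SID the principal carries: its own, its primary group (which never
    # appears in a 'member' attribute), every nested group via the
    # LDAP_MATCHING_RULE_IN_CHAIN filter, plus Everyone and Authenticated Users.
    # (A DN containing LDAP filter metacharacters would need escaping first.)
    param($User)
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids = @($User.SID.Value, "$domainSid-$($User.primaryGroupID)", 'S-1-1-0', 'S-1-5-11')
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
    foreach ($g in $groups) { $sids += $g.SID.Value }
    return $sids
}

function Test-CanResetPassword {
    # Walks the target's DACL in order and returns the verdict of the first ACE that
    # both names a SID in the actor's token and covers the Reset Password right.
    # AD keeps DACLs canonical (explicit deny, explicit allow, inherited deny,
    # inherited allow), so the first match is the effective answer.
    param([string]$Actor, [string]$Target)
    $actorUser  = Get-ADUser -Identity $Actor -Properties primaryGroupID
    $targetUser = Get-ADUser -Identity $Target
    $token = Get-TokenSids -User $actorUser
    if ($actorUser.SID.Value -eq $targetUser.SID.Value) { $token += 'S-1-5-10' }  # SELF
    $acl   = Get-Acl -Path "AD:\$($targetUser.DistinguishedName)"
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($token -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }         # applies to children only
        if ($ace.InheritedObjectType -ne [guid]::Empty -and
            $ace.InheritedObjectType -ne $UserClassGuid) { continue }              # inherited for another class
        if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue } # no extended right at all
        if ($ace.ObjectType -ne [guid]::Empty -and
            $ace.ObjectType -ne $ResetPasswordGuid) { continue }                  # some other extended right
        # GenericAll and "all extended rights" both arrive here with an empty ObjectType
        return ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
    }
    return $false  # nothing applied: implicit deny
}

# Usage (sample account names are made up): does the help-desk account really
# get to reset the domain admin's password, after Deny entries and nesting?
Test-CanResetPassword -Actor 'helpdesk01' -Target 'da-admin'
```

This is deliberately narrower than the server's own access check: it does not model object ownership, the implicit rights of Domain Admins, or the periodic rewrite of protected accounts' ACLs from AdminSDHolder. What it does show is the part the post is warning about: a visible Allow entry can be neutralised by a Deny entry earlier in the list, or apply only to a group the user is not actually in.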

That's all for now. Thanks, and have a happy Thanksgiving!

Wednesday, June 30, 2010

Which administrative tasks to audit in Active Directory

As you may know, auditing of identity and access management is configured in Active Directory itself, and the audit entries are generated in the Security log on the domain controllers.

It is important to ensure that you audit all vital administrative tasks, but at the same time it is also important not to go overboard and fill up your audit logs with noise, because an overflowing log is as useless as an empty one.

With that in mind, here is a list of some of the most important administrative tasks that you should audit for in your Active Directory -
  1. Creation and deletion of domain user accounts
  2. Resetting domain user account passwords
  3. Disabling and enabling of domain user accounts
  4. Unlocking domain user accounts
  5. Creation and deletion of domain security groups
  6. Changing domain security group memberships
  7. Changing domain security group scopes
  8. Changing domain security group types
  9. Creation and deletion of organizational units
  10. Linking and unlinking of GPOs to organizational units
  11. Creation and deletion of service connection points
  12. Changing a service connection point's keywords

These tasks are all sensitive in that if someone could carry out these tasks with malicious motives, they could negatively impact the security of your Active Directory and thus the security of your IT infrastructure.

You can enable auditing of these tasks by adding audit entries to the SACL (system access control list) of the relevant Active Directory objects, which you reach through the object's security descriptor (the Auditing tab under Advanced Security Settings in Active Directory Users and Computers). Keep in mind that the SACL only says which accesses to record; an event is actually written only if the matching audit policy is enabled on the domain controllers (Directory Service Changes or Directory Service Access for object-level changes, and the Account Management subcategories for the user and group events, which are generated with or without a SACL).
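As an added example (not the original post's code), the following PowerShell switches on the audit policy and then adds SACL entries for all twelve tasks above on the domain root, so that they are inherited by every OU. It assumes the ActiveDirectory module and AD: drive (Windows Server 2008 R2 / RSAT), Windows Server 2008 or later audit subcategories, and that it is run with the rights to change the domain's SACL; the Reset Password GUID is the documented control access right, every other GUID is read from the schema rather than hard-coded, and the helper function names are the author's own.

```powershell
# Added example: audit policy plus domain-root SACL entries for the twelve tasks.
Import-Module ActiveDirectory

# Step 1: the audit policy. A SACL entry produces nothing unless the matching
# subcategory is on. auditpol changes the local policy of the machine it runs on;
# in a real domain put these settings in the Default Domain Controllers Policy
# GPO so every DC gets them (a GPO also overrides whatever auditpol set).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Step 2: the SACL on the domain root, inherited by everything below it.
$domainDn = (Get-ADDomain).DistinguishedName
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid {
    # Resolve a class or attribute name to its schemaIDGUID instead of hard-coding it
    param([string]$LdapDisplayName)
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid][byte[]]$o.schemaIDGUID
}

$Everyone     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # audit whoever does it
$AuditAll     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$All          = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$CreateDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$WriteProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ExtRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# -Audit is required, otherwise the SACL is not read and Set-Acl would not write it
$acl = Get-Acl -Path "AD:\$domainDn" -Audit

function Add-AuditRule {
    param($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType = [guid]::Empty)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule `
        -ArgumentList $Everyone, $Rights, $AuditAll, $ObjectType, $Inheritance, $InheritedObjectType
    $acl.AddAuditRule($rule)
}

$user  = Get-SchemaGuid 'user'
$group = Get-SchemaGuid 'group'
$ou    = Get-SchemaGuid 'organizationalUnit'
$scp   = Get-SchemaGuid 'serviceConnectionPoint'
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right, not a schema object

# Tasks 1, 5, 9, 11: creation and deletion of users, groups, OUs and SCPs in any container
foreach ($class in $user, $group, $ou, $scp) { Add-AuditRule $CreateDelete $class $All }
# Task 2: password resets on any user object
Add-AuditRule $ExtRight $resetPassword $Descendents $user
# Tasks 3, 4: disable/enable live in userAccountControl, unlock clears lockoutTime
foreach ($attr in 'userAccountControl', 'lockoutTime') { Add-AuditRule $WriteProp (Get-SchemaGuid $attr) $Descendents $user }
# Tasks 6, 7, 8: membership is the member attribute; scope and type both live in groupType
foreach ($attr in 'member', 'groupType') { Add-AuditRule $WriteProp (Get-SchemaGuid $attr) $Descendents $group }
# Task 10: GPO links are the gPLink attribute of the domain root and of each OU
Add-AuditRule $WriteProp (Get-SchemaGuid 'gPLink') $All
# Task 12: keywords on service connection points
Add-AuditRule $WriteProp (Get-SchemaGuid 'keywords') $Descendents $scp

Set-Acl -Path "AD:\$domainDn" -AclObject $acl
```

With this in place the Directory Service Changes events (5136 modified, 5137 created, 5141 deleted) carry the attribute name and the old and new values, which is what makes a group scope or gPLink change readable later; the user and group events (4720, 4724, 4726, 4728 and so on) come from the Account Management subcategories regardless of the SACL. Scope the entries to specific OUs instead of the domain root if the volume turns out to be too high.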


Tuesday, May 11, 2010

Auditing access in Active Directory

Auditing is a very important aspect of IT security, and for many organizations, it is essential to maintaining security and demonstrating regulatory compliance.

In Windows Server deployments, auditing for identity and access management tasks is done in the Active Directory, and audit entries are generated in audit logs on domain controllers.

In this blog, we take an in-depth look at how to audit important tasks in Active Directory, how to decipher audit events, and how to collect data from the audit logs on different domain controllers.

If you're into IT and Windows security, you'll find this to be helpful and useful.