Wednesday, June 30, 2010

Which administrative tasks to audit in Active Directory

As you may know, auditing for identity and access management is actually configured in the Active Directory, and in fact audit entries are generated in the audit logs on domain controllers.

It is important to ensure that you audit the enactment of all vital administrative tasks, but at the same time it is also important to ensure that you do not go overboard so as to result in the unnecessary excessive filling up of your audit logs.

With that in mind, here is a list of some of the most important administrative tasks that you should audit for in your Active Directory -
  1. Creation and deletion of domain user accounts
  2. Resetting domain user account passwords
  3. Disabling and enabling of domain user accounts
  4. Unlocking domain user accounts
  5. Creation and deletion of domain security groups
  6. Changing domain security group memberships
  7. Changing domain security group scopes
  8. Changing domain security group types
  9. Creation and deletion of organizational units
  10. Linking and unlinking of GPOs to organizational units
  11. Creation and deletion of service connection points
  12. Changing a service connection point keywords

These tasks are all sensitive in that if someone could carry out these tasks with malicious motives, they could negatively impact the security of your Active Directory and thus the security of your IT infrastructure.

You can enable auditing of these tasks by modifying  the SACL on Active Directory object, which by the way can be accessed by viewing the security descriptor of Active Directory objects.