This blog series addresses why Active Directory auditing is necessary, deep dives into auditing methodology and suggests best practices for comprehensive AD auditing.
Who Moved My Object and Other AD Mysteries
Active Directory was created to simplify identity services in the enterprise and ease the lives of sys admins everywhere, but lack of visibility into AD operations remains a major pain point. For someone in charge of maintaining AD, there is nothing more frustrating than being unable to find out who made a change in Active Directory and what that change was. You can spend hours trying to understand why a Group Policy Object is in a warning state and never find the root cause. The problem compounds where excessive privilege is the norm: the more accounts that hold Domain Admin rights, the harder "who did what" becomes to answer. And attackers who get into your network increasingly treat Active Directory as the pivot point for lateral movement and for the kind of persistence that survives a rebuild of individual hosts.
Aside from the nuisance factor, not auditing your Active Directory environment puts your organization at risk from both an operational and legal perspective.
Here are just a few reasons why it’s crucial to audit Active Directory:
- System Status: Active Directory ships with no built-in alerting; tools such as repadmin and the Get-ADReplication* cmdlets report replication state only when you run them. If one of the many replication functions in AD is degraded, you might not find out until end users are affected. Proactive monitoring of system health turns those on-demand checks into real-time alerts, so you can act before anyone notices.
- Suspicious Activity: Threat actors often reside in an environment for months before the damaging phase of an attack. If you are actively auditing your Active Directory environment, there is a good chance you will be alerted to suspicious activity (new privileged group members, unexpected delegation, changes to sensitive objects) before it becomes a full-blown incident.
- Compliance: For some institutions, auditing Active Directory is effectively required by law. Regulations such as SOX Section 404 mandate that organizations implement and assess internal controls over financial reporting, and for most organizations those controls rest on the identity infrastructure, AD included, that governs who can touch the financial systems.
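The replication-health point above is the one you can check today without any product. The following is an added example, not code from the original post or from Semperis: it uses the RSAT ActiveDirectory module to pull the same replication-failure and partner data that repadmin /replsummary reads, flags any DC whose inbound partners have not synced recently, and exits non-zero so a scheduled task or monitoring agent can raise an alert. The two-hour staleness threshold is an assumption; tune it to your site-link schedules.

```powershell
# Added example (not from the original post). Replication-health check for every
# DC in the forest. Assumes the RSAT ActiveDirectory module is installed and the
# caller is permitted to read replication metadata from each DC.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$staleAfter = (Get-Date).AddHours(-2)   # assumption: 2h without a successful inbound sync is worth an alert

# 1. Replication failures recorded by any DC in the forest.
$failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# 2. Per-partition inbound partner metadata: when did each partner last succeed?
$allDCs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$stale  = foreach ($dc in $allDCs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound -ErrorAction Continue |
        Where-Object { $_.LastReplicationSuccess -lt $staleAfter } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures, LastReplicationResult
}

if ($failures -or $stale) {
    Write-Warning "Replication problems detected in forest $($forest.Name)"
    $failures | Format-Table -AutoSize
    $stale    | Format-Table -AutoSize
    exit 1    # non-zero exit lets a scheduler or agent page someone
}
"Replication healthy in $($forest.Name) as of $(Get-Date -Format s)"
```

Run it from a scheduled task on a management host rather than on a DC, so that a DC that is itself unhealthy (or compromised) is not the thing deciding whether to raise the alarm. A DC that is unreachable will surface as an error from Get-ADReplicationPartnerMetadata, which is itself a finding.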
The Active Directory Auditing Wizard Behind the Curtain
Most Active Directory auditing solutions simply monitor changes made in the system. That kind of auditing is not comprehensive, for two reasons:
- If the audit policy is disabled, or the Security log stops being collected, for even a minute, whether by accident or on purpose, you lose sight of whatever happened in Active Directory during that window. There is no way to reconstruct it from the logs afterward.
- If an attacker gains administrative access to a domain controller, they can clear or selectively edit the local Security log and hide their tracks. Reports on the Target and Sony breaches describe attackers tampering with logs to cover their activity, and industry dwell-time studies from that period put the median time to detection at around 200 days. A change-tracking approach that trusts only the DC's own event log has nothing to say once that log has been altered.
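Both weaknesses above leave a footprint of their own, and a practitioner should watch for it even without a dedicated product. The following is an added example, not code from the original post or from Semperis: it queries every DC's Security log for the events Windows writes when the log is cleared, the logging service stops, or the audit policy or an object's SACL is changed (event IDs 1102, 1100, 4719 and 4715), and then confirms with auditpol that the "Directory Service Changes" subcategory, which produces the 5136/5137/5141 object-change events, is still enabled on each DC. The 24-hour lookback is an assumption; the event IDs and the auditpol CSV columns are standard Windows ones.

```powershell
# Added example (not from the original post). Checks each DC for signs that
# auditing was tampered with or switched off. Assumes the RSAT ActiveDirectory
# module, remote event-log access, and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

$since     = (Get-Date).AddHours(-24)   # assumption: 24h lookback
$tamperIds = @(
    1102,  # the audit log was cleared
    1100,  # the event logging service was shut down
    4719,  # system audit policy was changed
    4715   # the audit policy (SACL) on an object was changed
)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Tampering indicators in each DC's own Security log.
$hits = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $tamperIds; StartTime = $since } |
        Select-Object MachineName, TimeCreated, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# 2. Is the subcategory that yields AD change events still on?
#    auditpol /r emits CSV with columns including 'Subcategory' and 'Inclusion Setting'.
$policy = Invoke-Command -ComputerName $dcs -ScriptBlock {
    auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv |
        Select-Object @{ n = 'DC'; e = { $env:COMPUTERNAME } }, Subcategory, 'Inclusion Setting'
}
$disabled = $policy | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' }

if ($hits -or $disabled) {
    Write-Warning "Audit tampering indicators found"
    $hits     | Sort-Object TimeCreated | Format-Table -AutoSize
    $disabled | Format-Table -AutoSize
    exit 1
}
"No audit tampering indicators on $($dcs.Count) DCs since $since"
```

Two caveats the check cannot cover. First, an attacker who has already cleared the log has also removed the 4719 that preceded it, so 1102 is usually the only survivor; forward the Security log off the DC (Windows Event Forwarding or your SIEM's agent) so the copy that matters is one the attacker cannot reach. Second, enabling "Directory Service Changes" is necessary but not sufficient: 5136/5137/5141 are only written for objects that carry an audit SACL, so review the SACLs on the domain root, AdminSDHolder and your privileged OUs as part of the same exercise.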
Part two of this series goes into Active Directory auditing methodology in detail, but the takeaway here is to consider more than a change-tracking mechanism for your AD auditing. The Semperis AD State Manager (ADSM) provides a reliable view of Active Directory modifications by correlating information from two independent sources and comparing directory states in real time, so that an event is recorded even if it never reached the event log. Events are committed to a backend database, where you can run free-text searches and view a running "ticker" of all the activity that took place in the time period you choose.
The State Manager also offers point-in-time recovery, so you can quickly revert Active Directory to a previous state when necessary. Whether you need to undo a mass security group change that has wreaked havoc on your applications, or restore a deleted AD site that has broken replication, ADSM reduces the process to a mouse click.
Gaining Visibility into Your Active Directory Services
Microsoft designed Active Directory to accommodate constant change across an organization, and a well-managed, secure deployment depends on detecting and recording those changes. A comprehensive Active Directory auditing solution not only provides visibility into what changed in AD; it also makes the organization more efficient by alerting you to degraded operations and cutting the hours spent on root-cause analysis and restoration. And beyond visibility and efficiency, auditing Active Directory is essential for maintaining compliance in many industries.
Up Next: Active Directory Auditing Methodology and Best Practices