Active Directory auditing is essential for one simple reason: Active Directory (AD) controls the keys to your IT kingdom. Without solid Active Directory auditing, your organization is at increased risk of costly security breaches, business disruptions and compliance failures.
But exactly what is involved in truly effective Active Directory auditing, and how can you achieve it without overburdening your limited IT resources or blowing your budget? This blog provides the answers you need.
What is Active Directory auditing and why is it important?
Active Directory stores critical data about your users and computers and their permissions, and provides crucial authentication and authorization services that control access to your IT ecosystem and its resources. Moreover, Active Directory Group Policy enables centralized management of users and computers, controlling everything from Windows updates to password requirements to allowed authentication protocols.
Therefore, it’s not hyperbole to say that keeping Active Directory healthy and secure is vital to your business itself. Just one improper deletion of a user account, errant change to group membership or unauthorized modification of Group Policy could lead to costly consequences: a security breach, data loss, business disruptions, compliance penalties and more.
Effective Active Directory auditing is the key to avoiding those unpleasant outcomes. For example, being able to promptly spot unusual activity by a privileged account or a spike in account lockouts can mean the difference between blocking an attack and suffering a serious security incident. Key components of a solid Active Directory auditing strategy include:
- Complete and timely data collection — Having all the relevant details at hand immediately is essential for promptly spotting, investigating and responding to threats. In particular, it’s important to have the five Ws for each event: who, what, when, where and originating workstation.
- Data normalization — Having data from various sources standardized into a common format speeds incident detection and investigation.
- Correlation and analysis — Because modern IT ecosystems are complex and dynamic, making sense of what’s happening can be very challenging. To be able to identify true threats in the vast ocean of activity, IT pros need to be able to quickly and accurately correlate and analyze activity across systems, for example, to understand what a particular user is doing and how much of a threat they pose.
- Clear and efficient reporting — To be able to properly audit Active Directory, IT pros need to be able to quickly create easy-to-understand reports on a wide range of topics: effective permissions, domain controller configuration, GPO changes and much more.
- Real-time alerting — Knowing about threats promptly is critical to containing the damage. Ideally, alerts should be paired with proactive measures, such as prevention of changes to critical objects and automated response to known threat patterns, such as disabling an account that exhibits behavior associated with ransomware.
Does Active Directory auditing matter in a hybrid environment?
Yes! Many organizations today use a hybrid model in which their on-premises Active Directory is synched to the cloud using Azure AD Connect. In those situations, improper changes or activity in Active Directory can definitely impact not just your on-prem environment but your cloud IT ecosystem as well.
Examples are easy to come by. If a user account is deleted from your on-prem AD, that deletion will be synched to the cloud, and the user’s Azure AD account will soon also cease to exist, leaving them unable to access SharePoint Online, Teams and so on. A successful on-prem password spraying attack can enable attackers to gain a foothold in Azure AD. And an on-prem service account that is made hybrid can be used to compromise Azure AD. Effective Active Directory auditing can help you spot these unwanted events and take action before you suffer business disruption or a breach.
So, how do I enable Active Directory auditing?
Starting in Windows 2000, Microsoft has offered nine basic audit settings (Local Policies\Audit Policy), and those settings continue to be available. However, advanced audit policy settings were introduced in Windows Vista and Windows Server 2008 (Security Settings\Advanced Audit Policy Configuration); using the 53 advanced policy settings, you can define a much more granular audit policy.
Important: Microsoft advises not to use both the basic audit policy settings and the advanced settings, since doing so can cause “unexpected results” in audit reporting.
You can access the advanced audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy. The advanced audit policy settings are divided into the following categories:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Object Access
- Policy Change
- Privilege Use
- Global Object Access Auditing
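As an added example (not part of the original post), the following PowerShell enables a focused set of the advanced subcategories that cover the group, account, directory and logon changes discussed in this post, and then checks the LSA setting that makes subcategory settings take precedence over the nine basic settings, which is what the warning above about mixing the two refers to. It assumes an elevated session on a domain controller; in practice these settings are normally pushed through Group Policy rather than set on each DC.

```powershell
# Added example: enable advanced audit subcategories on a DC and verify the override.
# auditpol.exe is built into Windows; run this in an elevated PowerShell session.
$subcategories = @(
    'Security Group Management',   # 4728/4732/4756: member added to a security group
    'User Account Management',     # 4720: account created, 4740: account locked out
    'Directory Service Changes',   # 5136/5137/5141: object modified/created/deleted
    'Audit Policy Change',         # 4719: the audit policy itself was changed
    'Logon',                       # 4624/4625: logon success/failure
    'Credential Validation'        # 4776: NTLM credential validation on the DC
)

foreach ($sub in $subcategories) {
    # Record both success and failure so who/what/when/where is complete
    # for blocked attempts as well as for changes that went through.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Note: Directory Service Changes (5136 etc.) also needs a SACL on the audited
# objects (e.g. the privileged groups) before events are written.

# Subcategory settings only override the basic category settings when this
# LSA value is 1; otherwise both sets apply and reporting becomes unpredictable.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning 'Subcategory override is not forced; enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" via GPO.'
}

# Show the effective policy for the subcategories just configured.
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub"
}
```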
What data should be included in an Active Directory auditing strategy?
Because organizations have different priorities and strategies, there is no definitive list of specific things you need to include in your Active Directory auditing. However, the overarching goal is to spot activity that could be a threat to your organization, which means watching for activity that could have serious repercussions, falls outside of your normal baseline or violates your established policies. At the same time, alert fatigue is a very real risk, so you need to ensure you’re focusing on the small subset of events that truly matter in the vast sea of activity occurring in your IT environment every day.
For example, changes to powerful administrative groups like Enterprise Admins are inherently risky, and they are also normally quite infrequent. Therefore, it might make sense to closely audit every change to those groups. Other groups, like those created to ensure consistent provisioning of teams in various departments, might warrant more nuanced auditing, with alerts on only truly unusual modifications. Similarly, your IT teams would probably quickly be swamped if they needed to look into every deletion of content from your file shares, but a spike in file deletions is definitely worth auditing, since it could indicate ransomware or another attack in progress.
At a high level, here are some of the key things you want to include in the scope of your Active Directory auditing:
- Changes to Group Policy — A single improper change to a Group Policy object (GPO) can open a huge gap in your security posture, for example, by allowing unlimited attempts to guess an account password, enabling use of the command prompt on users’ devices, or allowing unidentified users on remote computers to connect to a network share.
- Changes to privileged groups — Membership in Active Directory’s built-in privileged groups, such as Enterprise Admins or Domain Admins, gives a user enormous power in the environment. Most organizations also create their own privileged groups to administer highly sensitive data or applications. Clearly, it’s essential to monitor any changes to the membership or rights of any of these groups.
- Activity of privileged accounts — Of course, it’s not enough to monitor privileged groups themselves; you also need to audit what members of those groups are actually doing. Administrators can accidentally or deliberately misuse their accounts to cause serious damage to your organization. Moreover, privileged accounts are a prime target for takeover by attackers. In addition to user accounts, be sure to keep a close eye on all service accounts that have elevated rights.
- User account lockouts — User account lockouts can bring critical business processes to a halt. Moreover, a surge in account lockouts can be a sign of a brute-force attack on your network.
- Creation of new user accounts — The creation of a new Active Directory user account opens up a lot of access doors to your IT environment, including your cloud resources if you’re synching your on-premises AD to Azure AD.
- Domain controller changes — Domain controllers (DCs) are where Active Directory actually runs. Improper changes can lead to slow logons, poor performance and even catastrophic outages. Moreover, DCs store the critical NTDS.dit file, which records critical AD data, including your users, groups, computers, password hashes and directory configuration, so you need to watch for attempts to exfiltrate it.
- Active Directory logon activity — Tracking user logon/logoff activity is essential for both security and compliance. It’s also important to be able to monitor use of the older and riskier NTLM authentication protocol, as well as to be able to spot attempts to exploit Kerberos vulnerabilities, which can indicate Golden Ticket and Pass-the-Ticket attacks.
- Azure AD sign-ins — If you have a hybrid environment, you’ll also need to track Azure AD sign-in activity. Ideally, you want easy correlation that empowers you to understand all the logon and sign-in activity across your on-prem and cloud IT ecosystem.
- Azure AD role changes — Azure AD roles, such as Global Administrator, Conditional Access Administrator and Teams Administrator, empower users to manage critical Azure AD resources. Turning on Azure AD Multi-Factor Authentication (MFA) for all users who are assigned to these roles is a best practice, but it’s not sufficient; you also need to keep a close eye on changes to Azure AD roles in case rogue admins or hackers try to claim them to escalate their privileges.
Microsoft provides guidance on how to implement specific advanced audit policy settings to collect the Active Directory auditing data you need.
Are the native auditing tools sufficient?
Microsoft does provide useful Active Directory auditing capabilities. Because they are free, they are widely used. However, they have limitations in all three areas described above: data collection; data normalization, correlation and analysis; and reporting and alerting. Here are some of the key drawbacks:
- Audit logs are very decentralized. To get an accurate picture of Active Directory activity, administrators must analyze the Security event log on each domain controller where auditing is enabled.
- Audit logs are incomplete. Critical aspects of Active Directory, such as Group Policy, are either partially audited or not audited at all. For example, the native event logs record that a GPO was modified but do not capture which specific settings were changed.
- The log data can be noisy and hard to interpret. Events often contain irrelevant or obfuscated information, such as GUIDs rather than recognizable object names. Plus, a single audited event can generate multiple events in the log.
- Log data can be short-lived. Directory auditing information is written into the Security event log, which is highly active and regularly overwritten.
- The Event Viewer is limited. You can review the data collected by your Active Directory auditing policy using the Windows Event Viewer. You can filter the events, but only by certain set criteria, such as time period, source, ID, user and computer. To make use of any other data in the event entries, you’ll need to spend time building an XML query. You can also use PowerShell to explore the audit data; of course, that option also requires significant time and expertise.
- Reporting and alerting are limited. With native tools, alerting is inconsistent across on-premises and cloud workloads, inflexible, and difficult to set up.
- Understanding a hybrid environment requires manual correlation. As explained earlier, Active Directory can affect Azure Active Directory, so it’s essential to understand activity across the entire IT ecosystem. With native options, this typically requires manually trying to correlate activity from two different auditing systems: the Active Directory domain controller logs and the Microsoft 365 audit stream.
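As an added example (not from the original post) of what the "what to audit" list above and the decentralized-log and XML-query drawbacks look like in practice, this PowerShell queries the Security log of every domain controller with the same kind of XML filter Event Viewer builds, normalizes the privileged-group, account-creation and lockout events into who/what/when/where records by reading the event data by name rather than by position, and flags a lockout spike. It assumes the ActiveDirectory RSAT module, read access to each DC's Security log, and a constructed lockout threshold of 20 per hour that you would baseline for your own environment.

```powershell
# Added example: collect key AD audit events from all DCs and flag a lockout spike.
# Assumes the ActiveDirectory module (RSAT) and remote read access to each DC's Security log.
Import-Module ActiveDirectory
$lockoutThreshold = 20   # constructed value; baseline it against your normal lockout rate

# XML query of the form Event Viewer's "XML" tab produces: group membership changes,
# new user accounts and lockouts from the last hour (3600000 ms).
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728 or EventID=4732 or EventID=4756 or EventID=4720 or EventID=4740)
        and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
  </Query>
</QueryList>
"@

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    # Security logs are per DC, so every DC must be queried; SilentlyContinue keeps
    # one unreachable DC from aborting the whole collection.
    Get-WinEvent -ComputerName $dc.HostName -FilterXml $xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name so the record carries names, not offsets or GUIDs.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                When    = $_.TimeCreated
                Where   = $dc.HostName
                EventId = $_.Id
                Who     = $data['SubjectUserName']   # for 4740 this is the DC's own computer account
                What    = switch ($_.Id) {
                    4740    { "Lockout of $($data['TargetUserName']) from caller $($data['TargetDomainName'])" }
                    4720    { "Account created: $($data['TargetUserName'])" }
                    default { "$($data['MemberName']) added to group $($data['TargetUserName'])" }
                }
            }
        }
}

$events | Sort-Object When | Format-Table -AutoSize

# A surge in 4740 events across the DCs is the brute-force / password-spray signal
# described above; a single lockout is usually just a user with a stale password.
$lockouts = @($events | Where-Object EventId -eq 4740).Count
if ($lockouts -gt $lockoutThreshold) {
    Write-Warning "$lockouts lockouts in the last hour (threshold $lockoutThreshold): possible brute-force attack."
}
```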
Can a SIEM help with Active Directory auditing?
Security information and event management (SIEM) tools, such as Splunk and Microsoft Azure Sentinel, are powerful systems designed to aggregate and analyze security data from many different sources. For example, they can often accept and correlate data from network devices, low-level endpoint auditing tools like Sysmon, on-premises Active Directory audit logs, and data about activity in the Microsoft 365 platform.
However, SIEM systems can be very expensive, complex to configure and challenging to operate. Moreover, in larger organizations, they are often managed exclusively by security teams, so AD administrators have little or no access to the data.
In addition, SIEM systems aggregate and analyze security events, but they don’t produce them. As a result, they suffer from the same noise issues and blind spots inherent in native Active Directory auditing.
Are there other options for Active Directory auditing?
Yes! Many organizations choose to invest in a purpose-built solution for Active Directory auditing. These systems often produce independent audit information from on-premises Active Directory in order to overcome the gaps in native audit data collection. For example, they can provide details about the before and after values for changes, and pinpoint users or applications that are still using the older NTLM protocol so you can configure them to use the stronger Kerberos protocol instead.
In addition, third-party solutions often provide prebuilt dashboards and reports that simplify the job of staying on top of activity, as well as easy-to-configure alerts that notify you about suspicious activity in real time. Many enable you to quickly roll back unwanted changes to close security gaps and avoid business disruptions. Some solutions even empower you to proactively prevent changes to your most critical AD objects, such as powerful groups like Domain Admins.
Organizations with a hybrid IT environment will want to look for a solution that can ingest audit events from both on-premises Active Directory logs and the Microsoft 365 unified audit log, normalize and combine them into a single audit stream, and deliver a unified view of the entire IT ecosystem.
Moreover, third-party solutions can also help you avoid alert fatigue and quickly home in on true threats to your business. For instance, in today’s highly dynamic organizations, new employees might be hired every day. You don’t want to waste valuable IT team time checking into every new account — but it’s vital to spot the creation of a rogue backdoor account. With a third-party solution, you may be able to create an alert that excludes the legitimate activity of the service account tasked with provisioning work, instantly focusing your attention on suspicious user account creation.
Finally, if you use a purpose-built Active Directory auditing solution, make sure the tool itself cannot be compromised or misused. For example, you don’t want a malicious actor who gains access to the tool’s administrative account to be able to make changes to your IT ecosystem and then cover their tracks by altering or erasing the records in your auditing solution. Therefore, make sure the solution you choose has solid defenses, including a clear log of all logins to the system, all changes to its configuration or operation, and all attempts to purge records.
Active Directory auditing is a multi-faceted challenge, but it’s absolutely essential to security, business continuity, user productivity, regulatory compliance and other critical business goals. While Microsoft provides valuable free Active Directory auditing capabilities, investing in the right third-party solution can pay for itself by saving valuable IT team time while enabling far better and faster threat detection that helps the business avoid breaches, downtime and compliance penalties.