The top activities to track when auditing Active Directory

Auditing Active Directory is vital because Active Directory (AD) controls the keys to your IT kingdom. Indeed, properly monitoring activity around Active Directory is critical across multiple dimensions, including business continuity, user productivity, security and regulatory compliance.

But exactly what is involved in auditing Active Directory, what activities need to be tracked, and how can you implement auditing effectively and reliably — without overburdening your limited IT resources or blowing your budget? We’ll explore all this and more.

Why is Active Directory auditing necessary?

Active Directory provides the essential authentication and authorization services required for your employees to do their jobs and your business processes to run. Active Directory security groups and other capabilities control access to your IT ecosystem and its resources, and Active Directory Group Policy governs everything from software installations and forced reboots to password requirements and authentication protocols.

Therefore, you need to ensure that Active Directory is healthy and secure. Auditing Active Directory helps you achieve this goal by collecting and analyzing data about your Active Directory configuration and activity in your environment. For example, auditing Active Directory effectively can empower you to spot any change to the membership of your highly privileged security groups or the settings of critical Group Policy objects (GPOs) before it results in costly business disruptions, user frustration, security breaches, compliance penalties and other damage.

What is needed when auditing Active Directory?

A truly effective program for auditing Active Directory includes all of the following:

• Thorough and timely data collection— To promptly spot, investigate and respond to threats, you need all the relevant details at hand, including the five Ws for each event: who, what, when, where and originating workstation.
• Data normalization— The various native logs and other sources of data about activity in your AD store information in different ways. To make sense of it all, you need to have the data standardized into a common format.
• Correlation and analysis— To spot threats and understand the broader context of incidents, it’s not enough to look at activity in each system in isolation. Rather, you need to be able to accurately correlate and analyze activity across systems. For example, to understand how much of a threat a particular user poses, you need to be able to assess all of their activity across your IT ecosystem.
• Clear and efficient reporting— To make use of that normalized data and analysis, you need to be able to easily create reports that clearly reveal effective permissions, domain controller (DC) configuration, GPO changes and more.
• Real-time alerting— The best Active Directory auditing solutions don’t wait around for you to run a report or look at a dashboard; they proactively notify you about threats and provide the key details you need to respond and contain the damage.
• Proactive measures— Some Active Directory auditing tools go even further: They enable you to block changes to critical objects (like vital GPOs and highly privileged groups) and set up automated responses to threat patterns (such as disabling an account that is performing actions associated with ransomware).

How to audit changes in Active Directory

Microsoft offers two types of audit policy settings:

• Basic audit settings— These nine settings are available in Security Settings\Local Policies\Audit Policy. They enable you control auditing of account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking and system events.
• Advanced policy settings— The 53 settings in Security Settings\Advanced Audit Policy Configuration enable you to define a much more granular policy for auditing Active Directory. For example, you can audit when a group administrator has changed settings on a server that contains financial information. You can access these settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy.

Caution: Microsoft advises not using both of these options together, since doing so can cause “unexpected results” in audit reporting.

What events should be tracked when auditing Active Directory?

The goal of auditing Active Directory is to spot activity that could be a threat to your organization. But since every organization has different priorities, risk tolerance, strategies, staffing and so on, there is no definitive list of exactly which events to audit or exactly how to configure the advanced policy settings. Microsoft does offer guidance on how to configure the advanced audit policy settings to meet your needs.

Here is a high-level list of the key things you want to include in the scope of your process for auditing Active Directory:

• Changes to Group Policy— Any unauthorized or incorrect change to a Group Policy object (GPO) can compromise your organization’s security, compliance and business continuity. For example, a single improper change could give adversaries unlimited attempts to guess the passwords of your powerful admin accounts, enable unidentified users to connect to a network share that stores regulated data, or permit the use of USB devices that could unleash ransomware.
• Changes to privileged groups— Active Directory includes multiple built-in privileged groups, such as Enterprise Admins and Domain Admins, that give their members significant power in the IT environment. Organizations can also create their own privileged groups to control access to sensitive data, applications and other IT assets. Therefore, it’s critical to monitor any changes to the membership or rights of any of these powerful groups.
• Activity of privileged accounts— Administrators and other privileged users can misuse their accounts, either accidentally or deliberately, and cause serious damage to your organization. Moreover, privileged accounts are a prime target for takeover by attackers. Remember to also audit the activity of all service accounts that have elevated rights.
• User account lockouts— While most user account lockouts do not signal a threat, they can disrupt business processes. And a surge in account lockouts can be a sign of a brute-force attack on your network.
• Creation of new user accounts— Organizations that are growing or changing can have a lot of legitimate account provisioning activity. Still, it’s important to remember that the creation of a new Active Directory user account opens up a lot of access doors to your IT environment and be on the lookout for unauthorized activity.
• Changes to domain controllers— Since DCs are where Active Directory actually runs, improper changes to these servers can result in everything from authentication slowdowns to catastrophic outages. Also be aware that DCs host the NTDS.dit file, which stores critical data about AD users, groups, computers, password hashes and directory configuration, so you need to watch for attempts to exfiltrate it.
• Authentication activity— Tracking user logon and logoff activity helps you understand normal user behavior and spot unusual activity that could be a threat. It’s also important to monitor use of the older and riskier NTLM authentication protocol, and spot attempts to exploit Kerberos vulnerabilities, which can indicate Golden Ticket and Pass the Ticket
• Azure AD sign-ins— In a hybrid environment, it’s also crucial to track sign-in and sign-off activity in Azure AD. Ideally, you want to have this activity correlated with on-premises logon and logoff events to provide a coherent picture that can uncover more complex threats.
• Changes to Azure AD roles— Assigning Azure AD roles to users empowers them to access and manage critical resources. It’s vital to promptly spot any unauthorized change to role membership or privileges, since it could be an adversary attempting to escalate their rights in the environment.

What alerts should I set up?

IT ecosystems are exceedingly busy places that can have millions of events every day. The advanced audit policy settings can help by enabling you to fine-tune which behaviors you want to monitor. For example, you can activity that is of little concern to you or that create an excessive number of log entries.

Still, it can be a challenge to find the truly suspicious activity in the ocean of auditing data you collect. That includes both individual high-risk anomalous events, as well as broader activity, or chains of related events, that represents a true threat.

For example, changes to powerful security groups like Enterprise Admins are inherently risky and normally rare, so it might make sense to alert on any change to those groups. But it probably does not make sense to issue an alert every time a new member is added to your Sales team — unless it is part of a larger pattern of events that indicates a possible privilege escalation as part of an Active Directory attack. Similarly, your IT teams would probably quickly be swamped if they needed to look into every deletion of content from your file shares. But you might want to alert them whenever there’s a spike in file deletions, which could signal a ransomware attack in progress or a disgruntled employee trying to damage your business.

The more flexibility you have, the better. By tailoring your advanced audit policy settings and using an Active Directory auditing solution that provides context around activity and offers customized alerts, you can zero in on true threats and avoid alert fatigue.

Is native auditing sufficient?

Microsoft provide some helpful Active Directory auditing capabilities, and they have the advantage of being free of charge. But they have a number of important limitations and drawbacks:

• Audit logs are decentralized. You’ll need to pull together the separate Security event logs from each domain controller (DC) where auditing is enabled.
• Audit data is incomplete. Native logs fail to fully capture critical aspects of Active Directory. For example, they log that a GPO change event occurred but do not record which specific settings were modified.
• Logs can be noisy and hard to interpret. A single event can generate multiple log entries. Moreover, events often have irrelevant or unclear information, such as GUIDs rather than recognizable object names.
• Log data can be gone before you even know you need it. The Security event log is highly active and regularly overwritten.
• Analysis is limited. Using the Windows Event Viewer, you can review audit data and filter it by certain criteria, such as time period, source and user. To make use of any other data in the log entries, you need to build XML queries or use PowerShell.
• Reporting and alerting are limited. Reporting and alerting can be inflexible and difficult to set up, and it is inconsistent across on-premises and cloud workloads.
• Understanding a hybrid environment requires manual correlation. To spot threats in a hybrid environment, it’s essential to gain a holistic understanding of activity across the entire IT ecosystem. With native options, this typically requires manually trying to correlate activity from two different auditing systems: the logs from your DCs and the Microsoft 365 audit stream.

What to look for in an Active Directory auditing solution

Many organizations choose to invest in a purpose-built solution for Active Directory auditing. Look for a solution that overcomes the limitations of native tools listed above. For example, it should offer independent data collection that captures audit data missing from the native logs, prebuilt dashboards and reports that simplify the job of staying on top of activity, and easy-to-configure alerts that notify you about suspicious activity in real time.

If you have a hybrid IT environment, you will want to look for a tool that can ingest audit events from both on-premises logs and the Microsoft 365 unified audit log, normalize and combine them, and deliver a unified view of the entire IT ecosystem.

Reduce your AD attack surface.

See where you’re exposed and how to remediate it.

Try Security Guardian

Beyond that, look for a solution that helps you avoid alert fatigue and quickly hone in on true threats. For instance, while a spike in file deletions might indicate ransomware, it might also simply be the legitimate result of an admin cleaning up stale files. Creation of new accounts might be perfectly routine, or it might be an adversary creating a rogue backdoor account. Alerts that can factor in whether activity is authorized can be very valuable.

In addition, check whether the solution enables you to quickly roll back unwanted changes, or even empower you to proactively prevent changes to your most critical AD objects, such as powerful groups like Domain Admins.

Finally, look for an Active Directory auditing solution that has solid defenses against being compromised or misused, including a complete record of all logins to the system, all changes to its configuration or operation, and all attempts to purge records.

Conclusion

Auditing Active Directory is vital to security, business continuity, user productivity, regulatory compliance and other organizational goals. While Microsoft provides some Active Directory auditing capabilities, investing in the right solution can pay for itself by enabling better and faster threat detection with far less time and effort from your valuable IT pros. As a result, your organization can avoid costly breaches, downtime and compliance penalties.