
Active Directory Change Auditing in the Enterprise


Changes can introduce untested conditions, or produce unpredictable errors and problems. Change auditing is a means whereby both IT administrators and management can readily distribute, secure and manage resources to ensure accountability and operational stability. This white paper explains why change auditing is important and covers features required for Active Directory change auditing.

Published in: Technology

Transcript

  • 1. Active Directory Change Auditing in the Enterprise
White Paper
Written by Chris Rich, Senior Director of Product Management
  • 2. Table of contents
What is Change Auditing? (p. 3)
Why is Change Auditing Important? (p. 4)
  Change Auditing: A Real-World Example (p. 4)
  Change Auditing to Reduce Risk (p. 4)
  Change Auditing to Improve Security (p. 5)
  Change Auditing to Sustain Compliance (p. 5)
  Change Auditing to Improve Manageability (p. 5)
Required Features for Active Directory Change Auditing (p. 7)
  Automatic Data Collection (p. 7)
  Efficient and Centralized Data Storage (p. 7)
  Scalability (p. 8)
  Advanced Reporting Capabilities (p. 8)
  Real-Time Alerts (p. 9)
  Robust Disaster Recovery Options (p. 9)
  Additional Considerations (p. 9)
SIEM, IT Governance, Risk-Management and Active Directory Change Auditing (p. 10)
NetWrix Approach to Active Directory Auditing (p. 11)
About NetWrix Corporation (p. 11)
About the Author (p. 12)
Additional Resources (p. 12)
  • 3. What is Change Auditing?
Change auditing is an auditing procedure for mitigating the risks associated with changes to IT systems, services and applications. Limiting unauthorized or undesired changes, and having appropriate segregation of duties and management controls in place, is essential to reducing the risks of implementing IT changes in production environments. Changes can introduce untested conditions or produce unpredictable errors and problems. Proper change auditing reduces the risk of security features being disabled, harmful code being distributed to end users, sensitive data being lost or compromised, and non-compliance with internal and external regulatory requirements. Proper change auditing starts by measuring the risks of managing a production IT environment and then addresses those risks with a secure, controlled audit trail of all changes across the entire enterprise, 24x7x365. Change auditing is a means whereby both IT administrators and management can readily distribute, secure and manage resources to ensure accountability and operational stability.
  • 4. Why is Change Auditing Important?
Change Auditing: A Real-World Example
The importance of change auditing is best illustrated by a real-world example. Consider a company that recently relocated an employee. This employee had been given extensive access to important systems and information as part of their past duties; that access is no longer appropriate in their new role. Upon relocation, their access should have been modified to remove the prior privileges, but no formal process existed to secure resources after an employee changed roles. Four months later, the employee, still holding extensive rights, gains unauthorized remote access to the environment. Having prior knowledge of the company's systems and resources, they navigate to a server housing the company's financial data, secured by Active Directory, to resolve a technical issue they were experiencing, and modify a number of important settings. As a result, the company's financial data becomes unavailable, causing anger, frustration, panic and finger-pointing. After many hours of investigation, the inappropriate modifications are discovered and corrected in Active Directory. The damage was done, however, and IT must now spend further time correcting the problem.
This type of situation is rare but does happen. Without change auditing, the company had no way to protect itself. Even if a procedure had been in place, a human would have had to follow it. Human error is to be expected; without a change audit solution to confirm that access and permissions in Active Directory had actually been adjusted, the company suffered serious harm. Change auditing is important primarily because without it an organization cannot reduce the risks that arise from human behavior.
Change Auditing to Reduce Risk
Change auditing provides accountability, and thereby reduces risk, through detailed collection and analysis of event information. A setting made today may not be appropriate at some point in the future. Change auditing is the vehicle by which changes made to the environment today can be measured against predetermined risk factors and mitigated accordingly. Establishing risk factors is the single most important step in securing any IT environment: it ensures that everyone involved, from end users to senior management, understands what is at risk, and it creates a conscious awareness of everything critical to sustaining normal business operations. Regularly revisiting these risk factors adjusts them as needs and conditions change.
Once the risk factors have been identified, the next step is to secure them. In Active Directory, users are granted rights to access data and applications locally and remotely, and group memberships and policies are set up to control specific behaviors when accessing them. Effectively managing every aspect of user interaction with the environment reduces risk while granting the access needed to perform job responsibilities. Change may sometimes have unpredictable results, one of which is unintentionally
  • 5. increasing risk to IT assets. Active Directory change auditing provides actionable, historical forensic information to ensure risk factors are managed appropriately while delivering services to operationally diverse end-user populations.
Change Auditing to Improve Security
Accountability will always keep honest users and administrators honest; internal threats, however, pose a more immediate danger than external ones because insiders are trusted. Change auditing provides a robust check-and-balance record for all Active Directory changes. Security improvements in Active Directory are most often reactive: flaws and holes are discovered after the fact, because without auditing daily activity there is no way to know how a change affected the environment. Environments that rely on tickets or other change-approval processes may still experience security problems if the information submitted later turns out to have been inaccurate or intentionally misleading. The only way to know whether security has been compromised is to extract change and setting information directly from Active Directory.
Change Auditing to Sustain Compliance
Regulations and standards such as SOX, PCI DSS, FISMA and HIPAA each have their own detailed explanations of what needs to be tracked and recorded, and they also explicitly define how information is to be accessed and by whom. These requirements exist to establish IT change auditing standards that protect both business and consumers. At the end of the day, these regulations and their enforcement aim to confirm that the organization is recording and monitoring the events that control access to sensitive information such as banking information, social security numbers and health records. Demonstrating compliance is an exercise in presenting this information to auditors on request, to the level of detail the law or standard is interpreted to require and subject to the individual auditor's discretion. Change auditing in Active Directory provides the Who, What, When and Where information most frequently requested by auditors; almost equally important is the need to retain this information, sometimes for seven years or more, to be considered compliant. For Active Directory this is extremely difficult with native tools, which gives rise to the demand for additional tools.
Change Auditing to Improve Manageability
Making changes to Active Directory is easy given sufficient access. The consequences of changes, however, require thought and planning to avoid problems. Even if a lab environment is used to test changes, unexpected results can still occur, making change auditing essential to effectively managing Active Directory. Change auditing offers the opportunity to see the before and after values of modified configuration settings and permissions, which greatly improves an administrator's ability to recover from changes that cause harm or introduce unnecessary risk. Additionally, by maintaining a historical record of changes over time, further analysis can uncover hidden problems that may not be
  • 6. obvious during normal Active Directory activity. Being able to make changes is necessary to meet business and operational goals; the ability to look back at the impact those changes had, however, is the difference between ensuring a consistent, stable and safe environment for users and losing visibility and control over mission-critical resources and sensitive data. The ease with which changes are made can create a false sense of security about the impact those changes may bring, and thus reinforces the need for robust change auditing policies, procedures and tools to improve overall Active Directory manageability.
  • 7. Required Features for Active Directory Change Auditing
Change auditing for Active Directory is the process of gathering information, reporting on it, analyzing it, taking action and evaluating the result. Active Directory natively has the capability to output audit information. This information, however, is stored locally on each domain controller and is not centralized. Native reporting on audit data is also unavailable, which makes the collection and reporting steps difficult and time consuming. There is also a risk of losing audit data if event log settings are not sized for the volume of information logged, and of running out of disk space on domain controllers if too much information is captured and not cleared after it has been archived. Once the native information has been analyzed by an administrator experienced with system events and messages, the interpretation must still result in a decision: act, or accept the change as having met its intended goal without introducing a deficiency or an unacceptable compromise. Evaluating with native resources requires the same effort as collecting the information, and thus a similar investment in time. Combined, these factors make native change auditing impractical except in very small environments with a handful of servers and under 100 users. The following is a collection of the features that change auditing for Active Directory in the enterprise must have. Additional deployment considerations are provided as well.
Automatic Data Collection
To maximize the efficiency of collecting audit information, the process must be automated through scripting or 3rd-party tools. Without automation, collecting the information in a timely manner is not feasible, and this is especially true as the size of the organization drives up the raw volume of information collected. Special steps must also be taken on servers and domain controllers throughout the environment to enable auditing, which is off by default: for Active Directory change events, the Directory Service Changes audit subcategory must be enabled on the domain controllers and the objects to be tracked must carry an auditing entry (SACL). Additional scripting and 3rd-party tools may also be employed to pre-configure systems in preparation for collecting event data. Furthermore, if audit data is not collected regularly there is a risk of losing it to automatic event log overwrites or disk space issues. Automation is a required feature of change auditing because without it timely auditing is not feasible.
Efficient and Centralized Data Storage
Automation of any kind typically requires additional resources and may negatively impact system performance, which can lead to bigger problems. For this reason, it is important that the impact of the method employed to automatically collect data is minimal. Storage of data must also be considered during implementation. While it is possible to store event and audit data exclusively on the local system where the events take place, the preferred method is to centralize the information. This leads to
  • 8. numerous additional benefits over time as analyzing and reporting on this information becomes part of the daily routine of the IT administrator or group responsible.
Collection of information must also be reliable. Each piece of the change auditing system should be checked periodically to ensure that information is consistent when collected. The most advanced collection methods will also be able to pre-screen data, filter for only essential data, and compress it to further improve efficiency. During collection, preference should be given to methods that leverage the existing Windows event log and audit information over injected agents or modified core system code for event extraction; doing so avoids potential system stability issues and future incompatibility problems. Relying solely on event log data has its own problem: this information is frequently incomplete. To completely understand an event, information from all sources involved must be aggregated and analyzed as a whole. Securing this information for short- and long-term storage is also an important consideration, so best practices for securing audit data should be settled before deployment, such that no single power user can read, delete or tamper with the information. Access to this information should be heavily restricted and monitored.
Scalability
Change auditing for Active Directory must be scalable, adjusting to changes without dramatic or drastic steps.
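The collection and centralization described under Automatic Data Collection and Efficient and Centralized Data Storage, as an added example; this is not code from the paper or from the NetWrix product. It assumes the ActiveDirectory PowerShell module (RSAT), rights to read the Security log on every domain controller, and that the Directory Service Changes audit subcategory and object SACLs are already enabled; the central share path, the 512 MB log-size threshold and the watchlist of distinguished-name prefixes are hypothetical. It reads event ID 5136 (directory service object modified) from each DC, normalizes every record to Who/What/When/Where with the old or new attribute value, appends the records to a central CSV for loading into a reporting database, warns when a DC's Security log is small or set to overwrite, and flags any change to a watchlisted object as the alert hook.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not NetWrix code. Collect AD change events (ID 5136) from every
# DC into one central store and flag changes to critical objects.
param(
    [string]   $CentralStore    = '\\auditsrv\adaudit\ad-changes.csv',  # hypothetical UNC path
    [int]      $LookbackMinutes = 15,
    [string[]] $Watchlist       = @('CN=Domain Admins,', 'CN=Enterprise Admins,', 'CN=AdminSDHolder,')  # hypothetical DN prefixes
)

# Pre-flight: a small or circular Security log loses events before they are collected.
function Test-SecurityLogConfig {
    param([string]$Dc)
    $log = Get-WinEvent -ListLog Security -ComputerName $Dc
    [pscustomobject]@{
        DC        = $Dc
        MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode   = $log.LogMode   # Circular = oldest events overwritten; AutoBackup archives instead
    }
}

# 5136 reports one modification as a pair of events sharing an OpCorrelationID:
# a "value deleted" event carrying the old value and a "value added" event carrying the new one.
$opNames = @{ '%%14674' = 'ValueAdded'; '%%14675' = 'ValueDeleted' }

function Get-AdChangeRecord {
    param([string]$Dc, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    # Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                When          = $_.TimeCreated
                Where         = $Dc
                Who           = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object        = $d.ObjectDN
                Class         = $d.ObjectClass
                Attribute     = $d.AttributeLDAPDisplayName
                Operation     = $opNames[$d.OperationType]
                Value         = $d.AttributeValue
                CorrelationId = $d.OpCorrelationID
                RecordId      = $_.RecordId   # with Where, a stable key for de-duplicating re-collections
            }
        }
}

function Find-WatchlistedChange {
    param([object[]]$Records, [string[]]$Prefixes)
    $Records | Where-Object {
        $dn = $_.Object
        @($Prefixes | Where-Object { $dn.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    }
}

$since = (Get-Date).AddMinutes(-$LookbackMinutes)
$dcs   = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    $cfg = Test-SecurityLogConfig -Dc $dc
    if ($cfg.LogMode -eq 'Circular' -or $cfg.MaxSizeMB -lt 512) {   # 512 MB is an assumed minimum
        Write-Warning "${dc}: Security log is $($cfg.MaxSizeMB) MB in $($cfg.LogMode) mode; events may be overwritten before collection."
    }
}

# Collect from every DC: a change is logged only on the DC where it originated.
$records = @(foreach ($dc in $dcs) { Get-AdChangeRecord -Dc $dc -Since $since })

if ($records.Count -gt 0) {
    # Centralize: append to the shared CSV that the reporting database loads from.
    $records | Export-Csv -Path $CentralStore -NoTypeInformation -Append

    # Alert hook: anything touching a watchlisted object goes out immediately.
    $critical = @(Find-WatchlistedChange -Records $records -Prefixes $Watchlist)
    if ($critical.Count -gt 0) {
        $body = $critical | Format-Table When, Who, Object, Attribute, Operation, Value -AutoSize | Out-String
        Write-Warning "Critical AD change(s) detected:`n$body"
        # Send-MailMessage -SmtpServer 'smtp.example' -To 'secops@example' -From 'adaudit@example' `
        #     -Subject 'Critical AD change' -Body $body   # hypothetical mail settings
    }
}
```

Run it from a scheduled task on the collector more often than the smallest DC log can fill; the RecordId plus Where columns let the loader discard records that were already collected when windows overlap, and the CorrelationId column lets a report pair the ValueDeleted and ValueAdded rows of one modification into a single before/after line.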
Implementation and ongoing use of change auditing are simplified when no additional software or extensive reconfiguration is required to accommodate changes within the organization. Auditing should keep pace with all granular changes as the overall topology of the network and of Active Directory changes, to ensure a consistently optimal configuration that serves end users and can be administered by IT and help desk staff.
Advanced Reporting Capabilities
Once data collection is automated, reliable and stored securely, change auditing for Active Directory can assume a proactive posture. Advanced reporting is necessary to provide IT administrators, management and auditors with summarized information on any aspect of the Active Directory deployment, for any time period. Without the ability to produce clear change history for day-to-day modifications to Active Directory, sustaining compliance is impossible and many opportunities to better secure the environment are lost. For Windows environments, storing the data in SQL Server and reporting on it with SQL Server Reporting Services are the obvious choices; SQL Server Express with Advanced Services, which includes Reporting Services, can be downloaded free from Microsoft. The ability to customize ad-hoc and predefined 3rd-party reports accelerates an effective change auditing implementation by saving time and providing configuration options that suit the majority of needs.
Using reports on a daily basis ensures complete visibility over the entire IT infrastructure, providing opportunities to improve security and sustain compliance. Additional reporting services, including e-mail
  • 9. subscription capabilities and the ability to produce Active Directory snapshot reports, add to the impact advanced reporting has on overall systems management effectiveness. Once established, advanced reporting is the main driver behind sustained Active Directory change auditing success and becomes an important part of day-to-day management of the IT environment.
Real-Time Alerts
Closely related to advanced reporting, real-time alerts offer instant awareness of changes made to critical objects or data. The ability to dispatch real-time alerts lets administrators respond to potentially harmful incidents before they would otherwise have learned of them. Before Active Directory change auditing, knowledge of a harmful change came in the form of an administrator or end user stumbling upon it during their daily activities. In many cases, bad changes have led to unscheduled downtime, financial losses and legal liabilities. A real-time alert capability further reduces the risk of bad changes having costly consequences and may even prevent them entirely. Real-time alerting should be a required feature of any Active Directory change auditing implementation.
Robust Disaster Recovery Options
Active Directory offers a number of restore functions, but they require reboots (an authoritative restore is performed from Directory Services Restore Mode) and backup resources to function, and they carry the added requirement of testing these options before a restoration is actually needed. Change auditing for Active Directory needs a more robust way to recover from a damaging change, and this is therefore a required feature of any implementation. Native restore features are also limited in the level of detail at which objects can be restored: modified attributes are not restorable unless a backup is available, and the Active Directory Recycle Bin (Windows Server 2008 R2 and later) only reinstates deleted objects; it does not roll back attribute changes on objects that still exist.
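Granular reversal of group membership changes without a backup, as an added example; it is not code from the paper and not the method of the NetWrix product. It assumes the ActiveDirectory PowerShell module against Windows Server 2012 or later domain controllers, a group DN and time window that you supply, and a list of approved changes taken from the change process (the group, the member DN and the approved list here are constructed). Instead of a backup it reads the per-value replication metadata that every DC keeps for the member attribute: each member link records when it was last added and, if it was removed, when it was removed, so members added inside the window can be taken out and members removed inside the window put back, while every approved change is kept. Run it with -WhatIf first.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not NetWrix code. Revert unapproved membership changes made to one
# group since $Since, using linked-value replication metadata instead of a backup.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupDn  = 'CN=Finance-Servers-Admins,OU=Groups,DC=corp,DC=example',  # hypothetical group
    [datetime] $Since    = (Get-Date).AddHours(-4),                                   # window of the bad change
    [string[]] $Approved = @('CN=Jane Doe,OU=Users,DC=corp,DC=example'),             # constructed approved list
    [string]   $Server   = (Get-ADDomainController -Discover -Writable).HostName
)

# Every value of the multi-valued "member" attribute carries its own metadata:
# LastOriginatingChangeTime (when the link was last added) and LastOriginatingDeleteTime
# (when it was removed; an active link reports the directory's "never" value, 1601-01-01).
# Removed links remain visible with -ShowAllLinkedValues until the tombstone lifetime
# expires, which is what makes a removal recoverable without a backup.
function Get-MemberLinkChange {
    param([string]$Dn, [datetime]$Since, [string]$Server)
    Get-ADReplicationAttributeMetadata -Object $Dn -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            $removed = $_.LastOriginatingDeleteTime -ge $Since
            $added   = (-not $removed) -and ($_.LastOriginatingChangeTime -ge $Since)
            if ($added -or $removed) {
                $change = if ($removed) { 'Removed' } else { 'Added' }
                $when   = if ($removed) { $_.LastOriginatingDeleteTime } else { $_.LastOriginatingChangeTime }
                [pscustomobject]@{
                    Member  = $_.AttributeValue
                    Change  = $change
                    When    = $when
                    Version = $_.Version
                    FromDc  = $_.LastOriginatingChangeDirectoryServerIdentity
                }
            }
        }
}

function Undo-MemberLinkChange {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$GroupDn, [object[]]$Changes, [string[]]$Approved, [string]$Server)
    # Decide against the group's current state so a member removed and re-added in the
    # window is not touched twice, and so re-running the script is harmless.
    $current = @((Get-ADGroup -Identity $GroupDn -Server $Server -Properties member).member)
    foreach ($c in $Changes) {
        if ($Approved -contains $c.Member) {
            Write-Verbose "Keeping approved change: $($c.Change) $($c.Member)"
            continue
        }
        if ($c.Change -eq 'Added' -and $current -contains $c.Member) {
            if ($PSCmdlet.ShouldProcess($c.Member, "Remove from $GroupDn")) {
                Remove-ADGroupMember -Identity $GroupDn -Members $c.Member -Server $Server -Confirm:$false
            }
        }
        elseif ($c.Change -eq 'Removed' -and $current -notcontains $c.Member) {
            if ($PSCmdlet.ShouldProcess($c.Member, "Re-add to $GroupDn")) {
                Add-ADGroupMember -Identity $GroupDn -Members $c.Member -Server $Server
            }
        }
    }
}

$changes = @(Get-MemberLinkChange -Dn $GroupDn -Since $Since -Server $Server)
$changes | Format-Table Member, Change, When, Version, FromDc -AutoSize
if ($changes.Count -gt 0) {
    Undo-MemberLinkChange -GroupDn $GroupDn -Changes $changes -Approved $Approved -Server $Server
}
```

The same metadata gives the Where of each change (the originating DC) even when the Security log on that DC has already rolled over, which is why it pairs well with event-based collection; what it cannot give is the Who, so the approved list has to come from the change records rather than from the directory.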
Having a granular restore capability that can reverse unwanted changes, down to attribute-level detail, is necessary to ensure system stability and service availability. This enables the administrator to undo a change completely without a backup and without shutting down a domain controller, minimizing impact. A robust, granular restore function is an invaluable asset when managing Active Directory; one example is the need to restore specific, recently modified security group memberships to their original state while retaining other recent and approved modifications.
Additional Considerations
Most Windows environments contain systems that use Active Directory for a variety of functions, and these too must be considered as part of overall IT governance and risk-management directives. For this reason, it is important to consider what options are available to integrate these systems into the larger role of change auditing in the enterprise. Preferred solutions (and providers) should offer plug-in or add-on modules and software that form a cohesive and comprehensive management suite to make the most of
  • 10. change auditing. Such additional systems may include firewalls, switches, database servers, SANs, storage appliances and other Microsoft technologies such as Exchange and SharePoint.
SIEM, IT Governance, Risk-Management and Active Directory Change Auditing
These common buzzwords appear frequently when discussing security and change auditing and represent a broader view of IT management. SIEM, Security Information and Event Management, is related to change auditing but differs from it in some important ways. SIEM encompasses real-time analysis of security alerts and events generated throughout the entire enterprise, extending to all applications and devices in every corner of the organization. Change auditing is a critical information collection and reporting layer beneath overall SIEM objectives and must interoperate closely with SIEM systems and services to achieve maximum effectiveness. SIEM implementations range from in-house, customized systems to massive modular deployments providing management capabilities for nearly all IT resources in an environment. IT Governance is a term often used to describe the overall mission of an IT organization within the broader context of the organization as a whole; it is meant to align the core activities and services provided by IT with overall organizational directives and goals. Risk-Management is a term found more and more frequently in the press and in publications, challenging "security" as the appropriate description of how organizations approach keeping their resources stable and secure. More recently, the increased visibility of mobile devices and cloud computing as part of an organization's IT strategy presents new challenges to traditional models of security and to how best to provide it in an increasingly mobile world where the borders of the IT infrastructure have blurred greatly. Keeping these terms in mind while approaching Active Directory change auditing will help keep IT objectives in line with organizational objectives and needs as requirements change.
  • 11. NetWrix Approach to Active Directory Auditing
The NetWrix approach incorporates all the necessary features for effective Active Directory auditing in a software solution. NetWrix Active Directory Change Reporter is an Active Directory auditing tool that tracks changes made to Active Directory across the entire organization. It generates audit reports and real-time e-mail alerts that include the four W's, Who, What, When and Where, for every audited AD change, including users, OUs, groups, domain controllers, the configuration and schema partitions, and all other change activity. In addition, it automatically provides before and after values for each AD object change to improve security and AD change control. Automatic collection and reporting of Active Directory changes not only surpasses the native capabilities of Windows but expands on them, eliminating the time and effort spent collecting AD change audit information manually or through complex scripting, and thereby makes this information actionable. Furthermore, it sustains compliance through historical reporting for 7 years and more, and extends AD auditing into SIEM and monitoring systems such as Microsoft System Center Operations Manager (SCOM) for improved IT control.
Download a free 20-day trial of NetWrix Active Directory Change Reporter to see how NetWrix can help with your auditing and compliance needs. Download link: http://www.netwrix.com/requeste.html?product=adcr
About NetWrix Corporation
NetWrix Corporation is a highly specialized provider of solutions for IT infrastructure change auditing. Change auditing is the core competency of NetWrix and no other vendor focuses on this more extensively. With the broadest platform coverage available in the industry, innovative technology and a strategic roadmap aimed at supporting different types of IT systems, devices and applications, NetWrix offers award-winning change auditing solutions at very competitive prices, matched with great customer service. Founded in 2006, NetWrix has evolved into the #1 vendor for change auditing, as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles and Boston.
  • 12. About the Author
As Senior Director of Product Management for NetWrix, located in the Boston office, I oversee all aspects of product management for the NetWrix family of products. I have been involved in numerous aspects of IT for over 16 years, including help desk, systems administration, network management, network architecture, telecom and software sales and sales engineering, and product management. I am also a certified technical trainer, MCSA, Certified IBM Domino Administrator, avid runner, musician and happily married father of two.
Additional Resources
Information security professionals and trends - www.infosecisland.com
Articles and commentary on a wide array of IT related topics - www.techrepublic.com
Community focused on Windows technologies - www.windowsitpro.com
Editorial resource for technology professionals - www.redmondmag.com
Innovative tool and active community of IT practitioners - www.spiceworks.com
Focused community on Windows security needs, trends, and information - www.windowssecurity.com
10 Immutable Laws of Security - http://technet.microsoft.com/en-us/library/cc722487.aspx
Popular explanation and resources for Change Management and Change Auditing concepts and terminology - http://en.wikipedia.org/wiki/Change_management_auditing
Excellent resource for Windows Administrators - www.petri.co.il
NetWrix Corporate Blog - http://blog.netwrix.com
©2011 All rights reserved. NetWrix is a trademark of NetWrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.
