ACTIVE DIRECTORY AUDITING

Willa Reyes
Introduction
When talking about effective access control to Active Directory objects and resources, AUDITING is another important aspect of controlling access and improving security. It requires organized planning of what to audit and where to configure such audit services in policies and permissions. Also, when auditing a network, an administrator has to consider how to collect and analyze the data, and to determine the storage of the collected data, which can affect system performance.
What is Auditing?
Auditing is the process of recording deviations from a security policy. It is extremely important for any business network, because audit logs provide an indication of security breaches by recording changes to file permissions, installation of programs, and escalation of privileges.
How does auditing work?
Whenever a user performs a certain action on the computer, an event is generated and written to the log, where it can be viewed in the Event Viewer.
Where to find Event Viewer?
Importance of Auditing
Establishing an audit policy is an important feature of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

Advantages
o Allows you to target specific activities
o Reducing the auditing options to just what you need reduces the load on the computer, allowing it to provide more resources to other activities

Disadvantages
o Audit data can accumulate quickly and can fill up the available disk space
o It is difficult to determine what events occurred during a security incident if the audit settings are not configured properly
Audit Policy Settings
Success. An audit event is generated when the requested action succeeds.
Failure. An audit event is generated when the requested action fails.
Not defined. No audit event is generated for the associated action.

Where to Find Audit Policy
Start Menu > Administrative Tools > GPME (Group Policy Management Editor) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
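The Group Policy path above sets the policy; the following added example (not part of the original slides) shows how to read back the effective audit policy on a machine with auditpol and how to check the Security log's capacity, which is the "disk space" disadvantage listed earlier. The category name and size figures are only illustrative; run it in an elevated PowerShell session.

```powershell
# Added example, not from the slides. Read the effective audit policy and the
# Security log's capacity before and after changing the Audit Policy.
# Assumption: elevated session on the machine whose policy you are checking.

# 1. Effective audit policy per category, as the Local Security Authority
#    currently applies it (whatever GPO or local policy produced it).
auditpol /get /category:*

# 2. Enable one category locally. This is the same setting the slide's
#    GPME path controls; a GPO-managed value will overwrite a local change
#    at the next policy refresh, so use auditpol here to test, GPO to deploy.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 3. Capacity check: how big the Security log may grow, how full it is now,
#    and what happens when it is full (Circular = oldest events overwritten).
function Get-SecurityLogCapacity {
    $sec = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaxSizeMB  = [math]::Round($sec.MaximumSizeInBytes / 1MB, 1)
        CurrentMB  = [math]::Round($sec.FileSize / 1MB, 1)
        Records    = $sec.RecordCount
        LogMode    = $sec.LogMode
        PercentUse = [math]::Round(100 * $sec.FileSize / $sec.MaximumSizeInBytes, 1)
    }
}
Get-SecurityLogCapacity
```

Enabling Object Access for both success and failure is the setting most likely to flood the log, so the capacity check belongs right after any such change; if PercentUse climbs quickly, either narrow the SACLs that generate the events or raise the log size (for example with `wevtutil sl Security /ms:<bytes>`) and forward events off the host.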
Audit Events

| Audit Policy Setting        | Description                                                  | WinSrv 2008 R2 Settings / XP or Vista |
|-----------------------------|--------------------------------------------------------------|---------------------------------------|
| 1. Account Logon            | Authentication/validation (username/password)                | success                               |
| 2. Account Management       | Changes to accounts / password resets                        | success                               |
| 3. Directory Service Access | Changes to Active Directory accounts                         | success                               |
| 4. Logon Events             | Logins or connections are made                               | success                               |
| 5. Object Access            | Non-Active Directory objects (files/folders)                 | none                                  |
| 6. Policy Change            | User-rights assignment, auditing, account and trust policies | success                               |
| 7. Privilege Use            | Taking ownership                                             | none                                  |
| 8. Process Tracking         | Process creation, termination                                | none                                  |
| 9. System Events            | Boot-up, shutdown, time changes                              | success                               |
Audit Events

Directory Service Access: which Active Directory objects generate events is controlled through the SACL (system access control list) on each object, not only through the category setting.
Audit Events

Sample policy, Object Access: files/folders
Enable setting: Success, Failure, or both
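Enabling the category only arms the mechanism; the objects that actually produce events are the ones carrying an audit entry in their SACL, for files and folders under Object Access and for AD objects under Directory Service Access (the SACL point made two slides earlier). The following is an added example, not from the slides, that puts such an entry on a folder and on an OU. The folder path, the OU distinguished name and the audited identity are placeholders; the commands need an elevated session (writing a SACL requires SeSecurityPrivilege) and, for the OU part, the ActiveDirectory module.

```powershell
# Added example, not from the slides. Adds audit entries (SACL) to a folder and
# to an Active Directory OU. Paths and identity below are assumed placeholders.

# --- Object Access: files/folders -------------------------------------------
$folder   = 'C:\Shares\Finance'    # assumed path
$identity = 'Everyone'             # who to audit; a narrower group is usual

# Audit successful and failed attempts to change, delete, re-permission or
# take ownership of anything under the folder (inherited by subfolders/files).
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# -Audit is required: without it Get-Acl reads only the DACL, and Set-Acl
# would write back a descriptor that carries no SACL information.
$fsAcl = Get-Acl -Path $folder -Audit
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $folder -AclObject $fsAcl

# Show what is now in the folder's SACL
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# --- Directory Service Access: an OU, through the AD: drive ------------------
Import-Module ActiveDirectory
$ou = 'AD:\OU=Finance,DC=corp,DC=example'     # assumed distinguished name

# Audit changes to the OU and its children: attribute writes, permission and
# owner changes, and object creation/deletion.
$adRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]$identity,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, CreateChild, DeleteChild',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$adAcl = Get-Acl -Path $ou -Audit
$adAcl.AddAuditRule($adRule)
Set-Acl -Path $ou -AclObject $adAcl

(Get-Acl -Path $ou -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

Once the entries are in place, a matching access on the folder is logged as an Object Access event and a matching change to the OU as a Directory Service Access event, but only on machines where that category (or its subcategory) is enabled as the slide describes; a SACL on a folder with Object Access left at "none" produces nothing.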
Audit Events

Sample log for user privileges
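The slides show the resulting log entries as screenshots. As an added example (not from the original presentation), the script below reads the same information from the Security log: it counts events per audit category from the table above, using the Security event IDs that Windows Server 2008 R2 and later assign to each category, and then lists the Privilege Use entries this slide samples (event 4672, "Special privileges assigned to new logon"). The event ID to category mapping is added knowledge, not from the slides, and the time window and computer name are assumptions.

```powershell
# Added example, not from the slides. Summarises Security-log events per
# audit category and lists recent privilege assignments. Assumptions: run as
# an administrator; the ID mapping reflects Windows Server 2008 R2+ event IDs.

# Representative Security event IDs for each category in the deck's table.
$categoryIds = [ordered]@{
    'Account Logon'            = 4768, 4769, 4771, 4776         # Kerberos TGT/TGS, pre-auth failure, NTLM validation
    'Account Management'       = 4720, 4722, 4724, 4725, 4726, 4728, 4732, 4756
    'Directory Service Access' = 4662                           # operation on an AD object (needs a SACL)
    'Logon Events'             = 4624, 4625, 4634, 4647         # logon, failed logon, logoff
    'Object Access'            = 4656, 4660, 4663               # handle requested, object deleted, object accessed
    'Policy Change'            = 4719, 4739                     # audit policy / domain policy changed
    'Privilege Use'            = 4672, 4673, 4674               # special privileges, privileged service/object
    'Process Tracking'         = 4688, 4689                     # process created / exited
    'System Events'            = 4608, 4616, 4697               # startup, time change, service installed
}

function Get-AuditCategorySummary {
    param(
        [int]$Hours = 24,                          # assumed look-back window
        [string]$ComputerName = $env:COMPUTERNAME  # assumed: local machine
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($category in $categoryIds.Keys) {
        # Get-WinEvent reports "no events found" as an error; treat it as zero.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = $categoryIds[$category]; StartTime = $since
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{ Category = $category; Events = @($events).Count }
    }
}

# A category that shows zero over a day is either quiet or (more often) not
# enabled; compare against the table's expected setting for the machine role.
Get-AuditCategorySummary -Hours 24 | Sort-Object Events -Descending

# Privilege Use sample: which logons were granted admin-equivalent privileges,
# and which ones. PrivilegeList is a whitespace-separated list in the event data.
function Get-RecentPrivilegedLogons {
    param([int]$Hours = 24, [int]$MaxEvents = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = $x.Event.EventData.Data
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Domain     = ($data | Where-Object Name -eq 'SubjectDomainName').'#text'
            Privileges = (($data | Where-Object Name -eq 'PrivilegeList').'#text' -replace '\s+', ' ').Trim()
        }
    }
}

Get-RecentPrivilegedLogons -Hours 24 | Format-Table -AutoSize
```

Parsing the event XML rather than the rendered message keeps the fields stable across languages and is what a collector or SIEM rule would do; on a domain controller 4672 appears for every privileged logon, so the useful filter is usually an account name that should not be in the list.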
Conclusion
(Say in front)