Auditing Active Directory Changes Efficiently
                                 White Paper



Contents
Introduction
Change Auditing for Compliance
How Change Auditing Relates to Change Management
Case in Point: Active Directory Changes
   Native Tools
   Building Versus Buying
   Third-Party Software
   Success Recipe
The Smart Choice: NetWrix Active Directory Change Reporter




Introduction
In the IT infrastructure of a company, change is normal. This aspect of an organization's life cannot remain
static for a number of reasons:
       IT components are designed to be dynamic, flexible, and capable of supporting diverse
       configurations.
       Huge volume and diversity of information. Today's enterprises rely on information technology, so a
       variety of completely unrelated tasks depend on the information cycle.
       The rate of change, though it varies across the range of tasks, is considerable.
       Interdependency of information. A change in a single component can necessitate a series of
       changes in others. For example, a new entry in the HR database means that a new Active Directory
       user account needs to be created, an Exchange mailbox needs to be enabled for the user, and so
       on.
If information is allowed to become stale, operations can be disrupted. However, for the same reasons that
the information flow should not be allowed to stagnate, changes should not go unwatched. Those aspects
of company life that IT is entrusted with are easier to change than other structures. However, the
consequences of adverse changes can be as detrimental and expensive to correct as physical damage.
In addition, IT staff has to deal with compliance. SOX, HIPAA, GLBA, and FISMA compliance measures are
not dictated by internal needs, but still have to be considered for the enterprise to function smoothly.
How is it possible to make sure that all necessary changes are implemented and that the effects of
unwanted changes are minimized? This white paper describes approaches to change auditing, explains
how audit data can be used for change management, and focuses on one of the most important
information structures in the enterprise today: Active Directory.
Change Auditing for Compliance
Audit data must be kept for a very long time, up to 7 years by some regulations. The scope of the stored
data should be sufficient to satisfy any requests from the auditors, and be as detailed as possible. Whether
an auditor needs to know who made John Smith a domain administrator or view a complete history of
Jane Thompson's organizational unit membership for the past 5 years, the data should be readily available
for analysis.
Importantly, the data should clearly indicate who initiated the recorded change. Otherwise, the
responsibility for any harm caused by the changes rests with the CIO. The more complete the audit data,
the more certainty there is that the actual guilty party will be made responsible for damaging actions.
How Change Auditing Relates to Change Management
Change management is a continuous process of deciding what kinds of changes to the IT infrastructure
must and must not take place, what changes you want to watch for, and what you need to do about the
changes you find. This process is impossible without a comprehensive body of audit data, which is
provided by the auditing solution.
The volume of change-related audit data is necessarily large, and not all of it is useful for change
management. In a corporate IT environment, the aspects that require special attention are primarily
related to identity configuration and security configuration.
In these vital areas, not all changes deserve inspection, especially not when the volume of changes is
routinely overwhelming. However, attention can be duly guided by clear-cut assessment criteria, such as
those listed below.


Critical versus inconsequential
       On the priority scale, changes vary by the consequences they cause. Clearly, the deletion of a
       legitimate non-empty group is a more serious issue than the modification of a group description. A
       still more critical change is the addition of an unauthorized user account to the Domain Admins
       group—this is a blatant security violation.
       The response time for critical changes should be as short as possible, and they should be constantly
       monitored. Many such change types are well known and easy to track; this helps reduce the
       number of critical changes that need special attention.
Planned versus unplanned
       Unanticipated changes are a problem. First, they are the primary cause of outages. Secondly, if
       these events are frequent and are not prevented, they may be the reason for a failed security
       audit. Such changes should not go unmonitored. However, even planned changes should be
       monitored to ensure that they happen on time and without policy violations.
       An example of a planned change is permission delegation, such as the delegation of the right to
       reset user passwords to help desk personnel. This is a sensitive action that should never fall under
       the radar; care should be taken to ensure that the right level of permissions is delegated to the
       right people. Likewise, moving user accounts from one organizational unit to another in
       accordance with changes in the company hierarchy always has to be recorded. If this is done
       without proper privilege management, the user account may get excessive privileges through
       Group Policy.
       A meaningful change that is not typical is most probably unplanned. It is common practice to
       disable rather than delete the user accounts of former employees, in case these accounts need to
       be enabled later. If an account is deleted, this might signal a violation of policies.
Noise versus signal
       Audit trails contain a percentage of events that unambiguously indicate important changes. These
       events are easy to track. For example, addition of a domain controller is an extremely significant
       event that should be immediately examined. The addition of a “rogue” domain controller by an
       unauthorized person can have grave consequences.
       However, the share of useful information found in audit trails is never big. Many events are
       normally logged for even minor changes, and these events may need to be correlated to find out
       what actually happened. This means that the same type of event may be part of the background
       noise, or it may accompany a critical change, depending on what other events were logged around
       the same time.
Inadvertent versus malicious
       Adverse changes are not always ill-intentioned. They may be the result of mistakes or irresponsible
       administration, especially when there are no evident attempts to cover the tracks after such
       changes. Inadvertent changes like this are often reversible.
       It can be difficult to tell whether or not a change was intentional. For example, an organizational
       unit can be deleted along with all its contents. Without an investigation, it may not be clear
       whether or not this was done on purpose. To investigate the matter and restore the deleted
       objects, you need a detailed record of what happened.
Prioritizing the changes helps you build your change management strategy.
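The four criteria above can be applied mechanically to an audit trail. The following is an added example, not code from the white paper or from NetWrix: it classifies constructed Security-log style Active Directory change events as critical, planned, unplanned or noise, and correlates a burst of low-level events from the same actor on the same object into one incident, as the "Noise versus signal" criterion describes. The event IDs are the Windows Server 2008 and later Security log IDs (4728/4756 member added to a global/universal security group, 4726 user account deleted, 4738 user account changed, 4741 computer account created); the group names, OU, approved-change register and sample events are assumptions made for this example.

```python
"""Triage of Active Directory change events by the critical / planned /
unplanned / noise criteria. Added example; the environment facts below
(privileged groups, Domain Controllers OU, approved-change register) and
the sample events are constructed, not taken from any real directory."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CRITICAL, UNPLANNED, PLANNED, NOISE = "critical", "unplanned", "planned", "noise"
SEVERITY_ORDER = [CRITICAL, UNPLANNED, PLANNED, NOISE]  # most severe first

# Assumed environment facts for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS_OU = "OU=Domain Controllers,DC=example,DC=com"
# Planned changes registered in change management: (event_id, group, account).
APPROVED_CHANGES = {("4728", "Help Desk Operators", "jdoe")}


@dataclass
class Event:
    time: datetime
    event_id: str      # Windows Security event ID, as a string
    actor: str         # who initiated the change (the paper's key requirement)
    target: str        # object that was changed
    detail: str = ""   # group name, attribute name or OU, depending on the event


@dataclass
class Incident:
    severity: str
    event: Event                                        # most severe event in the burst
    context: List[Event] = field(default_factory=list)  # accompanying noise events


def classify(ev: Event) -> str:
    """Critical / planned / unplanned / noise for a single event."""
    if ev.event_id in ("4728", "4756"):                  # member added to a security group
        if ev.detail in PRIVILEGED_GROUPS:
            return CRITICAL                              # e.g. an account put into Domain Admins
        if (ev.event_id, ev.detail, ev.target) in APPROVED_CHANGES:
            return PLANNED                               # an approved delegation
        return UNPLANNED
    if ev.event_id == "4741" and ev.detail == DOMAIN_CONTROLLERS_OU:
        return CRITICAL                                  # a new domain controller appeared
    if ev.event_id == "4726":
        return UNPLANNED                                 # policy says disable, never delete
    return NOISE                                         # attribute tweaks, descriptions, ...


def correlate(events: List[Event], window: timedelta = timedelta(seconds=5)) -> List[Incident]:
    """Bucket events by (actor, target) within `window`, keep only buckets that
    contain a meaningful change, and attach the bucket's noise as context."""
    buckets: List[List[Event]] = []
    open_bucket: Dict[Tuple[str, str], List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.actor, ev.target)
        bucket = open_bucket.get(key)
        if bucket is None or ev.time - bucket[-1].time > window:
            bucket = open_bucket[key] = []               # start a new burst for this key
            buckets.append(bucket)
        bucket.append(ev)

    incidents: List[Incident] = []
    for bucket in buckets:
        labelled = [(classify(e), e) for e in bucket]
        severity, primary = min(labelled, key=lambda le: SEVERITY_ORDER.index(le[0]))
        if severity == NOISE:
            continue                                     # background noise only; drop it
        incidents.append(Incident(severity, primary, [e for lab, e in labelled if lab == NOISE]))
    return incidents


T0 = datetime(2009, 6, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed sample trail, not real log data
    Event(T0, "4738", "admin1", "bsmith", "description"),
    Event(T0 + timedelta(seconds=1), "4728", "svc_hr", "jdoe", "Help Desk Operators"),
    Event(T0 + timedelta(minutes=4, seconds=59), "4738", "tempadmin", "ctr_smith", "userAccountControl"),
    Event(T0 + timedelta(minutes=5), "4728", "tempadmin", "ctr_smith", "Domain Admins"),
    Event(T0 + timedelta(minutes=10), "4726", "admin2", "bsmith", ""),
    Event(T0 + timedelta(hours=1), "4741", "admin2", "DC03$", DOMAIN_CONTROLLERS_OU),
]


def triage_sample() -> List[Incident]:
    """Run the sample trail through correlation; used by the demo and the test."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for inc in triage_sample():
        print(f"{inc.severity:9} {inc.event.time:%H:%M:%S} {inc.event.actor} -> {inc.event.target} "
              f"[{inc.event.event_id} {inc.event.detail}] (+{len(inc.context)} correlated events)")
```

The lone description change by admin1 is dropped as noise, while the same event type on ctr_smith is kept because it accompanies the Domain Admins addition one second later.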
Case in Point: Active Directory Changes
Active Directory is the most critical part of today's enterprise IT environment. With Windows as the
dominant business platform, Active Directory is crucial for identity, security, configuration and operations
management.
Changes to some parts of this system can bring the entire business process to a standstill. The tools you
use for change management must be able to cope with the enormous amount of audit data that needs to
be sifted through. This section lists the main approaches used in production IT environments.



Native Tools
Windows MMC-based native tools, such as Event Viewer, Active Directory Users and Computers, Group
Policy Object Editor, Group Policy Management Console and others, are an entry-level solution. They have
the advantage of requiring no customization or third-party software, but even in a mid-size IT
infrastructure, they are not powerful enough to perform any meaningful change management.
Even with a well-designed change management strategy, native tools cannot significantly reduce the
effects of adverse changes, because of the high latency between the change and its discovery, and lack of
reporting capabilities. A change is not examined until after it has caused some negative results such as
service failure or slowdown of operations.
Moreover, the manual examination process is inefficient and painful. Several seemingly unrelated sources
sometimes need to be analyzed to put an event into context.
The time between an unwarranted change and its undesirable effects can be very short, and change
detection automation is very important to ensure a timely response, but if the administrator is armed with
only native tools, a change-induced problem might take a week or longer to solve.



Building Versus Buying
The search for automation and analysis methods can lead a company to invest in in-house software. The
range of technologies that can be employed is wide. PowerShell, the .NET framework, and many other
programming and scripting languages have bindings for Active Directory and Windows APIs, which are
extensively documented.
The following tasks are well-suited for automation:
       Subscribing to events—watching for the events you anticipate is efficient as long as you know what
       kind of event you are looking for
       Handling event logs—backing up, archiving, and clearing logs for compliance and auditing
       continuity
       Querying for events—centralizing search for events and making it more efficient
This list can continue, depending on the needs of an organization. It can grow quite long due to the
comprehensive scope of available functionality.
The effectiveness of in-house development is determined not so much by what is possible to do as by what
can be done in a given time with the given resources. If the company does not specialize in Active Directory
software—and most do not—then the time and resources are bound to be too scarce for comfort. Even if
the in-house solution is good, its development is certain to face problems:
       Support—the software produced in house may have many authors, which increases support
       difficulty; in addition, such a solution may evolve organically and is not likely to be centralized
       Testing—with a sensitive environment such as Active Directory, new software does not normally go
       into production use until it has undergone extensive tests, which require a great deal of time and
       expertise
In-house scripts and programs may be the optimal solution for some companies, but this is a rare case in
large distributed environments that have to accommodate internal and remote clients, heterogeneous
systems, and so on. More often, a more cost-effective and better-quality alternative is to purchase third-
party software specifically designed for Active Directory change management.




Third-Party Software
When it comes to choosing a third-party solution for Active Directory change auditing, a great variety of
available software seems to fit the bill. The final decision can be influenced by many factors, such as:
       Transparency of information about the product's capabilities
       Quality-price ratio
       Cost of ownership
When the choice is made, it is important to remember that the tools on their own cannot solve complex
problems in Active Directory change auditing, tracking and management.



Success Recipe
To be effective at tracking Active Directory changes, it is important to have a sensible strategy and software
tools that are flexible enough to meet all your needs but do not get in the way of your strategy.
Prioritize the changes by importance, relevance and purpose. Be sure to differentiate planned and
unplanned changes. For planned changes, make sure they actually take place as expected; for unplanned
changes, minimize discovery time and ensure timely response where needed.
The Smart Choice: NetWrix Active Directory Change Reporter
NetWrix Active Directory Change Reporter incorporates knowledge and understanding of the needs of
Active Directory change auditing personnel. It is a cost-effective solution offering competitive functionality
for a low price. Active Directory Change Reporter places Active Directory and Group Policy change
information directly at the administrator's fingertips, without the need to extract it by roundabout
methods.
For each captured change, all possible detail is shown, including the "before" and "after" settings. Based
on the data about these settings, you can perform rollback of unwanted changes.
The advanced reports provided with the product are based on the SQL Server Reporting Services
technology and include reports for SOX, HIPAA, GLBA, and FISMA compliance. Another feature essential for
compliance is long-term archival of audit data.
Active Directory Change Reporter comes in two versions: freeware and commercial.
The freeware version can be used indefinitely, and it is suitable for small businesses with flexible auditing
requirements.
The commercial version is available as a free download. This version is as easy to use as the freeware
version, but includes many advanced features. It is fully functional for a 20-day evaluation period.
For details, see http://www.netwrix.com/active_directory_change_reporting.html. At this link, you will
find comprehensive information about the product and comparisons of it with competitive third-party
software, including an independent comparison made by Windows IT Pro magazine.




©2009 NetWrix Corporation. All rights reserved. NetWrix and Active Directory Change Reporter are trademarks of NetWrix Corporation
and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other
trademarks and registered trademarks are the property of their respective owners.

 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Auditing Active Directory Changes Efficiently

Auditing Active Directory Changes Efficiently
White Paper

Contents
Introduction  3
Change Auditing for Compliance  4
How Change Auditing Relates to Change Management  5
Case in Point: Active Directory Changes  7
   Native Tools  7
   Building Versus Buying  7
   Third-Party Software  8
   Success Recipe  8
The Smart Choice: NetWrix Active Directory Change Reporter  9

Introduction
In the IT infrastructure of a company, change is normal. This aspect of an organization's life cannot remain static for a number of reasons:
   IT components are designed to be dynamic, flexible, and capable of supporting diverse configurations.
   Huge volume and diversity of information. Today's enterprises rely on information technology, so a variety of completely unrelated tasks depend on the information cycle. The rate of changes, though varied across the range of tasks, is considerable.
   Interdependency of information. A change in a single component can necessitate a series of changes in others. For example, a new entry in the HR database means that a new Active Directory user account needs to be created, an Exchange mailbox needs to be enabled for the user, and so on.
If information is allowed to become stale, operations can be disrupted. However, for the same reasons that the information flow should not be allowed to stagnate, changes should not go unwatched. Those aspects of company life that IT is entrusted with are easier to change than other structures. However, the consequences of adverse changes can be as detrimental and expensive to correct as physical damage. In addition, IT staff has to deal with compliance. SOX, HIPAA, GLBA, and FISMA compliance measures are not dictated by internal needs, but still have to be considered for the enterprise to function smoothly.
How is it possible to make sure that all necessary changes are implemented and that the effects of unwanted changes are minimized? This white paper describes approaches to change auditing, explains how audit data can be used for change management, and focuses on one of the most important information structures in the enterprise today: Active Directory.

Change Auditing for Compliance
Audit data must be kept for a very long time, up to 7 years by some regulations. The scope of the stored data should be sufficient to satisfy any requests from the auditors, and be as detailed as possible. Whether an auditor needs to know who made John Smith a domain administrator or view a complete history of Jane Thompson's organizational unit membership for the past 5 years, the data should be readily available for analysis.
Importantly, the data should clearly indicate who initiated the recorded change. Otherwise, the responsibility for any harm caused by the changes rests with the CIO. The more complete the audit data, the more certainty there is that the actual guilty party will be held responsible for damaging actions.

How Change Auditing Relates to Change Management
Change management is a continuous process of deciding what kinds of changes to the IT infrastructure must and must not take place, what changes you want to watch for, and what you need to do about the changes you find. This process is impossible without a comprehensive body of audit data, which is provided by the auditing solution.
The volume of change-related audit data is necessarily large, and not all of it is useful for change management. In a corporate IT environment, the aspects that require special attention are primarily related to identity configuration and security configuration. In these vital areas, not all changes deserve inspection, especially not when the volume of changes is routinely overwhelming. However, attention can be duly guided by clear-cut assessment criteria, such as those listed below.

Critical versus inconsequential
On the priority scale, changes vary by the consequences they cause. Clearly, the deletion of a legitimate non-empty group is a more serious issue than the modification of a group description. A still more critical change is the addition of an unauthorized user account to the Domain Admins group—this is a blatant security violation. The response time for critical changes should be as short as possible, and they should be constantly monitored. Many such change types are well-known and easy to track; this helps reduce the number of critical changes that need special attention.

Planned versus unplanned
Unanticipated changes are a problem. First, they are the primary cause of outages. Second, if these events are frequent and are not prevented, they may be the reason for a failed security audit. Such changes should not go unmonitored. However, even planned changes should be monitored to ensure that they happen on time and without policy violations.
An example of a planned change is permission delegation, such as the delegation of the right to reset user passwords to help desk personnel. This is a sensitive action that should never fall under the radar; care should be taken to ensure that the right level of permissions is delegated to the right people. Likewise, moving user accounts from one organizational unit to another in accordance with changes in the company hierarchy always has to be recorded. If this is done without proper privilege management, the user account may get excessive privileges through Group Policy.
A meaningful change that is not typical is most probably unplanned. It is common practice to disable rather than delete the user accounts of former employees, in case these accounts need to be enabled later. If an account is deleted, this might signal a violation of policies.

Noise versus signal
Audit trails contain a percentage of events that unambiguously indicate important changes. These events are easy to track. For example, addition of a domain controller is an extremely significant event that should be immediately examined. The addition of a "rogue" domain controller by an unauthorized person can have grave consequences.
However, the share of useful information found in audit trails is never big. Many events are normally logged for even minor changes, and these events may need to be correlated to find out what actually happened. This means that the same type of event may be part of the background noise, or it may accompany a critical change, depending on what other events were logged around the same time.

Inadvertent versus malicious
Adverse changes are not always ill-intentioned. They may be the result of mistakes or irresponsible administration, especially when there are no evident attempts to cover the tracks after such changes. Inadvertent changes like this are often reversible.
It can be difficult to tell whether or not a change was intentional. For example, an organizational unit can be deleted along with all its contents. Without an investigation, it may not be clear whether or not this was done on purpose. To investigate the matter and restore the deleted objects, you need a detailed record of what happened.
Prioritizing the changes helps you build your change management strategy.

Case in Point: Active Directory Changes
Active Directory is the most critical part of today's enterprise IT environment. With Windows as the dominant business platform, Active Directory is crucial for identity, security, configuration and operations management. Changes to some parts of this system can bring the entire business process to a standstill. The tools you use for change management must be able to cope with the enormous amount of audit data that needs to be sifted through. This section lists the main approaches used in production IT environments.

Native Tools
Windows MMC-based native tools, such as Event Viewer, Active Directory Users and Computers, Group Policy Object Editor, Group Policy Management Console and others, are an entry-level solution. They have the advantage of requiring no customization or third-party software, but even in a mid-size IT infrastructure, they are not powerful enough to perform any meaningful change management.
Even with a well-designed change management strategy, native tools cannot significantly reduce the effects of adverse changes, because of the high latency between the change and its discovery, and lack of reporting capabilities. A change is not examined until after it has caused some negative results such as service failure or slowdown of operations. Moreover, the manual examination process is inefficient and painful. Several seemingly unrelated sources sometimes need to be analyzed to put an event into context.
The time between an unwarranted change and its undesirable effects can be very short, and change detection automation is very important to ensure a timely response, but if the administrator is armed with only native tools, a change-induced problem might take a week or longer to solve.

Building Versus Buying
The search for automation and analysis methods can lead a company to invest in in-house software. The range of technologies that can be employed is wide. PowerShell, the .NET framework, and many other programming and scripting languages have bindings for Active Directory and Windows APIs, which are extensively documented. The following tasks are well-suited for automation:
   Subscribing to events—watching for the events you anticipate is efficient as long as you know what kind of event you are looking for
   Handling event logs—backing up, archiving, and clearing logs for compliance and auditing continuity
   Querying for events—centralizing search for events and making it more efficient
This list can continue, depending on the needs of an organization. It can grow quite long due to the comprehensive scope of available functionality.
The effectiveness of in-house development is determined not so much by what is possible to do as by what can be done in a given time with the given resources. If the company does not specialize in Active Directory software—and most do not—then the time and resources are bound to be too scarce for comfort. Even if the in-house solution is good, its development is certain to face problems:
   Support—the software produced in house may have many authors, which increases support difficulty; in addition, such a solution may evolve organically and is not likely to be centralized
   Testing—with a sensitive environment such as Active Directory, new software does not normally go into production use until it has undergone extensive tests, which require a great deal of time and expertise
In-house scripts and programs may be the optimal solution for some companies, but this is a rare case in large distributed environments that have to accommodate internal and remote clients, heterogeneous systems, and so on. More often, a more cost-effective and better-quality alternative is to purchase third-party software specifically designed for Active Directory change management.

Third-Party Software
When it comes to choosing a third-party solution for Active Directory change auditing, a great variety of available software seems to fit the bill. The final decision can be influenced by many factors, such as:
   Transparency of information about the product's capabilities
   Quality-price ratio
   Cost of ownership
When the choice is made, it is important to remember that the tools on their own cannot solve complex problems in Active Directory change auditing, tracking and management.
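The three automation tasks listed under Building Versus Buying (querying for events, handling event logs, and watching for the changes the paper calls critical) as one added PowerShell example. This is not code from the white paper or from NetWrix. It assumes the script runs on a domain controller, or reads an exported .evtx file, where the User Account Management, Security Group Management and Directory Service Changes audit subcategories are enabled; the event IDs are the documented Windows Security log IDs, while the $LogPath and $ArchiveDir values, the $CriticalGroups list and the severity scale are placeholders to adapt to your environment.

```powershell
# Added example, not from the white paper or NetWrix: triage Active Directory
# change events from the Windows Security log and archive the log for retention.
# Assumptions: runs on a domain controller (or against an exported .evtx) with the
# "Audit User Account Management", "Audit Security Group Management" and
# "Audit Directory Service Changes" subcategories enabled. Event IDs are the
# documented Windows values; group names and paths below are placeholders.

param(
    [string]$LogPath,                          # placeholder: exported .evtx to analyse offline; omit for the live log
    [int]$Hours = 24,                          # look-back window
    [string]$ArchiveDir = 'C:\audit\archive'   # placeholder: where exports and CSV reports are kept
)

# Events to watch, with a default severity on the paper's "critical versus inconsequential" scale.
$Watch = @{
    4720 = @{ Name = 'User account created';                             Severity = 'Medium' }
    4725 = @{ Name = 'User account disabled';                            Severity = 'Low'    }
    4726 = @{ Name = 'User account deleted';                             Severity = 'High'   }  # policy says disable, not delete
    4728 = @{ Name = 'Member added to security-enabled global group';    Severity = 'High'   }
    4729 = @{ Name = 'Member removed from global group';                 Severity = 'Medium' }
    4756 = @{ Name = 'Member added to security-enabled universal group'; Severity = 'High'   }
    4757 = @{ Name = 'Member removed from universal group';              Severity = 'Medium' }
    5141 = @{ Name = 'Directory service object deleted';                 Severity = 'High'   }  # e.g. an OU with its contents
}

# Groups whose membership changes are always critical (assumption: extend for your environment).
$CriticalGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$SeverityRank   = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }

function Get-EventField {
    # Pull one named EventData field out of the event's XML rendering.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AdChangeEvents {
    # Query only the watched IDs, so the filtering happens in the event log service
    # rather than after every Security event has been pulled into the script.
    $filter = @{ Id = [int[]]$Watch.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($LogPath) { $filter['Path'] = $LogPath } else { $filter['LogName'] = 'Security' }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function ConvertTo-ChangeRecord {
    # Normalise one event into who / what / target, raising severity for privileged groups.
    param($Event)
    $meta     = $Watch[[int]$Event.Id]
    $severity = $meta.Severity
    $target   = Get-EventField $Event 'TargetUserName'
    if (($Event.Id -in 4728, 4756, 4729, 4757) -and ($target -in $CriticalGroups)) { $severity = 'Critical' }
    if ($Event.Id -eq 5141) { $target = Get-EventField $Event 'ObjectDN' }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        EventId  = $Event.Id
        Change   = $meta.Name
        Severity = $severity
        Actor    = '{0}\{1}' -f (Get-EventField $Event 'SubjectDomainName'), (Get-EventField $Event 'SubjectUserName')
        Target   = $target
        Member   = Get-EventField $Event 'MemberName'   # DN of the added/removed member; empty for non-group events
        DC       = $Event.MachineName
    }
}

function Backup-SecurityLog {
    # Export the live Security log so the trail survives log rotation. Clearing is a
    # separate, deliberate step once the export has been verified and copied off-host.
    if ($LogPath) { return }
    $dest = Join-Path $ArchiveDir ('Security-{0}-{1:yyyyMMdd-HHmm}.evtx' -f $env:COMPUTERNAME, (Get-Date))
    wevtutil epl Security $dest
    # wevtutil cl Security   # only after $dest has been verified and archived
    $dest
}

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$records = Get-AdChangeEvents | ForEach-Object { ConvertTo-ChangeRecord $_ }

# Critical and High first: these are the changes that need the shortest response time.
$records | Sort-Object { $SeverityRank[$_.Severity] }, Time |
    Format-Table Time, Severity, Change, Actor, Target, Member -AutoSize

# Keep the normalised records next to the raw log export for the retention period.
$records | Export-Csv -Path (Join-Path $ArchiveDir 'ad-changes.csv') -NoTypeInformation
Backup-SecurityLog
```

Saved as, say, Get-AdChangeTriage.ps1 (a hypothetical file name), the script is run on a domain controller with `.\Get-AdChangeTriage.ps1 -Hours 72`, or against an export with `-LogPath C:\audit\Security-export.evtx`. The severity map is deliberately simple: a membership change to a group in $CriticalGroups is promoted to Critical, an account deletion is flagged above an account disable because the paper's policy is to disable rather than delete, and everything else keeps its default so that routine changes stay visible but do not crowd out the few that need an immediate response.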
Success Recipe
To be effective at tracking Active Directory changes, it is important to have a sensible strategy and software tools that are flexible enough to meet all your needs but do not get in the way of your strategy. Prioritize the changes by importance, relevance and purpose. Be sure to differentiate planned and unplanned changes. For planned changes, make sure they actually take place as expected; for unplanned changes, minimize discovery time and ensure timely response where needed.

The Smart Choice: NetWrix Active Directory Change Reporter
NetWrix Active Directory Change Reporter incorporates knowledge and understanding of the needs of Active Directory change auditing personnel. It is a cost-effective solution offering competitive functionality for a low price.
Active Directory Change Reporter places Active Directory and Group Policy change information directly at the administrator's fingertips, without the need to extract it by roundabout methods. For each captured change, all possible detail is shown, including the "before" and "after" settings. Based on the data about these settings, you can perform rollback of unwanted changes. The advanced reports provided with the product are based on the SQL Server Reporting Services technology and include reports for SOX, HIPAA, GLBA, and FISMA compliance. Another feature essential for compliance is long-term archival of audit data.
Active Directory Change Reporter comes in two versions: freeware and commercial. The freeware version can be used indefinitely, and it is suitable for small businesses with flexible auditing requirements. The commercial version is available as a free download. This version is as easy to use as the freeware version, but includes many advanced features. It is fully functional for a 20-day evaluation period.
For details, see http://www.netwrix.com/active_directory_change_reporting.html. At this link, you will find comprehensive information about the product and comparisons of it with competitive third-party software, including an independent comparison made by Windows IT Pro magazine.

©2009 NetWrix Corporation. All rights reserved. NetWrix and Active Directory Change Reporter are trademarks of NetWrix Corporation and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.