ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to select a good audit tool for Active Directory


Member

Posts: 16
Date: Jun 1, 2011
How to select a good audit tool for Active Directory


Hi All, I am tasked with performing a security audit of our Active Directory, covering all the salient aspects, such as account management, group management, OU management, and management of delegated access rights in Active Directory.

This obviously is not that easy an undertaking and our team simply does not have the time or the resources to come up with in-house scripts or the like to perform our audit. We also do not know yet exactly what all we should be covering but are starting to build a list.

It would be quite beneficial to have some sort of a dedicated automated solution that we can use to perform such audits, especially on a frequent basis, and so I thought of tapping into this forum to get some experience based suggestions on what might be some criteria on which to select a good audit tool for Active Directory.

One of the reasons for my question is that there appears to be so much choice, and while so many vendors promise the sky, come evaluation time, their tools barely deliver. We don't have too much to look for the right tools, so we thought of tapping into this forum with the hope of hearing from others in a similar boat.

Thanks.



__________________


Member

Posts: 21
Date: Jun 15, 2011
How to select a good audit tool for Active Directory


John,

Shalom. As IT admins, I think we've all dealt with vendors at some point or the other, and in the AD audit field there are certainly many tools to choose from.

Here in Israel, we're very security conscious, to the extent that I am unable to reveal what tool we use, because doing so might reveal the extent of our security.

I can however share a few points that we considered when selecting an AD audit tool, which are as follows -

I. Security - To us, how trustworthy a tool is, is the most important consideration. It is so important because most of us using it are Domain Admins, and the last thing we want is untrustworthy code running under our security credentials.

In this regard, we came across many tools that were quite cheap, but when we asked where they were built, most of them were built in places we just don't trust. For instance, one was built in Pakistan, another one in India, and even a very prominent vendor's tool was built in Russia! There is no way we are running anything built in Russia in our environment.

II. Reliability - The second most important factor for us was reliability, and that too is largely based on the level of knowledge and proficiency of the engineers who built the tool and the support technicians who support it.

This is very important because when you're making critical security decisions the last thing you want is to make a decision based on bad data, and the easiest way to obtain bad data is to rely on a tool built by non-SMEs / inexperienced developers / script kiddies.

III. Functionality - For us, functionality isn't the most important factor, since most tools offer similar capabilities when it comes to basic AD audit capabilities.

When you get into advanced but essential AD audit capabilities, the choices very quickly dwindle because you're left with offerings from solid vendors who truly understand the space and subject matter and are amongst the best.


IV. Cost - Cost has always been the last factor for us. That is because our management chain understands just how important Active Directory security is. They understand that if our AD gets compromised, the security of the entire organization could be jeopardized.

I hope that my input helps you in making the right decisions. It is very easy to overlook these factors, but these, in our opinion, are the most important factors, especially when you're running as Domain Admin, even if you use Run As, because it's just not worth any risk.

Lehitra'ot

- Ishmael



__________________

There isn't a system that cannot be broken into.



Veteran Member

Posts: 28
Date: Jun 18, 2011
How to select a good audit tool for Active Directory


Hi Ishmael,

Thank you for sharing your thoughts on this important subject. This is an often overlooked area of security, and it's good to see you guys in Israel take this seriously.

As such, the United States and Israel both have to be extremely vigilant against attacks, both physical and cyber attacks. Here in D.C. we take this especially seriously, and we've all been recently giving thought to the security of the very tools we admins use as well.

Here in the U.S., we too share your point of view, in that I don't think any IT admin at any U.S. organization, in their right minds, would deploy a tool built in Russia!

After all, doing so, especially in a production environment, could be the easiest thing we could do to compromise our security. I mean, who knows who built the tool, where it was really built, how secure it is, how much it was tested, etc.

I appreciate you sharing your thoughts in this regard. Thanks for your input.

Jack.



__________________

We will NEVER forget.



Member

Posts: 9
Date: Jul 12, 2011
RE: How to select a good audit tool for Active Directory


Hi John,

I think as IT admins/analysts we have all struggled with this question some time or the other.

In my own experience I have found that while there is a lot of choice when it comes to basic Active Directory management and reporting tools, the choices substantially narrow down when it comes to tools related to delegated access reporting.

By the way, I am mentioning this because you seemed to indicate that you were interested in delegated access reporting as well.

One thing I will point out in this regard is that while many vendors claim to provide access reporting, most of them just provide the ability to find out who has what permissions where in Active Directory, and we all know those aren't access reports at all because they don't take effective access into account.

A true delegated access report is one that takes into account effective access in Active Directory, and can determine the resultant-set-of-permissions (RSOP) in Active Directory and show us who can really do what in our Active Directory deployments.

When it comes to a true delegated access reporting tool, there is only one tool that I know of, based on my own research, that can actually do so in Active Directory.

Johnny.



__________________
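To make Johnny's distinction concrete, here is an added example (not from this thread or any vendor's tool) modelling why a raw "who has which ACEs" listing differs from an effective-access report. The OU, groups, users and ACEs are all constructed for the example; it resolves nested group membership and orders ACEs the way Windows evaluates a DACL (explicit before inherited, deny before allow within each tier), and ignores ownership, object-type-specific ACEs and other details of real AD evaluation.

```python
# Added example: raw permission listing vs. effective access on one AD object.
from dataclasses import dataclass

# Hypothetical group nesting, constructed for this example: group -> direct members.
GROUPS = {
    "Helpdesk": {"alice", "Tier2"},
    "Tier2": {"bob"},
    "ResetPwd": {"Helpdesk"},
}

@dataclass(frozen=True)
class Ace:
    trustee: str
    right: str
    allow: bool
    inherited: bool

# DACL on a hypothetical OU, constructed for this example.
OU_DACL = [
    Ace("Tier2", "ResetPassword", allow=False, inherited=False),   # explicit deny
    Ace("ResetPwd", "ResetPassword", allow=True, inherited=False), # explicit allow
    Ace("carol", "ResetPassword", allow=True, inherited=True),     # inherited allow
]

def token_groups(principal):
    """Transitive closure of group membership, as a logon token would carry it."""
    groups, todo = set(), [principal]
    while todo:
        p = todo.pop()
        for g, members in GROUPS.items():
            if p in members and g not in groups:
                groups.add(g)
                todo.append(g)
    return groups

def direct_trustees(dacl, right):
    """What a plain permission report shows: trustees of allow ACEs for a right."""
    return {a.trustee for a in dacl if a.right == right and a.allow}

def effective_access(dacl, principal, right):
    """Resolve nesting and ACE ordering; the first matching ACE decides."""
    sids = {principal} | token_groups(principal)
    # Sort key: explicit (inherited=False) first, then deny (allow=False) first.
    ordered = sorted((a for a in dacl if a.right == right),
                     key=lambda a: (a.inherited, a.allow))
    for a in ordered:
        if a.trustee in sids:
            return a.allow
    return False

def who_can(dacl, users, right):
    """The effective-access view: which users actually hold the right."""
    return sorted(u for u in users if effective_access(dacl, u, right))
```

The raw listing names only "ResetPwd" and "carol"; the effective view shows that alice holds the right through two levels of nesting while bob, despite being in the same groups, is blocked by the explicit deny on Tier2.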


Member

Posts: 16
Date: Jul 12, 2011
RE: How to select a good audit tool for Active Directory


Ishmael, Jack, Johnny,

Thank you all for your input. You've all made some very important points that I would have otherwise overlooked, and I really appreciate your assistance in this regard.

Johnny, you seemed to indicate that there is only one tool that can actually find out who is delegated what access in Active Directory. That is certainly very interesting, and I would certainly like to know which tool you're referring to.

Could you please let me know which is the tool that can help our organization find out exactly who is delegated what access in our Active Directory forest(s)?

Thanks,

John



__________________


Member

Posts: 5
Date: Jun 29, 2012
RE: How to select a good audit tool for Active Directory


Mr. John,

Have you tried ADManager Plus from ManageEngine? It is a very good tool and has many reports. It is also inexpensive as it is made in India, so you can get good price and value.

Krishna Raju



__________________


Veteran Member

Posts: 28
Date: Jul 18, 2012
RE: How to select a good audit tool for Active Directory


Mr. Raju,

Unlike in other parts of the world, here in the United States, the quality and reliability of a product is valued far more than its price, especially from a business standpoint.

So while your suggested tool may be inexpensive because it's made in India, most organizations that run Active Directory are going to be more concerned about the security and reliability of your suggested tool than its price.

In fact, most organizations understand how important Active Directory is, and budget accordingly to ensure that their administrative personnel can get the best and most reliable tools so they can ensure that their Active Directory deployments are safe and sound at all times.

Perhaps in India and in other developing economies, where price is a factor, organizations may find your suggested tool good value for money.

Thank you for the suggestion though.

Jack.



__________________

We will NEVER forget.



Member

Posts: 16
Date: Jul 22, 2012
How to select a good audit tool for Active Directory


Ishmael, Jack, Johnny,

Sorry for asking you again, but we really need to know which tool can help our organization find out who is delegated what access in our Active Directory?

Can you please let me know? (It is a bit time-sensitive for us.)

Thanks,

John



__________________


Member

Posts: 9
Date: Jul 23, 2012
RE: How to select a good audit tool for Active Directory


John,

If you're looking to find out who is delegated what access in Active Directory, there is only one tool that I know of that can do that - it's the Gold Finger Active Directory Security Audit Tool.

It's also one of the most capable Active Directory audit tools I've seen, given its capabilities, which range from being able to generate basic security audit reports to viewing/exporting ACLs, and from auditing group memberships to auditing security permissions in Active Directory.

Other than that, the only other option is to use basic permission analysis tools to determine effective access on all your Active Directory objects yourself. That is certainly doable, but can take months to accomplish.

Johnny.



__________________


Member

Posts: 7
Date: Mar 6, 2013
How to select a good audit tool for Active Directory


Hi John,

There are actually quite a few Active Directory auditing tools available today, but not too many Active Directory Audit Tools, especially good ones.

There are some basic Active Directory Audit Tools, but most of them tend to automate simple stuff that you and I could automate anyway with just a little PowerShell prowess. Whenever we look at tools, we look for things that we cannot do in-house in a tool, and when it comes to Active Directory Audit Tools, one of the things we struggle with is performing delegation audits in our Active Directory.

We have been using this Active Directory Audit Tool to perform delegation audits and it has made a huge difference for us because we can now get our delegation audit reports done in a matter of minutes, instead of days, so I would be happy to recommend that tool to you.

I would of course also recommend deriving maximum value from Microsoft's own basic tools like dsacls, dsrevoke etc. They don't automate the hard stuff but they make it easy to do some simple security audit stuff, and thus I think they can help as well.

Good luck to you.

Guido



__________________

"If you can't explain it simply, you don't understand it well enough" - Albert Einstein
