ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to view/determine/verify audit settings on important Active Directory objects in AD partitions?


Newbie

Posts: 1
Date: Aug 2, 2012


Hello Forum,

I am an IT auditor and I wanted some guidance on how to go about determining default audit settings on important Active Directory objects in our Schema, Configuration and Domain partitions?

In particular, we are tasked with performing a COBIT audit, and section DS 5 requires us to ensure that important Active Directory objects are properly secured.

For example, we need to verify audit settings on the following Active Directory objects -

  • CN=Schema,CN=Configuration,DC=ForestRootDomain
  • CN=Configuration,DC=ForestRootDomain
  • CN=Sites,CN=Configuration,DC=ForestRootDomain
  • CN=Partitions,CN=Configuration,DC=ForestRootDomain
  • CN=Directory Service,CN=Windows,CN=Services,CN=Configuration,DC=ForestRootDomain
  • DC=Domain,DC=ForestRootDomain
  • OU=Domain Controllers,DC=Domain,DC=ForestRootDomain
  • CN=System,DC=Domain,DC=ForestRootDomain

This is required to ensure that any modifications, deletions or changes to these objects result in the generation of an audit entry in our Directory Services logs on Domain Controllers.

Currently, the only way we know is to view the audit list via the Advanced Security Settings tab in Active Directory Administrative Center, but that does not show complete entries, and offers no way in which to document these settings (e.g. export them to a CSV file?)

I would like to know if there is an easy way to document the current audit settings on each of these important Active Directory objects, and if so, how?

Thank you very much in advance.

Debbie.



__________________


Newbie

Posts: 1
Date: Aug 29, 2012


Hi Debbie,

We had a similar need driven by an audit, and initially we tried a few Microsoft command-line tools as well as PowerShell to accomplish this, but we're not command-line / PowerShell fans, so we ended up looking for and finding a simple automated tool to do this.

We're using the 005 edition of the Gold Finger for Active Directory tool. It lets us view and export audit settings on both individual objects as well as OUs and domains quite easily. (You just point it to an object and click a button.)

The one other thing that we liked was that we could get a group-based license, so we could easily control the use of the tool via an Active Directory security group.

I think you can download a free trial from here.

Hope this helps.

Good luck.

Karen.



__________________


Veteran Member

Posts: 28
Date: Feb 28, 2013


Hi Debbie,

It is indeed quite important to periodically review your Active Directory audit settings. By this, I'm of course referring to the review of Active Directory SACLs on most if not all critical objects to ensure that your DCs will generate audit events for the right tasks.

In order to do so, what one needs in essence, as Karen has pointed out as well, is the ability to view the SACLs on objects. You can always try to view the SACLs via Active Directory Users and Computers snap-in, but the only downside with ADUC is that you can't export the SACL for quick analysis and archival.

There are some tools that let you dump an object's SACL, but most such tools can only do so on a per-object basis, and that can be quite inefficient. There are also some tools that let you dump ACLs but not SACLs. However, there are very few tools that let you dump the SACLs in a bulk fashion, meaning that they let you dump/export Active Directory SACLs of all objects in an OU or a domain.

We too use the Gold Finger tool to export (dump) entire DACLs and SACLs instantly, and it makes it really easy for us to use Excel to sort and filter the data to analyze it and ensure that we've set the right things to be audited.

On the topic of auditing, I should add that it's always helpful to ensure that you're only auditing for an optimal set of actions, otherwise your audit logs will start to fill up really fast, and roll over within days, and make it harder to analyze and catch any suspicious activity.

I hope my input helps you and I wish you all the best.

Jack.



__________________

We will NEVER forget.
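
The SACL export discussed in this thread can also be scripted. The following is an added example, not part of any post above: it reads the audit entries on the objects listed in the original question and writes them to a CSV. It assumes the RSAT ActiveDirectory module, an elevated session under an account holding the "Manage auditing and security log" right, and a hypothetical output file name `ad-sacl-report.csv`.

```powershell
# Added example: export the SACL (audit entries) of key AD objects to CSV.
Import-Module ActiveDirectory

$root   = Get-ADRootDSE
$config = $root.configurationNamingContext
$domain = $root.defaultNamingContext   # domain of the DC this session is bound to

# Objects from the original question, built from RootDSE rather than hard-coded.
# In a real forest the Directory Service object sits under "CN=Windows NT".
$targets = @(
    $root.schemaNamingContext
    $config
    "CN=Sites,$config"
    "CN=Partitions,$config"
    "CN=Directory Service,CN=Windows NT,CN=Services,$config"
    $domain
    "OU=Domain Controllers,$domain"
    "CN=System,$domain"
)
$columns = 'ObjectDN','Principal','AuditFlags','Rights','ObjectType',
           'InheritedObjectType','InheritanceType','IsInherited'

$rows = foreach ($dn in $targets) {
    try {
        # -Audit makes the provider return the SACL along with the DACL.
        $acl = Get-Acl -Path "AD:\$dn" -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Could not read SACL on $dn : $($_.Exception.Message)"
        continue
    }
    # Explicit and inherited audit rules, with principals resolved to names.
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    if ($rules.Count -eq 0) {
        # An empty SACL means changes to this object generate no audit events.
        [pscustomobject]@{ ObjectDN = $dn; Principal = '(no audit entries)' }
        continue
    }
    foreach ($ace in $rules) {
        [pscustomobject]@{
            ObjectDN            = $dn
            Principal           = $ace.IdentityReference
            AuditFlags          = $ace.AuditFlags             # Success, Failure or both
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $ace.ObjectType             # GUID of attribute, class or extended right
            InheritedObjectType = $ace.InheritedObjectType
            InheritanceType     = $ace.InheritanceType
            IsInherited         = $ace.IsInherited
        }
    }
}
# Fix the column set so rows for empty SACLs do not truncate the CSV header.
$rows | Select-Object $columns | Export-Csv -Path .\ad-sacl-report.csv -NoTypeInformation
```

Rows marked `(no audit entries)` and objects that raise the warning are the ones to follow up on first: the former will not log changes at all, and the latter usually indicate the session lacks the privilege to read the SACL.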
