Active Directory is Microsoft’s Directory Service and a critical part of today’s enterprise IT environments. With Windows still the dominant business platform, Active Directory is crucial for identity, security, configuration and operations management.
For example, when users log into a computer, Active Directory checks their passwords and determines who they are and what access rights they have. Recent Quocirca research shows that 68% of European enterprises say Active Directory (AD) is the primary source of identity for employees. AD also organises users, computers, groups and other objects according to any number of logical or business needs, and it is through this structure that enterprise IT systems are managed and policies set.
The problem is that Active Directory (AD) is often taken for granted. It simply gets on and does the job and is really not very interesting or ‘sexy’. Yet accidental or malicious adverse changes within AD can bring an entire business process to a standstill.
Pretty much everything that happens in AD needs to be audited for troubleshooting, increasingly strict internal security demands and stringent legislative and industry requirements such as HIPAA, PCI DSS and SOX. So monitoring what is going on in AD is vital, you would think; yet many companies still struggle to implement fast and effective AD auditing and reporting.
When asked the question, ‘What was changed, who changed it, when and from where?’, you would be surprised at how many IT managers still have to spend hours trawling through native logs to get the answers. While this is possible, native AD audit logs are not centralised (each domain controller keeps its own), which makes the exercise not only time consuming but also useless as an enterprise-wide audit trail.
They are also neither tamper-proof nor tamper-resistant, so a rogue administrator can easily cover their tracks by clearing the logs, and the logs can just as easily be wiped by accident. While native event logging produces an abundance of information, it provides few ways to filter and correlate that information into anything useful.
Furthermore, in some cases the log data simply isn’t helpful: in the case of Group Policy, for example, the log records which policy was changed but gives no real detail of what within it was changed. Combine these factors and the result is that native change auditing is just not feasible except for very small environments with a handful of servers and under 100 users.
Native log tools such as Event Viewer will allow viewing of log data, and consolidation is even possible at a limited scale with native Event Log Forwarding. But even in a mid-size IT infrastructure these tools are not powerful enough to perform any effective change management.
Native tools can’t significantly reduce the effects of adverse changes, because of the high latency between a change and its discovery and the lack of reporting capabilities. Moreover, the manual examination process is inefficient and painful; a change-induced problem might take a week or longer to solve.
The need for more automation and better log analysis has led some companies to develop in-house software using technologies such as PowerShell, .NET and other programming and scripting languages that have bindings for Active Directory and Windows APIs.
While it is possible to monitor for anticipated incidents, deal with event logs and query for events, if a company does not specialise in AD software, the process can be complex and time consuming. In-house scripts and programs in large distributed environments have to accommodate both internal and remote clients, along with heterogeneous systems, for example.
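As an added example (not code from the article or from any product it describes), this is the kind of in-house PowerShell pass the text has in mind: it reads the native Security log of one domain controller and turns group-membership change events into a ‘who changed which group, when and from where’ record. It assumes account-management and logon auditing are enabled on the DC and that the script runs with rights to read its Security log; the ‘from where’ part has to be reconstructed by joining the change event’s logon ID to the matching 4624 logon event, which is exactly the manual correlation the article says native tooling leaves to you.

```powershell
# Added example, not part of the article. Reads ONE domain controller's Security
# log; every other DC has its own log, which is the "not centralised" problem above.
# Assumptions: account-management and logon auditing are enabled, and the caller
# can read the Security log (run on the DC, or add -ComputerName to Get-WinEvent).

$since      = (Get-Date).AddDays(-1)
$addedIds   = 4728, 4732, 4756   # member added to a global / local / universal security group
$removedIds = 4729, 4733, 4757   # member removed from the same group types

# Flatten an event's EventData section into a name -> value hashtable.
function Get-EventData($Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Group-change events carry no source address, only the acting session's logon ID.
# Build a logon ID -> workstation/IP lookup from 4624 logon events in the same window.
$sourceByLogonId = @{}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetLogonId) { $sourceByLogonId[$d.TargetLogonId] = "$($d.WorkstationName) ($($d.IpAddress))" }
    }

$changes = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=($addedIds + $removedIds); StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $action = if ($_.Id -in $addedIds) { 'MemberAdded' } else { 'MemberRemoved' }
        $from   = if ($sourceByLogonId.ContainsKey($d.SubjectLogonId)) { $sourceByLogonId[$d.SubjectLogonId] }
                  else { 'unknown (logon event outside window or cleared)' }
        [pscustomobject]@{
            When       = $_.TimeCreated
            Action     = $action
            Group      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Member     = $d.MemberName                      # DN of the account added or removed
            ChangedBy  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            From       = $from
            RecordedOn = $_.MachineName                     # the DC whose log we read
        }
    }

$changes | Sort-Object When | Format-Table -AutoSize
```

A ‘From’ of unknown is itself a finding: either the logon predates the window or the log has been cleared, which is the tamper problem the article raises next.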
A second approach to auditing change is through SIEM – Security Information and Event Management. The cost of investment and support needed for SIEM can be justified if you want to integrate functions such as automatic remediation and intrusion prevention; but it is an expensive option if your focus is audit reliability and consistency. SIEM also still relies largely on native audit logs, which often lack the detail needed to make SIEM valuable, and it requires a high level of commitment to planning, deployment and management.
There is a third way. Software specifically developed for Active Directory change and configuration management is designed to gather, filter, report on and analyse log information so that it can be evaluated and acted on. There are solutions that are able to capture all possible details for a single change, including the ‘before’ and ‘after’ values. Based on this data, it is possible to roll back unwanted changes and to provide change and ‘state-in-time’ auditing for AD security and compliance.
The change audit reports list additions, deletions, and modifications made to AD users, groups, computers, OUs, group memberships, permissions, domain trusts, AD sites, FSMO roles, Group Policy objects and settings, AD schema, and all other types of objects, filling the many major gaps found in native Active Directory auditing. These tools automatically create reports and provide real-time alerts that show who changed what, when they did it and where, for all changes, including user and administrative activity, in a human-readable form.
The change audit data is also archived and can be stored for years, so you can recreate the full audit trail of changes made to AD and Group Policy during any period and drill down to as detailed information as is necessary. AD audit trail archiving allows organisations to analyse any policy violations that occurred in the past and maintain on-going compliance with internal and external regulations, such as SOX or PCI.
With Active Directory at the core of 98% of modern IT networks, change matters. If you can’t respond to some simple questions from the audit team without spending hours looking for the answers, it’s time to look seriously at alternative IT audit options.