Enhancing Security and Compliance
This document outlines a comprehensive plan for implementing Active Directory (AD) auditing to bolster your organization's security posture, proactively detect potential threats, and ensure compliance with industry regulations.
Auditing AD provides invaluable insights into user activity, system changes, and access patterns, enabling you to identify and respond to security incidents effectively.
1. Identify Critical Assets and Determine Audit Scope
When planning Active Directory auditing, it is best practice to first identify the critical assets within your directory and define the scope of your auditing effort.
We recommend monitoring the following actions and events:
- Object access (viewing, modifying, listing)
- Group modifications (adding/removing users, changing settings)
- User modifications (password resets, account disabling)
- Computer account changes (creation, deletion, renaming)
- GPO modifications (creation, modification, linking)
- User login/logout activity
- Account lockouts
- Use of special privileges
- LDAP queries
- Sensitive files and folders
2. Configure Domain Controller Audit Policies
To generate detailed logs, enable auditing for these critical categories on your domain controllers:
Step 1: Access Group Policy Management
Open the Group Policy Management Console (GPMC) on a domain controller or a machine with administrative privileges.
Step 2: Locate the Default Domain Policy
In the GPMC, navigate to "Forest" -> "Domains" -> "[Your Domain Name]".
Right-click on "Default Domain Policy" and select "Edit".
Step 3: Navigate to Audit Policy
In the Group Policy Management Editor window, expand "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Local Policies".
Click on "Audit Policy".
Step 4: Enable the Audit Policies
In the right pane, double-click on each of the following audit policies and configure them as described:
Account Logon
- Audit Credential Validation: This subcategory audits events related to credential validation, such as successful and failed logon attempts, Kerberos ticket requests, and NTLM authentication.
Account Management
- Audit User Account Management: This subcategory audits changes to user accounts.
- Audit Computer Account Management: This subcategory audits changes to computer accounts.
- Audit Security Group Management: This subcategory audits changes to security groups.
Detailed Tracking
- Audit PNP Activity: This subcategory audits events related to Plug and Play devices, such as device installation, removal, and configuration changes.
- Audit RPC Events: This subcategory audits events related to Remote Procedure Calls (RPC).
Directory Service Access
- Audit Directory Service Access: This subcategory audits access to Active Directory objects, including users, groups, and computers.
- Audit Directory Service Changes: This subcategory audits changes to Active Directory objects, such as modifications to user attributes, group memberships, or computer accounts.
Logon/Logoff
- Audit Special Logon: This subcategory audits special logon events, such as those performed by service accounts or using privileged credentials.
Object Access
- Audit Detailed File Share: This subcategory provides more granular auditing of file share access, including read, write, and delete operations on individual files.
- Audit File System: This subcategory audits access to files and folders on local drives, complementing the file share auditing.
- Audit Handle Manipulation: This subcategory audits the creation and manipulation of object handles, which are used to access and manage system resources.
- Audit Kernel Object: This subcategory audits access to kernel objects, which are core operating system components.
- Audit Other Object Access Events: This subcategory provides a catch-all for auditing access to other object types not covered by the specific subcategories.
- Audit Registry: This subcategory audits access to the Windows Registry.
- Audit SAM: This subcategory audits access to the Security Account Manager (SAM).
Policy Change
- Audit Audit Policy Change: This subcategory audits changes to audit policies themselves.
- Audit Authentication Policy Change: This subcategory audits changes to authentication policies, such as password policies or Kerberos settings.
- Audit MPSSVC Rule-Level Policy Change: This subcategory audits changes to the Microsoft Protection Service (MPSSVC) rule-level policies, which control security features like Windows Firewall.
- Audit Other Policy Change Events: This subcategory provides a general audit of other policy changes not covered by the specific subcategories.
Privilege Use
- Audit Sensitive Privilege Use: This subcategory audits the use of sensitive privileges, such as those that allow access to system resources or debugging capabilities.
System
- Audit IPsec Driver: This subcategory audits events related to the IPsec driver, which is used for network security and encryption.
- Audit Security State Change: This subcategory audits changes to the security state of the system, such as modifications to security settings or user rights assignments.
- Audit System Integrity: This subcategory audits events related to system integrity, such as violations of code integrity policies or attempts to load unsigned drivers.
Step 5: Link the GPO (if necessary)
If you edited a GPO other than the Default Domain Policy, ensure it's linked to the appropriate Organizational Unit (OU) containing your domain controllers.
Step 6: Verify and Apply the Policy
Run gpupdate /force on your domain controllers to apply the new policy immediately.
Verify the policy settings using the auditpol command-line tool or by checking the security event logs on your domain controllers.
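The auditpol check in Step 6, written out as an added example (not part of the original plan): it reports which of the Step 4 subcategories are still set to "No Auditing" on the domain controller it runs on. It assumes an elevated session on the DC; auditpol.exe ships with Windows.

```powershell
# Added example (not part of the original plan): report which of the subcategories
# listed in Step 4 are still "No Auditing" on this domain controller.
function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string[]]$Subcategory)
    foreach ($name in $Subcategory) {
        # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $lines = auditpol /get "/subcategory:$name" /r 2>&1 | Where-Object { "$_".Trim() -ne '' }
        $row = if ($LASTEXITCODE -eq 0) { $lines | ConvertFrom-Csv } else { $null }
        $setting = if ($row) { $row.'Inclusion Setting' } else { "ERROR: $($lines -join ' ')" }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting                       # Success / Failure / Success and Failure / No Auditing
            Enabled     = ($null -ne $row) -and ($setting -ne 'No Auditing')
        }
    }
}

# Subcategory names as auditpol knows them (the "Audit " prefix of the GPO setting names is dropped)
$Recommended = @(
    'Credential Validation',
    'User Account Management', 'Computer Account Management', 'Security Group Management',
    'Plug and Play Events', 'RPC Events',
    'Directory Service Access', 'Directory Service Changes',
    'Special Logon',
    'Detailed File Share', 'File System', 'Handle Manipulation', 'Kernel Object',
    'Other Object Access Events', 'Registry', 'SAM',
    'Audit Policy Change', 'Authentication Policy Change',
    'MPSSVC Rule-Level Policy Change', 'Other Policy Change Events',
    'Sensitive Privilege Use',
    'IPsec Driver', 'Security State Change', 'System Integrity'
)

$state = Get-AuditSubcategoryState -Subcategory $Recommended
$state | Format-Table -AutoSize
$missing = $state | Where-Object { -not $_.Enabled }
if ($missing) { Write-Warning ("Not audited on this DC: " + ($missing.Subcategory -join ', ')) }
```

auditpol shows the effective policy, so run it after gpupdate has completed; a subcategory that is set in the GPO but reported here as "No Auditing" usually means the GPO is not linked to the domain controllers' OU.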
3. Implement Auditing Rules with adsiedit.msc
ADSI Edit (adsiedit.msc) gives per-object control over Active Directory auditing by editing the object's system access control list (SACL).
To configure auditing rules using adsiedit.msc:
- Open ADSI Edit: Locate and run the adsiedit.msc tool on a domain controller or a computer with appropriate administrative privileges.
- Initiate Connection: In the left pane of the ADSI Edit window, right-click on "ADSI Edit" at the top of the tree and choose "Connect to..." from the context menu. This opens the "Connection Settings" dialog box.
- Choose Naming Context: In the "Connection Settings" dialog, select the "Default naming context" option to connect to your current domain. If you need to manage the overall Active Directory structure, select "Configuration" instead.
- Establish Connection: Click "OK" to establish the connection to the selected naming context. You should now see the Active Directory structure within the ADSI Edit window, allowing you to browse and manage objects.
Active Directory is organized hierarchically. Expand the tree structure within adsiedit.msc to locate specific objects using their distinguished names. For example:
- User: CN=JohnDoe,CN=Users,DC=yourdomain,DC=com
- Group: CN=Domain Admins,CN=Users,DC=yourdomain,DC=com
To configure auditing rules for an object:
- Right-click the object and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: Who to audit (e.g., specific users or groups). For instance, to audit access to a confidential file share, you might specify the "Finance Department" group as the principal.
  - Type: "Success" and/or "Failure". You might choose to audit both successful and failed attempts to change permissions on critical objects.
  - Access: The specific actions to audit (e.g., "Read", "Write", "Delete", "Reset Password"). To track potential unauthorized changes, you could audit "Write" access to user attributes like scriptPath.
  - Apply onto: "This object only" or "This object and all descendant objects". Auditing "Delete Subfolders and Files" on a parent folder can help you track deletion of sensitive data.
Further examples and use cases are provided under "Example Implementations" at the end of this document.
4. Implement File System Auditing
File system auditing detects unauthorised access, modifications, or deletions.
Identifying Critical Files and Folders:
- Sensitive Data: Financial records, customer databases, intellectual property, etc.
- Configuration Files: Files controlling systems and applications.
- Log Files: Audit trails, security events, and diagnostic information.
Configuring File Access Auditing:
Step 1: Access File or Folder Properties
- Locate the file or folder you want to audit.
- Right-click on it and select "Properties".
Step 2: Navigate to Security Settings
- In the Properties window, go to the "Security" tab.
- Click on the "Advanced" button to access advanced security settings.
Step 3: Access the Auditing Tab
- In the "Advanced Security Settings" window, navigate to the "Auditing" tab.
Step 4: Add an Audit Entry
- Click the "Add" button to create a new audit entry. This will open the "Auditing Entry for [File/Folder Name]" dialog.
Step 5: Specify Principal
- Click the "Select a principal" link to choose the user or group you want to audit. This could be a specific user account, a built-in security group (e.g., "Everyone", "Authenticated Users"), or a custom group.
Step 6: Define Access
- In the "Applies to" dropdown, select the type of access you want to audit. This could be "This folder only", "This folder and subfolders", or "This folder, subfolders, and files", depending on the scope of auditing you require.
Step 7: Specify Permissions
- Under "Permissions", check the boxes for the specific actions you want to audit. Common options include:
  - Read: Auditing attempts to read the file or folder's attributes or data.
  - Write: Auditing attempts to modify the file or folder's attributes or data.
  - Execute: Auditing attempts to execute the file (if it's an executable).
  - Delete: Auditing attempts to delete the file or folder.
  - Change Permissions: Auditing attempts to modify the file or folder's permissions.
  - Take Ownership: Auditing attempts to take ownership of the file or folder.
Step 8: Set Audit Type
- Under "Audit", choose the type of events you want to audit:
  - Success: Audit only successful access attempts.
  - Failure: Audit only failed access attempts.
Step 9: Apply and Verify
- Click "OK" to save the audit entry and close the dialogs.
- You can verify the resulting system access control list (SACL) by revisiting the "Advanced Security Settings" for the file or folder and checking the "Auditing" tab.
5. Alerting
Alerting is crucial for a timely response to security events. Communicate SOC will classify detected activity by severity:
- Critical-Severity Alerts: For critical events such as changes to sensitive groups, password resets for privileged accounts, account lockouts, and suspicious logon activity. These alerts should trigger immediate notifications.
- High-Severity Alerts: For events that require prompt investigation, such as modification of user attributes, creation or deletion of sensitive accounts, and changes to computer account attributes.
- Medium-Severity Alerts: For general monitoring and trend analysis, such as object access events and privilege use events.
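The three severity tiers above as a first-cut query over a domain controller's Security log, added here as an example and not part of the original plan or of Communicate SOC's tooling. The event IDs are the standard Windows Security event IDs; mapping them onto the tiers is this example's reading of the text, and an SOC platform would refine it.

```powershell
# Added example (not part of the original plan): severity tiers as a Security-log query.
$SeverityMap = [ordered]@{
    # sensitive group membership add/remove (global, local, universal), password reset, lockout
    Critical = @(4728, 4729, 4732, 4733, 4756, 4757, 4724, 4740)
    # user attribute change, user create/delete, computer account create/change/delete
    High     = @(4738, 4720, 4726, 4741, 4742, 4743)
    # directory object access and privilege use
    Medium   = @(4662, 4672, 4673, 4674)
}

function Get-AuditAlert {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($tier in $SeverityMap.Keys) {
        $filter = @{ LogName = 'Security'; Id = $SeverityMap[$tier]; StartTime = $since }
        # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Severity = $tier
                Time     = $e.TimeCreated
                Id       = $e.Id
                Summary  = ($e.Message -split "`r?`n")[0].Trim()   # first line of the event text
            }
        }
    }
}

# 4724 fires for every password reset; the "privileged accounts" qualifier of the Critical
# tier needs a second check of the target account's group membership before paging anyone.
Get-AuditAlert -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```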
6. Ongoing Maintenance
To ensure the effectiveness of your Active Directory auditing, conduct regular reviews of audit policies and work with Communicate SOC to fine-tune alerts to minimise false positives.
Communicate SOC will proactively search for indicators of compromise in the logs, using threat hunting techniques.
Example Implementations
Example 1: Auditing Attempts to Disable User Accounts
To track attempts to disable user accounts:
- Locate the "Users" container or the OU containing user objects.
- Right-click the object and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: "Domain Admins" (or a similar group).
  - Type: "Success" and "Failure".
  - Access: Check "Write Property" and enter "userAccountControl" in the "Properties" field.
  - Apply onto: "This object and all descendant objects".
Example 2: Auditing Changes to Machine Account Properties
To track modifications to machine account properties:
- Locate the "Computers" container or the OU containing the computer objects.
- Right-click the object and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: "Domain Admins" (or a similar group).
  - Type: "Success".
  - Access: Check "Write Property" and enter the relevant property name (e.g., dNSHostName, servicePrincipalName) in the "Properties" field.
  - Apply onto: "This object and all descendant objects".
Example 3: Auditing Changes to a Sensitive GPO
To track modifications to a sensitive Group Policy Object (GPO), such as the "Default Domain Policy":
- Locate the GPO object in the Group Policy Management Console (GPMC).
- Right-click the GPO and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: "Domain Admins" (or a similar group).
  - Type: "Success".
  - Access: Check "Write Property" to audit any modifications to the GPO's settings.
  - Apply onto: "This object only".
Example 4: Auditing Access to the Domain Admins Group
To track who is accessing the "Domain Admins" group:
- Locate the "Domain Admins" group object.
- Right-click the object and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: "Everyone".
  - Type: "Success".
  - Access: Check "Read Property", "Write Property", "Add member", and "Remove member".
  - Apply onto: "This object only".
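The per-attribute "Write Property" audit entry that section 3 and Examples 1 to 4 configure by hand in ADSI Edit, as an added PowerShell example (not part of the original plan). It assumes the ActiveDirectory module on the domain controller and an elevated session; the container DN is the placeholder from section 3, and the usage shown is Example 1 (userAccountControl on all users under the container).

```powershell
# Added example (not part of the original plan): add an attribute-scoped audit ACE to an AD object.
Import-Module ActiveDirectory

function Add-ADAttributeAuditRule {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute,   # lDAPDisplayName, e.g. userAccountControl or member
        [string]$Principal = 'Domain Admins',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success, Failure',
        [switch]$Descendants                           # "This object and all descendant objects"
    )
    # The ACE refers to the attribute by its schemaIDGUID, so look it up rather than hard-coding it
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$Attribute' not found in the schema" }
    $attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)

    # Resolve the principal to a SID (domain-qualified so group names like "Domain Admins" resolve)
    $account = New-Object System.Security.Principal.NTAccount((Get-ADDomain).NetBIOSName, $Principal)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit = if ($Descendants) { 'All' } else { 'None' }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $AuditFlags, $attrGuid, $inherit)

    # -Audit is required: without it Get-Acl omits the SACL and Set-Acl leaves it untouched
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $attrGuid
}

# Example 1: audit Domain Admins writing userAccountControl (enable/disable) on every user under the container
$container = 'CN=Users,DC=yourdomain,DC=com'   # placeholder DN from section 3
$guid = Add-ADAttributeAuditRule -DistinguishedName $container -Attribute userAccountControl -Descendants

# Verify that the SACL now carries the entry
(Get-Acl -Path "AD:\$container" -Audit).Audit |
    Where-Object { $_.ObjectType -eq $guid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

Example 4's "Add member" and "Remove member" are writes to the member attribute, so `-Attribute member` on the group DN with `-Principal Everyone -AuditFlags Success` covers that case with the same function.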
Example 5: Auditing Access to Edge Cookies and Passwords
To track who is accessing EdgeCookies.db and EdgePasswords.db for all users:
- Locate the C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default directory, using the wildcard (*) to match all user profiles.
- Right-click the directory and select "Properties" -> "Security" -> "Advanced".
- Go to the "Auditing" tab and click "Add" to create a new audit entry.
- Specify the following for the audit entry:
  - Principal: "Everyone" (or a more specific group).
  - Type: "Success" and "Failure".
  - Access: Check "Read", "Write", and "Delete".
  - Apply onto: "This folder, subfolders, and files".
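The file system audit entry from section 4 (Steps 1 to 9) as a function, then applied to Example 5's per-profile Edge directory; this is an added example and not part of the original plan. A SACL is set on each folder individually, so the wildcard path is expanded in PowerShell rather than typed into Explorer. It assumes an elevated session, since writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not part of the original plan): file/folder audit entry as a function.
function Add-FileAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read, Write, Delete',
        [System.Security.AccessControl.AuditFlags]$AuditFlags = 'Success, Failure'
    )
    # "This folder, subfolders, and files" = inherit to containers and objects with no propagation limit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $AuditFlags)
    # -Audit is required: without it Get-Acl omits the SACL and Set-Acl will not write it
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 9's verification: list the audit entries now on the object
function Get-FileAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

# Example 5: one entry per existing user profile; profiles created later need the same treatment
$edgeDefault = 'C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default'
Get-Item -Path $edgeDefault -ErrorAction SilentlyContinue | ForEach-Object {
    Add-FileAuditRule -Path $_.FullName
    Get-FileAuditRule -Path $_.FullName
}
```

Entries only produce events once the "File System" subcategory from section 2 is enabled on the host; the SACL alone generates nothing.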