Change Guardian monitors the following in Active Directory (AD):
AD objects
Computer accounts
Configurations
Contacts
Groups
User accounts
Organization units
Trusts
This chapter provides information about the following:
Complete the following tasks to start monitoring Windows Active Directory audit events:
Task | See
---|---
Review requirements and recommendations for computers running the AD Domain Service |
Complete the prerequisites |
Add the license key |
Configure Change Guardian for monitoring | Categories of Change Guardian Policies for Windows Active Directory
Triage events |
Ensure that you have completed the following:
Complete the following tasks to allow Change Guardian to monitor Active Directory events.
NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.
NOTE: Ensure that you have the required permissions to complete these tasks. Check with your network or system administrator for assistance.
Configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.
To configure the security event log:
Log in as an administrator to a computer in the domain that you want to configure.
To open Group Policy Management Console, enter the following at the command prompt: gpmc.msc
Expand Forest > Domains > domainName > Domain Controllers.
Right-click Default Domain Controllers Policy, and then click Edit.
NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.
Expand Computer Configuration > Policies > Windows Settings > Security Settings.
Select Event Log and set:
Maximum security log size to 10240 KB (10 MB) or more
Retention method for security log to Overwrite events as needed
To update policy settings, run the gpUpdate command at the command prompt.
To verify the configuration is successful:
Open a command prompt as an administrator to the computer.
Start Event Viewer: eventvwr
Under Windows logs, right-click Security, and select Properties.
Ensure that the settings show a maximum log size of 10240 KB (10 MB) or more and that Overwrite events as needed is selected.
Configure AD auditing to enable logging of AD events in the security event log.
Configure Default Domain Controllers Policy GPO with Audit Directory service access to monitor both success and failure events.
To configure AD auditing:
Log in as an administrator to a computer in the domain that you want to configure.
To open Group Policy Management Console, run gpmc.msc at the command prompt.
Expand Forest > Domains > domainName > Domain Controllers.
Right-click Default Domain Controllers Policy, and click Edit.
NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
To configure auditing for both AD and Group Policy, under Account Management and Policy Change, select the following for each subcategory: Configure the following audit events, Success, and Failure.
To configure only AD, under DS Access, select the following for each subcategory: Configure the following audit events, Success, and Failure.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, and enable Force audit policy subcategory setting on the default domain policy.
Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
Under Audit account management, Audit directory service access, and Audit policy change, select the following for each subcategory: Define these policy settings, Success, and Failure.
To update policy settings, run the gpUpdate command at the command prompt.
For more information, see Monitoring Active Directory for Signs of Compromise on the Microsoft documentation site.
Configure user and group auditing to audit the following activities:
Logon and logoff activities of local users and Active Directory users
Local user settings
Local group settings
To configure user and group auditing:
Log in as an administrator to a computer in the domain that you want to configure.
Open Microsoft Management Console, and select File > Add/Remove Snap-in.
Select Group Policy Management Editor and click Add.
In the Select Group Policy Object window, click Browse.
Select Domain Controllers.FQDN, where FQDN is the Fully Qualified Domain Name for the domain controller computer.
Select Default Domain Controllers Policy.
In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
Under Audit Account Logon Events and Audit Logon Events, select Define these policy settings, Success, and Failure.
In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
Under Audit Logon, select Audit Logon, Success, and Failure.
Under Audit Logoff, select Audit Logoff, Success, and Failure.
To update policy settings, run the gpupdate /force command at the command prompt.
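The three procedures above (security log size and retention, the AD audit subcategories, and the logon/logoff subcategories) only take effect once Group Policy has applied them on each domain controller. The following script is an added verification example, not part of the Change Guardian documentation; it assumes an elevated PowerShell session on a domain controller and reads the effective settings with Get-WinEvent, auditpol and the LSA registry key rather than re-reading the GPO.

```powershell
# Added verification script; it is not part of the Change Guardian documentation.
# Run in an elevated PowerShell session on a domain controller after gpupdate.
# It reports whether the security log settings and the audit subcategories
# configured in the procedures above are actually in effect on this DC.

$problems = @()

# 1. Security event log: at least 10240 KB, "Overwrite events as needed" (LogMode Circular).
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt 10240KB) {
    $problems += "Security log maximum size is $($log.MaximumSizeInBytes / 1KB) KB; expected 10240 KB or more"
}
if ($log.LogMode -ne 'Circular') {
    $problems += "Security log retention is '$($log.LogMode)'; expected Circular (Overwrite events as needed)"
}

# 2. Advanced audit policy: every subcategory of Account Management, Policy Change and
#    DS Access, plus the Logon and Logoff subcategories, must audit Success and Failure.
#    auditpol /r emits CSV; the 'Inclusion Setting' column holds the effective value.
$targets = '/category:Account Management', '/category:Policy Change', '/category:DS Access',
           '/subcategory:Logon', '/subcategory:Logoff'
foreach ($target in $targets) {
    $rows = auditpol /get $target /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $problems += "$($row.Subcategory) is '$($row.'Inclusion Setting')'; expected 'Success and Failure'"
        }
    }
}

# 3. Subcategory settings only win over the legacy category settings when the
#    "Force audit policy subcategory settings" security option is enabled (this LSA value = 1).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    $problems += 'SCENoApplyLegacyAuditPolicy is not 1; subcategory audit settings may be overridden'
}

if ($problems.Count -eq 0) {
    Write-Output 'All audit prerequisites are in effect on this domain controller.'
} else {
    Write-Output "Found $($problems.Count) deviation(s):"
    $problems | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on every domain controller, since a GPO with a higher link order can leave individual DCs with different effective settings.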
System access control lists (SACLs) describe the objects and operations to monitor.
To allow Change Guardian to monitor changes to current and future objects inside Active Directory, follow the steps in Configuring SACLs for AD. However, if you are using Change Guardian only for Group Policy in your environment, see Configuring SACLs for GPO.
To monitor all changes to current and future objects inside Active Directory, configure the domain node.
To configure SACLs:
Log in as an administrator to a computer in the domain that you want to configure.
To open ADSI Edit configuration tool, run adsiedit.msc at the command prompt.
Right-click ADSI Edit, and select Connect to.
In the Connection Settings window, specify the following:
Name: Default naming context.
Path: the domain to configure.
Connection Point: select Select a well known Naming Context and set it to the naming context for this pass. Perform this procedure three times: select Default naming context the first time, Schema the second time, and Configuration the third time.
In the ADSI Edit window, expand Default naming context.
Right-click the node under the connection point (begins with DC= or CN=), and click Properties.
On the Security tab, click Advanced > Auditing > Add.
In Applies to or Apply onto, select This object and all descendant objects.
Configure auditing to monitor every user:
Click Select a principal, and type everyone in Enter the object name to select.
Specify the following options:
Type: All
Permissions:
Write All Properties
Delete
Modify Permissions
Modify Owner
Create All Child Objects (the other nodes related to child objects are selected automatically)
Delete All Child Objects (the other nodes related to child objects are selected automatically)
Deselect the option Apply these auditing entries to objects and/or containers within this container only.
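The auditing entry configured above is what makes the directory write the change events Change Guardian consumes; if it is missing on one naming context, that context is silently unmonitored. The following script is an added verification example, not part of the Change Guardian documentation; it assumes the ActiveDirectory PowerShell module is installed, that the session holds the Manage auditing and security log privilege, and that all three passes of the procedure (Default naming context, Schema, Configuration) were completed.

```powershell
# Added verification script; it is not part of the Change Guardian documentation.
# Requires the ActiveDirectory module (RSAT) and the "Manage auditing and security log"
# privilege. For each naming context it checks that the SACL grants Everyone an audit
# entry for Success and Failure, applying to this object and all descendant objects,
# covering the permissions selected in the ADSI Edit procedure above.

Import-Module ActiveDirectory

# Write All Properties, Delete, Modify Permissions, Modify Owner,
# Create All Child Objects and Delete All Child Objects, as .NET rights flags.
$requiredRights    = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
$successAndFailure = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$everyone          = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID of Everyone

function Test-ChangeGuardianSacl {
    param([string]$DistinguishedName)

    # -Audit reads the SACL instead of the DACL; identities are returned as SIDs.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Accumulate rights and audit flags across all Everyone entries that apply to
    # this object and all descendants, in case the entry was stored as several ACEs.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]0
    $flags  = [System.Security.AccessControl.AuditFlags]0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference -eq $everyone -and $rule.InheritanceType -eq 'All') {
            $rights = [System.DirectoryServices.ActiveDirectoryRights]($rights -bor $rule.ActiveDirectoryRights)
            $flags  = [System.Security.AccessControl.AuditFlags]($flags -bor $rule.AuditFlags)
        }
    }
    return $rights.HasFlag($requiredRights) -and $flags.HasFlag($successAndFailure)
}

# The three naming contexts the procedure is repeated for, read from RootDSE.
$root = Get-ADRootDSE
foreach ($dn in $root.defaultNamingContext, $root.schemaNamingContext, $root.configurationNamingContext) {
    $status = if (Test-ChangeGuardianSacl -DistinguishedName $dn) { 'OK' } else { 'MISSING' }
    Write-Output ('{0,-8} {1}' -f $status, $dn)
}
```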
AD objects: Policies about creating and deleting a domain, modifying a connection object, and so on
Computer accounts: Policies about disabling and moving a computer account, and changing permissions on accounts
Configurations: Policies about creating and deleting GPOs
Contacts: Policies about creating, deleting, moving, and changing permissions of contacts
DNS Configuration: Policies about modifying DNS configurations, and monitoring the node and zone
Groups: Policies about the following:
Creating distribution groups and security groups
Membership changes to distribution groups, privilege groups, and security groups
Organization units: Policies about creating, deleting, moving, and changing permissions of organization units
Schema: Policies about the following:
Creating and changing schema attributes and classes
Deactivating and reactivating schema objects
Changing schema permissions
Changing schema settings
NOTE: If you want to receive all events related to Schema, create more than one policy, each with the related Schema events as its policy definition. For example, create one policy to monitor schema attribute created events and another to monitor schema attribute modified events.
Trusts: Policies about creating, deleting, and modifying trusts
User accounts: Policies about the following:
Changing administrator or guest accounts
Failure to reset a user password
Disabling and moving user accounts
Changing permissions on user accounts
For more information about creating policies, see Creating Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.
NOTE: If you assign the Active Directory schema policies created for Attribute and Class schema monitoring together, the AD schema events are not generated successfully. Create separate policies for Attribute and Class schema.