6.1 Configuring Windows Active Directory Monitoring

Change Guardian monitors the following in Active Directory (AD):

  • AD objects

  • Computer accounts

  • Configurations

  • Contacts

  • Groups

  • User accounts

  • Organization units

  • Trusts

This chapter provides information about the following:

6.1.1 Implementation Checklist

Complete the following tasks to start monitoring Windows Active Directory audit events:

  • Review requirements and recommendations for computers running the AD Domain Service. See Change Guardian System Requirements.

  • Complete the prerequisites. See Prerequisites.

  • Add the license key. See Adding License for Applications.

  • Configure Change Guardian for monitoring. See Categories of Change Guardian Policies for Windows Active Directory and Assigning Policies and Policy Sets.

  • Triage events. See Section 7.0, Configuring Events and Section 9.0, Configuring Alerts.

6.1.2 Prerequisites

Ensure that you have completed the following:

Configuring Active Directory

Complete the following tasks to allow Change Guardian to monitor Active Directory events.

NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Configuring the Security Event Log

Configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

To configure the security event log:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, enter the following at the command prompt: gpmc.msc

  3. Open Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpupdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log and set:

    • Maximum security log size to 10240 KB (10 MB) or more

    • Retention method for security log to Overwrite events as needed

  7. To update policy settings, run the gpupdate command at the command prompt.

To verify the configuration is successful:

  1. Open a command prompt as an administrator to the computer.

  2. Start Event Viewer: eventvwr

  3. Under Windows logs, right-click Security, and select Properties.

  4. Ensure that the settings show maximum log size of 10240 KB (10 MB) or more and that Overwrite events as needed is selected.
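The same verification can be scripted so that it can run on every domain controller after gpupdate. The following PowerShell is an added example and is not part of the Change Guardian documentation; it assumes an elevated session on the domain controller and reads the effective Security log configuration, where a LogMode of Circular is what Event Viewer labels "Overwrite events as needed".

```powershell
# Added verification example (not from the Change Guardian documentation).
# Confirms the effective Security log settings that the procedure above
# configures through the Default Domain Controllers Policy.
# Assumes: an elevated PowerShell session on the domain controller, run after
# gpupdate has applied the GPO.

$requiredMinKB = 10240   # minimum size required by the procedure above

$log    = Get-WinEvent -ListLog Security   # EventLogConfiguration object
$sizeKB = [int]($log.MaximumSizeInBytes / 1KB)

# LogMode 'Circular'   = "Overwrite events as needed"
# LogMode 'Retain'     = "Do not overwrite events"
# LogMode 'AutoBackup' = "Archive the log when full"
$sizeOk      = $sizeKB -ge $requiredMinKB
$retentionOk = $log.LogMode -eq 'Circular'

[pscustomobject]@{
    LogName       = $log.LogName
    MaximumSizeKB = $sizeKB
    SizeOk        = $sizeOk
    LogMode       = $log.LogMode
    RetentionOk   = $retentionOk
    RecordCount   = $log.RecordCount
    IsLogFull     = $log.IsLogFull
} | Format-List

if (-not ($sizeOk -and $retentionOk)) {
    Write-Warning 'Security log is not configured as required; events may be lost before Change Guardian processes them.'
    exit 1
}
'Security log size and retention meet the requirement.'
```

A non-zero exit code makes the check usable from a scheduled task or a configuration-drift job; IsLogFull is reported because a log that is already full under a Retain mode is exactly the condition the procedure is meant to prevent.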

Configuring AD Auditing

Configure AD auditing to enable logging of AD events in the security event log.

Configure Default Domain Controllers Policy GPO with Audit Directory service access to monitor both success and failure events.

To configure AD auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, run gpmc.msc at the command prompt.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpupdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    1. To configure AD and Group Policy, under Account Management and Policy Change, select the following for each subcategory: Configure the following audit events, Success, and Failure.

    2. To configure only AD, under DS Access, select the following for each subcategory: Configure the following audit events, Success, and Failure.

  6. Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, enable Force audit policy subcategory setting on the default domain policy.

  7. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  8. Under Audit account management, Audit directory service access, and Audit policy change, select the following for each policy: Define these policy settings, Success, and Failure.

  9. To update policy settings, run the gpupdate command at the command prompt.

For more information, see Monitoring Active Directory for Signs of Compromise on the Microsoft Documentation site.

Configuring User and Group Auditing

Configure user and group auditing to audit the following activities:

  • Logon and logoff activities of local users and Active Directory users

  • Local user settings

  • Local group settings

To configure user and group auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. Open Microsoft Management Console, select File > Add/Remove Snap-in.

  3. Select Group Policy Management Editor and click Add.

  4. In the Select Group Policy Object window, click Browse.

  5. Select Domain Controllers.FQDN, where FQDN is the Fully Qualified Domain Name for the domain controller computer.

  6. Select Default Domain Controllers Policy.

  7. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  8. Under Audit Account Logon Events and Audit Logon Events, select Define these policy settings, Success, and Failure.

  9. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  10. Under Audit Logon, select Audit Logon, Success, and Failure.

  11. Under Audit Logoff, select Audit Logoff, Success, and Failure.

  12. To update policy settings, run the gpupdate /force command at the command prompt.
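Both procedures above (Configuring AD Auditing and Configuring User and Group Auditing) can be verified from the resulting effective audit policy rather than by re-opening each GPO. The following PowerShell is an added example, not part of the Change Guardian documentation; it assumes an elevated session on the domain controller after gpupdate, parses the CSV output of auditpol, and also checks the registry value behind the Force audit policy subcategory setting, since without it the legacy Audit Policy categories can override the subcategory settings.

```powershell
# Added verification example (not from the Change Guardian documentation).
# Compares the effective advanced audit policy on this domain controller with
# the settings required by "Configuring AD Auditing" and "Configuring User
# and Group Auditing" above.
# Assumes: elevated PowerShell on the DC, run after gpupdate has applied the GPO.

# Whole categories whose every subcategory must audit Success and Failure.
$requiredCategories    = 'Account Management', 'Policy Change', 'DS Access'
# Individual Logon/Logoff subcategories that must audit Success and Failure.
$requiredSubcategories = 'Logon', 'Logoff'

function Get-AuditRows {
    param([string]$Selector)   # e.g. "/category:DS Access" or "/subcategory:Logon"
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    & auditpol.exe /get $Selector /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
}

$rows = @()
foreach ($cat in $requiredCategories)    { $rows += Get-AuditRows -Selector "/category:$cat" }
foreach ($sub in $requiredSubcategories) { $rows += Get-AuditRows -Selector "/subcategory:$sub" }

$rows | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

$problems = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }

# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings" is stored as SCENoApplyLegacyAuditPolicy = 1 under the
# LSA key. Without it, the legacy categories can override the subcategories.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceSubcategory = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

$exitCode = 0
if (-not $forceSubcategory) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; legacy Audit Policy settings may override the subcategory settings.'
    $exitCode = 1
}
if ($problems) {
    Write-Warning ("Subcategories not auditing Success and Failure:`n" + ($problems.Subcategory -join "`n"))
    $exitCode = 1
}
if ($exitCode -eq 0) { 'All required audit subcategories are set to Success and Failure.' }
exit $exitCode
```

Querying by category keeps the script aligned with how the procedure is written (every subcategory under Account Management, Policy Change and DS Access), while the Logon and Logoff subcategories are queried individually because only those two are required from Logon/Logoff.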

Configuring Security Access Control Lists

Security Access Control Lists (SACLs) describe the objects and operations to monitor.

To allow Change Guardian to monitor changes of current and future objects inside Active Directory, follow the steps in Configuring SACLs for AD. However, if you are using Change Guardian for only Group Policy in your environment, see Configuring SACLs for GPO.

Configuring SACLs for AD

To monitor all changes of current and future objects inside Active Directory, configure the domain node.

To configure SACLs:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open the ADSI Edit configuration tool, run adsiedit.msc at the command prompt.

  3. Right-click ADSI Edit, and select Connect to.

  4. In the Connection Settings window, specify the following:

    • Name as Default naming context.

    • Path to the domain to configure.

    • If you are performing this step for the first time, select Default naming context.

    • If you are performing this step for the second time, select Schema.

    • If you are performing this step for the third time, select Configuration.

    NOTE: You must perform Step 4 through Step 11 three times to configure connection points for Default naming context, Schema, and Configuration.

  5. In Connection Point, set Select a well known Naming Context to Default naming context.

  6. In the ADSI Edit window, expand Default naming context.

  7. Right-click the node under the connection point (begins with DC= or CN=), and click Properties.

  8. On the Security tab, click Advanced > Auditing > Add.

  9. In Applies to or Apply onto, select This object and all descendant objects.

  10. Configure auditing to monitor every user:

    1. Click Select a principal, and type everyone in Enter the object name to select.

    2. Specify the following options:

      • Type as All

      • Select Permissions as:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

  11. Deselect the option Apply these auditing entries to objects and/or containers within this container only.

  12. Repeat Step 4 through Step 11 two more times.
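Because the auditing entry has to be created three times, once per connection point, it is easy to miss one or to leave "Apply these auditing entries to objects and/or containers within this container only" selected. The following PowerShell is an added example, not part of the Change Guardian documentation; it assumes the RSAT ActiveDirectory module and a domain administrator session, reads the SACL of the root object of each of the three naming contexts through the AD: drive, and reports which of the step 10 permissions are present for Everyone with Success and Failure auditing and inheritance to all descendant objects.

```powershell
# Added verification example (not from the Change Guardian documentation).
# Checks the SACL on the root object of the three connection points configured
# in "Configuring SACLs for AD" (Default naming context, Schema, Configuration)
# for the Everyone auditing entry described in step 10.
# Assumes: RSAT ActiveDirectory module installed; run as a domain administrator.

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$contexts = [ordered]@{
    'Default naming context' = $rootDse.defaultNamingContext
    'Schema'                 = $rootDse.schemaNamingContext
    'Configuration'          = $rootDse.configurationNamingContext
}

# Permissions from step 10 mapped to ActiveDirectoryRights flags:
#   Write All Properties     -> WriteProperty   Modify Permissions       -> WriteDacl
#   Delete                   -> Delete          Modify Owner             -> WriteOwner
#   Create All Child Objects -> CreateChild     Delete All Child Objects -> DeleteChild
$required = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
$success  = [System.Security.AccessControl.AuditFlags]::Success
$failure  = [System.Security.AccessControl.AuditFlags]::Failure

$results = foreach ($name in $contexts.Keys) {
    $dn  = $contexts[$name]
    $acl = Get-Acl -Path "AD:\$dn" -Audit

    # Keep only Everyone (S-1-1-0) entries that audit both outcomes ("Type: All")
    # and apply to this object and all descendants (InheritanceType All).
    # The GUI may write several ACEs for one auditing entry, so the rights are
    # unioned across matching ACEs before comparing with the required set.
    $granted = 0
    foreach ($ace in $acl.Audit) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne 'S-1-1-0') { continue }
        if (-not ($ace.AuditFlags.HasFlag($success) -and $ace.AuditFlags.HasFlag($failure))) { continue }
        if ($ace.InheritanceType -ne 'All') { continue }
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
    $missing = [int]$required -band (-bnot $granted)

    [pscustomobject]@{
        ConnectionPoint   = $name
        DistinguishedName = $dn
        Configured        = ($missing -eq 0)
        MissingRights     = if ($missing -eq 0) { '' } else { ([System.DirectoryServices.ActiveDirectoryRights]$missing).ToString() }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Configured }) { exit 1 }
```

An entry that was created with "within this container only" left selected shows up with an InheritanceType other than All and is therefore not counted, which is the condition step 11 is meant to rule out.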

6.1.3 Categories of Change Guardian Policies for Windows Active Directory

AD objects: Policies about creating and deleting a domain, modifying a connection object, and so on

Computer accounts: Policies about disabling and moving a computer account, and changing permissions on accounts

Configurations: Policies about creating and deleting GPOs

Contacts: Policies about creating, deleting, moving, and changing permissions on contacts

DNS Configuration: Policies about modifying DNS configurations, and monitoring the node and zone

Groups: Policies about the following:

  • Creating distribution group and security group

  • Membership changes to distribution group, privilege group, and security group

Organization units: Policies about creating, deleting, moving, and changing permissions on organization units

Schema: Policies about the following:

  • Creating and changing schema attributes and classes

  • Deactivating and reactivating schema objects

  • Changing schema permissions

  • Changing schema settings

NOTE: If you want to receive all events related to Schema, create more than one policy, each with related Schema events as its policy definition. For example, create one policy to monitor schema attribute created events and another for schema attribute modified events.

Trusts: Policies about creating, deleting, and modifying trusts

User accounts: Policies about the following:

  • Changing administrator or guest accounts

  • Failure to reset user password

  • Disabling and moving user accounts

  • Changing permissions on user accounts

For more information about creating policies, see Creating Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.

NOTE: If you assign the Active Directory schema policies created for Attribute and Class schema monitoring together, the AD schema events are not generated successfully. Create separate policies for Attribute and Class schema.