6.1 Configuring Windows Active Directory Monitoring

Change Guardian monitors the following in Active Directory (AD):

  • AD objects

  • AD query

  • Computer accounts

  • Configurations

  • Contacts

  • DNS Configuration

  • Federation Service

  • Groups

  • Organization units

  • Schema

  • Trusts

  • User accounts

This chapter provides information about the following:

6.1.1 Implementation Checklist

Complete the following tasks to start monitoring Windows Active Directory audit events:

Task | See
Review requirements and recommendations for computers running the AD Domain Service | Change Guardian System Requirements
Complete the prerequisites | Prerequisites
Add the license key | Application Licenses
Configure Change Guardian for monitoring | Categories of Change Guardian Policies for Windows Active Directory; Assigning Policies and Policy Sets
Triage events | Section 8.0, Configuring Events; Section 9.0, Configuring Alerts

6.1.2 Prerequisites

Ensure that you have completed the following:

Configuring Active Directory

Complete the following tasks to allow Change Guardian to monitor Active Directory events.

NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.

NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Configuring the Security Event Log

Configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

To configure the security event log:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, enter the following at the command prompt: gpmc.msc

  3. Open Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log and set:

    • Maximum security log size to 10240 KB (10 MB) or more

    • Retention method for security log to Overwrite events as needed

  7. To update policy settings, run the gpUpdate command at the command prompt.

To verify the configuration is successful:

  1. Open a command prompt as an administrator on the computer.

  2. Start Event Viewer: eventvwr

  3. Under Windows logs, right-click Security, and select Properties.

  4. Ensure that the settings show maximum log size of 10240 KB (10 MB) or more and that Overwrite events as needed is selected.
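The manual check above covers one computer at a time. The following PowerShell script is an added example (not part of the Change Guardian documentation) that reads the same two settings from every domain controller in the domain and reports those that still fall short of the 10240 KB / Overwrite events as needed requirement. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read event log configuration remotely.

```powershell
# Added example: verify Security event log size and retention on all DCs.
# Assumes the ActiveDirectory module and remote event log access.
Import-Module ActiveDirectory

function Test-SecurityLogSettings {
    [CmdletBinding()]
    param(
        # Default: every domain controller in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName),
        # 10240 KB (10 MB) is the minimum the procedure requires.
        [long]$MinimumSizeKB = 10240
    )
    foreach ($dc in $ComputerName) {
        try {
            $log = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        } catch {
            Write-Warning "$dc : cannot read Security log settings ($($_.Exception.Message))"
            continue
        }
        $sizeKB = [math]::Floor($log.MaximumSizeInBytes / 1KB)
        # LogMode 'Circular' is what Event Viewer labels "Overwrite events as needed";
        # 'Retain' or 'AutoBackup' would let the log fill and stop recording.
        [pscustomobject]@{
            ComputerName  = $dc
            MaximumSizeKB = $sizeKB
            LogMode       = $log.LogMode
            SizeOk        = ($sizeKB -ge $MinimumSizeKB)
            RetentionOk   = ($log.LogMode -eq 'Circular')
        }
    }
}

# List only the domain controllers that still need attention.
Test-SecurityLogSettings |
    Where-Object { -not ($_.SizeOk -and $_.RetentionOk) } |
    Format-Table -AutoSize
```

Run it again after gpUpdate has applied the GPO; an empty result means every domain controller meets the requirement.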

Configuring AD Auditing

Configure AD auditing to enable logging of AD events in the security event log.

Configure Default Domain Controllers Policy GPO with Audit Directory service access to monitor both success and failure events.

To configure AD auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, run gpmc.msc at the command prompt.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    1. To configure AD and Group Policy, under Account Management and Policy Change, select the following for each subcategory: Configure the following audit events, Success, and Failure.

    2. To configure only AD, under DS Access, select the following for each subcategory: Configure the following audit events, Success, and Failure.

  6. Click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, and enable Force audit policy subcategory setting on the default domain policy.

  7. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  8. Under Audit account management, Audit directory service access, and Audit policy change, select the following for each subcategory: Define these policy settings, Success, and Failure.

  9. To update policy settings, run the gpUpdate command at the command prompt.

For more information, see Monitoring Active Directory for Signs of Compromise in the Microsoft Documentation site.
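After gpUpdate, the effective policy on the domain controller is what matters, not what the GPO editor shows. The following PowerShell script is an added example (not from the Change Guardian documentation) that reads the effective audit policy with auditpol for the three categories the procedure configures and flags any subcategory not set to Success and Failure. It also checks the LSA registry value SCENoApplyLegacyAuditPolicy, which is what the "Force audit policy subcategory setting" option writes; without it, the legacy category settings from step 8 win and the subcategory settings are ignored. Run it in an elevated prompt on the domain controller.

```powershell
# Added example: verify effective audit policy on this domain controller.
function Get-AuditPolicyGap {
    param(
        [string[]]$Category = @('Account Management', 'Policy Change', 'DS Access')
    )
    foreach ($cat in $Category) {
        # /r makes auditpol emit CSV with the columns Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
        $csv = & auditpol.exe /get "/category:$cat" /r
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$cat' (exit code $LASTEXITCODE)"
        }
        foreach ($row in ($csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv)) {
            [pscustomobject]@{
                Category    = $cat
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
                Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    }
}

function Test-SubcategoryOverride {
    # 1 = subcategory settings override the legacy category settings.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Report subcategories that still need attention.
Get-AuditPolicyGap | Where-Object { -not $_.Ok } | Format-Table -AutoSize
if (-not (Test-SubcategoryOverride)) {
    Write-Warning 'Force audit policy subcategory setting is not in effect; advanced audit settings will be ignored.'
}
```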

Configuring User and Group Auditing

Configure user and group auditing to audit the following activities:

  • Logon and logoff activities of local users and Active Directory users

  • Local user settings

  • Local group settings

To configure user and group auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. Open Microsoft Management Console, and then select File > Add/Remove Snap-in.

  3. Select Group Policy Management Editor and click Add.

  4. In the Select Group Policy Object window, click Browse.

  5. Select Domain Controllers.FQDN, where FQDN is the Fully Qualified Domain Name for the domain controller computer.

  6. Select Default Domain Controllers Policy.

  7. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  8. Under Audit Account Logon Events and Audit Logon Events, select Define these policy settings, Success, and Failure.

  9. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  10. Under Audit Logon, select Audit Logon, Success, and Failure.

  11. Under Audit Logoff, select Audit Logoff, Success, and Failure.

  12. To update policy settings, run the gpupdate /force command at the command prompt.

Configuring Security Access Control Lists

Security Access Control Lists (SACLs) describe the objects and operations to monitor.

To allow Change Guardian to monitor changes of current and future objects inside Active Directory, follow the steps in Configuring SACLs for AD. However, if you are using Change Guardian for only Group Policy in your environment, see Configuring SACLs for GPO.

Configuring SACLs for AD

To monitor all changes of current and future objects inside Active Directory, configure the domain node.

To configure SACLs:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open ADSI Edit configuration tool, run adsiedit.msc at the command prompt.

  3. Right-click ADSI Edit, and select Connect to.

  4. In the Connection Settings window, specify the following:

    • Name as Default naming context.

    • Path to the domain to configure.

    • If you are performing this step for the first time, select Default naming context.

    • If you are performing this step for the second time, select Schema.

    • If you are performing this step for the third time, select Configuration.

    NOTE: You must perform Step 4 through Step 11 three times, to configure connection points for Default naming context, Schema, and Configuration.

  5. In Connection Point, set Select a well known Naming Context to Default naming context.

  6. In the ADSI Edit window, expand Default naming context.

  7. Right-click the node under the connection point (begins with DC= or CN=), and click Properties.

  8. On the Security tab, click Advanced > Auditing > Add.

  9. In Applies to or Apply onto, select This object and all descendant objects.

  10. Configure auditing to monitor every user:

    1. Click Select a principal, and type everyone in Enter the object name to select.

    2. Specify the following options:

      • Type as All

      • Select Permissions as:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

  11. Deselect the option Apply these auditing entries to objects and/or containers within this container only.

  12. Repeat Step 4 through Step 11 two more times.
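Because the procedure is repeated by hand for three naming contexts, it is easy to miss one or to leave an entry scoped to a single attribute. The following PowerShell script is an added example (not from the Change Guardian documentation) that reads the SACL of the Default, Schema, and Configuration naming contexts and checks for an Everyone audit entry of type All, applied to this object and all descendants, covering the six permissions listed above. It assumes the ActiveDirectory module (which provides the AD: drive) and an account allowed to read SACLs.

```powershell
# Added example: confirm the Change Guardian audit entries on all three naming contexts.
Import-Module ActiveDirectory

# The GUI permissions from the procedure, as ActiveDirectoryRights flags:
# Write All Properties, Delete, Modify Permissions, Modify Owner,
# Create All Child Objects, Delete All Child Objects.
$RequiredRights = [System.DirectoryServices.ActiveDirectoryRights]`
    'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'

function Test-ChangeGuardianSacl {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $covered = 0
    foreach ($rule in $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        # Count only entries that match the procedure: principal Everyone,
        # Type "All" (Success and Failure), this object and all descendants,
        # and not restricted to one attribute or object class (ObjectType empty).
        if ($rule.IdentityReference.Value -ne 'Everyone') { continue }
        $flags = $rule.AuditFlags
        if (($flags -band [System.Security.AccessControl.AuditFlags]::Success) -eq 0 -or
            ($flags -band [System.Security.AccessControl.AuditFlags]::Failure) -eq 0) { continue }
        if ($rule.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All) { continue }
        if ($rule.ObjectType -ne [guid]::Empty) { continue }
        $covered = $covered -bor [int]$rule.ActiveDirectoryRights
    }
    $missing = [int]$RequiredRights -band (-bnot $covered)
    [pscustomobject]@{
        NamingContext = $DistinguishedName
        Configured    = ($missing -eq 0)
        MissingRights = [System.DirectoryServices.ActiveDirectoryRights]$missing
    }
}

$rootDse = Get-ADRootDSE
@($rootDse.defaultNamingContext, $rootDse.schemaNamingContext, $rootDse.configurationNamingContext) |
    ForEach-Object { Test-ChangeGuardianSacl -DistinguishedName $_ } |
    Format-Table -AutoSize
```

A row with Configured set to False names the naming context that still needs Step 4 through Step 11, and MissingRights shows which of the six permissions its Everyone entry does not yet cover.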

Configuring AD Query Monitoring (LDAP Query)

LDAP (Lightweight Directory Access Protocol) is the directory service protocol that you use to authenticate against, monitor, and search for information in your Active Directory (AD). Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network.

Active Directory uses LDAP queries to search and gather organized information about these entities. AD query monitoring requires the procedures described in the following sections.

Configuring AD Query Auditing

AD query auditing logs expensive and inefficient LDAP calls so that they can be viewed in Event Viewer.

To configure AD query auditing:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. In the Start menu, type regedit and open the Registry Editor.

  3. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NTDS > Diagnostics.

  4. Open 15 Field Engineering and set the value data to 5.

NOTE: Logging Event ID 1644 events might impact server performance. For more information, see Event ID 1644. Microsoft recommends setting the thresholds you need for troubleshooting LDAP queries.

Configuring LDAP Binding Audit Events

To enable logging of LDAP binding events:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. In the Start menu, type regedit and open the Registry Editor.

  3. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NTDS > Diagnostics.

  4. Open 16 LDAP Interface Events and set the value data to 2.
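Both procedures above change values under the same NTDS Diagnostics key. The following PowerShell script is an added example (not from the Change Guardian documentation) that shows the current level of each value next to the level the procedures require, and sets them only when asked, with -WhatIf support so the change can be previewed first. It assumes an elevated prompt on the domain controller; the default level for both values is 0, which is what you return to once troubleshooting is finished, since Field Engineering level 5 is the setting that produces the Event ID 1644 volume the note above warns about.

```powershell
# Added example: read and set the two NTDS diagnostic levels from the procedures.
$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Wanted = @{
    '15 Field Engineering'     = 5   # logs expensive/inefficient LDAP queries (Event ID 1644)
    '16 LDAP Interface Events' = 2   # logs LDAP bind events
}

function Get-NtdsDiagnosticLevel {
    foreach ($name in $Wanted.Keys) {
        # A missing value is reported as $null, not as the default 0.
        $current = (Get-ItemProperty -Path $DiagnosticsKey -Name $name `
                        -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value   = $name
            Current = $current
            Wanted  = $Wanted[$name]
            Ok      = ($current -eq $Wanted[$name])
        }
    }
}

function Set-NtdsDiagnosticLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($item in (Get-NtdsDiagnosticLevel | Where-Object { -not $_.Ok })) {
        if ($PSCmdlet.ShouldProcess("$DiagnosticsKey\$($item.Value)", "set to $($item.Wanted)")) {
            Set-ItemProperty -Path $DiagnosticsKey -Name $item.Value `
                             -Value $item.Wanted -Type DWord
        }
    }
}

Get-NtdsDiagnosticLevel | Format-Table -AutoSize
Set-NtdsDiagnosticLevel -WhatIf    # preview only; drop -WhatIf to apply the change
```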

Setting up Audit for LDAP Connection

To set the audit for LDAP connection, perform the following steps:

  1. Log in as an administrator to a computer in the domain that you want to configure.

  2. To open Group Policy Management Console, enter the following at the command prompt: gpmc.msc

  3. Open Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  6. Under Audit Account Management and Audit Directory Service Access, select the following for each subcategory: Define these policy settings, Success, and Failure.

  7. (Conditional) To link a new GPO, navigate to Group Policy Management Console > Forest > Domains > domainName > Domain Controllers.

    1. Right-click Default Domain Controllers Policy > click Link an existing GPO > select the newly created GPO.

    2. To force the group policy update, right-click the defined OU and select Group Policy Update.

  8. To update policy settings, run the gpUpdate command at the command prompt.

  9. Open Event Viewer by running eventvwr.exe at the command prompt, and navigate to Applications and Services Logs > Directory Service > Properties. Ensure that Maximum log size is set to 4000000 KB (4 GB) and that Overwrite events as needed is selected.

  10. (Optional) To apply a specific set of permissions in the Active Directory that are supported by your organization, see Configuring Security Access Control Lists.

To update the audit in ADSI:

  1. To open ADSI editor, use the command adsiedit.msc in the command prompt.

  2. Right-click ADSI edit > Connect to Default Naming Context.

  3. Right-click the domain DNS object with your domain name, and then select Properties > Security > Advanced > Auditing.

    1. Click Add, and set the principal to Everyone.

    2. In the Type field, specify Success.

    3. In the Applies to field, select This object and descendant objects.

    4. Select all the check boxes except Full Control, List Contents, Read all properties, and Read Permissions.

    5. Click OK.

Configuring LDAP signing

You can configure LDAP signing on both the server (domain controller) and the client.

To configure LDAP server (Domain Controller) signing:

  1. Select Start > Run, type mmc.exe. Click OK.

  2. Navigate to File > Add/Remove Snap-in > Group Policy Management Editor > click Add.

  3. Select Group Policy Object > Browse.

  4. In the Browse for a Group Policy Object dialog box, select Default Domain Controller Policy under the Domains, OUs, and linked Group Policy Objects area > click OK.

  5. Click Finish > OK.

  6. Select Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

  7. Right-click Domain controller: LDAP server signing requirements > select Properties.

  8. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting and select Require signing in the Define this policy setting list > click OK.

  9. In the Confirm Setting Change dialog box, select Yes.

To configure LDAP client signing (Network Security):

  1. Select Start > Run, type mmc.exe > click OK.

  2. Navigate to File > Add/Remove Snap-in > select Group Policy Object Editor > select Add. Click Finish. Click OK.

  3. Select Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

  4. Right-click Network security: LDAP client signing requirements > select Properties.

  5. In the Network security: LDAP client signing requirements Properties dialog box, select Require signing from the list > click OK.

  6. In the Confirm Setting Change dialog box, select Yes.

IMPORTANT: After configuring LDAP signing, to update policy settings, run the gpUpdate command at the command prompt.
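Switching a domain controller to Require signing breaks any client that still binds without signing, so it pays to check what the effective setting is after gpUpdate and who would be affected before enforcing it. The following PowerShell script is an added example (not from the Change Guardian documentation): it reads the registry values behind the two policies (LDAPServerIntegrity under NTDS\Parameters and LDAPClientIntegrity under Services\LDAP, where 2 means Require signing) and lists the clients that performed unsigned binds in the last 24 hours. That list comes from Event ID 2889 in the Directory Service log, a standard Windows event that the domain controller emits only once 16 LDAP Interface Events has been set to 2 as described earlier; the event's property order (client address first, account second) is assumed from the standard message layout. It assumes an elevated prompt on the domain controller.

```powershell
# Added example: verify LDAP signing settings and find clients still binding unsigned.
function Get-LdapSigningSetting {
    # 2 = Require signing, 1 = Negotiate signing, 0 = None.
    $server = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                   -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $client = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
                   -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    [pscustomobject]@{
        ServerValue           = $server
        ServerSigningRequired = ($server -eq 2)
        ClientValue           = $client
        ClientSigningRequired = ($client -eq 2)
    }
}

function Get-UnsignedLdapBind {
    param([int]$Hours = 24)
    # Event 2889: a client bound without requesting signing, or did a simple
    # bind over clear text. Requires 16 LDAP Interface Events = 2.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed property order: [0] client IP:port, [1] account that bound.
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Client  = $e.Properties[0].Value
            Account = $e.Properties[1].Value
        }
    }
}

Get-LdapSigningSetting | Format-List
# Summarise unsigned binders so each one can be fixed before Require signing is enforced.
Get-UnsignedLdapBind |
    Group-Object Client, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```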

Configuring Federation Service Monitoring

Change Guardian monitors the following in Federation Services (FS):

  • Application token success and failure

  • Fresh credential validation success and failure

  • Password change request success and failure

Configure Federation Service auditing to enable logging of Federation Service events in the security event log.

To configure Federation Service auditing:

  1. Log in as an administrator in the domain that you want to configure.

  2. To open Group Policy Management Console, run gpmc.msc at the command prompt.

  3. Click Forest > Domains > Domain Name > Domain Controllers.

  4. Right-click Default Domain Controllers Policy and select Edit.

    NOTE: Changing the default domain controllers policy is important because a GPO linked to the domain controller (DC) organizational unit (OU) with a higher link order can override this configuration when you restart the computer or run gpUpdate again. If your corporate standards do not allow you to modify the default domain controllers policy, create a GPO for your Change Guardian settings, add these settings to the GPO, and set it to have the highest link order in the Domain Controllers OU.

  5. Click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

  6. To configure ADFS auditing under Object Access, select the following for Audit Application Generated: Configure the following audit events, Success, and Failure.

  7. To update policy settings, run the gpUpdate command at the command prompt.

Configure auditing for Federation Service in the Federation Service Management snap-in.

To configure Federation Service auditing:

  1. To open the Federation Service Management snap-in, click Start > Programs > Administrative Tools > AD FS Management.

  2. In the Actions pane, click Edit Federation Service Properties.

  3. In the Federation Service Properties dialog box, click Events.

  4. Select the Success audits and Failure audits check boxes.

  5. Click OK.

6.1.3 Categories of Change Guardian Policies for Windows Active Directory

AD objects: Policies about creating and deleting a domain, modifying connection object, and so on

AD Query: Policies about accessing, authorizing, and monitoring the Active Directory information

Computer accounts: Policies about disabling and moving a computer account, and changing permission to accounts

Configurations: Policies about creating and deleting GPOs

Contacts: Policies about creating, deleting, moving, and changing permission of contacts

DNS Configuration: Policies about modifying DNS configurations, and monitoring the node and zone

Federation Service: Policies about securely sharing digital identity and entitlements rights across security and enterprise boundaries

Groups: Policies about the following:

  • Creating distribution group and security group

  • Membership changes to distribution group, privilege group, and security group

Organization units: Policies about creating, deleting, moving, and changing permission of organization unit

Schema: Policies about the following:

  • Creating and changing schema attributes and classes

  • Deactivating and reactivating schema objects

  • Changing schema permissions

  • Changing schema settings

NOTE: If you want to receive all events related to Schema, create more than one policy having related Schema events as policy definition. For example, create a policy to monitor events about schema attribute created and schema attribute modified.

Trusts: Policies about creating, deleting, and modifying trust

User accounts: Policies about the following:

  • Changing administrator or guest accounts

  • Failure to reset user password

  • Disabling and moving user accounts

  • Changing permission to user accounts

For more information about creating policies, see Creating Policies.

After creating policies, you can assign them to agents. For information about assigning policies, see Assigning Policies or Policy Sets.

NOTE: If you assign the Active Directory schema policies created for Attribute and Class schema monitoring together, the AD schema events are not generated successfully. Create separate policies for Attribute and Class schema.