Top 10 Conclusions Taken from Tech-Ed Session about Active Directory Auditing by Don Jones

Don Jones recently ran a very interesting session at Tech-Ed dedicated to Active Directory auditing pains and solutions. The session was vendor-neutral (although some vendors, including NetWrix, were present among the other participants) and it was run as an open discussion with more than 100 people taking part.

Most participants were IT professionals from predominantly large organizations (tens of thousands of AD users), mostly from the US, from many different industries. The following is my take from the discussion.

1) MS Audit Collection Services (ACS, a part of System Center Operations Manager): everybody is aware of this technology and understands that it can be used for Active Directory auditing, but only two participants are actually using it. Most people said ACS is very far from being a complete solution for AD auditing.

2) The built-in event forwarding feature (Windows Event Collector) introduced in Windows Vista and Windows Server 2008: NOBODY is using it for event consolidation. The major concern is scalability, but none of the participants had been able to test it in a large production environment. One participant is currently testing it, but had nothing to share so far.

3) Everybody wants Active Directory change reporting functionality and only some people want to have real-time alerting on Active Directory changes in addition to reporting.

4) The two most critical examples of real-time alerts: account lockouts and changes to security groups.

5) Most people are interested in Group Policy auditing. Nobody was able to suggest any adequate native solution for this, though; only 3rd party tools can be used for GPO auditing.

6) The use of 3rd party agents for Active Directory auditing: most people are OK with this, but several people (all from various government agencies, by the way) said it is very tough to get a piece of 3rd party code approved to run on a domain controller (it literally takes months or even years). Agents that do not require high privileges can be OK, though.

7) Object-level and attribute-level Active Directory backup and restore: more than 40% of participants need it, and most said it would seem logical to have this integrated with AD auditing processes, simply because rolling back a change is part of change management.

8) Major challenges with native AD auditing: event IDs change between versions of Windows (for example, the three-digit security event IDs of Windows Server 2003 became four-digit IDs in Windows Server 2008), scalability issues (lots of events), no convenient analysis tools, and no event consolidation capability (you have to look at every DC separately, and everybody is afraid of using the native event forwarding feature).

9) What most people want to audit is AD and Group Policy changes, but several people gave examples of additional audit categories requested by their auditors, such as logons and account lockouts.

10) One person said they tried to audit everything in Windows Server (enabled ALL audit categories, success and failure, in a GPO) and their servers practically went down (huge performance degradation), so they had to limit the scope of auditing significantly.
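Items 8 and 10 together describe the native tooling problem: the legacy audit categories are far too coarse, and flooding the Security log is what took that participant's servers down. The following is an added example written for this page (not code from the session, from Don Jones or from any vendor) showing how the auditing scope can instead be limited to the subcategories that actually produce the AD-change, group-change and lockout events people asked for. It assumes Windows Server 2008 or later (auditpol.exe subcategories exist from Vista/2008 onwards), an elevated PowerShell session on the DC, and English subcategory names; the registry value and subcategory names are the ones Windows uses, not invented ones.

```powershell
# Added example, not from the original post: scope Windows auditing on a DC to
# the subcategories that produce the events the session participants wanted,
# instead of enabling every legacy category (item 10).
# Assumes Windows Server 2008+ and an elevated PowerShell session on the DC.

# Subcategory names are auditpol's own (English locale). List them with:
#   auditpol /list /subcategory:*
$Subcategories = @(
    'User Account Management',    # account create/delete/enable/disable, lockout (event 4740)
    'Security Group Management',  # group create/delete, member add/remove (4728/4732/4756, 4729/4733/4757)
    'Directory Service Changes',  # attribute-level object changes (5136-5141)
    'Account Lockout'             # logon failures caused by an already locked account
)

foreach ($sub in $Subcategories) {
    # Success is what change auditing needs; failure is kept for the lockout-related entries.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable
}

# On Windows Server 2008 (pre-R2) the nine legacy GPO categories overwrite these
# subcategory settings at the next policy refresh unless this LSA value is set.
# The same switch exists as the GPO setting "Audit: Force audit policy
# subcategory settings (Windows Vista or later) to override audit policy
# category settings".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Caveat: "Directory Service Changes" only fires for objects whose SACL requests
# auditing of writes. The SACL is set separately (Active Directory Users and
# Computers or ADSI Edit, Security -> Advanced -> Auditing), typically on the
# domain head with inheritance, and is not part of this script.

# Verify what is effective now; anything not listed above should read "No Auditing".
& auditpol.exe /get /category:*
```

Running this on each DC by hand does not scale to tens of thousands of users; on Windows Server 2008 R2 and later the same subcategories can be pushed from a GPO under Advanced Audit Policy Configuration, which is the form a change-management process would want anyway.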
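Items 4 and 8 name the two alerts everybody wanted (account lockouts and security group changes) and the complaint that native auditing means reading every DC's log separately. The following is an added example written for this page (not code from the session or from any vendor) that pulls exactly those events from every DC in the current domain and merges them into one timeline. It assumes Windows Server 2008 or later DCs (the four-digit event IDs; Windows Server 2003 logs 644 for a lockout and 632/636/660 and 633/637/661 for group member add/remove, which is the version problem from item 8), remote Event Log access over RPC, and a caller who is in the Event Log Readers group or an administrator on the DCs. The function name Get-AdChangeAlerts and the helper ConvertFrom-EventData are this example's own names.

```powershell
# Added example, not from the original post: consolidate account-lockout and
# security-group-membership events from all DCs into one list (items 4 and 8).
# Assumes Windows Server 2008+ DCs, remote Event Log access and Event Log Readers
# rights (or admin) on each DC. Compatible with PowerShell 2.0.

# Event IDs watched, with the meaning Windows assigns to each.
$WatchedEvents = @{
    4740 = 'Account locked out'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4729 = 'Member removed from security-enabled global group'
    4733 = 'Member removed from security-enabled local group'
    4757 = 'Member removed from security-enabled universal group'
}

# Turn one event's EventData into a name -> value table. Positional
# Properties[] differ between event IDs, so fields are read by name from the XML.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-AdChangeAlerts {
    param(
        # Default: every DC of the domain this machine is joined to (no AD module needed).
        [string[]]$DomainController = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | ForEach-Object { $_.Name }),
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = [int[]]$WatchedEvents.Keys
                StartTime = $Since
            }
        } catch {
            # Get-WinEvent throws when nothing matched; any other error means the DC was not readable.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
            }
            continue
        }
        foreach ($e in $events) {
            $d = ConvertFrom-EventData -Event $e
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                What    = $WatchedEvents[$e.Id]
                Target  = $d['TargetUserName']   # locked-out account, or the group that changed
                Member  = $d['MemberName']       # DN of the member added/removed (group events only)
                By      = $d['SubjectUserName']  # account that performed the action
                Source  = $d['TargetDomainName'] # for 4740 this field carries the calling computer name
            }
        }
    }
}

# Usage: one consolidated timeline, newest last, then only the entries worth an alert.
$timeline = Get-AdChangeAlerts | Sort-Object Time
$timeline | Format-Table Time, DC, What, Target, Member, By -AutoSize
$timeline | Where-Object { $_.EventId -eq 4740 -or $_.Target -match 'Admins$' } |
    Format-Table Time, DC, What, Target, Member, By, Source -AutoSize
```

This is a pull-based report, which is what item 3 says most people want; it does not give the real-time alerting of item 4. The native route to real time without a third-party agent is a Task Scheduler "On an event" trigger on each DC for the same event IDs, or the Windows Event Collector subscription from item 2, and the scalability concerns raised about the latter apply unchanged.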

So what are your thoughts about Active Directory auditing? Can you share what is important for you and what solutions you are using now? Please join this discussion and post your comments below.