Active Directory Auditing Guidelines

Active Directory provides account management, authentication and authorization services that are critical for strong access governance. Accordingly, proper Active Directory auditing is essential for both cybersecurity and compliance with regulations that require strong access management.

For example, to promptly detect insider threats, organizations need to constantly watch for the creation of new accounts and security groups and any modifications to existing users and groups, since those changes could provide unwarranted access rights that could be misused by account owners or attackers who compromise their accounts. They also must keep a close eye on user activities like logon attempts and directory changes, and identify security gaps like inactive user and computer accounts.

However, Active Directory does not audit all security events by default — you must explicitly enable auditing of important events so that they are recorded in the Security event log and available for inclusion in audit reports and alerts.

This article provides recommendations for setting up auditing in your Active Directory environment, using the Netwrix Audit Policy Best Practices as a reference.

Getting Started with AD Auditing

Active Directory (AD) auditing is the process of collecting and analyzing data about your AD objects and Group Policy. Organizations perform AD auditing to proactively improve security, promptly detect and respond to threats, and keep IT operations running smoothly.

Using Audit Policy

To specify which system events and user activity to track, you use the Audit Policy settings in Active Directory Group Policy. You specify which types of events you want to audit and select the settings for each one. For instance, you can log all events when a user account is disabled or a bad password is entered.

Like other Group Policy settings, auditing is configured using the Group Policy Management Editor (GPME) tool in the Group Policy Management console (GPMC). Note that audit settings for devices joined to a domain are by default set at a relatively low level, so they should be refined. On domain controllers (DCs), auditing is often more robust, but it still might not be at the level that you need.

To audit Active Directory, you can use either the basic (local) security audit policy settings or the advanced security audit policy settings, which enable more granularity. Microsoft does not recommend using both, since that can lead to “unexpected results in audit reporting.” In most cases, once you turn advanced auditing on, basic auditing will be ignored, even if you later turn advanced auditing off. It is recommended to use advanced auditing if you are not currently performing any auditing.

  • Basic policies can be set by going to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  • Advanced policy settings can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

Audit Policy Scope

You can define auditing policies for both the entire domain and individual organizational units (OUs). Note that a setting configured at the OU level has higher priority than a domain-level setting and will override it in case of conflicts. You can check the resulting policies using the auditpol command-line utility.

Configuring the Security Log

You’ll also need to specify the maximum size and other properties of the Security log using the Event Logging policy settings. To change settings via GPME, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log and double-click the policy name. According to Microsoft, the recommended maximum log size for modern OS versions is 4 GB, and the recommended maximum total size for all logs is 16 GB. You can view the logs with Event Viewer.

Which AD Security Log Events to Track

The key to effective auditing is knowing which events to log. If you track too many events, your logs will be so full of noise that they’ll be hard to analyze and they’ll overwrite themselves quickly. But if you fail to track critical events, you’ll be unable to detect malicious activity and investigate security incidents. Here are the recommended events to track to strike the right balance.

Audit account logon events

To detect unauthorized attempts to log in to a domain, it is necessary to audit logon events — both successful and failed. Audit account logon events provides a way to track authentication events, such as NTLM and Kerberos authentication. It should not be confused with Audit logon events, which defines the auditing of every user attempt to log on to or log off from a computer, as explained below.

Here are the recommended settings for the advanced Audit account logon events policy:

  • Audit Credential Validation: Failure
  • Audit Kerberos Authentication Service: Success, Failure
  • Audit Kerberos Service Ticket Operations: Failure
  • Audit Other Account Logon Events: Success, Failure

Note that logoff events are not tracked on domain controllers unless you are actually logging into that specific DC.

Audit logon events

This policy can record all successful and failed attempts to log on or off a local computer, whether by a domain account or a local account. This information is useful for intruder detection and post-incident forensics. Microsoft provides descriptions of the various event IDs that can be logged.

The minimum recommended advanced settings are:

  • Audit Account Lockout: Success, Failure
  • Audit Group Membership: Success
  • Audit Logoff: Success, Failure
  • Audit Logon: Success, Failure
  • Audit Special Logon: Success, Failure

Account management

Carefully monitoring all changes to user accounts helps minimize the risk of business disruption and system unavailability.

At a minimum, it is recommended to set the basic Audit account management policy to “Success”. If you are using advanced audit policies, use the following settings:

  • Audit Application Group Management: Success, Failure
  • Audit Computer Account Management: Success
  • Audit Distribution Group Management: Success
  • Audit Other Account Management Events: Success
  • Audit Security Group Management: Success
  • Audit User Account Management: Success, Failure

Directory service access

Monitor this only if you need to see when someone accesses an AD object that has its own system access control list, such as an OU. In that case, it is recommended to configure the following settings:

  • Audit Directory Service Access: Success, Failure
  • Audit Directory Service Changes: Success, Failure

Object access

Audit this only if you need to see when someone used privileges to access, copy, distribute, modify or delete files on file servers. Enabling this setting can generate a large volume of Security log entries, so use it only if you have a specific use for that data. The recommended advanced settings are:

  • Audit Detailed File Share: Failure
  • Audit File Share: Success, Failure
  • Audit Other Object Access Events: Success, Failure
  • Audit Removable Storage: Success, Failure

Policy change

Improper changes to a Group Policy object (GPO) can lead to security incidents and violations of data privacy mandates. To reduce your risk, set up the following advanced settings:

  • Audit Policy Change: Success, Failure
  • Audit Authentication Policy Change: Success, Failure
  • Audit MPSSVC Rule-Level Policy Change: Success, Failure
  • Audit Other Policy Change Events: Failure

Privilege use

Turn this on only if you want to track each instance of user privileges being used. Enabling this policy can generate a large volume of entries in your Security logs, so do so only if you have a specific use for that data. To enable this policy, configure the following:

  • Audit Sensitive Privilege Use: Success, Failure

Process tracking (sometimes called Detailed tracking)

Available only in advanced audit policy, this setting is focused on process-related audit events, such as process creation, process termination, handle duplication and indirect object access. It can be useful for incident investigations, but it can generate a large volume of entries in your Security logs, so enable it only if you have a specific use for the data. The recommended settings are:

  • Audit PNP Activity: Success
  • Audit Process Creation: Success

System

It is wise to log all attempts to start, shut down or restart a computer, as well as all attempts by a process or program to do something that it does not have permission to do, such as malicious software trying to change settings on your computer. Recommended advanced settings are:

  • Audit Security State Change: Success, Failure
  • Audit Other System Events: Success, Failure
  • Audit System Integrity: Success, Failure
  • Audit Security System Extension: Success
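As an added example (not from the article), the following PowerShell script reads the effective policy with the auditpol utility mentioned under Audit Policy Scope and compares it with a representative subset of the subcategory settings recommended above. It assumes auditpol's subcategory names match the GPO display names, except that PNP Activity is listed by auditpol as Plug and Play Events; run it in an elevated prompt on the DC you want to check.

```powershell
# Added example: compare this host's effective audit policy (auditpol) with the
# subcategory settings recommended in the article. Not Netwrix code.

# Recommended settings from the article, keyed by auditpol subcategory name
# (a representative subset; extend the table with the remaining subcategories).
$Recommended = @{
    'Credential Validation'              = 'Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    'Account Lockout'                    = 'Success and Failure'
    'Group Membership'                   = 'Success'
    'Logoff'                             = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Computer Account Management'        = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Process Creation'                   = 'Success'
    'Plug and Play Events'               = 'Success'   # GPO name: Audit PNP Activity
    'Security State Change'              = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
    'Security System Extension'          = 'Success'
}

# /r makes auditpol print CSV; drop the blank line it emits before the header.
$Effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

function Test-Setting([string]$Actual, [string]$Wanted) {
    # Compliant when every required outcome (Success and/or Failure) is audited; a
    # stricter effective value ("Success and Failure") satisfies a single-outcome target.
    foreach ($flag in ($Wanted -split ' and ')) {
        if ($Actual -notmatch $flag) { return $false }
    }
    return $true
}

$Report = foreach ($row in $Effective) {
    if (-not $Recommended.ContainsKey($row.Subcategory)) { continue }
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Recommended = $Recommended[$row.Subcategory]
        Effective   = $row.'Inclusion Setting'
        Compliant   = Test-Setting $row.'Inclusion Setting' $Recommended[$row.Subcategory]
    }
}
$Report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize
```

Rows with Compliant set to False are the subcategories whose resulting policy (after domain- and OU-level GPOs are applied) still falls short of the recommendation.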

AD Auditing Best Practices

By auditing Active Directory, you can reduce security risks by identifying and remediating toxic conditions like deeply nested groups and directly assigned permissions that attackers can exploit to gain access to your network resources. The following best practices can help make your AD auditing more effective:

Get a thorough understanding of your AD environment.

Start by getting answers to the following questions:

  • How many accounts and groups do you have?
  • What GPOs and other critical Active Directory objects do you have?
  • Who has permissions to your DCs and OUs?

Prioritize your efforts.

Three places organizations often begin are:

  • Privileged AD access — Examine critical objects like GPOs.
  • Large groups — Evaluate the access of large groups like Domain Users and Everyone.
  • Privileged user access — Determine which users have elevated access, either through membership in powerful groups like Domain Admins or via more indirect methods like nested group membership.

Get the right stakeholders involved.

Determine which business users understand who should have access to what. For example, the manager of a particular department is likely to know which IT resources their team members need access to in order to do their jobs, and why permissions have been set up a certain way.

Regularly review group membership.

First, ensure that only the right users are members of Domain Admins and Enterprise Admins. Strictly limiting membership in these groups will reduce the risk that a rogue admin will abuse their privileged access. Equally important, it minimizes the number of accounts that an adversary could compromise to instantly gain control of the domain.

Second, have business owners validate that the right members are in their groups — and that the group has access to only the resources that it needs.

Repeat these reviews on a regular basis.

Keep improving your AD auditing process.

Once you implement your top priorities for AD auditing, move on to the next areas. For example, once you have established regular reviews of group membership, start auditing changes to AD passwords.

Next steps

Setting up the correct audit policies is a great start — but it’s only half the battle. You also need to be able to analyze the data you collect. Unfortunately, modern IT environments are so complex and busy that logs often become too large to sift through effectively, and the audit log can even overwrite itself. Single-purpose software tools can help with particular tasks, but a patchwork of solutions cannot deliver the comprehensive visibility you need for data security.

With the Netwrix Active Directory Security Solution, you can secure your Active Directory from end to end. It will enable you to:

  • Uncover security risks in Active Directory and prioritize your mitigation efforts.
  • Harden security configurations across your IT infrastructure.
  • Promptly detect and contain even advanced threats, such as DCSync, NTDS.dit extraction and Golden Ticket attacks.
  • Respond to known threats instantly with automated alert options.
  • Minimize business disruptions with fast Active Directory recovery.

FAQ

How can I enable auditing of AD objects?

To enable auditing of Active Directory objects you can either:

  • Configure an audit policy on the domain controllers to log the specified events for all users.
  • Configure an auditing ACL (SACL) on specific objects to monitor specific changes to them.

How do I configure an audit policy setting for a domain controller?

  1. Open the Group Policy Management Console.
  2. Right-click the Default Domain Controllers Policy and select Edit.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Specify the audit settings for each event category you want to monitor and save your changes.
  5. Either wait for the policy to update automatically or run gpupdate on the DC yourself to update the policy immediately.

Use the Windows Event Viewer to view captured events.

How do I configure auditing for specific AD objects?

  1. Open Active Directory Users and Computers.
  2. Navigate to the object you want to monitor and open it.
  3. Go to the Security tab.
  4. Click the Advanced button.
  5. Go to the Auditing tab.
  6. Click Add.
  7. Select the properties you want to monitor.
  8. Click OK to close each window until you are back to the main ADUC screen.
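As an added example (not from the article), this PowerShell script performs the equivalent of the ADUC steps above and of the SACL option in the first FAQ answer: it adds an audit entry to one OU's system access control list through the ActiveDirectory module's AD: drive. The OU distinguished name is an assumed placeholder; replace it with an object from your own domain.

```powershell
# Added example: put an auditing ACE (SACL entry) on a specific AD object with
# PowerShell instead of the ADUC dialogs. Not Netwrix code.
Import-Module ActiveDirectory

$ouDn = 'OU=Servers,DC=example,DC=com'   # assumed placeholder; use your own OU
$path = "AD:\$ouDn"

# Read the object's security descriptor including its SACL (-Audit).
$acl = Get-Acl -Path $path -Audit

# Audit every principal (Everyone, S-1-1-0) that writes any attribute of this OU
# or of any object beneath it, on both successful and failed attempts.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the audit rules now present on the OU for the Everyone SID.
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyone } |
    Format-Table ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The SACL only takes effect once the Audit Directory Service Access and Audit Directory Service Changes subcategories described earlier are enabled on the DCs; without them, matching operations are not written to the Security log.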

Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.