protecting and auditing active directory with quest …...auditing components of active directory,...
TRANSCRIPT
TECHNICAL BRIEF
Written byRandy Franklin Smith
CEO, Monterey Technology Group, Inc.Publisher of UltimateWindowsSecurity.com
Protecting and Auditing Active Directory with Quest Solutions
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 1
© 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. No part of this document may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying
and recording for any purpose without the written permission of Quest Software, Inc. (―Quest‖).
The information in this document is provided in connection with Quest products. No license, express or
implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in
connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND
CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST
ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any time
without notice. Quest does not make any commitment to update the information contained in this
document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
E-mail: [email protected]
Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix,
AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch,
BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop
Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin,
Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe,
LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool,
NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest
Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle
Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab,
Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator,
vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore
vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore
vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of
Quest Software, Inc in the United States of America and other countries. Other trademarks and registered
trademarks used in this guide are property of their respective owners.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 2
Contents Executive Summary ...................................................................................................................................... 3
Key Audit and Protection Requirements for Active Directory ....................................................................... 4
Why Protect and Audit Active Directory ..................................................................................................... 4
Key Components for Protection and Auditing of Active Directory ............................................................. 4
Change Tracking .................................................................................................................................... 5
Real-Time Monitoring............................................................................................................................. 6
Reporting ............................................................................................................................................... 7
Security Event Management and Correlation ........................................................................................ 8
Secure Audit Trail .................................................................................................................................. 8
Providing Comprehensive Audit and Protection for Active Directory ............................................................ 9
Introduction ................................................................................................................................................ 9
ChangeAuditor for Active Directory ......................................................................................................... 10
Intelligent AD Auditing.......................................................................................................................... 10
Quest InTrust ........................................................................................................................................... 14
Integration of InTrust and ChangeAuditor ........................................................................................... 15
Summary ..................................................................................................................................................... 16
About the Author ......................................................................................................................................... 17
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 3
Executive Summary Active Directory (AD) is the core of enterprise IT; for this reason, comprehensive protection and auditing
of AD changes is critical. Together Quest ChangeAuditor for Active Directory and InTrust provide the
monitoring, reporting and audit trail capabilities required to fulfill operational, planning, security and
compliance requirements for AD. ChangeAuditor tracks, monitors and reports on core changes; InTrust
provides a long-term, secure audit trail and correlates AD data with other enterprise IT activity.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 4
Key Audit and Protection Requirements for Active Directory Why Protect and Audit Active Directory On many levels, Active Directory (AD) is the core of enterprise IT: AD is where you find user accounts,
groups for access control, encryption policies, certificates and CRLs, network IPSec polices—the list goes
on and on. Moreover, nearly every system component integrates with AD, from databases to applications,
UNIX systems and wireless access points to VPNs, as well as business partners and cloud services
through federation services.
Because AD is critical to your business operations, comprehensive protection and auditing of changes is
a must. One unauthorized or accidental change to AD can have devastating cost, security, downtime and
compliance consequences. For instance, group policy objects (GPOs) provide centralized and automated
configuration control of all computers on your network; a poorly edited GPO can spread a configuration
change to thousands of computers in minutes, possibly compromising the security or availability of your
network.
In addition, AD must be managed by all-powerful domain administrators. Malicious actions by rogue
administrators can be deterred by a high-integrity audit trail that detects changes and enforces
accountability.
Key Components for Protection and Auditing of Active Directory Many monitoring, reporting and audit trail capabilities are required to fulfill AD’s operational, planning,
security and compliance requirements. But as shown in Figure 1. The comprehensive protection and
auditing components of Active Directory, the foundation is change tracking. It should supply real-time
changes and detailed event data to be consumed downstream monitoring, reporting and audit trail
components.
Figure 1. The comprehensive protection and auditing components of Active Directory
Change TrackingReal-time
Monitoring•Alerting
•Object protection
• Integration with systems management solutions
Reporting• Planning and analysis
•Compliance documentation
• Forensic analysis and security incident response
•Operational accountability
•Directory integration/synchronizatio
n monitoring
Secure Audit Trail• Long-term and high-
integrity
•Admissible as evidence
•Accountability over AD administrators
Security Event Management
(SEM) and Correlation
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 5
Change Tracking
All objects in Active Directory (e.g., users, groups, computer accounts, OUs and group policy objects) are
structured according to AD’s schema of object classes and properties. Therefore, in general, AD change
tracking can be implemented using a uniform process that works no matter what type of object is
changed. The key elements to any AD change event should include the:
Time of the change
Object modified
User that modified the object
Operation performed
If applicable, properties modified and their values before and after the change
Domain controller where the change was made
IP address of the workstation or client machine from which the change originated
AD includes built-in auditing that might, at first glance, seem to be a viable option for tracking changes.
However, the native AD audit log has architectural limitations that prevent it from satisfying audit and
protection requirements. This is detailed in the Architectural Limitations of the Native Active Directory
Audit Log inset below. Moreover, the native audit log fails to audit the following critical types of
information:
Nested group changes – Although the basic, schema-based change tracking engine of AD
native auditing tracks first-level group membership changes, nested membership changes go
unnoticed. For instance, if John is a member of the group Directory Services Engineers which is a
member of Enterprise Admins (an all-powerful forest-level group), native AD auditing will not
generate any event alerting you that John now has Enterprise Admins authority.
Group policy settings – Unlike other AD objects, GPOs have only a pointer (or ―stub‖) object
stored in AD; the actual configuration settings comprising a GPO reside in the file system of each
domain controller. Simple schema-based tracking like the native AD audit log only monitors
changes to the ―stub‖ of the GPO, such name changes or deletions. At best, the native audit log
can tell you that a GPO was modified, but not which of the thousand settings was defined or the
setting’s values before and after the change.
Permission changes – In Windows Server 2003, the native audit log can report only that the
Discretionary Access Control List (DACL) of an AD object was modified—not which permissions
were added or removed for which users or groups. In Windows Server 2008, the native audit log
reports the before and after values of the entire DACL—but it uses cryptic security descriptor
definition language (SDDL):
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD).
Cryptic AD schema – The native AD audit log reports the actual class and property names as
defined in AD’s schema. These names are sometimes highly cryptic, which can make it
impossible to understand what was actually changed without significant research in the AD
schema. For instance, a change to a user’s last name is reported as a modification of the ―sn‖
property.
Comprehensive auditing and protection of Active Directory requires an intelligent change tracking engine
that monitors all modifications to Active Directory, looks for subtle impacts such as nested group
membership changes, and translates cryptic data into information that IT, security, and compliance staff
can understand and act upon. ChangeAuditor for Active Directory’s sophisticated change tracking engine
meets these requirements, as explained in greater detail later in this tech brief.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 6
Real-Time Monitoring
Protecting Active Directory requires real-time monitoring that identifies high impact, suspicious or
prohibited changes and automatically takes appropriate actions, such as reversing the change or
informing appropriate personnel.
Alerting – Administrators need to be able to define changes that may not necessarily be
prohibited but are suspicious or high- impact. These changes need to be reviewed immediately to
determine an appropriate response. For instance, when a group policy object is modified,
potentially thousands of computers or users could be impacted. At the same time, once
stabilized, most GPOs are fairly static and seldom need modification. Therefore, administrators
should be able to designate stable GPOs and receive immediate notification of any modifications.
Upon such notification, administrators can confirm that the GPO change was approved and
executed in compliance with the organization’s normal configuration change control process.
Architectural Limitations of the Native Active Directory Audit Log
Because Active Directory monitoring and auditing is so important, Windows Server provides
some native functionality for auditing changes and other high-priority AD events. Despite the
valuable functionality provided by the Windows security log, significant gaps and limitations
remain. The following limitations compromise an organization’s ability to fulfill security and
regulatory requirements for monitoring and auditing Active Directory:
Audit data scattered among domain controllers - While directory information is
replicated between domain controllers, security logs are not. Each domain controller has
its own security log, which contains only the events associated with operations
performed against that particular domain controller. Therefore, an organization’s overall
audit trail is fragmented across many domain controllers within the AD environment.
No reporting or alerting - Windows Server provides no real reporting or analysis
capabilities for the Windows security log. The one native tool for viewing security log
activity is the Event Viewer Microsoft Management Console, which provides only basic
filtering capabilities. The task triggering capability introduced in Windows Server 2008
could provide some rudimentary alerting but would require significant scripting and
management effort.
No protection from administrators – Since the audit data remains on the domain
controllers, it cannot be used as a reliable audit trail of administrator actions because
administrators can erase or modify any file on the system.
High volume of audit data - Because of the low-level, generalized nature of the
Directory Service Access category, the Windows security log can produce huge
amounts of data when used to audit AD changes. With each domain controller
producing potentially hundreds of megabytes of audit data every day, locating critical
events is like looking for a needle in a haystack—and vast storage is required to archive
the audit data.
Performance risks - Given the huge amounts of audit data and the arcane nature of
policy definition, it is easy to define AD audit policies that may overwhelm any amount of
domain controller hardware.
For a full discussion of AD’s native audit log, its limitations and impact on compliance with key
regulatory requirements please see the white paper ―Overcoming Active Directory Audit Log
Limitations‖ available at http://www.quest.com/common/registration.aspx?requestdefid=26188.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 7
Integration with system management solutions - While direct e-mail notification may be
appropriate in some situations, enterprises need the ability to receive alerts generated by AD
monitoring directly into systems management solutions such as System Center Operations
Manager (SCOM) or Tivoli via SNMP traps or other interfaces.
Object protection – Some changes should not be allowed at all. For instance, administrators
may create an organizational unit (OU) that holds critical objects intended for emergencies, This
OU may contain an emergency administrator account to be used if all other administrator
accounts are deleted, locked out or unavailable, possibly due to a denial of service attach. Or a
top level group policy object may ensure certain critical security policies are deployed to all
computers. In both cases, an organization needs the ability to lock down such objects to prevent
any modification that could jeopardize their purpose – even by administrators.
Reporting
Most AD changes are not severe enough to generate an alert or object protection response, but needed
to be reported. Organizations need to report Active Directory changes to fulfill a wide array of analytical
and documentation needs, including:
Planning and analysis – Because enterprises are constantly changing, they need to be able to
analyze historical data to predict future capacity requirements. They also need to determine how
frequently certain changes are made to assess the benefit of automating certain processes or the
impact of modifying an operation. For instance, an organization considering adopting a self-
service password reset solution needs to know how often accounts are locked out due to
forgotten passwords and how many corresponding calls are made to the help desk for password
resets.
Compliance documentation – To satisfy regulators and auditors, organizations must not only
demonstrate that a certain security process or control is in place, but also produce documentation
that the process is being used in specific cases. For instance, organizations need to document
how promptly accounts are disabled after employee terminations and when group membership is
revoked in due to job changes.
Forensic analysis and security incident response – When a system intrusion or other security
incident occurs, analysts may be hampered without an audit trail of all relevant AD changes.
Analysts need to be able to search the audit trail left by the intruder or malicious insider using a
variety of sorting and grouping techniques.
Operational accountability – The dire consequences of erroneous changes to Active Directory
has already been discussed in this document. When an operational mistake is made,
management must be able to determine how the mistake was made, by whom and when. Without
this information, the enterprise can’t prevent the problem from happening again, nor can it assign
responsibility or take appropriate action against policy violations.
Enterprise activity correlation – AD changes are only a portion of the overall IT activity that
organizations must be able to monitor and analyze. Other typical sources of event data include
logon and authentication auditing, network connection, and access to applications and resources.
Analysts frequently need to correlate events from these different kinds of log data to see the
complete picture of what is happening on the network. Therefore, ultimately AD change tracking
data needs to be aggregated with the rest of an organization’s log data into a single repository for
detailed analysis.
Directory integration/synchronization monitoring – To improve security, operational
efficiency, organizational responsiveness, and compliance, organizations are increasingly
integrating or synchronizing directory information between systems to automate identity and
access management. Debugging and managing the flow of identity information between Active
Directory can be complicated, and engineers need visibility into changes made by
synchronization processes.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 8
Security Event Management and Correlation
Active Directory changes are only one channel of the wider stream of security activity. Information
security analysts must correlate AD changes with related activity such as AD authentication events and
Windows server security events. Ultimately AD audit events need to be aggregated with the rest of the
organization’s security monitoring.
This is especially important in larger enterprises where AD administrators are separate from information
security staff. AD change events must be merged into their overall view of enterprise-wide security
activity.
Secure Audit Trail
Most organizations ultimately depend on audit logs as evidence for internal investigations and legal
proceedings. For audit logs to be admissible as evidence, organizations must produce the original audit
logs and demonstrate that they were not altered. Because audit data tends to be both voluminous and
redundant, organizations may reduce storage requirements by normalizing audit data into different tables.
However, such restructuring of the data can create the perception that audit record has been modified,
rendering it inadmissible. Furthermore, normalization can create indexing problems and performance
issues at insertion and query time. Unfortunately, the dynamic accessibility and block-oriented format of
databases means they do not function well as an unalterable repository for large amounts of redundant
data.
Most reporting and analysis processes require that AD audit data reside in a relational database for
efficient query capability. However, security and compliance requirements demand that audit logs be
protected from modification and stored for long periods of time. So while a relational database may be
required for temporary storage of audit data for reporting and analysis, audit logs must ultimately be
preserved in a high-integrity repository that supports digital signatures and compression.
This repository must also be segregated from AD’s operational administrators, because a database within
the forest is accessible to all forest administrators and can be modified or even erased. Therefore, to
deter or detect unauthorized changes, the permanent copy of any audit data must reside in a repository
outside of the jurisdiction of its administrators.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 9
Providing Comprehensive Audit and Protection for Active Directory Introduction By combining ChangeAuditor for Active Directory (CAAD) with Quest InTrust, Quest Software provides
comprehensive audit and protection for Active Directory:
ChangeAuditor provides core change tracking, monitoring and reporting.
InTrust provides a long-term, secure audit trail and correlates audit data with other IT activity.
Figure 2 - ChangeAuditor and InTrust provide comprehensive auditing and protection for AD.
Change TrackingReal-time
Monitoring•Alerting
•Object protection
• Integration with systems management solutions
Reporting• Planning and analysis
•Compliance documentation
• Forensic analysis and security incident response
•Operational accountability
• Directory integration/synchronization
monitoring
Secure Audit Trail
• Long-term and high-integrity
•Admissible as evidence
•Accountability over AD administrators
Security Event Management
(SEM) and Correlation
Quest InTrust
ChangeAuditor for
Active Directory
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 10
ChangeAuditor for Active Directory ChangeAuditor monitors Active Directory domain controllers in real time, preventing unauthorized
changes to protected objects and recording allowed changes for specified objects, users and actions. It
also provides advanced alerting and reporting.
ChangeAuditor’s architecture is comprised of three components. These work with the SQL Server
relational database that contains ChangeAuditor’s audit data and configuration:
ChangeAuditor
Agent
ChangeAuditor
Agent
ChangeAuditor
Agent Domain Controllers
ChangeAuditor
Database
ChangeAuditor
Client
ChangeAuditor
Coordinator
SQL Server
Reporting
Services
SMTP Email Alerts
SNMP
Systems Center Operations Manager
ChangeAuditor
Coordinator
Figure 3 - ChangeAuditor architecture
ChangeAuditor Agent – ChangeAuditor’s change tracking engine resides in the ChangeAuditor
agent, which runs on each domain controller. As the agent monitors any attempts to change
various objects in AD, it compares each requested change to the object protection policies
previously defined by ChangeAuditor users. If the change matches a prohibited combination of
user, action and object, ChangeAuditor prevents the change from being made. Otherwise,
ChangeAuditor records the event to the ChangeAuditor database according to the organization’s
CAAD configuration policy that defines which objects, users and actions are audited.
ChangeAuditor Coordinator – The ChangeAuditor Coordinator monitors new activity being
logged to the ChangeAuditor database and generates SMTP e-mail alerts and SNMP traps. It can
also send events to SCOM, depending on the activity and ChangeAuditor’s configured alert
policy. Additional ChangeAuditor Coordinators and a SQL Server cluster can be implemented for
fault-tolerance.
ChangeAuditor Client – IT staff use the ChangeAuditor Client to access and configure
ChangeAuditor, as well as run reports and conduct analysis. Reports can also be scheduled and
automatically delivered via SQL Reporting Services, which integrates directly with the
ChangeAuditor Client. With this client, staff can quickly determine who changed what, when the
change occurred, and where the change originated.
Intelligent AD Auditing
Unlike native AD auditing, which is limited to simple object/property schema-based auditing, the
ChangeAuditor agent provides intelligent auditing of AD changes. It addresses the specialized auditing
requirements arcane to Active Directory as described in the Change Tracking section earlier in this
document.
Nested group changes fully expanded
ChangeAuditor intelligently monitors nested group memberships and faithfully reports indirect group
membership additions. To use the example given earlier, if John is made a member of the group
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 11
Directory Services Engineers, which in turn is a member of Enterprise Admins, ChangeAuditor alerts you
that a new member has gained all-powerful Enterprise Admins membership.
Scenario: User added to nested group
Directory Services
Engineers
Enterprise Admins
Native AD
audit event:
(none)
ChangeAuditor
event
Figure 4. Nested group membership changes are reported by ChangeAuditor
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 12
Changes to group policy settings reported in detail
As explained earlier, a GPO’s configuration settings reside in the file system of each domain controller, so
the native audit log can tell you only that a GPO was modified, but not which settings were changed or
their values before and after the change. ChangeAuditor, on the other hand, reports exactly which
settings within the GPO were changed and provides the before and after values for the settings, as
shown below:
Scenario: Group Policy Object Modified
Native AD
audit event
ChangeAuditor
event
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 13
Permission changes fully reported, without redundant notifications
At best, native AD auditing can report only that there was some kind of permission change on a given
OU; moreover, it floods the security log with hundreds or thousands of additional notifications for each
child object within that OU and its sub-OUs. ChangeAuditor, however, reports a single permission change
event for the object where the permissions were actually modified, and specifies exactly which entries
were deleted and/or added:
Scenario: Active Directory permissions delegated for a given organizational unit
Native AD audit
event
ChangeAuditor
event
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 14
Plain language used instead of cryptic AD schema
While the native AD audit log reports changes using cryptic schema names for objects and properties,
ChangeAuditor reports AD changes in plain language easily understood by IT staff:
Scenario: Last name of user account changed
Native AD audit
event
ChangeAuditor
event
Quest InTrust While ChangeAuditor provides real-time monitoring and reporting, Quest InTrust provides the security
audit trail and security event management (SEM) for comprehensive auditing and protection of Active
Directory. InTrust is a modular log management and change auditing platform with optional integration
with ChangeAuditor for specialized monitoring functionality, and knowledge packs for expert analysis of
log and monitoring data.
The InTrust platform provides log collection, alerting, archival and reporting. InTrust has built-in support
for the common log formats, including Windows event logs and any type of text file log, as well as syslog
streams for support of UNIX, Linux and network devices such as routers and firewalls.
In addition, InTrust provides a secure log-based repository that can securely and efficiently store large
amounts of audit data. This protects the data from tampering and keeps it separate from the operational
AD administrators, providing deterrence and detection control.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 15
Integration of InTrust and ChangeAuditor
In larger enterprises where AD administrators are separate from information security staff, AD change
events must be merged into one overall view of enterprise-wide security activity. Quest delivers this view
by integrating the ChangeAuditor auditor event stream into InTrust’s enterprise-wide security event
management capabilities.
ChangeAuditor agents can be configured to write Active Directory change events to a local Windows
event log in addition to the normal SQL Server database used for alerting and short-term reporting. Then,
as shown in Figure 5, InTrust collects the ChangeAuditor event logs from each domain controller and
aggregates them with other log data, including logs from servers, firewalls, authentication events from
domain controllers, application logs and more:
ChangeAuditor
Agent
ChangeAuditor
Agent
ChangeAuditor
Agent
Domain Controllers
Quest InTrustWindows
Event
Logs
InTrust Log
Repository
(Secure and
Compressed)
Security Event Management
Correlation to other AD security events such as authentication
Long term, security audit trail for compliance, legal and forensic needs
Other log
data
Figure 5 – Integration of ChangeAuditor with InTrust for an enterprise view of security
Once the AD audit data is safely in the InTrust repository, it is protected from tampering by anyone who
gains administrator authority in Active Directory. Moreover, AD change events can be correlated with
other log data (such as domain controller authentication events) by security personal for full security
event management.
AD audit data and other logs can be efficiently stored for years in the InTrust repository in compressed
format. However, the logs can be immediately reproduced in their original format to satisfy compliance
requirements, legal discovery or investigations. InTrust even allows log data repositories to be indexed so
that large amounts of historical log data can be quickly searched without the time-consuming and
expensive process of re-importing logs into a reporting database.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 16
Summary Active Directory (AD) is the core of enterprise IT and requires comprehensive protection and auditing.
Together, ChangeAuditor for Active Directory and Quest InTrust provide the monitoring, reporting and
audit trail capabilities needed to fulfill AD’s operational, planning, security and compliance requirements.
Key Component Quest Solution
Intelligent change tracking
ChangeAuditor
for Active
Directory
ChangeAuditor reports all details of each change,
including ―who, what, when, and where.‖
Complex changes involving nested groups,
permission inheritance, group policy objects, and
cryptic AD schema are fully reported in plain
language and without the loss of information
common to AD’s native audit log.
Monitoring Critical objects can be protected from accidental or
malicious changes.
Administrators are alerted when suspicious or high-
impact changes occur
Monitoring of directory integration and
synchronization improves visibility into AD and
facilitates troubleshooting.
Reporting ChangeAuditor provides:
Reports for planning and analysis
Compliance documentation
Forensic analysis and security incident response
Operational accountability
Secure audit trail
Quest InTrust
Long-term storage is facilitated by efficient and
compressed storage of original logs.
Repositories are secure and protected from
tampering, so they are admissible for legal
proceedings.
Repositories can be indexed for quick querying
without lengthy database import.
Tamper-proof repository provides deterrent and
detective control over all-powerful AD
administrators.
Security event management
and correlation Active Directory changes are aggregated with the
rest of the enterprise’s audit logs for
comprehensive security event management.
InTrust collects relevant AD security events not
captured by ChangeAuditor, including AD
authentication activity.
Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 17
About the Author Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of the
UltimateWindowsSecurity.com Web site and training course series. As a Systems Security Certified
Professional (SSCP), a Microsoft Most Valued Professional (MVP), and a Certified Information Systems
Auditor (CISA), Randy specializes in Windows security. Randy is an award-winning author of almost 300
articles on Windows security issues for publications such as Windows IT Pro, for which he is a
contributing editor and author of the popular Windows Security log series. He can be reached at
5 Polaris Way, Aliso Viejo, CA 92656 | PHONE 800.306.9329 | WEB www.quest.com | E-MAIL [email protected]
If you are located outside North America, you can find your local office information on our Web site
TECHNICAL BRIEF
About Quest Software, Inc.
Now more than ever, organizations need to work smart and improve efficiency. Quest Software
creates and supports smart systems management products—helping our customers solve
everyday IT challenges faster and easier. Visit www.quest.com for more information.
Contacting Quest Software
PHONE 800.306.9329 (United States and Canada)
If you are located outside North America, you can find your
local office information on our Web site.
E-MAIL [email protected]
MAIL Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
WEB SITE www.quest.com
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who
have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around-the-clock coverage with SupportLink, our Web self-service.
Visit SupportLink at https://support.quest.com.
SupportLink gives users of Quest Software products the ability to:
• Search Quest’s online Knowledgebase
• Download the latest releases, documentation, and patches for Quest products
• Log support cases
• Manage existing support cases
View the Global Support Guide for a detailed explanation of support programs, online services,
contact information, and policies and procedures.
© 2010 Quest Software, Inc. ALL RIGHTS RESERVED.
Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-AuditAD-Manuel-US-MJ-20100513