Group Policy
gives network administrators the ability to define user, security, and organization-wide
policies in bulk throughout the network. However, any minor changes to these
policies can have massive implications to the user and to network. Continuous
auditing and monitoring of Group Policy ensures that you are constantly aware
whenever someone attempts to alter Group Policy or misuse Domain Controllers,
member servers or Active Directory computers. In this article we will explain how
you can use native tools to perform a basic GPO audit.
Group Policy change auditing using native features:
Change
auditing Group Policy using native features can be broken down into three steps:
NOTE: Native auditing is very basic in
nature – it may change events and will therefore not be very useful when trying
to perform forensic analysis of change events.
Enabling DS Access auditing:
DS Access is enabled by editing the Default
Domain Controller Policy using the Group Policy Management Editor. Auditing is
enabled for Success and Failure events for the two subcategories— Audit Directory Service Access and Audit Directory Service Changes—of the
DS Access audit policy.Note: To do this, right-click Default Domain Controller Policy and click Edit; when the Group Policy Management Editor appears, expand to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and select DS Access. Double-click Audit Directory Service Access / Audit Directory Service Access, check the checkbox Configure the following audit events and select Success and Failure. Click Apply; click OK.
Configuring SACL entries for Group Policy Container objects:
SACL entries for the Group Policy Container objects are
configured using the ADSI Edit as follows
1. In ADSI
Edit, connect to Default naming context
and navigate to DC=domain name, and CN=System.
2. Right-click CN=Policies, and select Properties.
3. Under the Security tab, click Advanced.
4. Under the Auditing tab, click Add.
5. Now, Add Everyone in the Name field, select This
object and all descendant objects in the Applies onto box, and check the checkboxes under Successful for the Create groupPolicyContainer objects and Delete groupPolicyContainer objects.
Finally, click OK, and close all the open dialogue boxes.
Finally, click OK, and close all the open dialogue boxes.
In the same way, create another auditing entry. This time, select Everyone in the Name field, select Descendant groupPolicyContainer objects in the Applies onto field, and select the check boxes under Successful for Write all properties, Delete, and Modify permissions.
Viewing Group Policy change events in Windows Security logs:
After
enabling auditing, Group Policy change events are recorded in the Windows
Security logs. To view them, search for the relevant IDs using the Event
Viewer. Some relevant event IDs are:
5136
|
A
directory service object was modified
|
5137
|
A
directory service object was created
|
5138
|
A
directory service object was undeleted
|
5139
|
A
directory service object was moved
|
5141
|
A
directory service object was deleted
|
Article Summary
Group Policy
settings play a vital role in determining what domain users can and cannot do
in the Active Directory environment. Because of this, administrators must be
vigilant when it comes to monitoring changes and modifications to it.
Trying to
use native auditing tools to perform regular, detailed audits of Group Policies
can be a difficult and lengthy process. Even if you devote the time to it, often
the best configurations fail to capture all of the changes that occur.
This
leaves you with two alternatives; using Microsoft’s Advanced Group Policy
Management (AGPM) or deploying a specialized Active Directory auditing solution like LepideAuditor Suite, This is one such
solution that provides a scalable means to instantly see who, what, where and
when changes are made to the Active Directory. It sends real time alerts and
provides detailed reports to help with all manner of security, system
management and security challenges that your organization may face (without
breaking the bank).
No comments:
Post a Comment