Monday, 18 July 2016

Why should you audit Group Policy and how do you go about it?

Group Policy gives network administrators the ability to define user, security, and organization-wide policies in bulk throughout the network. However, any minor changes to these policies can have massive implications to the user and to network. Continuous auditing and monitoring of Group Policy ensures that you are constantly aware whenever someone attempts to alter Group Policy or misuse Domain Controllers, member servers or Active Directory computers. In this article we will explain how you can use native tools to perform a basic GPO audit.

Group Policy change auditing using native features:

Change auditing Group Policy using native features can be broken down into three steps:
NOTE: Native auditing is very basic in nature – it may change events and will therefore not be very useful when trying to perform forensic analysis of change events.

Enabling DS Access auditing:
DS Access is enabled by editing the Default Domain Controller Policy using the Group Policy Management Editor. Auditing is enabled for Success and Failure events for the two subcategories— Audit Directory Service Access and Audit Directory Service Changesof the DS Access audit policy.





















Note: To do this, right-click Default Domain Controller Policy and click Edit; when the Group Policy Management Editor appears, expand to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and select DS Access. Double-click Audit Directory Service Access / Audit Directory Service Access, check the checkbox Configure the following audit events and select Success and Failure. Click Apply; click OK.

Configuring SACL entries for Group Policy Container objects:
SACL entries for the Group Policy Container objects are configured using the ADSI Edit as follows
1. In ADSI Edit, connect to Default naming context and navigate to DC=domain name, and CN=System.
2.  Right-click CN=Policies, and select Properties.
3. Under the Security tab, click Advanced.
4. Under the Auditing tab, click Add.
5. Now, Add Everyone in the Name field, select This object and all descendant objects in the Applies onto box, and check the checkboxes under Successful for the Create groupPolicyContainer objects and Delete groupPolicyContainer objects
Finally, click OK, and close all the open dialogue boxes.

















In the same way, create another auditing entry. This time, select Everyone in the Name field, select Descendant groupPolicyContainer objects in the Applies onto field, and select the check boxes under Successful for Write all properties, Delete, and Modify permissions.

























Viewing Group Policy change events in Windows Security logs:
After enabling auditing, Group Policy change events are recorded in the Windows Security logs. To view them, search for the relevant IDs using the Event Viewer. Some relevant event IDs are:

5136
A directory service object was modified
5137
A directory service object was created
5138
A directory service object was undeleted
5139
A directory service object was moved
5141
A directory service object was deleted


Article Summary

Group Policy settings play a vital role in determining what domain users can and cannot do in the Active Directory environment. Because of this, administrators must be vigilant when it comes to monitoring changes and modifications to it.
Trying to use native auditing tools to perform regular, detailed audits of Group Policies can be a difficult and lengthy process. Even if you devote the time to it, often the best configurations fail to capture all of the changes that occur. 
This leaves you with two alternatives; using Microsoft’s Advanced Group Policy Management (AGPM) or deploying a specialized Active Directory auditing solution like LepideAuditor Suite, This is one such solution that provides a scalable means to instantly see who, what, where and when changes are made to the Active Directory. It sends real time alerts and provides detailed reports to help with all manner of security, system management and security challenges that your organization may face (without breaking the bank). 

No comments:

Post a comment