
I need to monitor Active Directory domain administrator activities and look for the following:

  1. Looking for anomalies in daily activity

  2. Getting alerted upon a violation

My problem is that turning on Windows Auditing in my environment (over 100 domain controllers and 50,000 users) generates massive Security event logs, and it is not feasible to sift through them.

Is there an alternative solution? Or is there an option where I can still turn on Windows Auditing and filter for these activities?

Fahmy Aziz
  • There are companies that offer *Advanced Threat Analytics* (hint, hint) solutions that may fit your needs. Unfortunately, I cannot recommend a specific vendor. – k1DBLITZ May 15 '15 at 03:04
  • I think a better question to ask is: is there a tool that can better correlate mountains of Windows logs? A network of that size should have something like ArcSight Logger or Splunk, and doing this with those tools (especially Splunk) is somewhat trivial. Just my 2 cents, and I hope that helps. – dc5553 Jun 12 '15 at 18:07

8 Answers


I think you should consider filtering and aggregating the Windows event logs. You can start by filtering for specific events, like 4624, successful logon of a user: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

If you were to do nothing more than monitor when each Domain Administrator logs on, you will already be monitoring for one of the most important anomalies, which is when a user changes their work schedule. Unless your admin works nights or is in Australia, we don't expect him to be working Chinese working hours.

If you have a large budget, simply go to one of the many Security Information and Event Monitoring ("SIEM") vendors.

I don't recommend "getting alerted on a violation". You are going to want to watch data for a while, before you will know what constitutes a real important event.

techraf
Douglas Held
  • Love Doug's answer so I'll just add that Securonix and root9b have specially-built products to monitor Active Directory. His suggestion to look for the 4624 event in the Windows Event Log can be supplemented with this paper from SANS -- https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262 -- which does mention it! Great suggestions! – atdre Sep 17 '15 at 20:28
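The Domain Administrator logon monitoring described above, as an added example that is not part of the answer or of any vendor product: it queries event 4624 on every domain controller with a server-side filter, keeps only logons by members of the privileged groups, and flags the ones outside a business-hours window. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC, and that 07:00-19:00 Monday to Friday is the expected schedule (a placeholder to tune per admin).

```powershell
# Added example (not from the original answer). Assumes: RSAT ActiveDirectory
# module, read access to the Security log on every DC, and a 07:00-19:00
# Mon-Fri business-hours window (an assumption to adjust per admin).

Import-Module ActiveDirectory

# Enumerate privileged accounts once; -Recursive expands nested groups.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique

$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$since = (Get-Date).AddHours(-24)

$hits = foreach ($dc in $dcs) {
    # FilterHashtable is evaluated by the Event Log service on the DC, so only
    # 4624 records from the last 24h cross the wire, not the whole Security log.
    # SilentlyContinue: Get-WinEvent throws when a DC has no matching events.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Properties follow the order of the event's EventData fields:
        # [5] TargetUserName, [8] LogonType, [18] IpAddress
        $user = $e.Properties[5].Value
        if ($privileged -notcontains $user) { continue }

        $t   = $e.TimeCreated
        $dow = [int]$t.DayOfWeek            # 0 = Sunday, 6 = Saturday
        $offHours = ($dow -eq 0 -or $dow -eq 6 -or $t.Hour -lt 7 -or $t.Hour -ge 19)

        [pscustomobject]@{
            Time      = $t
            DC        = $dc
            User      = $user
            LogonType = $e.Properties[8].Value    # 2 interactive, 3 network, 10 RDP
            SourceIP  = $e.Properties[18].Value
            OffHours  = $offHours
        }
    }
}

# Baseline first, alert later: review the full table for a while before the
# OffHours rows are wired into an alert.
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Where-Object { $_.OffHours } |
    Export-Csv -NoTypeInformation -Path .\da-offhours.csv
```

Note that 4624 on a DC records logon sessions established on that DC (LogonType 3 for network authentication to it, 10 for RDP), so this shows who is touching the domain controllers rather than every logon in the domain; the same loop pointed at 4768 and 4769 (Kerberos TGT and service-ticket requests) gives the domain-wide view. As the answer says, watch the output for a while before turning the OffHours rows into an alert.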

Microsoft has a tool, Advanced Threat Analytics, that does exactly what you're looking for.


The question of monitoring AD is ancillary to the problem you appear to be having. Firstly, are the events you wish to capture documented and published to the relevant people, so that everyone knows what is correct and incorrect usage of systems, and the scope of their roles?

The events that you want to capture should be aligned with the governance of the business and IT resources. Simply going into the Windows security logs and Active Directory changes looking for problems is mostly a fruitless exercise.

Have you made a concerted effort to remove access to domain-wide administration-level permissions, i.e. Domain Admin or Enterprise Admin? The permissions aren't necessary for most admins, and proper delegation, issuing and revocation of permissions for admins, should they need access to something, centralizes security and brings visibility to the activities of admins.

And in step with the above, an exhaustive scrub and search for delegated permissions on objects is a must. Poor visibility of such assignments on objects in the AD management tools most admins would be familiar with can let this absolutely huge one go unmonitored.

Beyond some of these suggestions to tighten the operational security of the company's assets, may I also suggest that you begin documenting from a security standpoint: what you want to know about, what needs securing and monitoring, and developing the systems and procedures to make it all visible, measurable, non-repudiable, reviewed and so forth.

The data deluge out there is huge, solving the problem by hoovering and searching isn't the way when it comes to security, especially insider based vectors and actors. My opinion I'm sure the NSA disagrees with.

jCisco

Is there an option where I can still turn on Windows Auditing and filter for these activities?

Yes. I think you should use Log Parser 2.2, a tool from Microsoft; as its description says:

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory

The only problem with this powerful tool is the fact that it does not have a GUI. Yes, it is from Microsoft, but it is a command-line tool only :). However, there are many third-party GUIs for it (both free and commercial); Google it and you will find the GUI support for it.

Now, that is the easy part of your question; the hard part is:

Looking for anomalies in daily activity and Getting alerted upon a violation

What are the definitions of anomaly and violation? This differs from one organization to another. For example, an admin who grants access to an account in AD at 3:00 am on the weekend might be an anomalous action for your company, but it is fine for another one.

Most log or security event analyzer tools are just query systems: you need to tell them what you are looking for (which pattern or sequence of events) and they will try to find it for you. Based on the result of the query, it is up to the security analyst to decide whether that is a violation or not. Of course, some of them allow you to write rules to define anomalous actions.

techraf
Ubaidah
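A Log Parser 2.2 query that does the filtering step this answer describes, as an added example (not the answer's own code and not Microsoft's): it pulls event 4624 from each DC's Security log, keeps only logons by named admin accounts, and writes one CSV per DC. It assumes LogParser.exe is on PATH, that the caller can read the remote Security log on each DC, and that the admin and DC names are placeholders for your own.

```powershell
# Added example, not from the original answer. Assumes LogParser.exe (Log Parser
# 2.2) is on PATH, read access to each DC's Security log, and that the account
# and DC names below are placeholders.

# Log Parser's IN() list uses ';' as the separator, not ','.
$adminList = "'jdoe'; 'asmith'"
$dcs       = 'DC01', 'DC02'

foreach ($dc in $dcs) {
    # EVT input format: the Strings field holds the event's insertion strings,
    # '|'-delimited and 0-based. For 4624: token 5 = TargetUserName,
    # token 8 = LogonType, token 18 = IpAddress.
    $query = @"
SELECT TimeGenerated, ComputerName,
       EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
       EXTRACT_TOKEN(Strings, 8, '|')  AS LogonType,
       EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP
INTO ${dc}-da-4624.csv
FROM \\$dc\Security
WHERE EventID = 4624
  AND EXTRACT_TOKEN(Strings, 5, '|') IN ($adminList)
"@
    # Collapse the here-string to one line; -q:ON suppresses the statistics
    # banner, -o:CSV writes the INTO target.
    LogParser.exe -i:EVT -o:CSV -q:ON ($query -replace '\s+', ' ')
}
```

The same query shape with `EventID IN (4728; 4732; 4756)` catches the "grant access at 3:00 am" case from the answer (member added to a security-enabled global, local or universal group), though the Strings layout differs for those events: token 0 is the member that was added and token 2 the group. Whether a weekend hit is an anomaly is, as the answer says, a decision for your organization; the query only narrows the log to the rows worth looking at.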

I'm using OSSEC to monitor my servers, which works relatively well. The big upside is that it can be used for Windows as well as for Linux and Unix-based systems. Also, you are able to provide your own rules to filter for, which could be used to track administrative activity that is documented in the log files.

davidb

The alternate solution could be to use a host-based intrusion detection system (HIDS) that can be set up with detection rules around the resources and logs used/created by the domain controller (Active Directory). Most HIDS solutions allow you to set up alerts that are triggered based on specific thresholds (i.e. after 10 failed attempts, generate an email alert and send it to the IT sec admin). Going a step beyond just detection for domain controllers is to provide proactive prevention using a host-based intrusion prevention system (HIPS), by creating least-privilege access control policies that allow services such as LSASS.exe to read/write logs, ntds.dit, among other files, but give other programs read-only access. Symantec offers a HIDS/HIPS tool with lots of security intelligence out of the box. This product is called Symantec Data Center Security: Server Advanced. Other vendors in this space include McAfee (Solidcore) and Bit9 (however, this tool is focused on clients and not so much on servers).

dandaman12

If you don't already have a tool in place for event logging, then this would greatly help you out. There are event logging and monitoring requirements that you should be following, which would help you determine what you need alerts on and what needs to be logged. Tools such as Solarwinds or Landguard are extremely helpful.

Removing access to domain-wide administration-level permissions, i.e. Domain Admin or Enterprise Admin, is something that you should look into doing. And I agree that the permissions aren't necessary for most admins, and that proper delegation, issuing and revocation of permissions for admins, should they need access to something, centralizes security and brings visibility to the activities of admins.


Firstly I should say: I'm in no way affiliated with this company, except that I have used and installed their products and liked them.

https://www.centrify.com/products/server-suite/ - is an enterprise-level solution which allows monitoring, alerting and auditing of privileged account usage, including domain administrators.

Definitely worth a look if you're serious about auditing privileged users.

secnerd