5.1 Configuring Windows Active Directory Monitoring

Change Guardian monitors the following Windows Active Directory (AD) sources:

  • AD objects

  • Computer accounts

  • Configurations

  • Contacts

  • Groups

  • User accounts

  • Organization units

  • Trusts

You must configure your Active Directory environment so that the operating system generates Active Directory events and retains them until Change Guardian processes them. This section provides information about the following:

  • 5.1.1 Implementation Checklist

  • 5.1.2 Prerequisites

  • 5.1.3 Configuring Active Directory

  • 5.1.4 Creating Windows Active Directory Policies

For information about requirements and recommendations for computers running the Active Directory Domain Services, see the Technical Information for Change Guardian 5.2 page.

5.1.1 Implementation Checklist

The following table provides an overview of the tasks required for Change Guardian to start monitoring Windows Active Directory audit events:

5.1.2 Prerequisites

Ensure that you have completed the following:

5.1.3 Configuring Active Directory

You must complete the following tasks to configure Active Directory:

  • Configuring the Security Event Log

  • Configuring Active Directory Auditing

  • Configuring User and Group Auditing

  • Configuring Active Directory System Access Control Lists

Configuring the Security Event Log

You must configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

Set the maximum size of the Security Event Log to no less than 10 MB, and set the retention method to Overwrite events as needed.

To configure the security event log:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Make this change in the Default Domain Controllers Policy, because a GPO linked to the Domain Controllers organizational unit (OU) with higher precedence (a lower link order number) overrides this configuration the next time the computer restarts or gpupdate runs. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your Change Guardian settings, add these settings to it, and link it to the Domain Controllers OU at link order 1 so that it has the highest precedence.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log, and set Maximum security log size to no less than 10240 KB (10 MB).

  7. Set Retention method for security log to Overwrite events as needed.

  8. Return to the command prompt, type gpupdate, and then press Enter.

To verify this configuration and ensure Active Directory events are not discarded before processing:

  1. Open a command prompt as an administrator.

  2. At the command line, type eventvwr to start the Event Viewer.

  3. In Windows logs, right-click Security, and select Properties.

  4. Verify the settings reflect a maximum log size of no less than 10240 KB (10 MB), and the selection to Overwrite events as needed.
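The Event Viewer check above verifies one domain controller at a time. The following PowerShell script is an added example, not part of the Change Guardian documentation, that performs the same check against every domain controller in the domain. It assumes the ActiveDirectory RSAT module is installed and that the remote Event Log service on each DC is reachable; the Security log's LogMode of Circular is what Event Viewer displays as Overwrite events as needed.

```powershell
# Added example: verify Security log size and retention on every domain controller.
# Assumes: ActiveDirectory RSAT module; remote Event Log (RPC) access to each DC.
Import-Module ActiveDirectory

$MinimumBytes = 10240KB   # 10 MB, the floor stated in the procedure above

function Test-SecurityLogSettings {
    param([Parameter(Mandatory)][string]$ComputerName)

    $log = Get-WinEvent -ListLog Security -ComputerName $ComputerName -ErrorAction Stop

    # LogMode 'Circular' corresponds to "Overwrite events as needed" in Event Viewer.
    [pscustomobject]@{
        ComputerName = $ComputerName
        MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        LogMode      = $log.LogMode
        SizeOk       = $log.MaximumSizeInBytes -ge $MinimumBytes
        RetentionOk  = $log.LogMode -eq 'Circular'
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Test-SecurityLogSettings -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

If a DC reports SizeOk or RetentionOk as False after gpupdate, another GPO linked to the Domain Controllers OU is winning; run gpresult /scope computer /h report.html on that DC to see which GPO set the Event Log values. Treat 10 MB as a floor rather than a target: once the SACLs later in this section are in place, a busy DC can wrap a 10 MB Security log in minutes, so size the log for the interval at which the Change Guardian agent collects events.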

Configuring Active Directory Auditing

This configuration enables auditing of Active Directory events and logs the events in the security event log.

You should configure the Default Domain Controllers Policy GPO with Audit Directory Service Access set to monitor both success and failure events.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Make this change in the Default Domain Controllers Policy, because a GPO linked to the Domain Controllers organizational unit (OU) with higher precedence (a lower link order number) overrides this configuration the next time the computer restarts or gpupdate runs. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your Change Guardian settings, add these settings to it, and link it to the Domain Controllers OU at link order 1 so that it has the highest precedence.

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  6. Complete the following steps:

    1. In Security Settings, expand Advanced Audit Policy Configuration > Audit Policies.

    2. For both Change Guardian for Active Directory (CGAD) and Change Guardian for Group Policy (CGGP), click DS Access.

    3. For each subcategory, select the following options:

      • Configure the following audit events

      • Success

      • Failure

    4. For CGAD only, define the same configuration for all subcategories of Account Management and Policy Change.

  7. Complete the following steps:

    1. In Security Settings, expand Local Policies and click Audit Policy.

    2. For CGAD and CGGP, click Audit directory service access.

    3. Select the following options:

      • Define these policy settings

      • Success

      • Failure

    4. For CGAD only, configure or verify the same selections for Audit account management and Audit policy change.

  8. Return to the command prompt, type gpupdate, and then press Enter.

Configuring User and Group Auditing

This configuration enables auditing of user logon and logoff activities (by both local users and Active Directory users), and local user and group settings.

You can configure user and group auditing by one of the following methods:

Configuring Manually

You can configure user and group auditing manually.

To manually configure user and group auditing:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type mmc and press Enter to start the Microsoft Management Console, and then select File > Add/Remove Snap-in.

  3. Select Group Policy Management Editor, and then click Add.

  4. On the Select Group Policy Object window, click Browse.

  5. Select Domain Controllers.FQDN, where FQDN is the fully qualified domain name of the domain you are configuring.

  6. Select Default Domain Controllers Policy, and then click OK.

  7. Click Finish, and then click OK.

  8. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  9. Under Audit account logon events, select Define these policy settings, and then select Success and Failure.

  10. Under Audit logon events, select Define these policy settings, and then select Success and Failure.

  11. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  12. Open Audit Logon, select Configure the following audit events, and then select Success and Failure.

  13. Open Audit Logoff, select Configure the following audit events, and then select Success and Failure.

  14. To update Group Policy settings, open a command prompt and type gpupdate /force.
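The two procedures above (Configuring Active Directory Auditing and Configuring User and Group Auditing) set the audit policy through Group Policy, but neither shows how to confirm what is actually in effect on a domain controller. The following PowerShell script is an added example, not part of the Change Guardian documentation, that reads the effective audit policy with auditpol and compares it with the subcategories those procedures require. It runs on the DC itself (or on each DC through Invoke-Command) and needs no extra modules. One caveat worth knowing: when Advanced Audit Policy Configuration settings are applied by Group Policy, Windows ignores the basic Local Policies > Audit Policy settings, so the effective policy reported by auditpol is the one that matters, not the basic settings in the GPO.

```powershell
# Added example: compare the effective audit policy on this DC with what the
# Change Guardian procedures above configure. Assumes: run on a domain controller
# with administrative rights (auditpol needs them).

# Subcategories required by the procedures above, keyed by category.
# CGGP-only deployments need only the 'DS Access' entries.
$Required = @{
    'DS Access'          = 'Directory Service Access', 'Directory Service Changes',
                           'Directory Service Replication', 'Detailed Directory Service Replication'
    'Account Management' = 'User Account Management', 'Computer Account Management',
                           'Security Group Management', 'Distribution Group Management',
                           'Application Group Management', 'Other Account Management Events'
    'Policy Change'      = 'Audit Policy Change', 'Authentication Policy Change',
                           'Authorization Policy Change', 'MPSSVC Rule-Level Policy Change',
                           'Filtering Platform Policy Change', 'Other Policy Change Events'
    'Logon/Logoff'       = 'Logon', 'Logoff'
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol.exe /get /category:* /r | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param([switch]$GroupPolicyOnly)

    $categories = if ($GroupPolicyOnly) { 'DS Access' } else { $Required.Keys }
    $effective  = Get-EffectiveAuditPolicy

    foreach ($cat in $categories) {
        foreach ($sub in $Required[$cat]) {
            $row = $effective | Where-Object Subcategory -eq $sub
            [pscustomobject]@{
                Category    = $cat
                Subcategory = $sub
                Setting     = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
                Ok          = $row.'Inclusion Setting' -eq 'Success and Failure'
            }
        }
    }
}

# Any row whose Ok column is False points at a higher-precedence GPO or a missing gpupdate.
Test-AuditPolicy | Format-Table -AutoSize
```

Use Test-AuditPolicy -GroupPolicyOnly on DCs that are monitored by Change Guardian for Group Policy only, where the procedure asks for DS Access alone.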

Configuring Active Directory System Access Control Lists

The system access control list (SACL) on an Active Directory object specifies which operations, performed by which principals, are written to the security event log. Enabling directory service auditing in Group Policy is not enough on its own: an operation produces an event only if the SACL of the affected object names it. You must therefore configure the SACL to generate events for the changes that Change Guardian monitors. For Change Guardian for Active Directory, that is any change to current and future objects in the domain, schema, and configuration naming contexts; for Change Guardian for Group Policy only, it is the operations that can result in, or are related to, changes in GPO data stored in Active Directory.

To monitor all changes to current and future objects in Active Directory with Change Guardian for Active Directory, follow the steps in Configuring SACLs for Change Guardian for Active Directory. If you are running Change Guardian for Group Policy only in your environment, see Configuring SACLs for Change Guardian for Group Policy Only.

Configuring SACLs for Change Guardian for Active Directory

If you are running Change Guardian for Active Directory in your environment, complete the steps in this section. To monitor all changes of current and future objects inside Active Directory with Change Guardian, you must configure the domain node.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure that Name is set to Default naming context, and Path points to the domain to configure.

    NOTE: You must perform Step 5 through Step 13 three times, configuring the connection point for Default naming context, Schema, and Configuration in turn.

  5. In Connection Point, select Select a well known Naming Context, and then select one of the following:

    • On the first time through this step, select Default naming context in the drop-down list.

    • On the second time through this step, select Schema.

    • On the third time through this step, select Configuration.

  6. Click OK, and then expand Default naming context or Schema or Configuration.

  7. Right-click the node under the connection point (begins with DC= or CN=), and select Properties.

  8. On the Security tab, click Advanced.

  9. On the Auditing tab, click Add.

  10. In the Applies to or Apply onto field, select This object and all descendant objects.

  11. Configure auditing for every principal (the Everyone group):

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permission list, select the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

    • For versions earlier than Windows Server 2012:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permission, select Successful and Failed for the following:

        • Write All Properties

        • Delete

        • Modify Permissions

        • Modify Owner

        • Create All Child Objects

          The other nodes related to child objects are selected automatically.

        • Delete All Child Objects

          The other nodes related to child objects are selected automatically.

  12. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  13. Click OK until you close all open windows.

  14. Repeat Step 5 through Step 13 two more times.

Configuring SACLs for Change Guardian for Group Policy Only

If you are running Change Guardian only for Group Policy product in your environment, complete the steps in this section.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc and press Enter to start the ADSI Edit configuration tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection window, ensure Name is set to Default naming context, and Path points to the domain to configure.

  5. In Connection Point, select Select a well known Naming Context, and then select Default naming context in the drop-down box.

  6. Click OK, and then expand Default naming context.

  7. Right-click the node under the connection point (begins with DC=), and select Properties.

  8. Select the Security tab.

  9. Click Advanced > Auditing > Add.

  10. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  11. Configure auditing for every principal (the Everyone group):

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permission list, select the following:

        • Delete

        • Create Organizational Unit objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For versions earlier than Windows Server 2012:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permission list, select the following:

        • Delete

        • Create Organizational Unit objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  12. Click OK until you close all open windows.

  13. In Connection Point, select Select a well known Naming Context, and then select Configuration in the drop-down list.

  14. Click OK, and then expand Configuration.

  15. Right-click the node under the connection point (begins with CN=), and select Properties.

  16. Select the Security tab.

  17. Click Advanced > Auditing > Add.

  18. Configure auditing for every principal (the Everyone group):

    • If you are using Windows Server 2012 or later:

      1. Click Select a principal.

      2. Type everyone in the Enter the object name to select field.

      3. Click OK.

      4. In the Type field, select All.

      5. In the Permission list, select the following:

        • Delete

        • Create Sites Container objects

      6. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

    • For versions earlier than Windows Server 2012:

      1. Type everyone in the Enter the object name to select field.

      2. Click OK.

      3. In the Permission list, select the following:

        • Delete

        • Create Sites Container objects

      4. In the Properties list, select the following:

        • Write gPLink

        • Write gPOptions

  19. Clear the setting to Apply these auditing entries to objects and/or containers within this container only.

  20. In the Applies to or Apply onto field, select This object and all descendant objects.

  21. Click OK until you close all open windows.
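The ADSI Edit procedures above are manual and easy to get subtly wrong across three naming contexts (a missed Failure flag, or the entry left as inherit-only). The following PowerShell script is an added example, not part of the Change Guardian documentation, that applies and verifies the Change Guardian for Active Directory audit entry described in Configuring SACLs for Change Guardian for Active Directory on the domain, schema, and configuration naming contexts. It assumes the ActiveDirectory RSAT module (which provides the AD: drive) and a session with the domain administrator privileges the procedure calls for; writing a SACL requires the Manage auditing and security log privilege. The rights, audit flags, and inheritance used map one-to-one onto the dialog choices above: Write All Properties, Delete, Modify Permissions, Modify Owner, Create All Child Objects and Delete All Child Objects; Type All; This object and all descendant objects.

```powershell
# Added example: apply/verify the Everyone audit entry from the procedure above on
# all three naming contexts. Assumes: ActiveDirectory RSAT module; domain admin session.
Import-Module ActiveDirectory

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID for Everyone
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
$Flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'        # Type: All
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # This object and all descendant objects

function Get-CGAuditEntries {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # -Audit is required; without it Get-Acl returns the DACL only and Set-Acl would drop the SACL.
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    # Explicit entries only: an inherited entry would have come from a parent, not from this step.
    $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Everyone }
}

function Test-CGAuditEntry {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    foreach ($rule in Get-CGAuditEntries $DistinguishedName) {
        # The entry may carry extra bits (the GUI selects related child-object rights automatically),
        # so test that the required rights are a subset rather than an exact match.
        if (($rule.ActiveDirectoryRights -band $Rights) -eq $Rights -and
            $rule.AuditFlags -eq $Flags -and
            $rule.InheritanceType -eq $Inherit) { return $true }
    }
    return $false
}

function Set-CGAuditEntry {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($Everyone, $Rights, $Flags, $Inherit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# The three connection points from the procedure, read from RootDSE instead of typed by hand.
$root = Get-ADRootDSE
foreach ($nc in $root.defaultNamingContext, $root.schemaNamingContext, $root.configurationNamingContext) {
    if (Test-CGAuditEntry $nc) { "OK       $nc" }
    else                       { "MISSING  $nc (applying)"; Set-CGAuditEntry $nc }
}
```

For the Group Policy only variant, the same pattern applies with a narrower rule set: Delete on the naming-context head, CreateChild restricted to the organizationalUnit (domain) or sitesContainer (configuration) class, and WriteProperty restricted to the gPLink and gPOptions attributes, which requires the ActiveDirectoryAuditRule overloads that take an object-type GUID looked up from the schema. Whichever variant you apply, remember that an Everyone entry inherited by every object in the directory is intentionally broad; combine it with the Security log sizing earlier in this section so events survive until the agent collects them.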

5.1.4 Creating Windows Active Directory Policies

You can create policies to monitor the following event sources:

AD objects Policies for creating and deleting domains, modifying connection objects, and so on.

Computer accounts Policies for disabling and moving computer accounts, and changing permissions on computer accounts.

Configurations Policies for creating and deleting GPOs.

Contacts Policies for creating, deleting, and moving contacts, and changing permissions on contacts.

DNS Policies for modifying DNS configuration, and monitoring DNS nodes and zones.

Groups Policies for creating distribution groups, creating security groups, changing group membership, and so on.

User accounts Policies for creating, deleting, disabling, and moving user accounts, and changing permissions on user accounts.

Organization units Policies for creating, deleting, and moving organizational units, and changing permissions on organizational units.

Schema Policies for monitoring changes to attribute schema and class schema objects.

Trusts Policies for creating, deleting, and modifying trusts.

For more information about creating policies, see Creating Change Guardian Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.

NOTE: If you assign both the Attribute schema policy and the Class schema policy to the same monitored asset, AD schema events are not generated.