
1.800.813.6415 | www.scriptlogic.com/smbIT

Find the Who, What, Where and When of Your Active Directory


© 2012 ScriptLogic Corporation ALL RIGHTS RESERVED.


Do you only look at log files when you have been attacked?

You can use Active Directory to capture information about every attempt to access a network or any computer resource. This is a good news and bad news situation. The good news is that you can capture in log files all the data you could ever possibly need; the bad news is that the amount of data you collect can be overwhelming and requires a seasoned professional to understand and interpret. Given this, the challenge is not whether you can capture the data, but whether you know what data you need to capture in your log files.

The security logs created by Active Directory are central to an organization’s security policies. They guard against unauthorized access, data leakage, policy violations and other fraudulent activities. Compliance with legal and regulatory requirements, such as data protection laws, is compulsory and generally requires audit events to be captured and securely stored in log files. All businesses are concerned with operational effectiveness, and most cannot afford to have administrative staff constantly monitoring every service they are running. It is therefore critical for operational efficiency that organizations deploy tools that help monitor and analyze their Active Directory log files to identify issues needing administrator attention. Examining events in log files is invaluable in troubleshooting Active Directory problems. Log files enable you to see what was happening before the problem occurred, which helps you replicate and subsequently resolve the issue.

Windows Server 2008 has several different log files. There are five Windows logs that record events that happen on the computer, such as a database error, a user logging on, or a failure of a driver to load correctly. There are also seven applications and services logs that capture events such as a printer being added to the network. This article is about helping you find out the who, what, where, and when of your Active Directory system. To do this you will need to look at the security log and the directory service log.

Who is changing your Active Directory system?

The directory service log captures all of the operational transactions of Active Directory. For example, it records when a user has been created, when a user has been assigned to a group, or when a user’s information has been changed.

The directory service log contains three types of events, namely information, warnings and errors. Information events are the lowest priority and errors are the highest priority. You can display the directory service logs with the event viewer by selecting Applications and Service Logs > Directory Service as shown in figure 1.


There are six logging levels, 0 to 5. Level 0 provides the minimum amount of information and level 5 provides the greatest amount of information. By default, the logging level for each event category, such as security events and internal configuration events, is set to 0. You can increase the event logging level for an event category by editing the Active Directory registry. This can be particularly useful if you are using the logs to troubleshoot problems.

It is a best practice to have a policy in place that allows only experienced administrators to change your Active Directory registry, and to back up the system before changing the registry. Also be warned that raising the logging level will significantly increase the amount of data being captured, which means that you will need to increase the size of your log file. To increase the size of your log file, simply right-click on the directory service log in the event viewer and select Properties. You can then select the maximum log file size as well as the action you want taken when the log file reaches its maximum size. If you are not archiving your log files, select the option “overwrite events as needed”. If you plan to archive your log files, select the option to archive the log when full.
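The registry change and log-size change described above, scripted in PowerShell as an added example (this is not code from the ScriptLogic paper). It assumes an elevated prompt on a Windows Server 2008 or later domain controller; the category, the level 3 and the 64 MB size are illustrative choices, and the backup file path is constructed here.

```powershell
# Added example (not from the ScriptLogic paper): raise one NTDS diagnostic
# logging level after backing up the key, then enlarge the Directory Service
# log. Assumes an elevated prompt on a Windows Server 2008+ domain controller;
# the category, level and 64 MB size are illustrative choices.
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$category = '7 Internal Configuration'   # value name of the NTDS category to raise
$newLevel = 3                            # 0 = minimum (default) ... 5 = maximum

# 1. Back up the Diagnostics key before changing it (constructed backup path).
$backup = Join-Path $env:TEMP ('ntds-diagnostics-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# 2. Show the current level, then set the new one (levels are REG_DWORD values).
$current = (Get-ItemProperty -Path $diagKey -Name $category).$category
Write-Host "'$category' level: $current -> $newLevel"
Set-ItemProperty -Path $diagKey -Name $category -Value $newLevel -Type DWord

# 3. A higher level means many more events, so grow the log and decide what
#    happens when it fills: /rt:false = overwrite events as needed (no archiving),
#    /rt:true with /ab:true = keep events and archive the log when it is full.
wevtutil sl 'Directory Service' /ms:67108864 /rt:true /ab:true
```

Re-running the script with `$newLevel = 0` restores the default once troubleshooting is finished.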

What events will you capture in your log file?

The security log is one of the five Windows logs that you can also look at in the event viewer. Events captured in the security log are called audit events, and each event is either a success or a failure. For example, did the user log on successfully, or did someone attempt to log on and fail? Depending on your security and IT needs, you will need to enable the Audit Policies that define the audit events you wish to capture.


Figure 2: Audit event categories.

Who is accessing your computer resources?

If you wish to create an audit event when a user attempts to log on to a computer, you would click audit


Figure 3: Configuring an audit policy for user logons.

If you want to see which users are accessing a computer resource such as a printer, a file system or a specific folder, you would set the audit policy called Object Access. However, an audit event is only created for objects that have a System Access Control List (SACL) associated with them and for which you have configured the audit setting.


Figure 4: Configuring a System Access Control List (SACL).


Figure 5: Defining your audit entries.

Reasons you may wish to capture successful accesses to a specific folder include tracking access to the folder for billing purposes, keeping auditable proof that the resource was used, and identifying changes in access behavior. Reasons you may wish to log access failures include identifying fraudulent attempts to access or damage a resource.


Figure 6: Configure the audit file system events.
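The Object Access policy and folder SACL that Figures 4 to 6 configure by hand, scripted in PowerShell as an added example (not code from the ScriptLogic paper). It assumes an elevated prompt; the folder path, the audited identity (Everyone) and the audited rights are illustrative choices.

```powershell
# Added example (not from the ScriptLogic paper): enable the Object Access
# audit subcategory for the file system and add a SACL audit entry to a
# folder. Assumes an elevated prompt; the folder path, the identity and the
# rights below are illustrative choices.
$folder = 'D:\Finance\Invoices'   # constructed example path

# 1. Object Access audit policy: audit both successful and failed file system access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Without a SACL entry nothing is logged, so add an audit rule to the folder.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Confirm the audit entries (the SACL) now present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Auditing Everyone on a busy share produces a large volume of events, so pair this with the log-size settings discussed earlier.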

Turning log files into meaningful business information

You can see that it would be easy to create huge log files that are impossible for an administrator to inspect manually to identify problems. Fortunately, the event viewer lets you filter the log files and create customized views of the data, which alleviates the problem to some extent. However, if you are capturing large amounts of data in log files, it is burdensome for an administrator to filter out all the different events. To manage this situation most enterprises invest in tools that monitor, analyze and report on the captured data. The types of tools you select will vary depending on your business needs and the amount of data you are collecting. For example, a financial institution may be legally required to retain its log files for several years. In this situation it would benefit from a log management tool that automates the archiving, retrieval and disposal of its log files in a highly secure manner.


your security log along with data from your directory service log. Lastly you need a tool that has powerful filtering and search options.

The ability to collect, monitor and analyze log files is essential in all business environments. It will help you improve your operational effectiveness, troubleshoot problems and flag security concerns. Remember however, capturing data in log files is only one part of the solution. You will also need to define best practices and
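A small example of the filtering and summarizing the section above calls for, added here in PowerShell (not code from the ScriptLogic paper): it pulls failed logons and object-access attempts from the security log and groups them by account. Event IDs 4625 (failed logon) and 4663 (object access attempt) are the standard security log IDs on Windows Server 2008 and later; the one-day window is an assumption.

```powershell
# Added example (not from the ScriptLogic paper): summarize who did what
# from the security log. IDs 4625 (failed logon) and 4663 (object access
# attempt) are the Windows Server 2008+ security log IDs; the one-day
# window is an assumption.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'Security'; Id = 4625, 4663; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The named EventData fields are easiest to read from the event's XML form.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($e.Id -eq 4625) {
        $who = $data['TargetUserName']; $where = $data['IpAddress'];  $what = 'Failed logon'
    } else {
        $who = $data['SubjectUserName']; $where = $data['ObjectName']; $what = 'Object access'
    }
    [pscustomobject]@{ When = $e.TimeCreated; Who = $who; What = $what; Where = $where }
}

# Who did what, most frequent first; the full rows stay in $rows for drill-down.
$rows | Group-Object Who, What | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Who / What'; e = { $_.Name } } | Format-Table -AutoSize
```

Running this on a member server rather than a domain controller shows only that machine's security log, so collecting from every host is where the log management tools mentioned above come in.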
