Active Directory Auditing Recently, I hosted a webinar Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast. In this blog I am going to share some resources that were discussed during the webinar. Although auditing Active Directory (AD) and Group Policy (GP) has not changed a whole lot since Server 2008, there are additional resources and some old standards that require reminders from time to time. The topics discussed in the webinar were around core techniques and challenges of auditing AD and GP, changes over the years, and some PowerShell techniques to add to our tool box. Here are some resources to explore…

Microsoft Protocol Documentation

When embarking on an auditing effort or doing any kind of forensics, having a deep understanding of how a particular technology works is important. Staring at a massive pile of events around technologies can cause your head to hurt. But, knowing what you are looking for essentially causes the needle in the haystack to grow exponentially. The details of Microsoft technologies are documented in Protocol Documents you can find on MSDN. These documents, often referred to as Technical Specifications, were the outcome of an incredibly large effort on the part of the engineering teams at Microsoft. All traffic that traverses a wire is documented in the specifications and the level of detail is just incredible. Here are a few for Active Directory, GP Auditing, Core GP and GP Security:

Microsoft Auditing Time – Great for Audit Planning

Check out the paper from Microsoft that goes through, in excruciating detail, audit categories and details around audit events in Windows 10 and Windows Server 2016. The information is relevant to previous versions of the OS as well. It is only 730+ pages, so some light reading while eating lunch! I’m finding it a great reference for whenever I am in a discussion around Audit planning for an organization. One key to successful auditing is to only collect what you need and what you will actually consume. Some super chatty audit categories exist and will just clog up your logs while providing little to no value.

Auditing Group Policy

There are a few areas of GP Auditing that present challenges. There are also some very interesting GP-related security implications that are worth exploring. Understanding implications around GPO Discoverability, or the ability to use GP data to locate systems where individual users have rights, was a topic of discussion at this year’s Blackhat conference. My colleague Darren, GP MVP and founder of SDM Software, put up an interesting few blog posts recently that are worth exploring. Check out some of these posts around ‘Security fun with Bloodhound’, ‘Changes in GP Processing Behavior’ and an overview of ‘GP Permissions’. One of my favorite GP-related resources for troubleshooting and auditing has been around for a long time. This paper explores the formulaic approach of events and categories of those events, specifically related to Group Policy. If you work quite a bit in Group Policy and want to control your auditing only to those events that are relevant it’s an important resource.

AD forensics, PowerShell and a MS Blog to Watch

The last resource is really a plug for someone else. Ashley McGlone (goateePFE) is one of those people that are full of information, are entertaining and practical. The information that he shares on his blog is some of the best. The sessions that he delivered for the Microsoft Virtual Academy are just great. So full of information that you may find yourself finding a specific module (module 7 for AD forensics) and watch it over and over.

Summary

Auditing and performing some type of forensic analysis on Active Directory and Group Policy is a challenging prospect. It is not impossible, and with some commitment to learning it becomes quite easy and intuitive. Spend the time exploring some of these resources and build up your inherent skills and knowledge in the area – it will be a huge benefit. The sheer complexity of the architecture, and the huge body of data that can be generated through auditing is why so many great software solutions have sprung up in the ISV community over the years. Knowledge is great, but having the right tools to be efficient is also critical. If you didn't catch my webinar live, you can watch it now - Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast.