Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track

October 27, 2016


Active Directory Auditing

Recently, I hosted a webinar, "Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast." In this blog I am going to share some of the resources that were discussed during the webinar. Although auditing Active Directory (AD) and Group Policy (GP) has not changed a whole lot since Server 2008, there are additional resources, and some old standards, that deserve a reminder from time to time.

The topics discussed in the webinar were around core techniques and challenges of auditing AD and GP, changes over the years, and some PowerShell techniques to add to our tool box. Here are some resources to explore…

Microsoft Protocol Documentation

When embarking on an auditing effort, or doing any kind of forensics, a deep understanding of how a particular technology works is important. Staring at a massive pile of events can make your head hurt. But knowing exactly what you are looking for makes the needle in the haystack much easier to find.

The details of Microsoft technologies are documented in the Protocol Documents you can find on MSDN. These documents, often referred to as Technical Specifications, were the outcome of an incredibly large effort on the part of the engineering teams at Microsoft. Every exchange that traverses the wire is documented in the specifications, and the level of detail is just incredible. Here are a few for Active Directory, GP Auditing, Core GP, and GP Security:

    • MS-ADTS - https://msdn.microsoft.com/en-us/library/cc223122.aspx
    • MS-GPAC - https://msdn.microsoft.com/en-us/library/dd973843.aspx
    • MS-GPOL - https://msdn.microsoft.com/en-us/library/cc232478.aspx
    • MS-GPSB - https://msdn.microsoft.com/en-us/library/cc232743.aspx

Microsoft Auditing Time – Great for Audit Planning

Check out the paper from Microsoft that goes through, in excruciating detail, the audit categories and the individual audit events in Windows 10 and Windows Server 2016. The information is relevant to previous versions of the OS as well. It is only 730+ pages, so some light reading while eating lunch! I'm finding it a great reference whenever I am in a discussion around audit planning for an organization. One key to successful auditing is to collect only what you need and what you will actually consume. Some super chatty audit categories exist, and they will just clog up your logs while providing little to no value.
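As an added example that is not from the webinar or the Microsoft audit paper, the PowerShell below uses the built-in auditpol tool to inventory which audit subcategories are currently enabled on a Windows system and flags any that are not in an approved baseline (the baseline list here is a constructed placeholder), so that each enabled subcategory can be justified against who will actually consume its events:

```powershell
# Added example: inventory the effective audit policy so every enabled
# subcategory can be matched to a detection or compliance requirement.
# Assumes an elevated session on the Windows host (DC or member) being reviewed.
# "auditpol /get /category:* /r" emits CSV with an "Inclusion Setting" column.
$rows = auditpol /get /category:* /r | ConvertFrom-Csv

# Keep only subcategories that are switched on (Success, Failure, or both).
$enabled = $rows |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object @{ n = 'Subcategory'; e = { $_.Subcategory } },
                  @{ n = 'Setting';     e = { $_.'Inclusion Setting' } }

# Review list: each line should map to something a person or a SIEM rule
# actually reads; if nobody consumes it, it is only filling the log.
$enabled | Sort-Object Subcategory | Format-Table -AutoSize

# Constructed placeholder baseline; replace with the subcategories your
# organization has agreed to collect and keep it in source control.
$baseline = @(
    'Logon', 'Logoff', 'Account Lockout',
    'Directory Service Changes', 'Audit Policy Change',
    'Security Group Management', 'User Account Management'
)

# Anything enabled but not in the baseline is a candidate to trim.
$unexpected = $enabled | Where-Object { $baseline -notcontains $_.Subcategory }
if ($unexpected) {
    Write-Warning 'Enabled subcategories not in the baseline (candidates to trim):'
    $unexpected | Format-Table -AutoSize
}
```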

Auditing Group Policy

There are a few areas of GP auditing that present challenges. There are also some very interesting GP-related security implications that are worth exploring. Understanding the implications of GPO discoverability, or the ability to use GP data to locate systems where individual users have rights, was a topic of discussion at this year's Black Hat conference. My colleague Darren, GP MVP and founder of SDM Software, recently put up a few interesting blog posts that are worth exploring. Check out some of these posts around 'Security fun with Bloodhound', 'Changes in GP Processing Behavior', and an overview of 'GP Permissions'.

One of my favorite GP-related resources for troubleshooting and auditing has been around for a long time. This paper explores the formulaic approach to events, and the categories of those events, specifically related to Group Policy. If you work quite a bit in Group Policy and want to limit your auditing to only those events that are relevant, it's an important resource.

AD forensics, PowerShell and a MS Blog to Watch

The last resource is really a plug for someone else. Ashley McGlone (goateePFE) is one of those people who is full of information, entertaining, and practical. The information that he shares on his blog is some of the best. The sessions that he delivered for the Microsoft Virtual Academy are just great, so full of information that you may find yourself picking out a specific module (module 7 for AD forensics) and watching it over and over.

Summary

Auditing and performing some type of forensic analysis on Active Directory and Group Policy is a challenging prospect. It is not impossible, and with some commitment to learning it becomes quite easy and intuitive. Spend the time exploring some of these resources and build up your own skills and knowledge in the area; it will be a huge benefit. The sheer complexity of the architecture, and the huge body of data that auditing can generate, is why so many great software solutions have sprung up in the ISV community over the years. Knowledge is great, but having the right tools to be efficient is also critical.

If you didn't catch my webinar live, you can watch it now: "Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast."

Kevin Sullivan, former Group Policy MVP and Configuration Management Expert

Kevin brings a strong history of software operations, strategy, capital fundraising, and mergers and acquisitions to BeyondTrust, where he is responsible for the company’s day to day operations. Kevin joined BeyondTrust by way of the company’s acquisition of eEye Digital Security, where he served as CEO and Chairman. Under Kevin’s leadership, eEye experienced significant growth, launched several 'market-first' security solutions and brought the company back to category leadership. Prior to joining eEye, Kevin was CEO of NetPro Computing, where he helped grow the business before concluding its very successful sale to Quest Software. Kevin has also served as the president and CEO of Homebid.com, where he secured funding and eventually sold the business to industry leader HomeStore.com. During his seven years as president and COO at Viasoft Inc., Kevin led the company through a successful initial public offering prior to its sale. Kevin started his IT career at IBM, serving in several key marketing and executive business management roles.
