Best Practices for AD Auditing and Recovery

Organizations are required to produce ever-growing amounts of information regarding the activities of users and administrators. Driven by compliance or security requirements, this information often covers nearly every aspect of everyday network administration, such as the management of AD users, groups, desktops, servers, files, folders, applications, and more.

For organizations that must track changes, audit privileged user activity, and seamlessly roll back objects that are deleted from the AD infrastructure, help is needed to provide insights into complex changes that can’t always be seen with the naked eye.

This blog summarizes the needs for AD auditing and recovery, common solutions to address these needs, and a checklist of required AD auditing functionality.

Needs for auditing and recovery in Active Directory

Let’s take a look at the core requirements necessary in a comprehensive AD auditing and recovery solution.

• Tracking of changes: The AD admin needs to have the ability to check manually, as well as be notified immediately, when a change occurs to any aspect of AD.
• Entitlement reporting: The AD admin must know who has access to which resources to identify potential exposures of sensitive information and intellectual property.
• Granularity of objects rolled back: The AD admin must know exactly what was modified or deleted in order to recover from the issue quickly.

Native options

Microsoft has made tremendous headway in providing auditing for AD changes and the ability to bring an object back once it has been deleted. Although Microsoft provides both of these capabilities separately, neither one is a complete solution for the administrator who needs to manage AD.

• Auditing via Event Viewer logs: While auditing controls will create entries in the security log within Event Viewer when a change triggers a setting, limiting factors include decentralized storage of the security logs from multiple domain controllers, lack of information within the log entry regarding the old setting, and the inability to recover the object/configuration from the audit log.
• Recovery via System State: When the System State is backed up, it must backup the entire System State, including all of the other aspects (Registry, COM+, etc.), including all of the AD objects that have not changed. For large organizations, this wholescale backup can take a long time, not to mention filling up terabytes of space. With such a large backup to work with, the efficiency to find what you are looking for and the ability to restore just what you need can be a complicated task, especially if you are relying squarely on the auditing to indicate what was changed and when it was changed.
• Recovery via Recycle Bin: The technology does provide the administrator the ability to restore one or more deleted objects, along with all of their properties. Unfortunately, there are limitations with the Active Directory Recycle Bin, including time limitations for restore, no auditing of behavior, and no recovery from changed properties.

Overcoming native limitations

A well-managed Active Directory environment will integrate the concepts of auditing and recovery into one streamlined system to deliver fast and accurate rollback and recovery.

Real-time integrated auditing and recovery

With real-time change management, an administrator has the ability to quickly find a deleted or modified object in the audit log and, from the same entry, rollback all or part of the object to fix the errant modification. This real-time management capability reduces the time required to find the entry in two different logs (audit and recovery) and allows for granular control over what is to be restored.

Rollback of objects down to the attribute level

The continuous tracking of all activities in the AD database should provide a clear and concise look at what exactly was changed and who made the changes. The database also should provide information regarding what the old attribute level setting was and what the new setting currently is. This provides the administrator with precision control over which object and/or attribute will be rolled back.

Reporting on object and entitlement changes over time

Reports should display all aspects of the object, including modifications, deletions, and rollbacks. The reports should also be customized to show specific object deletions and/or modifications over a set period of time, to support easier change management controls over AD.

Look for a centralized view of enterprise access, as well as drill-down capability into any privilege to find out how access to a resource was granted — and then click to roll back the change to return to the previous state with the appropriate access privileges set.

Next steps

BeyondTrust PowerBroker Auditor and Recovery for Active Directory is part of the BeyondTrust PowerBroker Auditing & Security Suite which centralizes real-time change auditing for Active Directory, File Systems, Exchange, SQL, and NetApp; restores Active Directory objects or attributes, and helps to establish and enforce entitlements across AD and file systems. Through simpler administration, IT organizations can mitigate the risks of unwanted changes and better understand user activity to meet compliance requirements.

For more on PowerBroker Auditor and Recovery, including a checklist for required auditing and recovery features, download the white paper, or contact us today.