Wednesday, May 27, 2015

Active Directory auditing - 3rd party tools - the example of AD Audit Plus (2)

In the previous blog post, we installed and configured ManageEngine's AD Audit Plus with the objective of looking at some of the features it offers beyond native Active Directory auditing tools.

It would require dozens if not hundreds of pages to illustrate all the features. For example, with appropriate licensing, AD Audit Plus can audit File Servers (file creation, modification and deletion), on both Windows File Servers as well as 3rd party file storage such as EMC and NetApp:


For the sake of concision, I'll concentrate on some examples of Active Directory auditing that are found essentially under the Reports tab (once we have opened the application by clicking on the AD Audit Plus icon on the desktop):

AD Audit Plus seemed to start auditing immediately, even before I had logged on with some test users in various scenarios (successful logon, failed logon, locked-out account). I first lowered the account lockout threshold to 3 failed attempts (so I would not have to fail 10 times to trigger a lockout). AD Audit Plus recorded this as a change to the Default Domain Policy, i.e. as a Group Policy change:


Otherwise, we can view user logons (both success and failure - none here) and filter by user and by period (last 24 hours, last 12 hours, last hour...):

If we want to exclude accounts (service accounts, for example) so they do not fill up the logs, we can click on the "Exclude User Accounts" icon in the upper right-hand corner. This takes us to the Admin section of the console where we can specify those accounts:

We can view logon failures from several perspectives. This view shows logon failures in general:

And this view is per user (we can see the number of logon failures for each user):

We can also view locked out users:

This view shows us the last logon time:

While we could probably accomplish any one of these audits with native Active Directory filtering or an elaborate enough PowerShell script, AD Audit Plus provides the desired information in a very readable and (in my opinion) user-friendly interface.
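As an added example (not code from the blog post or from ManageEngine), here is what the "elaborate enough PowerShell script" looks like for the reports shown above: logon successes and failures for a period with excluded accounts, failures per user, locked-out users and last logon time. It assumes it runs on a domain controller with the RSAT ActiveDirectory module and with logon, account lockout and Kerberos authentication auditing enabled via Group Policy; the excluded service account names are constructed for illustration.

```powershell
# Added example, not from the blog post or from ManageEngine: native equivalents of the
# AD Audit Plus logon, lockout and last-logon reports. Assumes a domain controller with
# the RSAT ActiveDirectory module and the Security log populated by audit policy.
Import-Module ActiveDirectory

# Accounts to leave out of the report, like the "Exclude User Accounts" setting
# (constructed service account names, for illustration only).
$Excluded = @('svc_backup', 'svc_monitoring')
$Since    = (Get-Date).AddHours(-24)   # the "last 24 hours" period filter

# Event IDs on a DC: 4624 successful logon, 4625 failed logon (logged on the host where the
# logon was attempted), 4771 Kerberos pre-authentication failed (the usual domain-wide
# "bad password" event), 4776 NTLM credential validation (failures carry a non-zero Status).
$Ids = 4624, 4625, 4771, 4776

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data   # <Data Name="...">value</Data> elements
        $status = ($data | Where-Object { $_.Name -eq 'Status' }).'#text'
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            # 4624/4625/4771 carry IpAddress, 4776 carries Workstation
            Source  = (($data | Where-Object { $_.Name -in 'IpAddress', 'Workstation' }).'#text') -join ','
            # NTSTATUS for 4625/4776 (0xC000006A bad password, 0xC0000234 locked out);
            # Kerberos error code for 4771 (0x18 = pre-authentication failed)
            Status  = $status
            Outcome = if ($_.Id -eq 4624 -or ($_.Id -eq 4776 -and $status -eq '0x0')) { 'Success' } else { 'Failure' }
        }
    } |
    Where-Object { $_.User -notlike '*$' -and $_.User -notin $Excluded }   # drop computer and excluded accounts

# "User logons" view: successes and failures, newest first.
$logons | Sort-Object Time -Descending | Format-Table Time, EventId, Outcome, User, Source, Status -AutoSize

# "Logon failures per user" view.
$logons | Where-Object Outcome -eq 'Failure' | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count | Format-Table -AutoSize

# "Locked out users" view.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# "Last logon time" view. LastLogonDate is derived from the replicated lastLogonTimestamp,
# which can lag the real last logon by up to 14 days by default; the exact lastLogon value
# is not replicated and would have to be collected from every DC and compared.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Sort-Object LastLogonDate -Descending |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```

The script illustrates the point made above: each report is reachable natively, but only after knowing which event IDs a domain controller actually writes for each case and which fields to pull out of the event XML, which is the work the product's pre-built reports do for you.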

Under the Configuration tab, AD Audit Plus also has pre-configured "Alert Profiles" such as "Modified Admin Groups", for which an email can be sent if members are added to or removed from the admin groups (by default "Administrators", "Domain Admins", "Enterprise Admins" and "Schema Admins"):

Under the "E-mail Notify" column, we can click on the "Configure" link which displays the Alert Profile. We can configure an email address to which the alert will be sent:

If we look in the Report Profile Categories, we can see the configuration of the alert itself (for example, what triggers it; next two screenshots):
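For comparison with the "Modified Admin Groups" alert profile, here is an added example (not code from the blog post or from ManageEngine) of the same alert built from native tooling: a script meant to run from a scheduled task on a domain controller, which looks back over the last interval for group membership changes to the four default admin groups and emails a summary. It assumes "Audit Security Group Management" is enabled; the SMTP server, addresses and the 15-minute interval are placeholders to adjust.

```powershell
# Added example, not from the blog post or from ManageEngine: native equivalent of the
# "Modified Admin Groups" alert. Run from a scheduled task on a DC with
# "Audit Security Group Management" enabled. SMTP host and addresses are placeholders.
$AdminGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')
$Lookback    = (Get-Date).AddMinutes(-15)   # match this to the scheduled task interval
$SmtpServer  = 'smtp.example.local'         # placeholder
$MailTo      = 'soc@example.local'          # placeholder
$MailFrom    = 'dc-audit@example.local'     # placeholder

# Member added / removed: 4728/4729 global groups (Domain Admins), 4732/4733 domain local
# groups (Administrators), 4756/4757 universal groups (Enterprise Admins, Schema Admins).
$AddedIds   = 4728, 4732, 4756
$RemovedIds = 4729, 4733, 4757
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = ($AddedIds + $RemovedIds); StartTime = $Lookback } -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $field = { param($name) ($data | Where-Object { $_.Name -eq $name }).'#text' }

    $group = & $field 'TargetUserName'       # in these events TargetUserName is the group
    if ($AdminGroups -notcontains $group) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = if ($AddedIds -contains $e.Id) { 'Added' } else { 'Removed' }
        Group  = $group
        Member = & $field 'MemberName'       # distinguishedName of the account added/removed
        By     = (& $field 'SubjectDomainName') + '\' + (& $field 'SubjectUserName')
        DC     = $e.MachineName
    }
}

if ($changes) {
    $body = $changes | Sort-Object Time | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -To $MailTo -From $MailFrom `
        -Subject "ALERT: admin group membership changed ($(@($changes).Count) event(s))" -Body $body
}
```

Two things the product handles that this script does not: the events are only on the DC that processed the change, so the task has to run on every DC (or read from a central collector), and Send-MailMessage sends in the clear unless you add -UseSsl and credentials, which is worth doing for an alert that names privileged accounts.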


So that's a sort of preview of the features offered by one of the better-known 3rd party Active Directory auditing tools on the market. Of course, the reader would do well to test it themselves (or one of the other products reviewed in the article by Eric B. Rux - see my previous blog post) and determine if it works for them.

Does such a product present significant advantages over native Active Directory auditing tools and PowerShell scripts? I would argue that it does, and certainly for larger environments or environments where accountability is important. But what do you think? Please feel free to comment in the space below.

1 comment:

  1. Great! In this article the concept is very clear and helpful. It describes the most valuable information related to Active Directory auditing, such as object access, account logon events, policy change, etc. I found nice information related to this, with which to maintain a safe and secure Active Directory environment and track who made changes, when and where.