Webinar 1524 Slides

The document discusses how to configure Active Directory to audit security group membership changes. It covers enabling the necessary audit policies, interpreting the log events, and monitoring for changes to privileged groups. It emphasizes the importance of tracking changes to privileged groups beyond just the built-in 'Administrators' group.

10/11/2018

Tracking Group Membership Changes in Active Directory

© 2018 Monterey Technology Group Inc.

Sponsored by / Made possible by / Thanks to: (sponsor logos)
Preview of Key Points

• Correctly configure all domain controllers to audit security group membership changes
• Determine if you should also audit distribution group changes
• Find group membership additions and deletions in the security log. Some of the events we'll talk about are 4728, 4729, 4732, 4733, 4756 and 4757
• How to identify who made the change, which group was affected and who the member is

Audit Policy

• Default Domain Controllers Policy GPO
  – Ensure advanced audit policy overrides the legacy category settings (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings")
  – Enable "Audit Security Group Management" (Account Management category), at least for Success
• Verify on a sampling of DCs
  – Group Policy Results
  – auditpol /get /category:*
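The verification step above, as an added example that is not part of the webinar deck: it asks every DC for the effective setting of the Security Group Management subcategory (and optionally Distribution Group Management) and for the registry value behind the "force subcategory settings" security option, so a DC where the GPO did not apply stands out. It assumes the ActiveDirectory module, WinRM access to the DCs, and English-language auditpol output (the match on 'Success' is locale-bound).

```powershell
# Added example (not part of the webinar deck): check every DC for the audit
# settings the slide calls for. Assumes the ActiveDirectory module, WinRM to
# the DCs, and English auditpol output (the 'Success' match is locale-bound).
Import-Module ActiveDirectory

$auditDistributionGroups = $false   # set $true if distribution lists route confidential mail
$subcats = @('Security Group Management')
if ($auditDistributionGroups) { $subcats += 'Distribution Group Management' }

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList (,$subcats) -ScriptBlock {
    param([string[]]$subcats)

    # "Audit: Force audit policy subcategory settings ... to override audit policy
    # category settings" is stored as SCENoApplyLegacyAuditPolicy = 1. Without it,
    # a legacy category-level setting can silently win over the subcategory.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $overrideOn = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    foreach ($s in $subcats) {
        # /r gives CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,
        # Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"$s" /r | Where-Object { $_ } | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            Subcategory = $s
            Setting     = $setting
            OverrideOn  = $overrideOn
            OK          = $overrideOn -and ($setting -match 'Success')
        }
    }
}

$results | Sort-Object DC, Subcategory | Format-Table DC, Subcategory, Setting, OverrideOn, OK -AutoSize
$bad = $results | Where-Object { -not $_.OK }
if ($bad) { Write-Warning "$($bad.Count) DC/subcategory pairs are not auditing group changes" }
```

Run it against all DCs rather than a sample when you can: a single DC that missed the GPO is exactly the one whose locally logged changes you will never see, and auditpol reports the effective setting, which is what matters, while Group Policy Results only shows what was supposed to apply.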
Groups in AD

• 2 types of groups
  – Security
    – Used for permissions and rights
    – Called "security enabled" in the security log
  – Distribution
    – Used in Exchange
    – Called "security disabled" in the security log
• Different audit subcategories for each type of group (Audit Security Group Management vs. Audit Distribution Group Management)

Audit Policy

• Audit distribution group changes?
  – Do you use distribution groups in Exchange to route confidential email?
Groups in AD

• Type
  – Security
  – Distribution
• Scope
  – Domain Local
  – Global
  – Universal
• Different event IDs for each combination of type, scope and operation

Group Scope in AD and Windows

Scope           Possible members                                   Where it can be assigned permissions
Domain Local    Users from the same and any trusted domain         Any computer in the same domain
Global          Users from the same domain only                    Any computer in the same or any trusting domain
Universal       Users from the same and any trusted domain         Any computer in the same or any trusting domain
Machine Local   Local users on the same computer, domain users     This computer
                from the same or any trusted domain
Event IDs for group changes

Type           Scope          Created   Changed   Deleted   Member Added   Member Removed
Security       Domain Local   4731      4737      4734      4732           4733
Security       Global         4727      4735      4730      4728           4729
Security       Universal      4754      4755      4758      4756           4757
Distribution   Domain Local   4744      4745      4748      4746           4747
Distribution   Global         4749      4750      4753      4751           4752
Distribution   Universal      4759      4760      4763      4761           4762

Interpreting a group membership change event

• Which group?
• Who was added/removed?
• When are removals important?
• Who made the change?
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
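The table and the four questions above, worked through as an added example that is not part of the webinar deck: it pulls the member-added and member-removed events for every type/scope combination from each DC's own Security log (the deck's later "bottom line" is that these logs are not replicated, so the loop over DCs is not optional) and reduces each event to the group, the member and the account that made the change. It assumes the ActiveDirectory module, remote event-log access to the DCs, and the EventData field names Microsoft uses for these events (TargetUserName/TargetSid for the group, MemberName/MemberSid for the member, SubjectUserName for the actor).

```powershell
# Added example (not part of the webinar deck): collect group-membership
# add/remove events from every DC and normalise them to who / group / member.
# Assumes the ActiveDirectory module and remote Security-log access to the DCs.
Import-Module ActiveDirectory

# Member-added / member-removed IDs from the slide table, keyed to an action label.
$memberEvents = @{
    4728 = 'Added'; 4729 = 'Removed'   # security global
    4732 = 'Added'; 4733 = 'Removed'   # security domain local (same IDs for local SAM groups on servers)
    4756 = 'Added'; 4757 = 'Removed'   # security universal
    4746 = 'Added'; 4747 = 'Removed'   # distribution domain local
    4751 = 'Added'; 4752 = 'Removed'   # distribution global
    4761 = 'Added'; 4762 = 'Removed'   # distribution universal
}

function Get-GroupChangeEvent {
    param(
        [string[]]$ComputerName,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $ComputerName) {
        # Each DC is queried separately: its Security log holds only the changes
        # that were written through that DC.
        $filter = @{ LogName = 'Security'; Id = @($memberEvents.Keys); StartTime = $StartTime }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # The XML view carries the EventData fields by name; the message text does not
            # survive a locale change, the field names do.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc
                EventId   = $e.Id
                Action    = $memberEvents[$e.Id]
                Group     = "$($d.TargetDomainName)\$($d.TargetUserName)"   # which group?
                GroupSid  = $d.TargetSid
                MemberDN  = $d.MemberName                                   # who was added/removed? ('-' when not recorded)
                MemberSid = $d.MemberSid
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)" # who made the change?
            }
        }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
$changes = Get-GroupChangeEvent -ComputerName $dcs -StartTime (Get-Date).AddDays(-7)

# The three views the deck recommends: by group, by member, by admin.
$changes | Group-Object Group     | Sort-Object Count -Descending | Select-Object Count, Name
$changes | Group-Object MemberDN  | Sort-Object Count -Descending | Select-Object Count, Name
$changes | Group-Object ChangedBy | Sort-Object Count -Descending | Select-Object Count, Name

# Removals matter when they are followed by a re-add (a temporary, self-granted
# membership), so keep both directions and sort by time when reviewing one group.
$changes | Where-Object Group -like '*\Domain Admins' |
    Sort-Object Time | Format-Table Time, DC, Action, MemberDN, ChangedBy -AutoSize
```

MemberSid rather than MemberName is the value to key alerts on: the DN in MemberName changes when an object is renamed or moved, and for a foreign security principal it is the SID that identifies the account in the trusted domain.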
How to monitor group changes

• Review regularly
• Analyze by
  – Group
  – Member
  – Admin
• Be alerted on privileged group changes
  – Not just system groups
  – Important application and user groups

Custom groups

• How to alert on custom privileged groups?
  – Naming convention
  – Static list
Nesting and privileged groups

• Windows allows group nesting
• How are you alerted when Bob is added to IT Staff, and IT Staff is itself a member of Administrators? The event you see is a change to IT Staff, not to Administrators.
  (diagram: Bob → IT Staff → Administrators)
Privileged group modifications

• Be sure to add all nested group members of privileged groups to the privileged groups list
• Whenever a new member is added to a group, recognize if it is a group instead of a user
  – Naming convention that distinguishes usernames from groups?
• Alert when a group is placed in a privileged group

Local SAM on servers

• Computer Management
  – Local Users and Groups
• Changes to a server's local groups are written to that server's own security log (4732/4733 for member added/removed), so those logs have to be collected as well
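The nesting problem from the previous two slides, as an added example that is not part of the webinar deck: it expands a seed list of privileged groups into every group that is transitively a member of one of them, using the LDAP_MATCHING_RULE_IN_CHAIN filter so the nesting depth does not matter, and then classifies the member named in a change event so that a group being placed into a privileged group can be alerted on more loudly than a single user. It assumes the ActiveDirectory module; the custom group name and the SIDs in the usage lines are hypothetical placeholders.

```powershell
# Added example (not part of the webinar deck): expand nesting so the privileged
# list covers every group that is transitively a member of a privileged group,
# and classify the member named in a change event as user vs group.
# Assumes the ActiveDirectory module; 'SQL-DBA-Prod' is a hypothetical custom group.
Import-Module ActiveDirectory

# Seed list: default privileged groups plus the custom/application groups you care about.
$seedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators',
                'SQL-DBA-Prod')   # hypothetical custom privileged group

function Get-PrivilegedGroupSet {
    param([string[]]$Seed)
    $set = @{}   # SID string -> distinguished name
    foreach ($name in $Seed) {
        $g = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $g) { Write-Warning "group '$name' not found"; continue }
        $set[$g.SID.Value] = $g.DistinguishedName
        # memberOf:1.2.840.113556.1.4.1941:= walks the membership chain on the server,
        # so a group nested two or three levels deep is returned by this one query.
        Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
            ForEach-Object { $set[$_.SID.Value] = $_.DistinguishedName }
    }
    $set
}

function Test-GroupChange {
    param(
        [hashtable]$Privileged,   # output of Get-PrivilegedGroupSet
        [string]$GroupSid,        # TargetSid from a 47xx member-added/removed event
        [string]$MemberSid        # MemberSid from the same event
    )
    # Not a privileged group (directly or by nesting): nothing to alert on.
    if (-not $Privileged.ContainsKey($GroupSid)) { return $null }

    # Resolve the member by SID instead of trusting a naming convention; a SID from
    # a trusted domain resolves to a foreignSecurityPrincipal, an unknown one to $null.
    $member = Get-ADObject -Filter "objectSid -eq '$MemberSid'"
    $class  = if ($member) { $member.ObjectClass } else { 'unresolved' }

    [pscustomobject]@{
        Group       = $Privileged[$GroupSid]
        Member      = if ($member) { $member.DistinguishedName } else { $MemberSid }
        MemberClass = $class
        # A group placed into a privileged group silently makes all of its members
        # privileged, so it gets a higher severity than a single user.
        Severity    = if ($class -eq 'group') { 'High (group nested into privileged group)' } else { 'Medium' }
    }
}

$priv = Get-PrivilegedGroupSet -Seed $seedGroups
$priv.Values | Sort-Object   # the full list to feed your alerting, nested groups included

# Usage with values taken from an event's TargetSid and MemberSid (placeholder SIDs):
Test-GroupChange -Privileged $priv -GroupSid 'S-1-5-21-0-0-0-512' -MemberSid 'S-1-5-21-0-0-0-1105'
```

Get-ADGroupMember -Recursive is the obvious alternative, but it flattens the nesting and returns only the leaf users and computers; here the nested groups themselves are what must land on the privileged list, which is why the matching-rule filter is used. Rebuild the set whenever Test-GroupChange reports a group being added, since that event is exactly the moment the privileged set grew.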
Bottom line

• Remember each DC logs only the changes originating on it, and security logs are not replicated between domain controllers.
• Other gaps

Derek Melber, Microsoft MVP, will show you how to leverage the security logs to gain insights into privileged group changes. Not just the "admin" groups, but all groups that have privileges. These groups are located in Active Directory and locally on servers and workstations. Derek will show you how to not only monitor group changes, but also receive real-time alerts when these groups change, so you can take immediate action for errant changes.

Derek Melber
[email protected]
About Your Speaker

• Derek Melber
  – Chief Technology Evangelist
  – MVP (AD and Group Policy)
  – [email protected]
• Online Resources
  – ManageEngine Active Directory Blog
  – Security Hardening Site
  – Download free Dummies book
• 2018 World Tour
Agenda

• Limitations of Event Viewer
• The need to track privileged group changes
• What are privileged groups… finding them
• How to leverage Event Viewer to track privileged group changes

Limitations of the Event Viewer
Limitations of the Event Viewer

• Each Security Log is unique to each DC
• Size of the log can be an issue (the oldest events are overwritten first, FIFO)
• No reporting of events
• Alerting is possible… but limited

The need to track privileged group changes
The need to track privileged group changes

• Privileged groups have the ability to administer and make changes
• Privileged groups have access to more than a standard user
• A change to a privileged group could give immediate access to resources
• Not knowing about changes allows access without your knowledge
• If the CEO were added to your Domain Admins group… would you care?

Finding privileged groups
What are privileged groups… finding them

• Default groups
  – Domain Admins
  – Enterprise Admins
  – …
• Application/Service groups
  – Exchange
  – SharePoint
  – …
• Custom groups

Tracking privileged group changes
Leveraging Event Viewer to track privileged groups

• Once auditing is set up, all changes go through Event Viewer – Security Log
• We know the limits of the Event Viewer
• What is required
  – A solution that gathers key events from the security log of every DC and server
  – Allows for generation of reporting of historical changes per group
  – Allows for real-time alerting when a privileged group changes
  – Allows for easy customization of new privileged groups when they are created

Summary

• Limitations of Event Viewer
• The need to track privileged group changes
• What are privileged groups… finding them
• How to leverage Event Viewer to track privileged group changes
Thank you!
Derek Melber
[email protected]
