ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What is the optimal set of administrative tasks to audit in Active Directory?


Member

Posts: 6
Date: Jun 11, 2010
What is the optimal set of administrative tasks to audit in Active Directory?


Hi Guys,

 

I am trying to figure out an optimal list of the set of administrative tasks that we should audit in our Active Directory.

 

While disk space is cheap, there’s no point dealing with extraneous data, so it would be helpful to figure out the core (essential) identity and access management tasks that we should definitely specify auditing for.

 

For example, the usual account and group management tasks are certainly in, but what about tasks such as the upload of a picture on a user account, or the linking of a group policy to a site object, or the change in permissions to a service connection point?

 

I look forward to your thoughts and suggestions.

 

Over & out,

Benji



__________________
Tower, this is Ghost Rider requesting a flyby!


Veteran Member

Posts: 28
Date: Jun 27, 2012
RE: What is the optimal set of administrative tasks to audit in Active Directory?


Hi Benji,

Yes, the more judicious you are about what you audit in Active Directory, the more value you'll derive out of auditing -

Here are some tasks that come to mind - 

  1. Domain user/computer account /security group account creations
  2. Domain user/computer account /security group deletions
  3. Domain user account password resets
  4. Domain user account status changes (i.e. disabled to enabled state)
  5. Domain security group membership changes
  6. All object security permission changes (i.e. changes in delegations)
  7. OU creations/deletions/GPO linking changes/ security permission changes

This is not a complete list, but I think it is the crux of what to audit, in addition of course to Schema changes and Config partition changes.

Also, in addition to auditing, you should also always know who can perform these tasks in your Active Directory to begin with. This helps verify that only authorized personnel can carry out these tasks.

Hope this helps.  

Jack.



__________________

We will NEVER forget.
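As an added example (not part of either post above), the task list in the reply can be expressed as a triage filter over Windows Security log events, so that only the listed tasks are kept and everything else is dropped. The event IDs and the 5136 field names are the standard Windows ones; the task labels, the dict layout and the sample events are constructed for illustration, and the samples include the three cases raised in the question (picture upload, GPO link on a site, permission change on a service connection point).

```python
from collections import Counter

# Standard Windows Security log event IDs, grouped by the reply's list items 1-5.
ACCOUNT_EVENTS = {
    **dict.fromkeys((4720, 4741, 4727, 4731, 4754), "1. account/group creation"),
    **dict.fromkeys((4726, 4743, 4730, 4734, 4758), "2. account/group deletion"),
    4724: "3. password reset",
    **dict.fromkeys((4722, 4725), "4. account status change"),
    **dict.fromkeys((4728, 4729, 4732, 4733, 4756, 4757), "5. group membership change"),
}
# Event 5136 (directory object modified) is triaged by the attribute written.
DS_ATTRIBUTES = {
    "ntsecuritydescriptor": "6. permission change",
    "gplink": "7. GPO link change",
}

def classify(event):
    """Return the audit task an event belongs to, or None if it is not core."""
    eid = event["EventID"]
    if eid in ACCOUNT_EVENTS:
        return ACCOUNT_EVENTS[eid]
    if eid == 5136:
        return DS_ATTRIBUTES.get(event.get("AttributeLDAPDisplayName", "").lower())
    # 5137 = directory object created, 5141 = directory object deleted
    if eid in (5137, 5141) and event.get("ObjectClass", "").lower() == "organizationalunit":
        return "7. OU creation" if eid == 5137 else "7. OU deletion"
    return None

def summarize(events):
    """Count core audit tasks, dropping events outside the list."""
    return Counter(task for task in map(classify, events) if task)

# Constructed sample events (not real log data), already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "jdoe"},
    {"EventID": 4724, "TargetUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "Domain Admins"},
    {"EventID": 4756, "TargetUserName": "Enterprise Admins"},
    {"EventID": 5136, "ObjectClass": "user", "AttributeLDAPDisplayName": "thumbnailPhoto"},
    {"EventID": 5136, "ObjectClass": "site", "AttributeLDAPDisplayName": "gPLink"},
    {"EventID": 5136, "ObjectClass": "serviceConnectionPoint", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5137, "ObjectClass": "organizationalUnit"},
    {"EventID": 5137, "ObjectClass": "user"},  # user creation is already counted via 4720
]

if __name__ == "__main__":
    for task, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{count:2d}  {task}")
```

The 5136/5137/5141 events are only written when the Directory Service Changes audit subcategory is enabled and the affected objects carry a matching SACL, so the filter sees nothing for items 6 and 7 until both are in place.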
