How to select a good audit tool for Active Directory
Hi All, I am tasked with performing a security audit of our Active Directory, covering all the salient aspects, such as account management, group management, OU management, and management of delegated access rights in Active Directory.
This obviously is not that easy an undertaking and our team simply does not have the time or the resources to come up with in-house scripts or the like to perform our audit. We also do not know yet exactly what we should be covering but are starting to build a list.
It would be quite beneficial to have some sort of a dedicated automated solution that we can use to perform such audits, especially on a frequent basis, and so I thought of tapping into this forum to get some experience-based suggestions on what might be some criteria on which to select a good audit tool for Active Directory.
One of the reasons for my question is that there appears to be so much choice, and while so many vendors promise the sky, come evaluation time, their tools barely deliver. We don't have too much time to look for the right tools, so I thought of tapping into this forum with the hope of hearing from others in a similar boat.
Shalom. As IT admins, I think we've all dealt with vendors at some point or the other, and in the AD audit field there are certainly many tools to choose from.
Here in Israel, we're very security conscious, to the extent that I am unable to reveal what tool we use, because doing so might reveal the extent of our security.
I can however share a few points that we considered when selecting an AD audit tool, which are as follows:
I. Security - To us, how trustworthy a tool is is the most important consideration. It is so important because most of us using it are Domain Admins, and the last thing we want is untrustworthy code running under our security credentials.
In this regard, we came across many tools that were quite cheap, but when we asked where they were built, most of them were built in places we just don't trust. For instance, one was built in Pakistan, another one in India, and even a very prominent vendor's tool was built in Russia! There is no way we are running anything built in Russia in our environment.
II. Reliability - The second most important factor for us was reliability, and that too is largely based on the level of knowledge and proficiency of the engineers who built the tool and the support technicians who support it.
This is very important because when you're making critical security decisions the last thing you want is to make decisions based on bad data, and the easiest way to obtain bad data is to rely on a tool built by non-SMEs / inexperienced developers / script kiddies.
III. Functionality - For us, functionality isn't the most important since most tools offer similar capabilities when it comes to basic AD audit capabilities.
When you get into advanced but essential AD audit capabilities, the choices very quickly dwindle because you're left with offerings from solid vendors who truly understand the space and subject matter and are amongst the best.
IV. Cost - Cost has always been the last factor for us. That is because our management chain understands just how important Active Directory security is. They understand that if our AD gets compromised, the security of the entire organization could be jeopardized.
I hope that my input helps you in making the right decisions. It is very easy to overlook these factors, but these, in our opinion, are the most important factors, especially when you're running as Domain Admin, even if you use Run As, because it's just not worth any risk.
Thank you for sharing your thoughts on this important subject. This is an often overlooked area of security, and it's good to see you guys in Israel take this seriously.
As such, the United States and Israel both have to be extremely vigilant against attacks, both physical and cyber attacks. Here in D.C. we take this especially seriously, and we've all been recently giving thought to the security of the very tools we admins use as well.
Here in the U.S., we too share your point of view, in that I don't think any IT admin at any U.S. organization, in their right minds, would deploy a tool built in Russia!
After all, doing so, especially in a production environment, could be the easiest thing we could do to compromise our security. I mean, who knows who built the tool, where it was really built, how secure it is, how much it was tested, etc.
I appreciate you sharing your thoughts in this regard. Thanks for your input.
I think as IT admins/analysts we have all struggled with this question some time or the other.
In my own experience I have found that while there is a lot of choice when it comes to basic Active Directory management and reporting tools, the choices substantially narrow down when it comes to tools related to delegated access reporting.
By the way, I mention this because you seemed to indicate that you were interested in delegated access reporting as well.
One thing I will point out in this regard is that while many vendors claim to provide access reporting, most of them are just providing the ability to find out who has what permissions where in Active Directory, and we all know those aren't access reports at all because they don't take effective access into account.
A true delegated access report is one that takes into account effective access in Active Directory, and can determine the resultant-set-of-permissions (RSOP) in Active Directory and show us who can really do what in our Active Directory deployments.
When it comes to a true delegated access reporting tool, there is only one tool that I know of, based on my own research, that can actually do so in Active Directory.
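Added example (my own illustration, not code from any poster or vendor tool): a simplified model of the distinction Johnny draws between listing who is named in an OU's ACL and computing effective access. The users, groups and ACL are constructed; the access check follows Windows canonical ACE ordering in simplified form (no object-specific ACE types or inheritance flags).

```python
from collections import namedtuple

# kind: "allow"/"deny"; trustee: user or group named; rights: frozenset; inherited: from a parent
Ace = namedtuple("Ace", "kind trustee rights inherited", defaults=[False])

# Constructed nested membership (not a real directory): alice -> HelpDesk-Leads -> OU-Admins
GROUP_MEMBERS = {
    "OU-Admins": {"HelpDesk-Leads"},
    "HelpDesk-Leads": {"alice"},
    "Contractors": {"bob"},
}

# Constructed ACL on a hypothetical "Sales" OU: bob is explicitly allowed
# ResetPassword, but Contractors (which bob belongs to) is explicitly denied it.
SALES_OU_ACL = [
    Ace("allow", "bob", frozenset({"ResetPassword"})),
    Ace("allow", "OU-Admins", frozenset({"ResetPassword", "WriteMembers"})),
    Ace("deny", "Contractors", frozenset({"ResetPassword"})),
]

def expand_groups(principal):
    """Return the principal plus every group it belongs to, transitively."""
    tokens, frontier = {principal}, [principal]
    while frontier:
        member = frontier.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in tokens:
                tokens.add(group)
                frontier.append(group)
    return tokens

def named_trustees(acl):
    """What a plain 'who has what permissions' report shows: trustees named in ACEs."""
    return {ace.trustee for ace in acl}

def effective_access(acl, principal, requested):
    """Simplified Windows access check: explicit ACEs before inherited ones, deny
    before allow within each; the first deny hitting an outstanding right wins."""
    tokens, remaining = expand_groups(principal), set(requested)
    for ace in sorted(acl, key=lambda a: (a.inherited, a.kind != "deny")):
        if ace.trustee not in tokens:
            continue
        if ace.kind == "deny":
            if ace.rights & remaining:
                return False
        else:
            remaining -= ace.rights
            if not remaining:
                return True
    return False
```

With this ACL, a permissions listing names bob and never mentions alice, while the effective-access check shows alice can reset passwords in the OU and bob cannot.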
Thank you all for your input. You've all made some very important points that I would have otherwise overlooked, and I really appreciate your assistance in this regard.
Johnny, you seemed to indicate that there is only one tool that can actually find out who is delegated what access in Active Directory. That is certainly very interesting, and I would certainly like to know which tool you're referring to.
Could you please let me know which is the tool that can help our organization find out exactly who is delegated what access in our Active Directory forest(s)?