The world's most trusted forum on Active Directory Security
As an IT Security Analyst at my organization, I have been tasked with establishing an Active Directory Audit program and identifying a good Active Directory Audit Tool to fulfill our internal IT security and audit requirements related to Active Directory Audits.
By way of background, we have been asked to establish a formal, periodic Active Directory Audit schedule and process as a part of an enhanced internal access governance program for 2013.
We are however separate from our Active Directory operations team, and our role is primarily one geared towards establishing, assessing and enforcing security policies for our IT systems. As a result, we're not technical experts in Active Directory or in Active Directory security, yet need a way to be able to easily and independently perform Active Directory audits on a monthly basis.
I should clarify that we do understand Windows Security well enough (since we establish policies as well) but we don't really know how to manage Active Directory, monitor replication, DCs etc.
I am thus in search of an Active Directory Audit Tool that can help our team fulfill our periodic Active Directory Audit needs, independently, and without much assistance from our Active Directory operations team, primarily driven by a need for separation of duties.
Also, in case it helps, we need to be able to generate high-level summary reports, audit group memberships, analyze administrative entitlements and ideally document findings in PDF format.
Although we are searching independently as well, tested recommendations would be helpful.
“Coffee - the favorite drink of the civilized world.” ― Thomas Jefferson
Have you looked at ADManager Plus? It is a good AD reporting tool, and it is also quite cheap, as it is built in India, so the development and testing costs are low. I think you can fulfill your needs with it.
We did take a look at AD Manager Plus from Manage Engine. Unfortunately, due to security reasons, our corporate policies prohibit us from deploying any software / tools / applications not made in USA.
Secondly, although it had many basic features, it did not have the ability to analyze administrative entitlements, which was a must-have for us, as one of the big parts of our audit is to audit elevated access in our corporate AD.
Thanks for your suggestions though. If you have other suggestions, kindly share.
Have you taken a look at Change Auditor from Quest Software? I believe it can help you find track all changes and find out who did what in your Active Directory. Another solution that may be able to help you find out who made what changes is a similar tool called Change Reporter from Netwrix.
Both of these tools can help you keep track of who made what changes in Active Directory and are good Active Directory Audit Tools.
Thank you for your inputs - actually, we are looking for a tool to audit our Active Directory, not a tool that can help us collect and show audit events - I know it sounds confusing but I think Change Auditor and Change Reporter are both auditING tools. We already have an auditING solution in place, and it helps us find out what changed and who changed it in our Active Directory.
In our experience, we have found that it is much better to be able to know who can do something rather than know who did something, because sometimes, even though we know who did something, that something could cause a lot of damage. On the other hand, if we knew who can do something, then we can make sure that only the right/authorized people can do something, so we'd be better off than right now, i.e. right now we don't know who can do something, so we are hopelessly reliant on auditING to find out who did something, and we hope nobody does something really bad.
So, we are looking for a tool that can help us audit who CAN do what in our Active Directory. For example, something that could show us who is delegated what access in our Active Directory, or at least help us find out who can perform critical tasks like create accounts, delete OUs, modify group memberships etc. I suppose a tool that does an audit of delegated access in Active Directory.
If anyone knows of a tool that can help us find out who is delegated what powers in our Active Directory, I would be grateful if you could help us fulfill this need.
We were in a sort of a similar situation last year, in that we had a need to audit Active Directory delegations in our Active Directory, and during our search, we stumbled upon one of the most capable tools I've ever worked with - it's called Gold Finger for AD.
We primarily licensed the tool for performing delegation audits (i.e. who is actually delegated what access in our Active Directory domains) but over the last nine months or so, we've found that we've been able to use it to audit most aspects of our Active Directory including true last logons, group memberships, SACLs, provisioned permissions and delegated access rights.
Basically, it's sort of a dedicated Active Directory audit tool, and if I had to enumerate its audit capabilities, I'd say, it has the following 5 audit capabilities-
If this helps, I believe there's more info over here.
I hope this helps
I've been working with Active Directory since the Windows 2000 days, so over the years, I've come across many tools, solutions, scripts, guides and the like, and based on my experience, I would have to second Matthew's recommendation on Gold Finger.
In my opinion, it is one of the most valuable tools out there, because it not only has unique capabilities, such as this one, its numerous capabilities build on each other, so whether you want to peek under the hood and do your own analysis or use its automated reports, you have that choice.
For instance, let's say you wanted to find out who can reset your password. You can use its effective delegated access reporting capability to find that out by clicking a button. Or let's say you just wanted to determine effective permissions on your own account, you could use the Effective Permissions feature to see the underlying effective permissions. Or let's say you just wanted to view the ACL on your own account, in sufficient detail, you could use the ACL viewer capability to do that.
No other tool that I know of offers such power or flexibility. We've been using it for quite a while and it has helped us substantially lock down access in our Active Directory. What used to take weeks to do now takes us 30 minutes, and that is HUGE for us, because we just cannot afford to spend that kind of time to constantly review and manually verify access changes in our Active Directory.
We tried it extensively before buying it (it was free to try) and have been very happy with it. The fact that it is endorsed by Microsoft and used around the world was quite reassuring for us.
I hope this helps.
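The "who can do what" audit the original poster asks for (reset passwords, create accounts, delete OUs, modify group memberships) and the raw ACL view mentioned in the reply above can be approximated with built-in tooling; this is an added example written for this page, not code from any post or from the product being discussed. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read OU security descriptors.

```powershell
# Added example: not from any post above and not the product being discussed.
# Lists raw ACEs on every OU that delegate the high-impact rights the thread
# names (reset password, change group membership, create users, delete OUs).
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Well-known rightsGuid / schemaIDGUID values used to recognise each delegation.
$Checks = @(
    @{ Name = 'Reset password';          Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # User-Force-Change-Password
    @{ Name = 'Modify group membership'; Right = 'WriteProperty'; Guid = 'bf9679c0-0de6-11d0-a285-00aa003049e2' }  # member attribute
    @{ Name = 'Create user accounts';    Right = 'CreateChild';   Guid = 'bf967aba-0de6-11d0-a285-00aa003049e2' }  # user class
    @{ Name = 'Delete OUs';              Right = 'DeleteChild';   Guid = 'bf967aa5-0de6-11d0-a285-00aa003049e2' }  # organizationalUnit class
)
$AnyObject  = '00000000-0000-0000-0000-000000000000'   # ACE not scoped to one class/attribute
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-OuDelegationReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        foreach ($ace in (Get-Acl -Path "AD:\$ou").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs need separate review
            $hits = @()
            if (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { $hits += 'Full control' }
            foreach ($c in $Checks) {
                $need   = [System.DirectoryServices.ActiveDirectoryRights]($c.Right)
                $scoped = $ace.ObjectType.ToString() -in @($c.Guid, $AnyObject)
                if ((($ace.ActiveDirectoryRights -band $need) -eq $need) -and $scoped) { $hits += $c.Name }
            }
            foreach ($h in $hits) {
                [PSCustomObject]@{
                    OU         = $ou
                    Identity   = $ace.IdentityReference.Value
                    Delegation = $h
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

# One row per (OU, trustee, delegated right); trustees that are groups still need expanding.
Get-OuDelegationReport | Sort-Object OU, Identity | Export-Csv -NoTypeInformation .\ou-delegations.csv
```

Because it reads ACEs rather than computing effective permissions, nested group membership and deny entries still have to be resolved separately, which is the gap the reply above draws between an ACL view and effective access.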
Thank you very much for your kind inputs. I sincerely appreciate you taking the time to share your experiences and opinions with me. Indeed, after having done and concluded extensive research into the various tools available, we too have arrived at the conclusion that Gold Finger is one of the most versatile and capable Active Directory Audit tools out there.
I also did act on your suggestion and try it out, and I have to admit that the ease with which it lets you perform and fulfill a variety of audits is quite impressive. Especially in our case, given that as IT auditors we are not Active Directory experts, the fact that we were able to fulfill virtually all our Active Directory related IdM audit needs, so easily and quickly, we are very impressed.
We will be moving forward to license it. Thank you for pointing us in the right direction.