Active Directory auditing with PRTG

Active Directory auditing is the process of tracking and recording events that occur within an AD environment. This includes actions such as logins, changes to user accounts, access to files or resources, and administrative activities. Auditing helps organizations maintain security, compliance, and accountability by providing a detailed record of who did what, when, and from where within the network. Typical components of the audit process are audit policies, audit logs, and audit reports.

One of the many functions Active Directory serves is that of a gate keeper – controlling which users can use resources on the network, and their level of interaction with those resources. File shares, file servers, applications, internet access, printers: all depend on Active Directory to allow or deny access. This makes it vitally important for system administrators to keep track of how AD is protecting those resources.

Microsoft has included excellent audit facilities within AD. Log on/log off, object access, policy changes, account management, and many other activities all leave detailed records in the Windows Security Event Log. Unfortunately, even for only a small network, AD auditing can create huge numbers of log events, making it very difficult to keep track of the really important ones. Active Directory auditing tools like PRTG help you keep track of these events and alert you if something is not working as it should.

An Active Directory (AD) audit involves several critical security aspects to ensure the integrity, availability, and confidentiality of the AD environment. Here are some key security aspects typically involved in an AD audit

User account management

• Account provisioning and de-provisioning: Ensure that user accounts are created, modified, and disabled according to established policies and that inactive accounts are promptly deactivated.
• Privileged accounts: Audit the usage and management of privileged accounts to ensure they are used appropriately and are not over-privileged.

Password policies

• Complexity requirements: Verify that password policies enforce complexity requirements to prevent weak passwords.
• Expiration and rotation: Check that passwords are set to expire periodically and that users are required to change them regularly.
• Account lockout: Ensure that account lockout policies are in place to prevent brute force attacks.

Group Policy Objects (GPOs)

• Policy Configuration: Review GPOs to ensure they are configured according to security best practices and organizational policies.
• Application and Scope: Ensure that GPOs are correctly applied and scoped to appropriate users and computers.

Access controls

• Permissions and rights: Audit permissions on critical AD objects (e.g., organizational units, user accounts) to ensure they are set according to the principle of least privilege.
• Role-based Access Control (RBAC): Verify that access is granted based on roles and responsibilities.

Auditing and logging

• Event logging: Ensure that logging is enabled for critical AD activities, such as logon events, changes to AD objects, and administrative actions.
• Log review: Regularly review and analyze logs for signs of suspicious or unauthorized activities.

Security configuration

• Baseline security settings: Verify that the AD environment complies with baseline security settings and configurations.
• Patch management: Ensure that AD servers and domain controllers are regularly updated with security patches.

Replication and availability

• Replication health: Check the health and configuration of AD replication to ensure data consistency across all domain controllers.
• Backup and recovery: Verify that backups of AD are taken regularly and that recovery procedures are tested.

Service accounts

• Usage and management: Audit service accounts to ensure they are used appropriately and have the minimum necessary permissions.
• Password management: Ensure that service account passwords are managed securely, with periodic changes and proper storage.

Security policies

• Compliance: Ensure that AD policies comply with organizational and regulatory security requirements.
• Policy Enforcement: Verify that security policies are enforced consistently across the AD environment.

Physical security

• Domain controller security: Ensure that physical access to domain controllers is restricted and monitored.

Incident response

• Monitoring and alerts: Ensure that there are mechanisms in place for detecting and responding to security incidents within the AD environment.
• Incident handling procedures: Verify that there are clear procedures for handling security incidents involving AD.

Compliance and reporting

• Regulatory requirements: Ensure that AD configurations and practices meet relevant regulatory and compliance requirements (e.g., GDPR, HIPAA).
• Audit reporting: Generate and review reports to document compliance and identify areas for improvement.

If you use Microsoft Entra ID (formerly Azure AD) and want to keep an eye on what’s happening there, we’ve got you covered as well.

Set up, for example, a Microsoft Azure Subscription Cost sensor to keep your subscription costs in check. Or create a custom PRTG sensor for monitoring activities that might pose a risk:

• Be informed about risky sign-ins, for example, from an unusual or suspicious country
• Get alerts about impossible travel activities, for example, if an account logs in from Germany and two minutes later from Hongkong
• Check for AD accounts that Microsoft believes are exposed to a risk
• Keep an eye on new devices that are registered for Multi-Factor Authentication

In PRTG, “sensors” are the basic monitoring elements. One sensor usually monitors one measured value in your network, for example the traffic of a switch port, the CPU load of a server, or the free space on a disk drive.

On average, you need about 5-10 sensors per device or one sensor per switch port.