[ActiveDir] AD - What to monitor?
AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and why? I am talking in terms of security events only, to protect AD and also to protect from attacks of any kind. Obviously, one would monitor failed logons, too many account creations, etc. What else should we monitor?

Regards,
Adeel

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] AD - What to monitor?
You may want to start by looking at some commercial products and see what functions they perform and what they monitor. NetPro's Change Auditor is great, and the MOM AD MP (the entire Technical Guide is available) would be two nice starting points. If I remember correctly, NetPro also has an AD Health product. If you don't want to pay, then you can start scripting based upon what you see in common among all of the commercial products available.

Ryan

On 3/6/06, Adeel Ansari [EMAIL PROTECTED] wrote:
RE: [ActiveDir] AD - What to monitor?
Things I like to know about.

Administration Events
- OU creations/deletions/mods
- Critical Security Group modifications
- GPO creation/deletion/mods and linking
- Domain Administrator logins and from where
- Password changes on critical accounts

Domain Activities
Got one word for you: Replication! ADs go bad when replication is out of whack... In my experience, when it comes to replication you need to monitor not only the Event Logs but also the ports. Also, if a firewall goes anywhere between two replication partners, you then have to start to consider UDP fragmentation, which manifests itself as broken trusts and bad authentication attempts.

As for events, well, the security event logs are a maze of Event IDs that I would just rather not dig into unless I am required to. Both Quest and NetPro (probably NetIQ, MOM and some other tools out there I haven't evaluated as well) have some nice tools that make monitoring the security event logs a lot nicer. I currently use Quest InTrust and InTrust for AD. The nice thing about the AD product is that it creates a nice little Event Log for administration and logs those activities separately. They put a hook into the LDAP service that intercepts the LDAP calls and logs them. There are some KB articles out there that list several of the events.

As one person suggested, reviewing NetPro's, Quest's, NetIQ's and HP's stuff also helps get an idea. MOM also has some pretty slick admin packs that might be informative, but I see MOM more as a big-picture up/down monitor; there is still a lot of value in third-party add-ons, since most of these products offer add-ons to MOM as part of their features.

Todd

From: Ryan A. Conrad [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD - What to monitor?
RE: [ActiveDir] AD - What to monitor?
Depends upon what your organization's security/compliance requirements are, but here are some things to think about:

--excessive failed logons, password changes
--account policy changes
--changes to AD configuration objects (e.g. creation/deletion of sites, site links, AD-integrated DNS zones, schema object mods., FSMO role changes)
--changes to key AD group memberships (e.g. Domain Admins, Enterprise Admins) or service accounts
--changes to key Group Policies
--changes to key attributes (e.g. department, phone number, ManagedBy)

There's probably a longer list, but those are just some that come to mind right away. Depending upon the objects being monitored, and your needs, the native security logs may or may not provide the data you need. In that case, 3rd-party tools like those from NetPro, Quest, NetIQ may make sense.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 9:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD - What to monitor?
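Ryan's suggestion was to script around what the commercial products have in common, and Darren's list gives the categories; the following PowerShell is an added example (not anything posted in this thread) that maps those categories to Security-log event IDs on a domain controller and flags failed-logon bursts and activity on critical accounts. It assumes Windows Server 2008-or-later event IDs (which postdate this 2006 thread), that the corresponding audit policies are enabled, and that the $WatchedAccounts list and $FailedLogonThreshold are placeholders to be tuned locally.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008+ event IDs and that
# Account Management, Logon, Policy Change and Directory Service Changes auditing are on;
# 5136/5137/5141 additionally need a SACL on the OUs/GPOs you care about.
param(
    [string]$ComputerName = $env:COMPUTERNAME,        # domain controller to query
    [int]$Hours = 24,                                 # look-back window
    [int]$FailedLogonThreshold = 10,                  # per-account 4625 count treated as excessive
    [string[]]$WatchedAccounts = @('Administrator')   # critical accounts (placeholder list)
)
# The thread's monitoring categories mapped to Security-log event IDs.
$Categories = [ordered]@{
    'Failed logons'                                   = @(4625)
    'Password change/reset attempts'                  = @(4723, 4724)
    'Account creations/deletions'                     = @(4720, 4726)
    'Security group membership changes'               = @(4728, 4729, 4732, 4733, 4756, 4757)
    'Audit/account policy changes'                    = @(4719, 4739)
    'Directory object create/modify/delete (OU, GPO)' = @(5137, 5136, 5141)
    'Privileged logons'                               = @(4672)
}

function Get-EventField($Event, $Name) {
    # Read one EventData field from the event's XML rendering.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4624 is pulled as well so the logon source address of watched accounts can be shown.
$Ids = @(@($Categories.Values | ForEach-Object { $_ }) + 4624 | Sort-Object -Unique)
$Events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours)
})

# 1. Volume per category; a jump here is the first thing to look at.
foreach ($Name in $Categories.Keys) {
    '{0,-50} {1,6}' -f $Name, @($Events | Where-Object { $Categories[$Name] -contains $_.Id }).Count
}

# 2. Excessive failed logons, grouped by the account being targeted.
$Events | Where-Object { $_.Id -eq 4625 } | ForEach-Object { Get-EventField $_ 'TargetUserName' } |
    Group-Object | Where-Object { $_.Count -ge $FailedLogonThreshold } |
    ForEach-Object { 'ALERT: {0} failed logons against {1}' -f $_.Count, $_.Name }

# 3. Critical accounts: logon source address (4624) and who changed their password (4723/4724).
$Events | Where-Object { 4624, 4723, 4724 -contains $_.Id } | ForEach-Object {
    $Target = Get-EventField $_ 'TargetUserName'
    if ($WatchedAccounts -contains $Target) {
        $Detail = if ($_.Id -eq 4624) { 'from ' + (Get-EventField $_ 'IpAddress') } else { 'by ' + (Get-EventField $_ 'SubjectUserName') }
        '{0:u} event {1} account={2} {3}' -f $_.TimeCreated, $_.Id, $Target, $Detail
    }
}
```

Run it on the DC (or with -ComputerName pointing at one) as an account that can read the Security log; the category counts are a baseline to compare day over day, and the two alert sections are what you would feed into whatever ticketing or paging you already have.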
RE: [ActiveDir] AD - What to monitor?
So, does InTrust do these things:

OU creations/deletions/mods
Critical Security Group Modifications
GPO Creation/deletion/mods and Linking
Domain Administrator Logins and from where
Password changes on critical accounts

Can you get granular and say show me all the changes to these groups, or these OUs, or when this account is used, etc.? Do you use Quest Reporter?

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Monday, March 06, 2006 5:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD - What to monitor?