Active Directory (AD) holds the keys to the kingdom, and attackers know all the tricks to take advantage of vulnerabilities in AD to stay hidden and move around the network to find and steal your sensitive data. To counter these potential vulnerabilities, companies should perform an Active Directory audit on a regular schedule, at least once a year.
The challenge is to keep the attack vectors to a minimum and the capabilities of stolen credentials limited. That way when attackers steal credentials on the network, they can’t steal data before they are discovered and neutralized.
Get the Free Pen Testing Active Directory Environments EBook
Varonis is an excellent AD auditing and monitoring system because it does so much more than audit and monitors AD. Varonis also provides dashboards and reports to track progress towards a secure AD, automates processes to keep AD secure, and detects an attacker’s movements through AD.
Check out our in-depth Active Directory audit checklist. You can do all these steps manually or with PowerShell, but really, using Varonis is easier.
- Capabilities of an Audit
- Before Auditing
- Enable Auditing
- Admin Groups
- Group Policy
- User Account Changes
- Stale Users
- Finding Vulnerabilities
Capabilities of a Varonis Active Directory Audit
Auditing Active Directory can uncover many kinds of potential threats that attackers can exploit to infiltrate and move around your network, but it’s not all about risk. It’s mostly about risk, but a good Active Directory audit will help keep AD clean and manageable.
Think of AD-like a nice bonsai tree. Regular pruning, care, and attention will net out a very nice and visually pleasing tree. AD is similar that way. Stay on top of AD maintenance regularly and there will never be a crisis moment. Audits should never lead to ‘oh #$@%’ moments. Audits are a check-in to verify day-to-day operations work as expected.
Don’t worry – Varonis can not only do the audit but helps clean up, maintain, and monitor AD as well as improve the overall security posture of the organization. At first, there might be some ‘oh #$@%’ responses if AD is an under-appreciated bonsai tree, but after some remediation and pruning, AD will become pretty and manageable again.
Ed. Note: Audit in this blog means two things, audit as in reviewing the current state of things to verify adherence to policy and audit as in actively monitor the status of a thing. Varonis does both of these – gathers data about AD for review and remediation, and actively monitors AD for current and potential threats.
Before Running an AD Audit
If this is going to be the first Active Directory audit with Varonis, don’t panic! We are here to help. Varonis Sales Engineers (SE) and support do this all the time. Reach out to them if any issues or complications occur.
To enable the audit, DatAdvantage needs to be installed and running. Varonis Professional Services or SE’s typically run new installs for customers and prospects. With DatAdvantage installed, enabling the constant monitoring of Directory Services and Azure AD modules is a licensing issue. There aren’t further installs required.
That’s pretty much it. Varonis doesn’t require a crazy amount of training to use the dashboard and understand what each widget (a single dashboard element) means. Figuring out how to remediate or remove the issues correctly is a different question, which we will discuss later.
How Long do Active Directory Audits Take?
Typically, Active Directory audits take two weeks to a month to gather the data, and then several months to from square one to remediate the risks that you discover during the audits. This assumes one or two resources using PowerShell and built-in Windows tools. Varonis automates the data gathering process and then some of the remediation tasks to make this process much faster.
How to Enable Active Directory Auditing
To do the basic AD auditing in Varonis, provide a username and password that can read the Domain Controller. That’s it.
Varonis’ AD event auditing is, at the very core, a gathering of the Security Event Logs from Domain Controllers. We provide a comprehensive list of what GPO items that need to enabled to get full auditing capability. We also provide a quick configuration option that creates a Varonis GPO object that contains the correct audit settings. The Varonis GPO is an advanced option, be aware that it does create a high-level GPO object which can conflict with other settings.
Varonis does quite a bit of post-processing on the back end to make AD audit events readable and understandable. This processing also feeds the behavior baselines and modeling, and it is highly recommended that everyone take advantage of this functionality — the more data inputs into the threat detection and analysis in Varonis, the better.
Audit Admin Group Membership
The top priority of an AD audit is to verify that the administrative permissions granted match the needs of the organization and do not exceed policy and best practices. Administrators are the holders of the keys to the kingdom. By default, admin permissions grant users the authority to make changes to computer configurations, group policies, and view all the file shares on the network.
Domain Admins Group
A great place to start is the Domain Administrators Group. These users can do anything and everything on the network. This group membership needs to be limited to the few trusted individuals with the knowledge and experience to wield this power and authority. Remove any stale users and users that no longer need this kind of responsibility.
It is quite possible to break some applications and sharing tied to users you remove from the domain admins group. Be prepared for some issues to come up.
IT Staff Rights
The next step in an Active Directory audit is to investigate the rights of the rest of the IT staff to ensure they don’t have more access than necessary based on best practices.
Best practice says that designated administrators have two accounts – one account with user privileges for day to day use, and a second admin account to use when they need to make changes per the change management process. This way, users are rarely logged in with their admin accounts, and anytime an attacker accesses an admin account, all the alarms go off.
Additionally, where possible, delegate certain responsibilities to IT staff, and remove their administrative rights to other resources. For example, the NetApp administrator probably doesn’t need the right to change GPOs or even look at the HR share on the NetApp. Limit IT users to the access they need to do their jobs. This keeps attackers from gaining significant footholds in the network if one of these accounts is compromised.
Auditing Active Directory Group Policy
Group policies are another priority during Active Directory audits. We talked about Group Policies and GPOs in detail in a previous blog. Here are some things to check during an audit.
- Are GPOs applied correctly to all computers and domains? There can be nested or overriding GPOs that cause unexpected behaviors. Audit these carefully and make sure the correct GPOs apply to the expected users and computers.
- Verify that the GPOs enforce a strong password policy.
- Verify that Local Administrator accounts are disabled via GPO correctly.
Varonis actively monitors and throws alerts for all changes to GPOs. Investigate any changes made outside of an official change window because they could indicate someone is trying to infiltrate the network.
How To Audit AD User Account Changes
With the default capabilities in AD, monitoring changes to users and groups is incredibly complicated. There are several GPOs involved and then more than one Security Event Log entry per change – if you catch the change in the logs before they roll over.
Varonis makes it very easy to audit changes made to AD users and groups by monitoring and normalizing the Security Event Log events across all of your Domain Controllers into a single human-readable log.
This monitoring, combined with the threat detection and analysis in DatAlert, means that any changes to users and groups get flagged as potential privilege escalation attacks. Auditing doesn’t get easier than that.
Auditing Stale Users and Computers in Active Directory
Just like trimming the bonsai tree of dead limbs, remove the user accounts that are no longer active from AD. Stale users are users that haven’t generated any activity for six months (default setting and user-configurable). Attackers covet stale accounts because no one pays attention to the accounts that nobody uses, and they can take advantage of that inattention to move around your network.
Varonis displays stale accounts in the Directory Services Dashboard for review and tracking over time. The Dashboard updates regularly to keep stale users visible and under control. This can be a scheduled audit or something the team manages as new stale accounts appear.
Unlock this free video with tips to find and remediate unresolved SIDs.
Using an Audit to Find Vulnerabilities
The Varonis Directory Services Dashboard highlights many potential vulnerabilities. Here are some samples with quick definitions.
- Computer Accounts that are Admin Accounts: Attackers use these accounts for privilege escalations
- Accounts with No Password Policy: These accounts are easy targets for attackers
- Enabled Accounts with No Password Expiration: There is a good chance these accounts can be brute force attacked by known username and password lists
- Check out this free video to learn about finding and remediating accounts with no password expiration.
- Domains where the Protected Users Group does not exist: These domains are older versions of AD and accounts in this domain might be easier to attack
- Number of Enabled Locked Out Users: If there are any of these user accounts there might be an active brute force attack in progress
- Number of Disabled Users: Disabled Users are potential targets for attackers as they are probably not used or monitored closely – it’s best to delete them.
With Varonis monitoring AD, it’s quite straightforward to keep AD under control and pruned to a pretty bonsai. After the initial shock, most customers calm quickly and get to work to address the highest priority risk items and work their way down the list. AD has been around for a long time now, and only recently did we become aware of how sophisticated attackers can be when they attack networks.
AD auditing is just one of the first parts of the Varonis Operational Journey. There are several more steps in addition to discovering and remediating AD. Other steps in the journey are, address over permissive folders, implement threat detection and response, and use DataPrivilege to manage folder and group membership requests.
If you aren’t convinced that Varonis can manage AD auditing for you after reading this entire blog, you can always read our free Active Directory Security Audit Checklist and run through these steps manually.