Active Directory Audit Checklist Guide & Best Practices
Organizations that run an on-premises Windows Active Directory need to audit their AD environment regularly. The best way to approach this task is to prepare an Active Directory audit checklist beforehand. It gives the admin a clear pathway for reviewing and monitoring the activity going on inside the directory. After a security incident a thorough check of AD is also recommended, which once again calls for a prepared plan.
However, even a template-driven audit is time-consuming, so admins might want a quicker alternative to a full traditional audit. We cover that and more in this write-up. Let’s first go through the reasons for keeping a checklist for AD audits.
Why Organizations Need Active Directory Audit Checklist
Active Directory is a vast resource-management system. Through everyday changes by users and administrators (stale accounts, group-membership drift, over-broad permissions), an AD slowly degrades from its optimal state. That is why administrators need to review the directory's configuration and security activity on a schedule. This process is what admins call an AD audit.
It can be thought of as an in-depth analysis of object logons, password changes, resource sharing, threat protection, and vulnerability scans.
Without a template, it becomes difficult for administrators to figure out whether they are in violation of any compliance requirement.
Check the following instructions and start the audit.
Access the Advanced Audit Policy Configuration in Active Directory Step-by-Step
Step 1. Open Group Policy Management Console (GPMC)
- Press the Windows and R keys together to launch the Run dialog box.
- Type “gpmc.msc” in the box next to “Open”.
- Click OK or press Enter on your keyboard.
Step 2. Get to the Group Policy Object
- Expand Forest > Domains > Select Your Domain.
- Right-click an existing GPO and choose Edit. If you don’t want to disturb an existing GPO, right-click the domain name and select the “Create a GPO in this domain, and Link it here….” option. For the Account Logon and DS Access settings covered below, link the GPO to the Domain Controllers OU instead, because for domain accounts those events are generated only on domain controllers.
Step 3. Navigate to Advanced Audit Policy Configuration
- Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Inside the Audit Policies node you can view ten categories, each grouping related subcategories. The categories are:
Account Logon, Account Management, Detailed Tracking, DS Access, Logon/Logoff, Object Access, Policy Change, Privilege Use, System, and Global Object Access Auditing. One caveat before editing them: in the same GPO, also enable Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”. Without it, a legacy category-level audit policy applied from elsewhere can override the subcategories you set here. Now let us see what admins can configure in each category one by one.
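The GPO steps above are the domain-wide way to set these subcategories. The script below is an added example, not code from the original article: it sets the same kind of baseline locally with auditpol.exe (useful in a lab), reads the effective policy back so you can confirm what a GPO actually produced on a given DC or server, and checks the "force subcategory settings" registry value. Run it in an elevated PowerShell. The baseline list itself is an assumption chosen for illustration, not a Microsoft recommendation.

```powershell
# Added example, not part of the original article. Applies a baseline of
# advanced audit subcategories with auditpol.exe, then reports drift between
# the baseline and the effective local policy (whatever set it), and checks
# that legacy category-level policy cannot override the subcategories.
# The baseline below is an illustrative assumption; adapt it per environment.

$Baseline = @(
    @{ Name = 'Credential Validation';              Success = $true; Failure = $true  }
    @{ Name = 'Kerberos Authentication Service';    Success = $true; Failure = $true  }
    @{ Name = 'Kerberos Service Ticket Operations'; Success = $true; Failure = $true  }
    @{ Name = 'User Account Management';            Success = $true; Failure = $true  }
    @{ Name = 'Security Group Management';          Success = $true; Failure = $true  }
    @{ Name = 'Computer Account Management';        Success = $true; Failure = $true  }
    @{ Name = 'Directory Service Changes';          Success = $true; Failure = $true  }
    @{ Name = 'Logon';                              Success = $true; Failure = $true  }
    @{ Name = 'Account Lockout';                    Success = $true; Failure = $true  }
    @{ Name = 'Special Logon';                      Success = $true; Failure = $false }
    @{ Name = 'Audit Policy Change';                Success = $true; Failure = $true  }
)

function Get-ExpectedInclusion {
    # auditpol /get /r reports the setting as one of these four strings.
    param([bool]$Success, [bool]$Failure)
    if ($Success -and $Failure) { 'Success and Failure' }
    elseif ($Success)           { 'Success' }
    elseif ($Failure)           { 'Failure' }
    else                        { 'No Auditing' }
}

function Set-AuditBaseline {
    foreach ($item in $Baseline) {
        $s = if ($item.Success) { 'enable' } else { 'disable' }
        $f = if ($item.Failure) { 'enable' } else { 'disable' }
        # PowerShell quotes the subcategory argument because it contains spaces.
        & auditpol.exe /set "/subcategory:$($item.Name)" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($item.Name)'" }
    }
}

function Get-AuditBaselineDrift {
    # /r gives CSV with an 'Inclusion Setting' column per subcategory.
    $csv = & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($item in $Baseline) {
        $row      = $csv | Where-Object { $_.Subcategory -eq $item.Name }
        $expected = Get-ExpectedInclusion -Success $item.Success -Failure $item.Failure
        $actual   = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
        if ($actual -ne $expected) {
            [pscustomobject]@{ Subcategory = $item.Name; Expected = $expected; Actual = $actual }
        }
    }
}

function Test-SubcategoryOverride {
    # SCENoApplyLegacyAuditPolicy = 1 means "Audit: Force audit policy
    # subcategory settings ... to override audit policy category settings" is on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    [bool]($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

Set-AuditBaseline
if (-not (Test-SubcategoryOverride)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; enable the override option in the GPO.'
}
Get-AuditBaselineDrift | Format-Table -AutoSize
```

Get-AuditBaselineDrift is the part worth keeping after the lab: run it on each DC after the GPO refreshes and an empty result means the policy landed as intended.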
Account Logon in Active Directory Audit Checklist
Admins should not confuse this category with Logon/Logoff. Logon/Logoff events are recorded on the machine where a session is created, like a classroom teacher checking student IDs at the door. Account Logon events are recorded on the computer that holds the account database, which for domain accounts is the domain controller, like a security camera in the central office of the school.
This lets the category see every credential check against the directory itself, regardless of which endpoint asked for it.
Therefore it can alert the admin to brute-force and password-spraying attempts against domain accounts (akin to a lock-picking attempt on the central office); these show up as repeated Kerberos pre-authentication failures (event 4771) or NTLM validation failures (event 4776).
It does not cover new account creation; that belongs to the Account Management category below.
A stolen password still validates successfully, so for credential theft the useful signal in these events is the source workstation or IP address recorded with the success, not a failure.

| Sub Category | Default Setting | Used For |
|---|---|---|
| Credential Validation | Not configured | NTLM credential checks (event 4776), recorded on the DC for domain accounts |
| Kerberos Authentication Service | Not configured | Kerberos TGT requests (4768) and pre-authentication failures (4771) |
| Kerberos Service Ticket Operations | Not configured | Kerberos service ticket (TGS) requests and renewals (4769, 4770) |

Domain controllers may already have Success auditing in effect for some of these subcategories, so verify the effective policy with auditpol /get /category:"Account Logon" rather than assuming the GPO default.
Windows AD Audit of Account Management Category
Account management covers changes to user, computer, and group objects. All subcategories here have a low event volume, but that does not mean the admin should ignore them: a new member in Domain Admins is a single event.

| Sub Category | Default Setting | Used For |
|---|---|---|
| Application Group Management | Not configured | Creation, deletion, and modification of application groups and their membership |
| Distribution Group Management | Not configured | Creation, deletion, and modification of distribution groups and their membership |
| Security Group Management | Success | Creation, deletion, and modification of security groups; members added or removed (4728/4729 global, 4732/4733 local, 4756/4757 universal); group type changes |
| Computer Account Management | Not configured | Creation, modification, and deletion of computer objects in the domain (4741, 4742, 4743) |
| User Account Management | Success | User creation (4720), enable/disable (4722, 4725), deletion (4726), attribute changes (4738), password resets (4724), lockouts (4740), SID history and credential management |
| Other Account Management Events | Not configured | Access to password hashes (4782, typically during migration), calls to the password-policy checking API (4793, possibly attack reconnaissance), and domain policy changes to password complexity or lockout settings (4739) |
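The two categories above are where most first-hour incident triage happens: spraying shows up in Account Logon, and the attacker's foothold shows up in Account Management. The script below is an added example and not code from the original article; it serves both sections. It flattens Security-log event XML into objects, then flags a source that fails against many distinct accounts (4771 status 0x18, 4776 status 0xC000006A/0xC0000064) and any membership change to a watched group (4728/4732/4756). The sample events, the watched-group list and the threshold are constructed assumptions; on a real DC feed the functions from Get-WinEvent as shown in the comments.

```powershell
# Added example, not part of the original article. Triage over Account Logon
# (4771, 4776) and Account Management (4728, 4732, 4756) events. The sample
# events below are constructed; on a domain controller replace them with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771,4776,4728,4732,4756} |
#       ForEach-Object { $_.ToXml() }

function ConvertFrom-SecurityEventXml {
    # Flatten one event's <EventData> into an object keyed by field name.
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $h = @{ EventId = [int]$x.Event.System.EventID }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

function Find-PasswordSpray {
    # One source, many accounts, bad passwords: 4771 status 0x18 is a Kerberos
    # pre-auth failure; 4776 0xC000006A is wrong password, 0xC0000064 no such user.
    param([object[]]$Events, [int]$MinAccounts = 5)   # threshold is an assumption
    $fails = $Events | Where-Object {
        ($_.EventId -eq 4771 -and $_.Status -eq '0x18') -or
        ($_.EventId -eq 4776 -and $_.Status -in '0xc000006a','0xc0000064')
    }
    $fails | Group-Object { if ($_.EventId -eq 4771) { $_.IpAddress } else { $_.Workstation } } |
        ForEach-Object {
            $accounts = @($_.Group.TargetUserName | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject]@{ Source = $_.Name; Accounts = $accounts.Count; Names = ($accounts -join ',') }
            }
        }
}

function Find-PrivilegedGroupChange {
    # In 4728/4732/4756 TargetUserName is the group, MemberName the added DN.
    param([object[]]$Events,
          [string[]]$Watched = @('Domain Admins','Enterprise Admins','Administrators','Schema Admins'))
    $Events | Where-Object { $_.EventId -in 4728,4732,4756 -and $_.TargetUserName -in $Watched } |
        ForEach-Object {
            [pscustomobject]@{ Group = $_.TargetUserName; Member = $_.MemberName; By = $_.SubjectUserName }
        }
}

# Constructed sample: five pre-auth failures from one address against five
# accounts, then a helpdesk account adding someone to Domain Admins.
$sample = @()
foreach ($u in 'alice','bob','carol','dave','erin') {
    $sample += @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4771</EventID></System><EventData><Data Name="TargetUserName">$u</Data><Data Name="IpAddress">::ffff:10.0.0.77</Data><Data Name="Status">0x18</Data></EventData></Event>
"@
}
$sample += '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4728</EventID></System><EventData><Data Name="MemberName">CN=Mallory,CN=Users,DC=corp,DC=example</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>'

$parsed = $sample | ConvertFrom-SecurityEventXml
Find-PasswordSpray -Events $parsed         | Format-Table -AutoSize
Find-PrivilegedGroupChange -Events $parsed | Format-Table -AutoSize
```

Grouping by source rather than by account is what separates a spray from a single user mistyping a password; raise MinAccounts on large domains and include 4776 only if NTLM is still in use, since otherwise every hit is worth a look.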
Other Audit Categories
| Major Category | Sub Category | Event Volume | Default Setting | Triggers During |
|---|---|---|---|---|
| DS Access | Detailed Directory Service Replication | Up to very high | Not configured | Detailed tracking of replication data between DCs |
| DS Access | Directory Service Access | High on AD DS servers, none on client computers | Not configured | Access to AD DS objects that carry a SACL (event 4662) |
| DS Access | Directory Service Changes | High on DCs, none on client PCs | Not configured | Objects inside AD DS created, modified, moved, deleted, or undeleted (5137, 5136, 5139, 5141, 5138), with old and new attribute values |
| DS Access | Directory Service Replication | Medium on DCs, none on client PCs | Not configured | Beginning and end of replication between DCs |
| Logon/Logoff | Account Lockout | Low | Success | A failed logon attempt against an account that is locked out |
| Logon/Logoff | IPsec Extended / Main / Quick Mode | High | Not configured | Results of Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) negotiations in each mode |
| Logon/Logoff | Logoff | Low | Success | Termination of a logon session (4634, 4647) |
| Logon/Logoff | Logon | Low on clients, medium on DCs | Success on workstations; Success and Failure on servers | User logon attempts (4624 success, 4625 failure) on the machine where the session is created |
| Logon/Logoff | Network Policy Server | Medium to high on NPS, low on other hardware | Success and Failure | RADIUS (IAS) and Network Access Protection (NAP) decisions on user requests: grant, deny, discard, quarantine, lock, and unlock |
| Logon/Logoff | Other Logon/Logoff Events | Low | Not configured | Remote Desktop session connect/disconnect, workstation lock/unlock, screen saver activation, Kerberos replay-attack detection |
| Logon/Logoff | Special Logon | Low | Success | Logons granted admin-equivalent privileges (4672) or by a member of a configured special group (4964) |

The DS Access rows produce events only on domain controllers, so the GPO carrying them must be linked to the Domain Controllers OU, and Directory Service Access and Directory Service Changes additionally require a SACL on the objects you care about; enabling the subcategory alone records nothing.
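Because Directory Service Changes and Directory Service Access only fire for objects whose SACL requests auditing, turning the subcategory on is half the job. The script below is an added example, not code from the original article: it adds a Success audit entry on WriteProperty for Everyone to a group object, so every membership or attribute write to it generates a 5136, and then reads the SACL back. It assumes a DC with the ActiveDirectory RSAT module and an account holding SeSecurityPrivilege; the group DN is an assumption to replace with your own.

```powershell
# Added example, not from the original article. Puts a SACL on an AD object
# so the DS Access subcategories actually produce events for it, then shows
# the resulting audit entries. Requires the ActiveDirectory module (AD: drive)
# and SeSecurityPrivilege. The DN below is an assumption.

Import-Module ActiveDirectory

function Add-DirectoryObjectAudit {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$IdentitySid = 'S-1-1-0',   # Everyone: audit whoever writes, not just one principal
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'WriteProperty',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success'
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is required; without it Get-Acl returns no SACL and Set-Acl
    # would leave the existing audit entries untouched.
    $acl  = Get-Acl -Path $path -Audit
    $sid  = [System.Security.Principal.SecurityIdentifier]$IdentitySid
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($sid, $Rights, $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-DirectoryObjectAudit {
    # Read the SACL back; an empty result means the subcategory will stay silent
    # for this object no matter what the GPO says.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName" -Audit).Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
}

$group = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'   # assumed DN; replace
Add-DirectoryObjectAudit -DistinguishedName $group
Get-DirectoryObjectAudit -DistinguishedName $group | Format-Table -AutoSize
```

Scope the SACL deliberately: WriteProperty on a handful of privileged groups and OUs is cheap, while auditing GenericAll or ReadProperty across the whole domain is what turns Directory Service Access into the "very high" volume row above.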
Object Access policies track attempts to access specific objects on a computer or across the network, such as files, directories, registry keys, and kernel objects. Enable only the subcategories you need, for Success and/or Failure; as with DS Access, the file, registry, and kernel subcategories produce events only for objects that carry a SACL, unless a computer-wide SACL is set through Global Object Access Auditing. Subcategories:
- Application Generated
- Certification Services
- Detailed File Share
- File Share
- File System
- Filtering Platform Connection
- Filtering Platform Packet Drop
- Handle Manipulation
- Kernel Object
- Other Object Access Events
- Registry
- SAM
Policy Change monitors changes to critical security policies on a system or network. Audit Policy Change (event 4719, system audit policy was changed) deserves the closest watch, since switching auditing off is an early step for an intruder covering tracks. Subcategories:
- Audit Policy Change
- Authentication Policy Change
- Authorization Policy Change
- Filtering Platform Policy Change
- MPSSVC Rule-Level Policy Change
- Other Policy Change Events
Privilege Use tracks the use of specific user rights on a system. Sensitive Privilege Use (4673, 4674) covers rights such as SeDebugPrivilege and SeBackupPrivilege and is high volume, because every exercise of the right is logged. Subcategories:
- Non-Sensitive Privilege Use
- Sensitive Privilege Use
- Other Privilege Use Events
Alternative Methods to Get Active Directory Details
Auditing is not the only way to get information about Active Directory objects. When admins only have to track minor changes, a full audit can be overkill, and it takes a long time to complete. Instead, admins can get faster insight into AD health by running an initial assessment with SysTools AD Reporting software.
With it, administrators can figure out which OU is missing users so they can bulk-add users to Active Directory easily.
Thanks to its category filter, admins can also plan a password reset for AD users.
Conclusion
In this write-up, we saw how to reach the Advanced Audit Policy Configuration and what each category of the Active Directory audit checklist covers. We also found why administrators may not always need the complete auditing process, mainly because of its slow and complex procedure, and why it can be better to use an automated tool to generate reports on the objects instead.