Home » Blog » Active Directory » Active Directory Audit Checklist Guide & Best Practices

Active Directory Audit Checklist Guide & Best Practices

author
Published By siddharth
Anuraag Singh
Approved By Anuraag Singh
Published On December 3rd, 2024
Reading Time 8 Minutes Reading
Category Active Directory

Organizations that operate a local Windows Active Directory need to conduct an audit of their AD environment regularly. The best way to approach this task is to prepare an Active Directory audit checklist beforehand. This gives the admin a clear pathway to search through and monitor the activity going on inside the Active directory. Moreover, after a security incident, it is recommended to perform a thorough check of the AD. Once again hinting towards a proper plan.

However, even a template-driven audit is time-consuming. So admins might need a quicker alternative to traditional auditing. Don’t worry, we cover that and much more in this write-up. Let’s first go through the reasons for keeping a checklist for AD audits.

Why Organizations Need Active Directory Audit Checklist

Active Directory in itself is a vast resource management portal. Due to user-level ignorance, an AD slowly degrades from its optimal state. That is why administrators need to perform This process is what admins call an AD audit.

It can be thought of as an in-depth analysis of object logins, password changes, resource sharing, threat protection, and vulnerability scans.

Without a template, it becomes difficult for the administrators to figure out whether or not they are in violation of any compliance.

Check the following instructions and start the audit.

Access the Advanced Audit Policy Configuration in Active Directory Step-by-Step

Step 1. Open Group Policy Management Console (GPMC)”

  • Press the Windows and R keys together to launch the run dialog box.
  • Type “GPMC.msc” in the space in front of “Open”.
  • Click OK or press Enter on your Keyboard.

Run Module

Step 2. Get to the Group Policy Object

  • Expand Forest > Domains > Select Your Domain.
  • Hover your cursor over an existing GPO and right-click. If you don’t want to disturb the existing GPO right-click on the domain name and select the “Create a GPO in this domain, and Link it here….”  option.

Edit Domain

Step 3. Navigate to Advanced Audit Policy Configuration

  • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

Advanced Audit

Inside the AAPC node, you can view several subcategories, each of which is in charge of a specific policy. The options include:

Account Logon, Account Management, Detailed Tracking, DS Access, Logon/Logoff, Object Access, Policy Change, Privilege Use, System, and Global Object Access Auditing. Now let us see what all admins can configure in each subcategory one by one.

Account Logon in Active Directory Audit Checklist

Admins should not confuse it with regular security policies which are more like a classroom that authenticates student IDs. This system on the other hand resembles a security camera located in the central office (the Database) of the school.

This allows it to view the attempts on the database itself and not the endpoint login validation.

Therefore it can alert the admin in case there is a hacking event ( akin to a lockpicking attempt on the central office of the school).

Other than that it checks new account creation activity (which can be compared to a new iID being issued for a student).

Moreover, it also notifies in case of an unauthorized login attempt like using a stolen identity card to access the resources.

Sub Category Default Setting  Used For 
Credential Validation Not-configured Checks user credential
Kerberos Authentication Service Not-configured If regular Kerberos authentication (TGT) requests are required
Kerberos Service Ticket Operations Not-configured If security audits in Kerberos are required

 

Windows AD Audit of Account Management Category

Account management refers to the changes that occur inside Users, Computers, and Group objects. All the subcategories within this have a low Event volume but this does not mean that admin should ignore what happens in such events.

Sub Category Default Setting  Used For 
Audit Application Group Management

Audit Security Group Management

Distribution Group Management

Other than the Security Group rest which has a Sucess setting others  have a Not-configured default position Creation, deletion, and modification of the group. Member addition, Group type change
Computer Account Management Not-configured Tracks change like creation, deletion, and modification in computer objects inside the domain. 
User Account Management Success Unlocks user account activity audits, including creation, changes, deletion, passwords, security identifiers, administrator permissions, and credential management.
Other Account Management Events Not-configured Logs access to password hashes (likely during migration) and calls to the password policy API (potential attack testing). Also tracks domain policy changes related to password complexity and account lockout settings. 

 

Other Audit Categories

Major Category  Sub Category  Event Volume  Default Setting Triggers During
Domain Services Access Detailed Directory Service Replication Upto Very High Not-configured Track data replication information between DCs
Directory Service Access High-ADDS Servers, Zero-Computers Not-configured OS generates audit events on AD DS access.
Directory Service Changes High on DC Zero-Client PC Not-configured If objects inside ADDS are created, Modified, Deleted, Moved, Undeleted
Directory Service Replication Medium-DC Zero-Client PC Not-configured At the beginning and End of Domain Replication.
Logon/Logoff Account Lockout Low Success failed logon attempt in a locked account
IPsec Extended / Main / Quick Mode High Not-configured Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) results in various Modes during negotiation results.
Logoff Low Success Log on session Termination
Logon Low-client, medium-DC Success-PC

Success/Failure-Server

User logon attempt
Network Policy Server NPS Medium to High,

Moderate on Other Hardware

Success/Failure RADIUS (IAS) and Network Access Protection (NAP) activity on requests like Grant, Deny, Discard, Quarantine, Lock, and Unlock made by a user.
Other Login and Logoff Events Low Not-configured Remote desktop sessions, workstation lock/unlock, screen saver activation, replay attacks
Special Logon Low Success Admin equivalent login or checking a specific login inside a group

 

Object Access policies track attempts to access specific objects on a network or computer, like files, directories, and registry keys. Moreover, you can enable subcategories for success/failure events.

  • Application Generated
  • Certification Services
  • Detailed File Share
  • File Share/System
  • Filtering Platform Connection/Packet Drop
  • Handle Manipulation
  • Kernel Object
  • Other Object Access Events
  • Registry
  • SAM

Policy Change monitors changes to critical security policies on a system or network.

  • Audit/Authentication /Authorization Policy Change
  • Filtering Platform Policy Change
  • MPSSVC Rule-Level Policy Change
  • Other Policy Change Events

Privilege Use tracks the use of specific permissions on systems.

  • Non-Sensitive Privilege Use
  • Sensitive Privilege Use
  • Other Privilege Use Events

Alternative Methods to Get Active Directory Details

Auditing is not the only way to get information about the Active Directory object. Moreover, in a situation where admins just have to track minor changes, performing an audit might be overkill. Sometimes it’s better to skip a regular audit as it takes too much time to compete. Instead, admins can get faster insights into AD health if they carry out an initial assessment with SysTools AD Reporting software.

Download Now Purchase Now

With this, administrators can figure out which OU is missing users so they can bulk add users in the Active Directory easily.

Thanks to its smart category filter, admins can plan out a password reset for AD users too.

Conclusion

Here in this writeup, we saw how to enable the default Active Directory audit checklist. Not only that, we also found why sometimes administrators may not need the complete auditing process. This is mainly because of the slow and complex procedure. Therefore, it might be better to use the automated tool and generate reports on the objects instead.

Frequently Asked Questions

How often should we schedule an Active Directory audit?

Security in AD is paramount. An audit allows you to ensure that the standard security practices are being followed and that there are no lapses. However, having too many audits in close proximity may not be ideal as it disrupts regular business operations. So set up a frequency that works best for your organization which should be between monthly and quarterly.

What happens if we don’t follow Active Directory auditing best practices during the program?

Not following the procedures defeats the purpose of conducting an audit, you may miss out on key vulnerabilities like users whose passwords never expire. Therefore, an assessment should be proper and for that, you can refer to the checklist on this

When is the best time to patch up security vulnerabilities inside an AD environment? 

After an incident, or as a preventive measure, every organization has a different viewpoint, so plan according to your own requirements.

Which is the best assistant to perform a quick AD assessment?

That would be the professional Active Directory Reporting tool described in this write-up.

Connect With Us

+9111-28084986