Mikael Grondahl

4 Active Directory Activities You Need to Keep a Closer Eye on

Are you faced with constant pressure to ramp up security, make sure new compliance regulations are being met, and make sure the availability of your systems keeps improving? And to do all this on a tighter budget, with fewer resources?

Here are 4 Active Directory activities that you need to keep a closer eye on; Cygna Auditor for Active Directory will help you do this.

# 1 – Regular activities – “This was expected…”
You probably have some level of predictability when it comes to business automation. For example, you probably have on-boarding routines for new employees: when and how the user accounts are entered into the system, by which account, when they are enabled, and so on.

You pretty much know when it will happen, which account will perform the action, and most likely the source IP addresses the changes will come from.

HR probably even sends you automated emails when they on-board new employees, so that you can confirm that everything is OK.

And if anything outside of the ordinary occurs, you can set up rules and alerts to notify you that something out of the normal is going on.

# 2 – Not very common Active Directory activities – “Things that make me go hmm?”
Regardless of whether it's for security or compliance reasons, or both, when events occur within your systems you need to be able to provide auditors, if asked, with detailed information about the chain of events.

You need to be able to show the auditor who did “what”, “when” and “where”.

For instance, if someone changed the permissions or added a member to a sensitive group, you need to be alerted of the activity, and you need to be able to provide proof of what took place.

Even if there's nothing suspicious going on at all, having the ability to go back and take a closer look at events, making sure that no one has stepped outside the regular routines and processes and that standard procedures were followed, is very important.

# 3 – Forbidden Active Directory activities – “Oh no you didn’t!”
Some events obviously shouldn't happen, especially if the culture and training within the organization are well defined, but sometimes administrators tend to get a little trigger-happy and do more than is asked of them.

We’ve all seen it, the administrator that knows it all, just got his new certification, and now holds the keys to the kingdom.

We always need to have the answers to questions such as:

  • Who changed the membership of the Schema Administrators group?
  • Who set a password to never expire?
  • Who created trust relationships, or added a new domain?

# 4 – Irregular Active Directory activities, and by unexpected users – “That’s not normal?”, “You shouldn’t be able to do that!”
A lot of organizations operate 24/7 – 365, but how do we differentiate normal activity from abnormal? Can you tell when activities are going on that are outside of the normal pattern?

What if an account is trying to log in from two different regions simultaneously, in two different time zones? Would you know?

What if an unusual number of unsuccessful login attempts results in several accounts being locked? Would you get an alert?

What do you do when someone has been granted access privileges that are not part of their job description? How do you catch those accounts?

For instance, someone makes changes to a Group Policy Object, or someone creates a new user account and gives that account admin privileges before leaving the company, creating a backdoor into the system.
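To make the questions in sections 3 and 4 concrete, here is an added example (not part of the original post and not Cygna Auditor code) of the kind of detection rules an auditing tool applies: it runs over a handful of constructed records modelled on Windows Security event IDs 4756 (member added to a universal group), 4740 (account locked out) and 4624 (successful logon), and flags sensitive-group changes, a burst of lockouts from one source, and one account logging on from two regions within minutes. The field names and the sample events are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields are simplified
# versions of what the Windows Security log carries for these event IDs.
EVENTS = [
    {"id": 4756, "time": "2024-03-01T02:14:00", "actor": "jdoe",
     "group": "Schema Admins", "member": "svc-backup"},
    {"id": 4740, "time": "2024-03-01T02:20:00", "target": "alice", "source": "10.0.0.5"},
    {"id": 4740, "time": "2024-03-01T02:20:30", "target": "bob", "source": "10.0.0.5"},
    {"id": 4740, "time": "2024-03-01T02:21:00", "target": "carol", "source": "10.0.0.5"},
    {"id": 4624, "time": "2024-03-01T09:00:00", "actor": "eve", "region": "eu-west"},
    {"id": 4624, "time": "2024-03-01T09:05:00", "actor": "eve", "region": "us-east"},
    {"id": 4624, "time": "2024-03-01T09:10:00", "actor": "jdoe", "region": "eu-west"},
]

# Groups whose membership changes should always raise an alert.
SENSITIVE_GROUPS = {"Schema Admins", "Domain Admins", "Enterprise Admins"}


def detect(events, lockout_threshold=3, lockout_window=timedelta(minutes=5),
           travel_window=timedelta(minutes=30)):
    """Return a list of (rule, detail) alerts for the given event stream."""
    alerts = []
    lockouts = defaultdict(list)   # source address -> recent lockout times
    last_logon = {}                # account -> (time, region) of last logon
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] in (4728, 4756) and ev["group"] in SENSITIVE_GROUPS:
            alerts.append(("sensitive-group-change",
                           f'{ev["actor"]} added {ev["member"]} to {ev["group"]}'))
        elif ev["id"] == 4740:
            # Keep only lockouts from this source inside the sliding window.
            recent = [x for x in lockouts[ev["source"]] if t - x <= lockout_window]
            recent.append(t)
            lockouts[ev["source"]] = recent
            if len(recent) == lockout_threshold:   # fire once per burst
                alerts.append(("lockout-burst",
                               f'{len(recent)} lockouts from {ev["source"]}'))
        elif ev["id"] == 4624:
            prev = last_logon.get(ev["actor"])
            if prev and prev[1] != ev["region"] and t - prev[0] <= travel_window:
                alerts.append(("impossible-travel",
                               f'{ev["actor"]} logged on from {prev[1]} then {ev["region"]}'))
            last_logon[ev["actor"]] = (t, ev["region"])
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, "-", detail)
```

A real deployment would read these fields from the Security log of each domain controller and tune the thresholds and windows to the organization's normal pattern.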

# Auditing Active Directory with Cygna Auditor

Active Directory is your most critical piece of security infrastructure. Cygna Auditor for Active Directory tracks all activity across the service, allowing you to detect, alert, and roll back unauthorized changes caused by insider activities or external attacks.