Wednesday, June 17, 2015

Querying Event Logs using XML

I have been working for a little while on creating tools that let an administrator manage Active Directory according to Least Privilege principles and secure AD access.

Specifically, here I will be talking about configuring monitoring and alerts for suspicious behavior in the administration of Active Directory.

The first activity to monitor and alert on is a logon by a member of the Microsoft Privileged Groups. It is assumed that you have read and are following the Microsoft best practice of normally having ZERO members in the Privileged Groups (Domain Admins, Enterprise Admins, etc.). Membership in these groups is only granted temporarily in order to perform a specific task. The intruder attack surface of your AD is minimized by reducing the time during which this elevation of privileges exists.

But what about abuse of privilege, or unauthorized role elevation?

By monitoring and alerting on every logon and logoff, on any computer, by anyone with this group membership, you are able to track the activities of the role and to detect unauthorized access.

Here is how it is done.

(See http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx for background on these instructions.)
  • Configure a GPO that creates a Registry entry for "SpecialGroups".
    1. First, document all of the SIDs for the groups that you wish to monitor.
      1. In PowerShell, import the Active Directory module (Import-Module ActiveDirectory).
      2. For each group in scope, run Get-ADGroup -Identity "Domain Admins", etc.
      3. Note the SID of that group.
    2. Create a GPO to distribute the Special Groups Registry key.
      1. GPMC -> Edit GPO -> Computer Configuration -> Preferences -> Windows Settings -> Registry
      2. Create a new Registry entry:
         Key Path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit
         Value Name: SpecialGroups
         Value Type: REG_SZ
         Value Data: S-1-5-21-3496112146-2253716704-1307938399-512;S-1-5-21-3496112146-2253716704-1307938399-519;S-1-5-32-544
         (Note: use the SIDs that you documented in step 1, separated by ";".)
    3. Apply the GPO to all computers that you want to monitor for "SpecialGroups" logons.
    4. The final step is to set up monitoring of Event ID 4964. (I will add a PowerShell script to run for this purpose... Stay tuned.)
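The following PowerShell is an added example, not the post's own script: it covers step 1 (resolving the group SIDs into the ";"-separated SpecialGroups value) and step 4 (pulling Event ID 4964 from the Security log with an XML filter). The group names in $groupsInScope and the 4964 field names TargetUserName, TargetDomainName, TargetLogonId and SidList are assumptions; adjust them to what Event Viewer shows on your domain.

```powershell
# Added example (not the post's script). Run on a domain-joined machine with RSAT installed.
Import-Module ActiveDirectory

# Step 1: resolve the SIDs of the groups in scope and build the REG_SZ value for the GPO.
# Group names are assumptions; substitute your own list.
$groupsInScope = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$sids = foreach ($g in $groupsInScope) { (Get-ADGroup -Identity $g).SID.Value }
$specialGroupsValue = $sids -join ';'
"SpecialGroups value to push via GPO: $specialGroupsValue"

# Step 4: XML filter for Event ID 4964 ("special groups assigned to a new logon")
# raised in the last 24 hours (timediff is in milliseconds: 86400000 = 24h).
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4964) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent throws when nothing matches, so suppress that and treat it as "no events".
$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Convert the event to XML and flatten its <Data Name="..."> elements into a hashtable,
    # so the script does not hard-code the position of each field.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names below are assumed for 4964; check an actual event if yours differ.
    [pscustomobject]@{
        Time     = $ev.TimeCreated
        Computer = $xml.Event.System.Computer
        User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonId  = $data['TargetLogonId']
        Sids     = $data['SidList']
    }
}
```

The same $filterXml can be pasted into an Event Viewer custom view or a scheduled-task event trigger, which is where an alert on each 4964 would normally be wired up.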