January 2006

Windows 2003 Security Log Account Management

Use Account Management to audit user and group maintenance activity

Monitoring Group Maintenance
Two characteristics distinguish domain groups in AD: type and scope. Type determines whether a group is a distribution group or a security group. Distribution groups exist for the benefit of Exchange 2000 Server and later and have no security function: you won't find them in ACLs or in any other security-related setting. Security groups are what appear in file permissions and other security settings; a mail-enabled security group can also double as a distribution list in Exchange.

Scope determines how broadly a group can be used on the network and which other groups it can be added to as a member. Universal groups can be granted access to objects on any computer in the AD forest and can contain users, global groups, and universal groups from anywhere in the forest. Global groups can be granted access to resources anywhere in the forest but can contain only users and global groups from the group's own domain. Domain local groups can contain users and groups from anywhere in the forest but can be granted access only to resources within their own domain.

Windows 2003 logs a distinct event ID for each combination of type, scope, and operation (create, change, delete, add member, remove member). Group creation, change, and deletion events simply state the group's name and show who performed the operation. Membership additions and removals record the group, the member that was added or removed, and the user who made the change.

Practical Tips and Recommendations
What are the important user- and group-related events to watch for? Of all the events that Table 1 lists, I'd be most interested in user account changes (event ID 642) and member additions to security groups (event IDs 632, 636, and 660), with new user accounts (event ID 624) a close runner-up. If your security is compromised, accidentally or maliciously, one of these five events will often tip you off: attackers usually either create new accounts for themselves or enable or otherwise compromise existing accounts. And because the usual way to grant access to a resource is through group permissions, watching for new members added to groups is a key way to monitor the access control changes that matter for compliance with most information security-related legislation.

I recommend that you enable account management auditing (the Audit account management policy setting) on all the computers in your domain, not just the DCs. What should you monitor and report on? If you use scripts or an Independent Software Vendor's (ISV's) application for event log monitoring, you can configure them to produce periodic reports and send you near-real-time alerts. Save real-time alerts for high-priority events that occur infrequently and can indicate a breach. Use daily, weekly, or monthly reports for more common, less suspicious events. If possible, perform a weekly or monthly review of the new user accounts and group membership changes logged on your DCs. For daily reports or real-time alerts, consider watching for accounts being enabled (event ID 626) and membership additions to highly privileged groups such as Administrators, Domain Admins, Account Operators, Backup Operators, Server Operators, Power Users, and other important groups specific to your network. If your company is small, with little turnover, you can afford to review new user account creations daily rather than in a less frequent report.

If you can, also monitor new user accounts and group membership changes on your member servers. If you follow best practice and refrain from using local users and groups, activity in a member server's local SAM should be minimal, so a new local user account or a local group membership change is something you should know about as soon as it happens.
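The monitoring plan in the preceding paragraphs (alert at once on enabled accounts and on additions to privileged groups, report periodically on the rest, and treat any local SAM change on a member server as noteworthy) reduces to a small classifier. The following is an added example, not code from the article or from any monitoring product it mentions. It works on already-parsed events; the field names mirror the Windows 2003 event descriptions (Caller User Name, Target Account Name, Member Name), and the sample batch, computer names, and account names are constructed for the example.

```python
"""Triage Windows Server 2003 Account Management events into near-real-time
alerts and periodic-report rows, following the monitoring plan in the text.
The sample events below are constructed; only the event IDs are real."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows 2000/2003 Security log event IDs named in the article.
USER_CREATED = 624
USER_ENABLED = 626
USER_CHANGED = 642
MEMBER_ADDED = {632: "global", 636: "local", 660: "universal"}  # security-enabled groups

# Built-in groups the article singles out; extend with groups specific to your network.
PRIVILEGED_GROUPS = {
    "administrators", "domain admins", "account operators",
    "backup operators", "server operators", "power users",
}


@dataclass(frozen=True)
class AccountEvent:
    event_id: int
    computer: str                  # machine whose Security log recorded the event
    is_dc: bool                    # True when the log came from a domain controller
    caller: str                    # "Caller User Name" in the event description
    target: str                    # "Target Account Name": the user or group acted on
    member: Optional[str] = None   # "Member Name" for 632/636/660


def classify(ev: AccountEvent, small_company: bool = False) -> Optional[str]:
    """Return 'alert' for events that warrant a real-time page, 'report' for
    events to review in a daily/weekly/monthly report, None for anything else."""
    if ev.event_id == USER_ENABLED:
        return "alert"            # accounts being enabled: rare and high priority
    if ev.event_id in MEMBER_ADDED:
        if ev.target.lower() in PRIVILEGED_GROUPS:
            return "alert"        # addition to Administrators, Domain Admins, ...
        if not ev.is_dc:
            return "alert"        # local SAM group change on a member server
        return "report"           # ordinary group grant: review it periodically
    if ev.event_id == USER_CREATED:
        if not ev.is_dc or small_company:
            return "alert"        # new local account, or a shop small enough to watch daily
        return "report"
    if ev.event_id == USER_CHANGED:
        return "report"
    return None


def describe(ev: AccountEvent) -> str:
    """One-line summary suitable for an alert e-mail or a report row."""
    if ev.event_id in MEMBER_ADDED:
        return (f"{ev.event_id} on {ev.computer}: {ev.caller} added {ev.member} "
                f"to {MEMBER_ADDED[ev.event_id]} group {ev.target}")
    action = {USER_CREATED: "created", USER_ENABLED: "enabled",
              USER_CHANGED: "changed"}[ev.event_id]
    return f"{ev.event_id} on {ev.computer}: {ev.caller} {action} account {ev.target}"


def triage(events: List[AccountEvent], small_company: bool = False) -> Dict[str, List[str]]:
    """Split a batch of events into alert lines and report lines."""
    out: Dict[str, List[str]] = {"alert": [], "report": []}
    for ev in events:
        bucket = classify(ev, small_company)
        if bucket:
            out[bucket].append(describe(ev))
    return out


# Constructed sample batch: one DC's log plus a member server's local SAM activity.
SAMPLE_EVENTS = [
    AccountEvent(624, "DC1", True, "hdesk01", "jsmith"),
    AccountEvent(642, "DC1", True, "hdesk01", "jsmith"),
    AccountEvent(632, "DC1", True, "hdesk01", "Sales", member="CORP\\jsmith"),
    AccountEvent(632, "DC1", True, "admin7", "Domain Admins", member="CORP\\svc-backup"),
    AccountEvent(626, "DC1", True, "admin7", "oldcontractor"),
    AccountEvent(636, "FILESRV2", False, "FILESRV2\\Administrator", "Administrators",
                 member="FILESRV2\\tmpuser"),
    AccountEvent(624, "FILESRV2", False, "FILESRV2\\Administrator", "tmpuser"),
    AccountEvent(644, "DC1", True, "-", "jsmith"),   # account lockout: not triaged here
]

if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_EVENTS).items():
        print(f"== {bucket} ({len(lines)}) ==")
        for line in lines:
            print("  " + line)
```

Feed it whatever your collector pulls from the DCs and member servers, and append your own sensitive groups to PRIVILEGED_GROUPS. The IDs are the Windows 2000/2003 numbering; on Windows Vista and Server 2008 and later the same events carry IDs offset by 4096 (624 becomes 4720, 626 becomes 4722, 632 becomes 4728, 636 becomes 4732, 642 becomes 4738, 660 becomes 4756).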

If your company has a Help desk that handles routine tasks such as forgotten-password resets, make sure your systems audit those events (an administrative password reset appears in the Windows 2003 Security log as event ID 628, User Account Password Set), then spot-check them frequently when you verify Security log events against the supporting documentation. Make sure your Help desk staff knows that such reviews take place; knowing that someone checks is an effective deterrent against a staff member abusing reset authority.

Connecting the Dots
Account Management events let you connect the changes made to users and groups to your company's official written record, which is important for compliance and is a simple best practice. You should be able to tie user account creations and grants of access through group membership additions to a corresponding record that justifies the change and documents the appropriate manager's approval. The recording mechanism might be your Help desk program or, if your company is small, an email message from a manager requesting a user account for a new hire. One small company I know that doesn't have a formal Help desk application for recording all support and administrative requests created a Windows SharePoint discussion board called Account and Access Control Requests. The systems administrator requires all such requests to be approved by the appropriate manager in the discussion board. If the request comes to the admin directly through a phone call or email message, he simply initiates a discussion on the board. All the company's managers are on the alert list for the board and consequently get an email message with a link to the new request. The appropriate manager has only to follow the link and respond with "I approve."
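Tying each logged change to an approval record, as described above and in the Help desk spot-check recommendation before it, is a reconciliation job that scripts well. This is an added example, not the article's own or any product's code. The approval-record layout (who approved what, and when) is an assumption standing in for an export from a Help desk application or a SharePoint list, and both the events and the approvals below are constructed for the example.

```python
"""Reconcile Windows 2003 Account Management events against the written
approval record and list the changes that nobody approved in time.
All events and approvals below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Windows 2003 Security log event IDs that create or grant access.
USER_CREATED = 624
PASSWORD_RESET = 628             # "User Account Password Set": an admin/Help desk reset
MEMBER_ADDED = {632, 636, 660}   # security-enabled global/local/universal group


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    event_id: int
    caller: str                    # Caller User Name
    target: str                    # user created/reset, or group gaining a member
    member: Optional[str] = None   # Member Name for 632/636/660


@dataclass(frozen=True)
class Approval:                    # assumed layout of one approval record
    approved_at: datetime
    approver: str
    kind: str                      # "new_user", "group_add", or "password_reset"
    target: str
    member: Optional[str] = None


def event_kind(ev: AccountEvent) -> Optional[str]:
    """Map an event ID onto the kind of request that should justify it."""
    if ev.event_id == USER_CREATED:
        return "new_user"
    if ev.event_id == PASSWORD_RESET:
        return "password_reset"
    if ev.event_id in MEMBER_ADDED:
        return "group_add"
    return None


def _norm(name: Optional[str]) -> Optional[str]:
    """Compare names case-insensitively and without a DOMAIN\\ prefix."""
    return name.rsplit("\\", 1)[-1].lower() if name else None


def find_approval(ev: AccountEvent, approvals: List[Approval],
                  window: timedelta = timedelta(days=7)) -> Optional[Approval]:
    """Return the approval that justifies ev: same kind, same target and member,
    approved no more than `window` before the event and not after it."""
    kind = event_kind(ev)
    for ap in approvals:
        if ap.kind != kind:
            continue
        if _norm(ap.target) != _norm(ev.target) or _norm(ap.member) != _norm(ev.member):
            continue
        if ev.when - window <= ap.approved_at <= ev.when:
            return ap
    return None


def unapproved_changes(events: List[AccountEvent], approvals: List[Approval],
                       window: timedelta = timedelta(days=7)) -> List[AccountEvent]:
    """Events of interest with no matching approval: the list to investigate."""
    return [ev for ev in events
            if event_kind(ev) is not None and find_approval(ev, approvals, window) is None]


T = datetime(2006, 1, 9, 9, 0)   # constructed reference time
APPROVALS = [
    Approval(T - timedelta(days=1), "mgr.lee", "new_user", "jsmith"),
    Approval(T - timedelta(days=1), "mgr.lee", "group_add", "Sales", member="jsmith"),
    Approval(T - timedelta(hours=2), "hdesk.lead", "password_reset", "bwong"),
    # Approval filed a day after the change was made: does not count.
    Approval(T + timedelta(days=1), "mgr.lee", "group_add", "Domain Admins", member="svc-backup"),
]
EVENTS = [
    AccountEvent(T, 624, "hdesk01", "jsmith"),
    AccountEvent(T + timedelta(minutes=1), 632, "hdesk01", "Sales", member="CORP\\jsmith"),
    AccountEvent(T + timedelta(minutes=5), 628, "hdesk01", "bwong"),
    AccountEvent(T + timedelta(minutes=10), 628, "hdesk01", "ceo"),      # reset nobody requested
    AccountEvent(T + timedelta(minutes=20), 632, "admin7", "Domain Admins", member="CORP\\svc-backup"),
    AccountEvent(T + timedelta(minutes=30), 642, "hdesk01", "jsmith"),   # change: not reconciled here
]

if __name__ == "__main__":
    for ev in unapproved_changes(EVENTS, APPROVALS):
        print(f"UNAPPROVED {ev.when:%Y-%m-%d %H:%M} {ev.event_id} by {ev.caller}: "
              f"{ev.target}" + (f" <- {ev.member}" if ev.member else ""))
```

The window keeps a stale approval from covering a change made months later, and the "not after the event" rule catches approvals written up after the fact, which the text's manager-approves-first process is meant to prevent.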

Randy Franklin Smith (rsmith@ultimatewindowssecurity.com) is a contributing editor for Windows IT Pro, an information security consultant, and CEO of Monterey Technology Group. He teaches Monterey Technology Group's Ultimate Windows Security course series and is an SSCP, a CISA, and a Security MVP.

[Author's Note: This article series is based on Monterey Technology Group's "Security Log Secrets" course.]
