Monitoring Group Maintenance
Two characteristics distinguish domain groups in AD: type and scope. Type determines whether a group is a distribution or a security group. Scope determines how the group can be used. Distribution groups exist for the benefit of Exchange Server 2000 and later and have no security-related function: You won't find distribution groups in ACLs or any other security-related settings. Security groups are used in file permissions and other security-related settings; mail-enabled security groups can also be used as distribution groups in Exchange. A group's scope determines how broadly the group can be used on the network and limits the number of other groups to which the group can be added as a member. Universal groups can be granted access to objects on any computer in the AD forest and can include users and global or universal groups from anywhere in the forest as members. Global groups can be granted access to resources anywhere in the forest but can include as members only users and global groups from the group's own domain. Domain local groups can include users and groups from anywhere in the forest as members but can be granted access only to resources within their own domain. Windows logs distinct event IDs for each combination of type, scope, and operation. Group creations, changes, and deletions simply state the name of the group and show who executed the operation. Group membership additions and deletions specify the group itself, the new or deleted member, and the user who executed the membership change.
Practical Tips and Recommendations
What are the important user-and group-related events to watch for? Of all the events that Table 1 lists, I'd be most interested in user account changes (event ID 642) and member additions to security groups (event IDs 636, 632, and 660), with new user accounts (event ID 624) a close runner-up. If your security is compromised either accidentally or maliciously, one of these five events will often tip you off to the problem: Attackers usually either create new accounts for themselves or enable or otherwise compromise existing accounts. And because the usual way to grant access to a resource is through group permissions, monitoring new users that are added to a group is a key way to monitor the access control changes that are important to compliance with most information security?related legislation.
I recommend that you enable account management auditing on all the computers in your domain. What should you monitor and report on? If you use scripts or an Independent Software Vendor's (ISV's) application for event log monitoring, you can configure them to produce periodic reports and send you near real-time alerts. Save real-time alerts for high-priority events that occur infrequently and can indicate some type of breach. Use daily, weekly, or monthly reports for more common, less suspicious events. If possible, perform a weekly or monthly review of new user accounts and group membership changes logged on your DCs. For daily reports or real-time alerts, consider watching for accounts being enabled (event ID 626) and membership additions to specific, highly privileged accounts such as Administrators, Domain Admins, Account Operators, Backup Operators, Server Operators, Power Users, and other important groups specific to your network. If your company is small, with little turnover, you can afford to monitor daily for new user account creations, rather than review a report of them less frequently.
If you can, monitor for new user accounts and group membership changes on your member servers. If you follow best practice and refrain from using local users and groups, activity on the local SAM should be minimal. If the system does detect a new local user account or local group membership change, you should know about it.
If your company has a Help desk that handles routine tasks such as forgotten password resets, make sure your systems are configured to audit such events, then spot-check them frequently when you verify Security log events against the supporting documentation. Make sure your Help desk staff knows that such reviews take place. This process is an effective deterrent against any dishonest staff members exploiting their authority for dishonest purposes.
Connecting the Dots
Account Management events let you connect the changes made to users and groups to your company's official written record, which is important for compliance and is a simple best practice. You should be able to tie user account creations and grants of access through group membership additions to a corresponding record that justifies the change and documents the appropriate manager's approval. The recording mechanism might be your Help desk program or, if your company is small, an email message from a manager requesting a user account for a new hire. One small company I know that doesn't have a formal Help desk application for recording all support and administrative requests created a Windows SharePoint discussion board called Account and Access Control Requests. The systems administrator requires all such requests to be approved by the appropriate manager in the discussion board. If the request comes to the admin directly through a phone call or email message, he simply initiates a discussion on the board. All the company's managers are on the alert list for the board and consequently get an email message with a link to the new request. The appropriate manager has only to follow the link and respond with "I approve."
Randy Franklin Smith (rsmith@ultimatewindowssecurity.com) is a contributing editor for Windows IT Pro, an information security consultant, and CEO of Monterey Technology Group. He teaches Monterey Technology Group's Ultimate Windows Security course series and is an SSCP, a CISA, and a Security MVP.
[Author's Note: This article series is based on Monterey Technology Group's "Security Log Secrets" course.]
You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor?
Register now
An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...
Let Your Users Reset Their Own Passwords: Free Download Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.
Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!
Deep Dive into VMware vSphere, eLearning Series Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
)
Register
htckav March 12, 2008 (Article Rating: