Not all AD auditing tools audit all of AD
Active Directory (AD) is a crucial component of just about any Windows-based IT infrastructure, and keeping tabs on who modified AD records, when they were changed, and why they were changed can be a full-time job. Throw in some additional requirements—such as the need to be in compliance with federal and state governance guidelines, from the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act (HIPAA)—and you have the makings of a headache-inducing task for many IT pros. But help is on the way.
Windows Server 2008 AD Improvements
Microsoft listened to IT pro complaints about AD auditing and implemented several new features in Windows Server 2008 to ease the pain. “Windows 2008 brings various benefits to the table with respect to event management, including a completely changed event-log storage model,” says Guido Grillenmeier, a Microsoft Directory Services MVP and a master technologist with HP’s Advanced Technology Group. “It also includes improved native AD auditing, as it allows more granular and more complete auditing of AD changes. For example, it can record the old value and new value of an attribute that was changed.”
Server 2008 breaks auditing into four categories: Access, Changes, Replication, and Detailed Replication. The Changes category improves upon the way AD changes were handled in Windows Server 2003 and Windows 2000, logging deltas of attribute changes, detailing new object creation and movement, and offering a create-event feature that’s triggered when objects are moved to different domains.
Choosing an AD Auditing Solution
Regardless of whether you’re running Server 2008, Windows 2003, or Win2K, an off-the-shelf AD auditing product can help minimize the workload. Determining what level of AD auditing your organization needs is important . Grillenmeier cautions against looking for a silver-bullet solution to AD auditing requirements. “For example, proxy-management solutions … such as AD Self-Service Suite and Ensim Unify … are nice tools to delegate specific management tasks to non-admin users and audit the changes they do to AD with the tool. However, these tools only audit what’s changed by them and can’t audit native changes in AD; they can never create a complete auditing trail.”
Grillenmeier contrasts those AD proxy-management auditing tools with AD auditing tools that gather security and auditing events from event logs on domain controllers (DCs)—such as Microsoft System Center Operations Manager or HP OpenView—and AD auditing tools that combine native event logs with AD data gathered by agents, such as Quest InTrust and Quest ChangeAuditor (formerly NetPro ChangeAuditor).
“Event-log–based \[auditing\] may be sufficient for many customers that need to meet specific compliancy requirements,” says Grillenmeier. “It’s mainly a matter of correctly setting up auditing in the directory itself, so that the changes are correctly logged in the event logs. Note that if proxy-management tools are used, you still have to combine the native event data with the data of the proxy tools to figure out which person actually performed a change in AD, since for changes done by the proxy tool the native event logs will only see the service account as the owner of the change.” Grillenmeier says that only products that combine event-log auditing with separate agents that gather AD data are capable of auditing all AD changes.
Tom Crane, a product manager for InTrust at Quest Software, says that the most useful products offer the ability to capture AD change information not provided by the version of Windows Server you’re using. “Some AD change information doesn’t appear in the event log. For example, some changes are consolidated down into a single event message, and that single event may contain multiple changes. Having a tool that is able to provide that information will help reduce time spent in troubleshooting AD auditing problems.”
Don’t Forget the Data
One important yet overlooked aspect of AD auditing is the massive amount of data the auditing process can generate. “For enterprise-scale customers, this easily amounts to many gigabytes per day of auditing data,” Grillenmeier says. “Tools that \[have the capability\] to efficiently store the auditing data in a compressed format and \[automatically clean up that data over time\] are a critical factor for large companies.” You’ll do well to consider your organization’s auditing needs, the number of AD changes it makes, and how granular those changes are. And you’d be well advised to pay attention to the security, backup, and disaster recovery of AD auditing data, just as you would for other types of data.