TRANSCRIPT
Fortress that stands still: Tips and Tricks to Know if Your Active Directory Auditing Tools Are Even Working
@paulacqure
@CQUREAcademyCONSULTING
Krzysztof Pietrzak, CQURE: Infrastructure & Security Expert; CQURE Academy: Trainer
Mike Jankowski-Lorek, CQURE: Cloud Solutions & Machine Learning Expert; CQURE Academy: Trainer
What does CQURE Team do?
Consulting services
High quality penetration tests with useful reports
Applications
Websites
External services (edge)
Internal services
+ configuration reviews
Incident response emergency services – immediate reaction!
Security architecture and design advisory
Forensics investigation
Security awareness
For management and employees
Trainings
Security Awareness trainings for executives
CQURE Academy: over 40 advanced security trainings for IT Teams
Certificates and exams
Delivered all around the world only by the CQURE Team: the training authors
Agenda
Auditing Active Directory
You must enable auditing in a domain-level GPO, with "no override" set, to ensure every system in your domain is tracking important events.
For domain members you should audit failed logons, successful and failed account management, and policy change.
For directory servers you should monitor critical directory object changes.
Use the same GPO to boost the Security log size, because with the increased auditing you'll need it (but don't overdo this).
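The slide tells you what to switch on; the question in the webinar title is whether it actually took effect. The following is an added self-check script, not from the CQURE deck, that reads the effective audit policy with auditpol, checks the Security log capacity, and counts the corresponding events over the last day. The expected subcategory settings are an assumption chosen to mirror the slide, not an official baseline; run it elevated on a member server and on a domain controller and compare.

```powershell
# Added example (not from the webinar): does the auditing this slide asks for
# actually work on this host? Run in an elevated PowerShell session.
# Expected settings are an assumption derived from the slide text above.
$expected = @{
    'Logon'                     = 'Failure'             # failed logons
    'User Account Management'   = 'Success and Failure' # account management
    'Security Group Management' = 'Success and Failure' # account management
    'Audit Policy Change'       = 'Success and Failure' # policy change
    'Directory Service Changes' = 'Success'             # directory object changes (DCs only)
}

# auditpol /r emits CSV with a 'Subcategory' and an 'Inclusion Setting' column,
# which is the EFFECTIVE policy after GPO processing, not what the GPO says.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($name in $expected.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
    # 'Success and Failure' satisfies any narrower expectation
    $ok = ($actual -eq $expected[$name]) -or ($actual -eq 'Success and Failure')
    '{0,-4} {1,-28} effective={2}' -f ($(if ($ok) { 'OK' } else { 'FAIL' }), $name, $actual)
}

# Security log capacity: the slide says to boost it in the same GPO.
$log = Get-WinEvent -ListLog Security
'Security log: {0:N0} MB used of {1:N0} MB max, mode={2}' -f `
    ($log.FileSize / 1MB), ($log.MaximumSizeInBytes / 1MB), $log.LogMode

# Are the events actually arriving? Zero 4625s on a busy member server, or zero
# 5136s on a DC where changes are being made, means the policy is not working.
$ids   = @{ 4625 = 'failed logon'; 4720 = 'user account created'
            4719 = 'audit policy changed'; 5136 = 'directory object modified' }
$since = (Get-Date).AddHours(-24)
foreach ($id in $ids.Keys) {
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue
    $n = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $since } `
            -ErrorAction SilentlyContinue | Measure-Object).Count
    '{0,6} x {1} ({2}) in last 24h' -f $n, $id, $ids[$id]
}
```

On a member server 'Directory Service Changes' will report FAIL; that line only matters on domain controllers.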
Active Directory Dynamic Objects
What is the most successful path for the attack right now?
THE ANATOMY OF AN ATTACK
Healthy Computer
User Receives Email
User Lured to Malicious Site
Device Infected with Malware
HelpDesk Logs into Device
Identity Stolen, Attacker Has Increased Privs
Chasing the obvious: NTDS.DIT, SAM
The above means:
To read the clear-text password you need to struggle!
To perform an analysis of NTDS.DIT, the following information sources are needed from the domain controller:
NTDS.DIT
Registry hives (at least the SYSTEM hive)
SAM and ntds.dit are stored locally on the server's drive
They do not contain clear-text passwords
Auditing Active Directory is not enough!
Summary
Start monitoring your AD professionally
Know who has changed what, and when
If you detect a successful attack:
Report the issue
Investigate, or do a penetration test / AD audit
Perform regular AD health checks
Database changes, permissions on top-level objects: this is where we make obvious mistakes
PowerBroker Auditing & Security Suite
Real-time Change Auditing and Recovery for AD and Windows environments
PowerBroker Auditing & Security Suite
Centralized real-time change auditing of Active Directory, File Systems, Exchange, SQL and NetApp
Entitlement reporting for AD and File Systems
Continuous backup and recovery for AD
How does it work?
Demonstration
Quick Poll + Q&A
Thank you for attending today's webinar.