Running security audits against client Active Directory domains can be pretty daunting. There is a lot to look at, and going through it thoroughly takes a long time. There are, however, several tools available that simplify the process.
I started testing Ping Castle on my own Active Directory (mostly a lab environment) and scored far worse than I expected. Ping Castle is like golf: the lower the score, the better. Findings are scored in four categories (stale objects, privileged accounts, trusts and anomalies), each out of 100, and the overall score is the worst of the four, capped at 100. I scored 92/100. Abysmal.
Ping Castle shines in that it backs up all of its findings (which are extensive) with documentation on best practices, knowledge base articles on the subject, and recommendations. One of those findings was the lack of proper auditing configured on my AD domain. The following list is what is recommended. The finding references adsecurity.org, but I could not find the exact settings there. After more searching I eventually found them on another site, and re-running the analysis confirms my settings are now correct.
Here are those settings for future reference:
Default Domain Controllers Policy
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
Audit account logon events: Failure
Audit account management: Success & Failure
Audit directory service access: Failure
Audit logon events: Failure
Audit policy change: Success & Failure
Audit privilege use: Success & Failure
Audit system events: Success & Failure
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies
Once any of these subcategory settings are applied, they take precedence over the legacy category settings above. To avoid conflicts, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" under Local Policies\Security Options.
Account Logon
Audit Credential Validation: Success & Failure
Audit Kerberos Authentication Service: Success & Failure
Audit Kerberos Service Ticket Operations: Success & Failure
Account Management
Audit Computer Account Management: Success & Failure
Audit Other Account Management Events: Success & Failure
Audit Security Group Management: Success & Failure
Audit User Account Management: Success & Failure
Detailed Tracking
Audit DPAPI Activity: Success & Failure
Audit Process Creation: Success & Failure
DS Access
Audit Directory Service Access: Success & Failure
Audit Directory Service Changes: Success & Failure
Logon/Logoff
Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success & Failure
Audit Special Logon: Success & Failure
Policy Change
Audit Audit Policy Change: Success & Failure
Audit Authentication Policy Change: Success & Failure
System
Audit IPsec Driver: Success & Failure
Audit Other System Events: Success & Failure
Audit Security State Change: Success & Failure
Audit Security System Extension: Success & Failure
Audit System Integrity: Success & Failure
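Setting the GPO is only half the job; the effective policy on the domain controller is what actually decides which events get logged. The following PowerShell script is an added example (it is not from the original post and not Ping Castle's code) that reads the effective subcategory policy with auditpol.exe and compares it with the recommended list above. The subcategory names and the inclusion-setting strings ("Success and Failure", "Success", "Failure", "No Auditing") are the ones auditpol itself uses. The -Apply switch is my own addition for local testing: it writes each subcategory with auditpol /set, but a GPO applied to the machine will overwrite local auditpol settings on the next policy refresh, so for a domain-joined host treat it as a quick experiment and keep the GPO as the source of truth.

```powershell
# Added example: compare the effective audit policy on this host with the
# recommended Advanced Audit Policy subcategories listed above.
# Run from an elevated prompt; auditpol.exe needs administrator rights.
# -Apply (assumption, added for testing) sets each subcategory locally first.
param([switch]$Apply)

# Recommended settings, keyed by the subcategory name auditpol.exe expects.
# Values are the "Inclusion Setting" strings auditpol reports.
$Recommended = [ordered]@{
    # Account Logon
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    # Account Management
    'Computer Account Management'        = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    # Detailed Tracking
    'DPAPI Activity'                     = 'Success and Failure'
    'Process Creation'                   = 'Success and Failure'
    # DS Access
    'Directory Service Access'           = 'Success and Failure'
    'Directory Service Changes'          = 'Success and Failure'
    # Logon/Logoff
    'Account Lockout'                    = 'Success'
    'Logoff'                             = 'Success'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    # Policy Change
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    # System
    'IPsec Driver'                       = 'Success and Failure'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

function Get-EffectiveAuditSetting {
    param([string]$Subcategory)
    # auditpol /r emits CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $row = auditpol.exe /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return [string]$row.'Inclusion Setting'
}

function Set-AuditSetting {
    param([string]$Subcategory, [string]$Setting)
    # Translate the inclusion-setting string into auditpol's enable/disable flags.
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol.exe /set /subcategory:"$Subcategory" /success:$success /failure:$failure | Out-Null
}

$mismatches = 0
foreach ($entry in $Recommended.GetEnumerator()) {
    if ($Apply) { Set-AuditSetting -Subcategory $entry.Key -Setting $entry.Value }
    $actual = Get-EffectiveAuditSetting -Subcategory $entry.Key
    if ($actual -ne $entry.Value) {
        $mismatches++
        Write-Host ("MISMATCH {0,-35} expected '{1}', effective '{2}'" -f $entry.Key, $entry.Value, $actual) -ForegroundColor Yellow
    } else {
        Write-Host ("ok       {0,-35} {1}" -f $entry.Key, $actual)
    }
}
Write-Host "$mismatches subcategories differ from the recommended settings."
```

Run it on the domain controller after gpupdate /force so the GPO has actually been applied; a MISMATCH line after a refresh usually means a higher-precedence GPO is overriding the setting, or the subcategory-override security option is not enabled.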
I would imagine the Default Domain Policy should also be updated, or a separate auditing GPO linked at the root of the domain, but those settings can be less strict: on workstations we are mainly interested in logging the actual logons, whereas the domain controller settings above track changes to authentication and to key directory objects.
On workstations these policy settings should be sufficient:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
Audit account logon events: Failure
Audit account management: Success & Failure
Audit directory service access: Failure
Audit logon events: Failure
Audit policy change: Success & Failure
Audit privilege use: Success & Failure
Audit system events: Success & Failure
I will write more about the Ping Castle findings later.