Running security audits against client Active Directory domains can be pretty daunting.  There's so much to look at, and being thorough takes a long time.  There are, however, several tools available that simplify the process.

I started testing Ping Castle on my own Active Directory (mostly a lab environment) and scored way worse than I expected.  Ping Castle is like golf – the lower the score the better.  It's scored on findings in 4 categories (stale objects, privileged accounts, trusts and anomalies), each category scored out of 100, and the overall score is the highest of the four category scores, not their sum, so one bad category is enough to drag the whole domain down.  I scored a 92/100.  Abysmal. 

Ping Castle shines in that it backs up all of its findings (which are extensive) with documentation on best practices, knowledge base articles on the subject, and recommendations.  One of those findings was the lack of proper auditing configured on my AD domain.  The list below is what is recommended.  It is referenced on adsecurity.org, but I couldn't find the exact settings there.  After more searching I eventually found them on another site, and re-running the analysis confirms my settings are now correct.  

Here are those settings for future reference:

Default Domain Controllers Policy

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events: Failure
Audit account management: Success & Failure
Audit directory service access: Failure
Audit logon events: Failure
Audit policy change: Success & Failure
Audit privilege use: Success & Failure
Audit system events: Success & Failure

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies

Note that once a GPO configures any subcategory here, Windows applies the subcategory settings and ignores the legacy category settings above, because the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled by default.  The legacy categories are still worth setting for older systems, but on a current domain controller the subcategories are what actually takes effect.

Account Logon

Audit Credential Validation: Success & Failure
Audit Kerberos Authentication Service: Success & Failure
Audit Kerberos Service Ticket Operations: Success & Failure

Account Management

Audit Computer Account Management: Success & Failure
Audit Other Account Management Events: Success & Failure
Audit Security Group Management: Success & Failure
Audit User Account Management: Success & Failure

Detailed Tracking

Audit DPAPI Activity: Success & Failure
Audit Process Creation: Success & Failure

DS Access

Audit Directory Service Access: Success & Failure
Audit Directory Service Changes: Success & Failure

Logon/Logoff

Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success & Failure
Audit Special Logon: Success & Failure

Policy Change

Audit Audit Policy Change: Success & Failure
Audit Authentication Policy Change: Success & Failure

System

Audit IPsec Driver: Success & Failure
Audit Other System Events: Success & Failure
Audit Security State Change: Success & Failure
Audit Security System Extension: Success & Failure
Audit System Integrity: Success & Failure
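Since the GPO only describes what you intended, it helps to verify what a domain controller actually ended up with.  The following PowerShell script is an added example (not part of the original post or of Ping Castle): it transcribes the subcategory list above into a baseline, reads the effective policy with auditpol.exe, and reports every subcategory that drifts from the baseline.  It assumes it is run elevated on the domain controller being checked, that auditpol's CSV output uses the English column headers and setting names ("Success and Failure", "Success", "Failure", "No Auditing"), and that the registry value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa reflects the "Force audit policy subcategory settings" security option.

```powershell
# Added example (not from the original post): compare a domain controller's
# effective advanced audit policy with the subcategory baseline listed above.
# Assumes an elevated PowerShell session on the DC and English auditpol output.

# Baseline transcribed from the list above, using auditpol's own wording
# for the "Inclusion Setting" column.
$Expected = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'DPAPI Activity'                     = 'Success and Failure'
    'Process Creation'                   = 'Success and Failure'
    'Directory Service Access'           = 'Success and Failure'
    'Directory Service Changes'          = 'Success and Failure'
    'Account Lockout'                    = 'Success'
    'Logoff'                             = 'Success'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'IPsec Driver'                       = 'Success and Failure'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

# auditpol /r emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# This is the *effective* policy, i.e. what the GPO really delivered.
$Effective = auditpol.exe /get /category:* /r |
    Where-Object { $_ -match '\S' } |   # drop any blank line before the header
    ConvertFrom-Csv

# Collect every subcategory whose effective setting differs from the baseline.
$Drift = foreach ($Name in $Expected.Keys) {
    $Row    = $Effective | Where-Object { $_.Subcategory -eq $Name }
    $Actual = if ($Row) { $Row.'Inclusion Setting' } else { '<subcategory not reported>' }
    if ($Actual -ne $Expected[$Name]) {
        [pscustomobject]@{ Subcategory = $Name; Expected = $Expected[$Name]; Actual = $Actual }
    }
}

# The subcategory settings only win over the legacy categories while this
# security option is enabled (value 1, which is also the default).
$Lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($Lsa.SCENoApplyLegacyAuditPolicy -eq 0) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is 0: the legacy category settings override the subcategories above.'
}

if ($Drift) {
    $Drift | Format-Table -AutoSize
    Write-Warning "$($Drift.Count) subcategories differ from the baseline; fix them in the Default Domain Controllers Policy, run gpupdate /force, then re-check."
    exit 1
}
Write-Host 'Advanced audit policy matches the baseline.'
```

Run it after a gpupdate on each domain controller, not just one: a DC that is slow to replicate or that has a conflicting local policy will show up here long before the next Ping Castle run.  Changing the settings with auditpol /set would pass this check too, but Group Policy overwrites local changes at the next refresh, so the GPO remains the place to fix drift.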

I would imagine the Default Domain Policy should also be updated, or a separate auditing GPO linked at the root of the domain.  Those settings would be more relaxed, though: on workstations we are mainly interested in logging the actual logons, whereas the settings above track changes to the security configuration around authentication and key directory objects.

On the workstation these policy settings should be sufficient:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events: Failure
Audit account management: Success & Failure
Audit directory service access: Failure
Audit logon events: Failure
Audit policy change: Success & Failure
Audit privilege use: Success & Failure
Audit system events: Success & Failure

I will write more about the Ping Castle findings later.