Change Auditor for Active Directory 7.2 - User Guide

Introduction

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions. This allows you to protect the environment from harmful changes that could open security holes or cause resources to become unavailable. Once enabled, if an unauthorized user attempts to modify or delete a protected object, Change Auditor prevents the operation and captures an event.

Protection can be defined for any Active Directory, Group Policy, or ADAM (AD LDS) object that you consider critical such as Organizational Units, Group Policy Object, and service accounts.

NOTE: Protection Notes and Recommendations: 1 Reserve protection for locking only critical objects. 2 Do not protect regular user accounts as it could prevent users from actions such as changing their passwords. 3 Certain applications and services need to make harmless changes to the Configuration and Schema NCs through the LocalSystem account. Therefore, Quest recommends that you do not protect the following applications and services: • Active Directory Knowledge Consistency Checker (KCC) • Quest Directory Analyzer • Microsoft Operations Manager (MOM) • Microsoft Licensing Computer • Microsoft Message Queuing Service (MSMQ) • Terminal Services Licensing Computer • HP OpenView’s Active Directory SPI • Microsoft Exchange If you protect a User object and prevent it from being deleted or modified, you are protecting all the user attributes and the forward links. You are not protecting any back linked attributes as back links are maintained by the system to ensure referential integrity only. If you modify the user’s memberOf attribute and add the user to a group, although you get an error or warning message, the user gets added to any group that is not protected. To prevent anyone from being added to a Group, you would protect the Group object and prevent it from being modified. By locking the Group object, you are locking its member attribute. Hence its membership cannot be modified. 4 Before you can set up ADAM auditing or protection, you must enable the File and Printer Sharing feature under the Windows Firewall. 5 If you have Quest GPOADmin integrated with your Change Auditor deployment, the GPOADmin service account is exempt from protection. 6 A protected GPO can only be changed by override accounts that are excluded from protection.

Active Directory object protection

When configured, Change Auditor prevents changes from occurring to a protected object regardless of who attempts to change the object and the tool or method used. Attempts to change or delete a protected object fail and an event is generated. These ‘failed’ events are identified in the client by displaying ‘Protected’ in the Result column on the Search Results page and Result field in an event’s detail pane.

NOTE: By default, Change Auditor captures events regardless of the result of the operation mentioned in the event. However, you can specify which events to capture based on an event’s result: • All Results (default) • Success Only • Success and Failed Only • Success and Protected Only See the Change Auditor User Guide for more information about defining the events to be captured based on result.

Active Directory protection page

This page displays when you select Active Directory from the Protection task list in the navigation pane of the Administration Tasks tab. From here, you can start the Active Directory Protection wizard to define critical Active Directory objects to protect from unauthorized modifications. You can also edit existing templates, disable and enable templates, and remove templates that are no longer being used.

The Active Directory protection page contains an expandable view of all previously defined Active Directory protection templates. To add new template, use the Add button.

NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

Once added, the following information is provided for each template:

NOTE: This field is only displayed when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.

Click the expansion box to the left of the template name to expand this view and display the following details for each template:

NOTE: This field is not displayed when there are no override accounts specified in the Active Directory Protection wizard.

NOTE: This field is displayed only when there is at least one account specified on the last page of the protection wizard and your protection templates are being stored in SQL.

NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Active Directory protection templates

The Active Directory protection templates are global settings and apply to all agents.

NOTE:   • If you are planning to use multiple Active Directory Protection templates, see the Change Auditor Technical Insight Guide for more information about how multiple protection templates are evaluated. • Agents should be installed on all Domain Controllers to ensure that protection is fully covered. For example, if a user is restricted from making changes and accesses a Domain Controller that does not have an agent installed, they are allowed to make changes. • To use protection templates, you must be logged in to Change Auditor with an account with Enterprise Admin privileges. • You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button. • If Active Directory integrated DNS is deployed, you can access the ForestDNSZones or DomainDNSZones partitions by right-clicking on the top-level domain object in the directory object picker.

NOTE: You can select a root domain object to prevent users from linking GPOs. However, if you do so, the gPLink attribute will be added by default and you will not be able to add other Active Directory objects or additional attributes to protect.

NOTE: CSV File Details The file must follow this format: <Canonical Name>, <Protection Scope>, <Protected Operation 1><Protected Operation 2> <Protected Operation n>, <Foreign Agent Forest FQDN> Valid protection scope values include: • This object only • This object and child objects only • This object and all child objects Valid protected operations include: • Create • Modify • Delete • Move Foreign Agent Forest FQDN is not required for objects in the local forest of the coordinator. If left blank, the local forest is assumed. The import supports the list separator defined for the locale of the operating system.   Example of CSV file entry for local forest object: Forest1.com/users/TestUser1, This object only, Create Delete Modify   Example of CSV file entry for foreign forest object: Forest2.com/users/TestUser2, This object only, Create Delete Modify, Forest2.com

NOTE: Allow is selected by default indicating that the selected users or groups can change the protected objects. However, you can select the Deny option and select individual users or groups that are not allowed to change the protected objects. When using the Deny option, you are allowing all users and groups to change the protected objects except for those selected on this page.

NOTE: This page only appears when your Active Directory and Group Policy protection templates are stored in SQL, which is the default location for storing these templates.

IMPORTANT: By default members of the Change Auditor Administrators group are authorized to access the Administration Tasks tab and perform administration tasks, including defining Active Directory and Group Policy protection; however, after you enter a user or group account on this page you are relinquishing your rights to modify the selected protection template to the users or groups specified on the last page of this protection wizard.

NOTE: If the users or groups specified are not members of the Change Auditor Administrators group, you must add them to the AD Protection Role for them to view the Administration Tasks tab to access Active Directory and Group Policy protection templates. For more information about adding members to the AD Protection role using the Application User Interface Authorization page (in the Configuration task list of the Administration Tasks tab), see the Change Auditor User Guide.

NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups are denied access only during this time. Anytime outside of when the schedule is set to enabled, these denied accounts can access the protected object. When the schedule is disabled, all options are disabled with it, including any denied access to the specified users. The scheduling options override all other protection settings.

NOTE: If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group will be able to access the protected objects from these locations. The location options override all other protection settings.

IMPORTANT: If the current user who is creating the protection template is not in the authorized accounts list, a warning message displays prompting the user to continue or stop with the creation of the protection template. If you are in the authorized accounts list at template creation time, you may find yourself locked out later if someone else in the authorized accounts list decides to edit the template and remove you.

NOTE: You can select a root domain object to prevent users from linking GPOs. However, if you do so, the gPLink attribute will be added by default and you will not be able to add other Active Directory objects or additional attributes to protect.

Disabling a template temporarily stops protection for the specified objects without having to remove the protection template.

NOTE: If you disable all the objects in a protection template, the template itself becomes disabled. Similarly, when you re-enable an object in the protection template, the template is automatically re-enabled.

NOTE: When you delete the last object in a protect template, the entire protection template is deleted.