Chat now with support
Chat with Support

Change Auditor for Active Directory 7.3 - User Guide

Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane

Introduction

Change Auditor allows you to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach. The ability to audit changes to this file reduces the risk of the user account information from being accessed and tampered with by unwanted processes or users.

To capture Active Directory database events, you must:
Create an Active Directory Database template.
Add this template to an agent configuration.
Assign the agent configuration to agents.

This chapter includes a description of the Active Directory Database auditing pages in the Administration Tasks tab, the procedure for creating and working with Active Directory Database auditing templates.

 

 

Active Directory Database Auditing page

The Active Directory Database Auditing page is displayed when Active Directory Database is selected from the Auditing task list in the navigation pane of the Administration Tasks page. From this page you can start the Active Directory Auditing wizard to monitor your Active Directory database for unauthorized access. You can also edit existing templates, disable/enable templates and remove templates that are no longer being used.

* 
NOTE: By default, Change Auditor captures events regardless of the result of the operation mentioned in the event. However, you can specify which events to capture based on an event’s result:
All Results (default)
Success Only
Success and Failed Only
Success and Protected Only

See the Change Auditor User Guide for more information about defining the events to be captured based on result.

The Active Directory Database Auditing page contains an expandable view of all the templates that have been previously defined. To add a new template to the list, use the Add tool bar button.

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

Once added, the following information is provided for the template:

Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.
Exempt Process Filter
Displays a list of processes which bypass Active Directory database auditing.

Active Directory Database auditing templates

To create an auditing template:
1
Open the Administration Tasks page.
2
Click Auditing.
3
Select Active Directory Database in the Auditing task list.
4
Click Add to open the Active Directory Auditing wizard.
5
Enter a name for the Active Directory Database auditing template.
6
(Optional) Select the processes to exclude from auditing (for example, changes made by the processes specified on this page will be excluded from auditing).
7
Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be audited.
* 
NOTE: You can also view processes on a different server or enter a process not listed in the process list.
8
Click Finish or Finish and Assign to Agent Configuration to assign the template to an agent configuration.
9
On the Configuration Setup dialog, use one of the following methods to assign this template to an agent configuration:
Select the newly created template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto the newly created template.
Select a configuration, then select the newly created template, right-click and select Assign.
Select a configuration, then select the newly created template, click in the corresponding Assigned cell and click Yes.
10
If this configuration is not assigned to any agents, you will need to assign it to agents installed on your Domain Controllers to apply the Active Directory database auditing.
* 
NOTE:  
Agents should be installed on all Domain Controllers to ensure auditing has complete coverage.
The auditing should be applied on all Domain Controllers to ensure complete coverage.
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
To modify an Active Directory Database auditing template:
1
On the Active Directory Database Auditing page, select the required template and click Edit. This opens the Active Directory Database auditing wizard where you can modify the current settings.
2
Click Finish to save your changes and return to the Active Directory Database Auditing page.
To disable and enable an Active Directory Database auditing template:

Disabling a template temporarily stops auditing without having to remove the auditing template.

1
On the Active Directory Database auditing page, place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.
-OR-
Right-click the template to disable and select Disable.
The entry in the Status column for the template changes to ‘Disabled’.
2
To enable the auditing template, select Enable in the Status cell.
To delete an Active Directory Database auditing template:
1
On the Active Directory Database Auditing page, select the required template and click Delete | Delete Template.
2
Click Yes to confirm.

Active Directory Database Auditing Wizard

The Active Directory Database Auditing wizard opens when you select Add on the Active Directory Database auditing page. This wizard steps you through the process of defining the Active Directory database processes to audit.

The following table provides a description of the available fields and controls:
Table 6. Active Directory Database Auditing wizard
Select Active Directory Database processes to audit: On the first page of the wizard, enter a name for the template and select the Active Directory database processes that are exempt from auditing.

Template Name

Enter a descriptive name for the auditing template.

(Optional) Select processes exempt from auditing: Select the processes to exclude from auditing (for example, changes made by the processes specified on this page will be excluded from auditing).

Add

Select one or more processes from the process list and click Add to move these processes to the exclusion list. By default, all processes (except lsass.exe) will be audited.

You can also view processes on a different server or enter a process not listed in the process list.

Remove

The list box across the bottom of the page displays the objects that are exempt from auditing. Click Remove to remove a process from the exemption list.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating