AD Administrators often face questions such as: When and Why was userX made an administrator? Have any new user accounts been added that they didn't know about? Why can't user X access this folder anymore? Where did this user account come from!?

The Active Directory Challenge

When an employee begins his/her employment at an organization, there is not a moment to lose. They must be given the right permissions, the right software, and the right access to servers, folders, and even files. Multiply this task across all levels of an organization, and with additional layers. Now think of the various group memberships each individual has permission to access.  

Are the AD settings up to date for each and every employee? More importantly, is monitoring for AD changes part of an organization's security culture? Most likely, this is not the case.

However, as previously mentioned by Active Directory: Do You Need a Change Management Strategy, in today’s technology climate, monitoring for changes should be part of the organization’s security culture. Skyport’s recent report notes  AD mismanagement can be to blame for 90 percent of enterprise security breaches. 


Who Has Access?

As detailed by Active Directory Security, determining the access each group has within AD is the challenge. AD rights are more than group memberships.

The combined rights of Active Directory can include:

  • Active Directory group membership.
  • AD groups with privileged rights on computers
  • Delegated rights to AD objects by modifying the default permissions (for security principles, both direct and indirect).
  • Rights assigned to SIDs in SIDHistory to AD objects.
  • Delegated rights to Group Policy Objects.
  • User Rights Assignments configured on workstations, servers, and Domain Controllers via Group Policy (or Local Policy) define elevated rights and permissions on these systems.
  • Local group membership on a computer or computers (similar to GPO assigned settings).
  • Delegated rights to shared folders.

Source: Sean Metcalf: Active Directory Security


Understanding Your Organization

New hires, new fires. New buildings, new access. Though organizations do their best to keep IT departments informed with the latest employee news, do they provide the tools needed to keep an infrastructure not just compliant but also secure?

To implement change management with Active Directory, an organization will need a combined smart policy and automation-based tools. Specifically, smart tools are needed to effectively monitor for changes.


Best Practices for AD monitoring can include:
  • Mechanisms for Change Control: organizations need to implement controls around users with the ability to make changes. Logs should include sufficient information to detect red flags that could indicate account compromises, such as location, device, and time.
  • Ability to Understand the "Quality" of Changes:  Changes via AD can move your organization out of compliance in a matter of seconds. Using a file integrity monitoring tool allows you to accurately determine if changes are negative, positive, or neutral.
  • Structured Change Workflows:  This can be accomplished with a comprehensive information security policy, which is required for PCI and other regulatory compliance. Built-in processes for the implementation and administration of changes are critical for organizations of any size.
  • Ability to Understand and Act on Audits in Real-Time:  A FIM solution with human-readable intelligence about changes, can immediately piece together the context of a change, including where it originated, who is responsible, and how it impacts your network. Contextually rich, human-readable audit logs can enable true real-time change management with Active Directory.

 For more information on high-level Active Directory Monitoring and Management, we recommend Change Monitoring vs. Control vs Management: What's the Difference?


Understanding the Risks

Because the Active Directory allows for the network to be managed centrally if changes occurring to a network are not being monitored, how can they effectively stay managed? Monitoring for change is a necessity with the number of breaches occurring annually.

In Attack Methods for Gaining Domain Admin Rights in Active Directory, the attack occurs once an attacker is on the inside, and running the malicious code inside of the network. the next steps that can occur may include:

  • Malware Injection (Spear-Phish, Web Exploits, etc)
  • Reconnaissance (Internal)
  • Credential Theft
  • Exploitation & Privilege Escalation
  • Data Access & Exfiltration
  • Persistence (retaining access)

Source: Sean Metcalf, Active Directory Security

Systematic monitoring is necessary to ensure consistent service delivery in a large environment with many domain controllers, domains, or physical sites. As a distributed service, Active Directory relies upon many interdependent services distributed across many devices and in many remote locations.

As you increase the size of your network to take advantage of the scalability of Active Directory, monitoring becomes more important. It helps you avoid potentially serious problems, including:

  • Security Policy Failure: Effective application of security policies requires correct replication of the SYSVOL policy.
  • Account Lockout: Accounts and logins can fail if there are issues with your PDC emulator
  • Domain Controller: Without sufficient disk space, you can experience domain controller functionality issues.
  • Application Issues: Critical applications can cease operations if queries do not work.
  • Directory Data Quality Problems: Data replication failures can require extensive time to resolve.


CimTrak for Active Directory

Monitoring Active Directory does not have to be a challenge. As comprehensive security, integrity, and compliance software offering agent-based coverage for a wide array of endpoints, CimTrak for Active Directory helps monitor directory services for deviations that may go unnoticed in larger environments.

Designed for awareness, CimTrak's human-readable logs, built-in intelligence, and accountability keeps organizations protected. Learn more about CimTrak today.


Jacqueline von Ogden
Post by Jacqueline von Ogden
August 8, 2017
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time

Our Top Cybersecurity & Compliance Tools

AI-Powered Compliance Automation Icon
AI-Powered Compliance Automation

Make audit prep hands-off, guaranteed to keep you

Fortify Cybersecurity Posture Icon
Fortify Cybersecurity Posture

Say goodbye to 97% of security alerts, block unauthorized changes across your IT stack.