Add Centralized Auditing to AD
Control and map change with Change Auditor for Active Directory.
by Danielle Ruest and Nelson Ruest
September 23, 2004
You have your work cut out for you when you want to track changes in your network and you're armed with only the default tools in Windows. Although Windows does a good job of logging security events, especially those in Active Directory (AD), it does so in a completely distributed manner. Change a computer account here, add a new user there, modify a group membership, or add a Group Policy object, and you can be sure Windows will record it if auditing is turned on in Active Directory.
The problem lies in where the auditing information is stored. Each event is stored locally. In a distributed network including multiple domain controllers, tracking change in AD means viewing each of the security event logs for each domain controller. If you want to have a global view of change in your network, you have to devise a method to collect and collate these event logs into a central deposit.
Windows system administrators can always use Windows Scripting Host (WSH) scripts to collect these logs and store them centrally. In fact, sample scripts for this purpose are available on the TechNet Script Center (see Resources). Or you could use Microsoft Operations Manager to collect and collate the logs into a central location. Microsoft is also working on the Audit Collection System (MACS), a free Windows Server 2003 add-on that is designed to collect security event logs from distributed systems and store them into a central deposit. It is unclear when Microsoft will release MACS.
If you're serious about tracking change in the network and you want to do it today, consider Change Auditor for Active Directory (CAAD) from NetPro Computing Inc. CAAD is an agent-driven system that records all the changes you make on any domain controller and forwards it in real time to a central SQL Server, or rather, Microsoft SQL Server Desktop Engine (MSDE). In addition, CAAD allows you to add comments to each event that is tracked so that you can know why a change was made down the road.
"Change Auditor has been designed to answer the five Ws: who, what, when, where, and why," said Richard Hoey, product manager for Change Auditor at NetPro. "It records all changes, tells you who made the change, what change was made, when it was made, and on which domain controller the change occurred. As for the why, you can add your own comments to events recorded in CAAD," Hoey said (see Figure 1). Change Auditor captures every change to AD, from schema changes to simple user additions. All changes are recorded into a central database. The CAAD interface provides quick and easy access to this data, which can be stored anywhere on the network (see Figure 2).
Installation is easy and consists of three steps. First, install the database engine, MSDE with Service Pack 3a, which comes with CAAD or a complete copy of SQL Server 2000. You should use a real installation of SQL Server in production environments. Second, install and configure the CAAD data repository. Finally, install the CAAD console and agent. Once installed, you'll have access to two shortcuts: the console itself and an agent deployment wizard. To deploy the agent in a multiforest domain, you'll need enterprise administrator credentials, but you can also deploy it only in a subdomain if you wish. In that case, all you need is domain administrator rights. There are no schema changes and there is no impact on your directory itself. There is a small performance impact on domain controllers because that is where the realtime agent sits, watching for AD modifications and forwarding them to the central database as they occur. There is also a small impact on your network bandwidth because there will be some CAAD communications in addition to the normal AD replication you already live with.
Your administrators might not even know that CAAD is installed because nothing is changed in AD. Administrators continue to use the standard AD consoles to make their changes. CAAD tracks these changes so that a central auditor can see what is going on in the network. In addition to recording changed values, CAAD also records the original value before the change. As a result, if someone modifies something that should not be modified, you'll know what to set it back to if necessary. In addition, if an administrator turns off the CAAD agent, you'll know that too because CAAD records this automatically as a significant event.
As you can imagine, the CAAD database can grow quickly because there can be many changes in AD in a single day, especially in large organizations. That's where CAAD's search engine comes in handy. Though it has more than 35 built-in searches, you can use it to build your own custom searches. This will let you find anything from domain controller modifications to single attribute additions, anything in fact that can be performed through one of the AD consoles. Databases can be archived for future use. This might mean that to track an event over time, you'll have to search multiple databases. Because they are based on SQL Server, multiple databases can be integrated and searched through SQL Server Reporting Services. In addition, each event type can be set as the cause for an alert. Alerts can be dispatched via the SMTP, SNMP, or Windows Management Instrumentation. This means you can be made aware of critical modifications immediately, especially the unauthorized kind.
This is great news for security-conscious organizations. In fact, some have been using Active Directory as an archival database because they didn't want to overwrite the security identifiers (SID) that were assigned to user accounts. When users left the organization, instead of reusing their SID and reassigning it to the next person in that role, they would park it in AD to make sure they could track anything associated with this SID. Because this information is stored in the CAAD database, organizations no longer need to archive this type of data in their AD, which should have a positive impact on replication. If an account is reassigned to a new person, it can be recorded in the comments of the event. Should a mishap occur later, the organization will have a clear trail of who did what and when.
Our recommendation: If your organization doesn't have an immediate need for this type of auditing tool, wait for Microsoft to deliver Audit Collection System. If your organization is security conscious and wants to know about everything that is going on in Active Directorynot just security events as with MACSand why it is going on in your network, consider Change Auditor for Active Directory. CAAD uses a simple, low-impact architecture that blends well with your directory service without requiring schema or other complex rollout procedures. It scales with the largest and most complex networks, and it will allow you to manage changes in your directory. It might seem expensive, but if you want to do AD change management the right way, Change Auditor is a smart bet.
About the Authors
Back to top
Danielle Ruest and Nelson Ruest (MCSE, MCT) are multiple book authors focusing on systems design, administration, and management. They run a consulting company that concentrates on IT infrastructure architecture and change and configuration management. You can reach them at [email protected].