
What is Active Directory monitoring and why is it important?

What is Active Directory monitoring?

Active Directory monitoring is the process of maintaining the health and operations of Active Directory (AD), the core identity and access management system used by most organizations today. It is a key element of a broader Active Directory management strategy.


What are the benefits of Active Directory monitoring?

Reduced risk of costly breaches

The average cost of a data breach now exceeds US$4 million. Robust, continuous Active Directory monitoring can help you reduce the risk of suffering a breach in the first place and reduce the impact of incidents that do occur.

The reason is simple: Active Directory is a key target of attackers because it is the primary authentication and authorization service for over 90 percent of the world’s enterprises. By taking over AD accounts, adversaries gain access to your organization’s vital systems and data, and by abusing AD functionality, they can elevate their privileges and even gain total control of your IT ecosystem. That includes cloud resources, since in most hybrid environments, AD identities are synced to Entra ID (formerly Azure AD).

With effective Active Directory monitoring, you can promptly identify suspicious changes and other activity, so you can immediately take steps to thwart an attack. In particular, AD monitoring looks for indicators of exposure (IOEs), which are clues that a vulnerability exists and could be exploited by attackers. It also looks for indicators of compromise (IOCs), which are signs that a breach has already occurred or is in progress.

Reduced risk of expensive downtime

Data breaches are not the only risk that organizations need to be concerned about. Non-malicious events like errors by IT admins, power outages and equipment failures can also lead to IT system disruptions or downtime that affect business processes. The cost of such IT system outages — even without a data breach — can exceed $5 million per hour.

Accordingly, organizations need to focus not just on cybersecurity but on cyber resilience: keeping the IT environment up and running as much as possible, and getting it back up and running quickly when a disruption does occur. Active Directory monitoring is essential for cyber resilience because Active Directory is vital for users to do their jobs and for vital processes to run. Simply put, if your Active Directory is down, your business is dead in the water, and costs will quickly begin to mount.

Active Directory delivers a set of services, including Active Directory Domain Services (AD DS), which runs on special servers called domain controllers (DCs). Active Directory services are subject to the same performance issues as any other application, so IT pros need to keep a close eye on Active Directory health and performance through continuous Active Directory monitoring.

Fewer fines and penalties

Regulations like GDPR, HIPAA, PCI DSS, SOX, FISMA and GLBA differ in the types of data they protect, but they all share a core fundamental goal: controlling who can access regulated data and what they can do with it.

In a Microsoft environment, Active Directory is the core identity repository and provider of authentication and authorization services, making it the gatekeeper for access to regulated data. Robust Active Directory monitoring helps you ensure that only the right people are accessing regulated data. As a result, you can achieve, maintain and prove compliance with a wide range of legislative mandates and industry standards, and avoid steep fines and increased oversight.

Stronger customer satisfaction and loyalty

Customers today have choices about where they do business. If your IT systems are not available when they’re needed or your organization experiences a security breach that lands it in the headlines, customers will tend to bolt.

Active Directory monitoring helps you stand out from the competition by enabling you to maintain strong cybersecurity and keep your services up and running. This improved cyber resilience can reduce customer churn and is quite attractive to new clients as well.


Why is it important to monitor Active Directory?

Active Directory monitoring is essential for a wide range of critical goals, including the following:

  • Faster threat detection and response — AD monitoring empowers you to promptly detect suspicious activity, such as multiple failed login attempts, unusual access to sensitive resources, and changes to critical objects like powerful security groups and Group Policy objects (GPOs). Quick threat detection is vital to limiting or even preventing damage from attacks and mistakes.
  • Accountability and compliance — AD monitoring provides a detailed audit trail of all changes and other activity, enabling organizations to hold individuals accountable for their actions and simplifying compliance with legal mandates and industry standards.
  • Performance optimization and capacity planning — AD monitoring helps you spot bottlenecks and other performance issues in your AD infrastructure so you can ensure a smooth user experience and efficient network operations. Plus, Active Directory monitoring can help you predict when the infrastructure is reaching its capacity limits and plan effectively to handle increasing workloads.
  • Business productivity — Active Directory monitoring helps you promptly identify login difficulties, resource access problems and other user-related issues so you can resolve them quickly and keep business operations running smoothly. Moreover, using an enterprise-quality Active Directory security tool can empower your IT teams to be far more efficient and effective.

What should you monitor in Active Directory?

A comprehensive Active Directory monitoring strategy should address all of the following elements:

Domain controllers

Domain controllers (DCs) are special servers that run the Windows Server operating system and provide Active Directory services. In particular, be sure your Active Directory monitoring plan covers the following:

  • DC configuration — It’s vital to ensure that your DCs are configured properly and stay that way, since a single improper modification can result in everything from authentication slowdowns to catastrophic outages. For example, FSMO roles determine which domain controller handles key Active Directory functions like schema changes.
  • DC replication — Organizations normally have multiple DCs, and each one has a copy of the directory for the AD domain. Any change made to the directory on one DC (such as a user changing their password or a user account being locked out for too many incorrect passwords) is replicated to the other DCs so they all stay up to date. Issues with replication can result in users experiencing problems logging in or accessing the resources they need to do their jobs. Moreover, adversaries can abuse the replication process as part of a cyberattack; one example is a DCSync attack, which can be a key step in a broader Golden Ticket attack.
  • DC availability and resource utilization — It’s also vital to ensure that your DCs remain online and functioning properly. Be sure to establish normal baselines for metrics like CPU, memory, disk space and network bandwidth usage so you can spot suspicious changes. Tracking resources on your Windows servers over time also empowers you to avoid reaching warning thresholds and putting business continuity at risk.
  • DC activity — It’s also vital to audit the activity on your DCs as part of AD monitoring. In particular, each DC hosts a copy of the domain directory, the NTDS.dit file. Because this file stores critical data about AD users, groups, computers, password hashes and directory configuration, adversaries often try to exfiltrate it; for instance, this technique can be an indication of an impending Golden Ticket attack.

Identity and privilege

Identity and access management (IAM) is vital to ensuring security, compliance, productivity and cyber resilience. Key areas of concern for any Active Directory monitoring strategy include:

  • Changes to privileged groups — Active Directory includes multiple built-in security groups that give their members significant power in the IT environment, such as Enterprise Admins and Domain Admins. Organizations can also create their own privileged AD groups to control access to sensitive data, applications and other IT assets. It’s critical to closely monitor any changes to the rights or membership of any of these powerful Active Directory security groups.
  • Changes to Azure AD roles — Assigning Azure AD roles to users empowers them to access and manage critical resources. It’s vital to promptly spot any unauthorized change to role membership or privileges, since it could be an adversary attempting to escalate their rights in the environment.
  • Creation of new user accounts — Creation of a new user account is not inherently suspicious, since many organizations are constantly onboarding new employees and contractors. But since an AD account typically grants access to critical resources, it’s vital to watch for unauthorized provisioning activity as part of your AD monitoring strategy.
  • Inactive accounts — Smart adversaries know that IT pros monitor AD account creation. To avoid getting caught, they often use another tactic to gain or expand their access: taking over inactive AD accounts. 

Activity

  • Activity of privileged accounts — Administrators and other privileged users can misuse their accounts, either accidentally or deliberately, and those powerful accounts are a prime target for takeover by attackers. Remember to also closely audit the activity of all service accounts that have elevated rights.
  • User account lockouts — Most user account lockouts are not a sign of a threat, but they can disrupt business processes, so it’s important to monitor them. However, a surge in account lockouts can be a sign of a brute-force attack on your network.
  • Authentication activity — Tracking user logon and logoff activity as part of Active Directory monitoring is vital because it helps you understand normal user behavior and spot unusual activity that could be a threat. It’s also important to monitor use of the older and riskier NTLM authentication protocol, and watch for attempts to exploit the Kerberos authentication protocol, which can indicate Golden Ticket and Pass-the-Ticket attacks.
  • Azure AD sign-ins — In a hybrid environment, it’s also crucial to track sign-in and sign-off activity in Azure AD. Ideally, you want to have this activity correlated with on-premises logon and logoff events to provide a coherent picture that can uncover more complex threats.
  • Changes to DNS — DNS is a critical service that translates computer names into their corresponding IP addresses. In particular, when an AD user logs on, the user’s computer queries the DNS server to locate a Windows domain controller to perform the authentication. Because the DNS database is stored in AD, Active Directory monitoring is vital to detecting unauthorized DNS changes that could lead to a security incident or service disruption.
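The detection goals listed above (and in the earlier list under “Why is it important to monitor Active Directory?”), as an added example that is not part of the original page: three small rules run over constructed Windows Security event records. The event IDs are the real ones (4740 lockout, 4728/4756 group membership additions, 4776 NTLM validation), but the record fields and sample data are assumptions made for this example.

```python
"""Toy detection rules for AD signals: lockout surges, privileged group
changes and NTLM usage, run over constructed sample events (not real logs)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Built-in privileged groups named on the page; extend with your own groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4756}  # member added to global / universal group
LOCKOUT_EVENT = 4740             # a user account was locked out
NTLM_EVENT = 4776                # the DC validated NTLM credentials

# Constructed sample events; "ts" is the event time, "src" the source host.
SAMPLE_EVENTS = [
    {"id": 4740, "ts": "2024-05-01T08:00:05", "user": "alice", "src": "WS01"},
    {"id": 4740, "ts": "2024-05-01T08:00:07", "user": "bob",   "src": "WS01"},
    {"id": 4740, "ts": "2024-05-01T08:00:09", "user": "carol", "src": "WS01"},
    {"id": 4740, "ts": "2024-05-01T08:00:11", "user": "dave",  "src": "WS01"},
    {"id": 4740, "ts": "2024-05-01T09:30:00", "user": "erin",  "src": "WS07"},
    {"id": 4728, "ts": "2024-05-01T08:05:00", "actor": "svc-backup",
     "member": "tmp-admin", "group": "Domain Admins"},
    {"id": 4728, "ts": "2024-05-01T08:06:00", "actor": "helpdesk1",
     "member": "newhire", "group": "Sales"},
    {"id": 4776, "ts": "2024-05-01T08:07:00", "user": "alice", "src": "WS01"},
    {"id": 4776, "ts": "2024-05-01T08:07:30", "user": "alice", "src": "WS01"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def lockout_surges(events, window=timedelta(minutes=5), threshold=3):
    """Return (source_host, window_start, count) for every host whose 4740
    lockouts reach `threshold` inside `window` (a brute-force indicator)."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == LOCKOUT_EVENT:
            by_src[e["src"]].append(_ts(e))
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((src, times[start].isoformat(), end - start + 1))
                break                          # one alert per source host
    return findings

def privileged_group_changes(events):
    """Return (actor, new_member, group) for additions to privileged groups."""
    return [(e["actor"], e["member"], e["group"]) for e in events
            if e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS]

def ntlm_usage(events):
    """Count NTLM validations per account to baseline legacy-protocol use."""
    return Counter(e["user"] for e in events if e["id"] == NTLM_EVENT)

if __name__ == "__main__":
    print(lockout_surges(SAMPLE_EVENTS))
    print(privileged_group_changes(SAMPLE_EVENTS))
    print(ntlm_usage(SAMPLE_EVENTS))
```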

Group Policy

Group Policy is an exceedingly powerful feature of Active Directory. It has literally thousands of settings that enable IT pros to deploy software, enforce password policies, block use of less-secure Active Directory authentication protocols and much, much more.

Any improper modification to a GPO — whether it’s deliberate or accidental — can disrupt critical services and block legitimate user access to resources, hurting business operations. For example, a single change could give adversaries unlimited attempts to guess account passwords, enable unidentified users to connect to a network share that stores regulated data, or permit the use of USB devices that could unleash ransomware. Therefore, every Active Directory monitoring strategy needs to pay careful attention to Group Policy.


How can you monitor users in Active Directory?

Microsoft offers two types of audit policy settings for monitoring Active Directory users and activity. (Note that Microsoft advises not using both of these options together, since doing so can cause “unexpected results” in audit reporting).

The two types of settings are:

  • Basic audit settings — These nine settings are available in Security Settings\Local Policies\Audit Policy. They enable you to control auditing of account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking and system events.
  • Advanced policy settings — The 53 settings in Security Settings\Advanced Audit Policy Configuration enable you to define a much more granular policy for auditing Active Directory. For example, you can audit when a group administrator has changed settings on a server that contains financial information. You can access these settings through the Local Security Policy snap-in (secpol.msc) on the local device or by using Group Policy.

For more comprehensive and effective auditing of user activity, many organizations invest in a third-party AD monitoring solution.
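One way to check that the advanced audit policy actually in effect on a domain controller meets a baseline, as an added example that is not part of the original page: the input is constructed text in the CSV shape that `auditpol /get /category:* /r` prints (the column layout is an assumption), and the baseline subcategories and required settings are assumptions chosen to match the signals discussed on this page.

```python
"""Compare a DC's effective advanced audit policy with a baseline.
Input: CSV text as printed by `auditpol /get /category:* /r` (assumed layout)."""
import csv
import io

# Minimum audit setting per subcategory (assumed baseline; adjust as needed).
BASELINE = {
    "Logon": "Success and Failure",
    "Account Lockout": "Failure",
    "Security Group Management": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Directory Service Changes": "Success and Failure",
    "Audit Policy Change": "Success and Failure",
    "Credential Validation": "Success and Failure",
}

def _covers(current, required):
    """True if `current` audits at least what `required` asks for."""
    both = {"Success", "Failure"}
    have = both if current == "Success and Failure" else {current}
    need = both if required == "Success and Failure" else {required}
    return need <= have

def audit_gaps(auditpol_csv, baseline=BASELINE):
    """Return {subcategory: current_setting} for each baseline entry that is
    absent from the output or audited less than the baseline requires."""
    rows = csv.DictReader(io.StringIO(auditpol_csv))
    current = {r["Subcategory"].strip(): r["Inclusion Setting"].strip() for r in rows}
    gaps = {}
    for sub, required in baseline.items():
        setting = current.get(sub, "Not present")
        if setting == "Not present" or not _covers(setting, required):
            gaps[sub] = setting
    return gaps

# Constructed sample output; the GUIDs are placeholders, not real subcategory GUIDs.
SAMPLE_AUDITPOL = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
DC01,System,Account Lockout,{00000000-0000-0000-0000-000000000002},No Auditing,
DC01,System,Security Group Management,{00000000-0000-0000-0000-000000000003},Success,
DC01,System,User Account Management,{00000000-0000-0000-0000-000000000004},Success and Failure,
DC01,System,Directory Service Changes,{00000000-0000-0000-0000-000000000005},Success and Failure,
DC01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000006},Success and Failure,
"""

if __name__ == "__main__":
    for sub, setting in audit_gaps(SAMPLE_AUDITPOL).items():
        print(f"{sub}: {setting} (baseline requires {BASELINE[sub]})")
```

On a real DC you would feed the function the text captured from `auditpol /get /category:* /r` instead of the constructed sample.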


What are the key challenges of Active Directory monitoring?

Microsoft provides several Active Directory monitoring tools, including Microsoft System Center Operations Manager (SCOM), Windows PowerShell, Active Directory Users and Computers (ADUC), and the Active Directory Schema snap-ins for Microsoft Management Console (MMC).

However, the functionality of native tools is limited; it’s awkward at best to keep switching between tools; and tasks are often manual, time-consuming and error-prone. Additional important challenges include the following:

  • Limited visibility into access rights — Native AD monitoring tools and manual processes do not provide a deep understanding of who has access to what, how access was granted, who has elevated permissions, and which objects and systems are vulnerable to security threats. 
  • Lack of critical details — Native logs often fail to record important details about events. For example, while the log will show that a GPO was changed, it will not reveal the critical before and after settings.
  • Lack of context — Event details contain limited context, and there is no comprehensive view of all changes from all the many native log sources. Therefore, it can be hard to understand broader patterns or more complex attack strategies.
  • Lack of clarity about Tier 0 assets — Native tools fail to provide insight into the organization’s Tier 0 assets, such as domain controllers, other powerful servers, and accounts that have direct or indirect administrative control over the AD forest, domains or DCs. This includes not just members of powerful security groups like Domain Admins and Enterprise Admins, but accounts that could gain elevated privileges due to AD security weaknesses like nested group membership in a series of steps known as an attack path.
  • Cryptic and noisy logs — Native logs are notoriously cryptic and voluminous, so wading through them requires a lot of time and effort. Even when performed by skilled IT pros, the task is extremely prone to errors, and it is nearly impossible to spot the truly suspicious events in the vast sea of data.
  • Lack of supporting capabilities — Native AD monitoring also does not offer the following important functionality:
    • There is no proactive alerting on suspicious events.
    • There is no reporting capability to satisfy internal security groups or external compliance requirements.
    • There is no way to prevent unwanted changes to the most sensitive Active Directory objects.

To address these limitations, some organizations implement a security information and event management (SIEM) system. However, many SIEM tools rely on the native system event logs, which do not provide a complete picture of what is happening in Active Directory — especially since attackers actively look for ways to circumvent logging in order to avoid detection.

Accordingly, for more comprehensive, reliable and accurate AD monitoring, organizations often invest in third-party Active Directory security solutions that do not rely solely on Windows event logs and that provide a broad suite of valuable functionality.


Active Directory monitoring best practices

For effective Active Directory monitoring, follow these best practices:

Establish a sound AD structure

AD monitoring is part of a broader Active Directory management strategy, which requires a solid foundation. Take a hard look at your Active Directory domains, organizational units (OUs) and schema, and consider how you can make it more manageable and structured. Develop and follow standardized naming practices, and clean up your Active Directory objects, including stale user accounts and Group Policy sprawl. These steps will dramatically simplify management while improving security and compliance.

In addition, it’s invaluable to be able to prevent changes to your most important AD objects, including powerful administrative security groups and crucial GPOs.

Identify your Tier 0 assets

Focus your Active Directory monitoring by clearly understanding your Tier 0 assets. In particular, map out the attack paths that could enable an attacker who compromises an ordinary user account to gain control of your domain in a handful of steps. Mitigate the choke points that attack paths share to limit risk, and closely monitor activity around all remaining Tier 0 assets.

Monitor AD health

An IT environment is a dynamic place; no matter how perfectly you plan your OUs and schemas, you can’t simply set up your Active Directory and forget it. Users, computers, printers and other Active Directory objects come and go, so you’ll need procedures for provisioning and deprovisioning, which should be automated as much as possible through approval-based workflows. You should also regularly identify inactive user and computer accounts so you can clean them up before they can be misused.

More broadly, you also need to monitor the health of your domain controllers and the replication of data between them in real time. Otherwise, users might very well experience problems logging in or accessing the resources they need to do their jobs.

Configure a robust audit policy

Configuring advanced audit policy enables you to granularly determine what events to collect, which reduces noise. Be sure to establish a reasonable security log size and a flexible retention policy to prevent information loss and overwrites.

Don’t rely on native logging alone

Improve your ability to spot attacks and conduct forensic analysis by collecting not just native logs but other critical audit information that is not logged there. Choose an AD monitoring solution that can consolidate and normalize the data to provide contextual information about activity across the IT ecosystem and give you insight into all stages of an incident, from logon to logoff. Ideally, you want a 360-degree view of all related activities across users and resources.

Pay attention to Group Policy

Group Policy is an incredibly powerful and useful tool. Unfortunately, native tools don’t make it easy to keep Group Policy under control, and adversaries are eager to misuse GPOs to further their attacks. Therefore, it’s wise to invest in an Active Directory security tool that provides effective Group Policy management capabilities.

Be sure you have effective analytics, alerting and reporting

Active Directory monitoring in and of itself isn’t useful — you need to be able to make sense of the immense volume of data collected and respond quickly to potential threats to security, performance or availability. Therefore, you need powerful analytics, advanced alerting, and comprehensive and customizable reporting.


Powerful change monitoring

Start monitoring your AD today with Change Auditor.