I just finished a class where I had both auditors and administrators in attendance. It was one of the best groups I have had, for that reason. From the class I learned that the difference between auditing and monitoring is not always “known.” Auditing is performed by auditors and monitoring is typically performed by administrators. There is only a slight difference between the two, but that difference is rather important and can make a world of difference when it’s time to report on your log data.
Auditing is both a technology and a role. The technology is built into every Windows computer and has been for years. Going back to Windows NT, Microsoft has provided auditing. Domain controllers, servers, and desktops can all track (audit) activity that occurs on the computer.
Auditing is also a role, which is desperately needed in all corporations. The reason that auditors are needed is due to the reality that some security settings drift from their desired states, not to mention some security settings might fail to be set. So, the auditing role is to verify that computers are correctly secured to meet corporate and industry mandates.
An auditor typically does a “point-in-time” verification of security settings over a “sampling” of computers within the Active Directory domain(s). Often, these checks occur only once a year. Some auditors create scripts and use other tools to gather this information at intervals, which is called continuous auditing.
Ideally, auditors should be performing “true continuous auditing,” which ensures a baseline of security settings is established and tracks all changes related to these controls. Instead of looking at points in time, the auditor can now look at the complete log of changes to know what has changed from the baseline.
Monitoring is really what administrators want, but often find difficult to implement. Actually, the “auditing technology” that Windows provides is the same technology that administrators should implement to monitor changes to Active Directory and servers. Monitoring is the ability to know when any change occurs to Active Directory or a server. For monitoring, the details of each tracked change should include who made the change, what changed (old and new setting), when the change occurred, and other details.
The issue with attempting to monitor using the traditional auditing/tracking that Microsoft provides is that there is no ability to report on the voluminous data that is created. There might be a hundred log files, containing millions of events, created within a single month on a typical Active Directory domain. Without some technology to generate reports from this data, it would take hours, if not days, to find the information that you need from the log entries. Of course, Microsoft provides event log forwarding, subscriptions, scheduled tasks for events, and filtering, but even these technologies don’t provide a solution that makes digging through this information feasible.
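As an added example (not part of the original post or any vendor tool), the following PowerShell turns the raw Security log on a domain controller into the who/what/when view described above, with old and new values reconstructed from Windows event 5136 (“A directory service object was modified”). It assumes the “Directory Service Changes” audit subcategory is enabled and a SACL exists on the objects of interest; the seven-day window is an arbitrary choice.

```powershell
# Added example: reconstruct who/what/when plus old and new values from
# Security event 5136 on a domain controller. Without the audit subcategory
# below enabled (and a SACL on the objects), no 5136 events are written:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable

$Since = (Get-Date).AddDays(-7)   # arbitrary reporting window for this example

# Ask the log for the one event ID we need instead of paging through everything.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction Stop

# Read EventData fields by name from the event XML; names are stable, positional
# indexes are not, so this is the safer way to pull them out.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        When        = $e.TimeCreated
        Who         = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
        Object      = Get-EventField $x 'ObjectDN'
        Attribute   = Get-EventField $x 'AttributeLDAPDisplayName'
        Value       = Get-EventField $x 'AttributeValue'
        Operation   = Get-EventField $x 'OperationType'   # %%14674 = Value Added, %%14675 = Value Deleted
        Correlation = Get-EventField $x 'OpCorrelationID'
    }
}

# One attribute change is logged as two 5136 events that share an OpCorrelationID:
# a "Value Deleted" (old value) and a "Value Added" (new value). Join them into one row.
$rows | Group-Object Correlation, Object, Attribute | ForEach-Object {
    [pscustomobject]@{
        When      = ($_.Group | Sort-Object When | Select-Object -First 1).When
        Who       = $_.Group[0].Who
        Object    = $_.Group[0].Object
        Attribute = $_.Group[0].Attribute
        OldValue  = ($_.Group | Where-Object Operation -eq '%%14675').Value
        NewValue  = ($_.Group | Where-Object Operation -eq '%%14674').Value
    }
} | Sort-Object When | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a domain controller; on a busy domain, narrow `$Since` or add an `ObjectDN` filter before the grouping step, since this is exactly the volume problem the paragraph above describes.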
So, the auditing that Microsoft provides is awesome, just not the reporting! Download ADAudit Plus now and see how you can leverage the logs that are generated, as both an auditor and an administrator!