Security of elevated privileged access is becoming more and more important with every Active Directory installation. Attacks are going to happen and ensuring you know who has privileged access will help reduce the overall effectiveness of these attacks. Microsoft auditing can help you track every change that occurs to to groups that provide privileged access; however, the key is finding a solution that helps you simplify the tracking of such changes. Also, knowing which groups have elevated privileges is going to be crucial in your attempt to track such groups.
To help you discover the groups that have elevated privileges, as well as discover a better way to sift through the voluminous data created by Microsoft auditing, I want to provide you helpful guidance with this blog post.
First, let’s break down the groups that have elevated privileges in your Active Directory domain. When you install Active Directory, you are provided with default groups that have elevated privileges. The key groups that you should always be tracking membership of include:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Group Policy Creator Owners
- Cert Publishers
- Backup Operators
- Account Operators
You will also have two more types of groups that you should add to this list of default groups. The first type includes all of the groups associated with the applications and services you install because these groups are granted elevated privileges. Examples of such applications or services include:
- SQL Server
- VMware products
The other group type would be those groups that were created by the administrators to help control privileged access for the IT staff. There is no way for me to know what these group names are, as each organization has an unlimited naming scheme for these groups. Groups might have been created for the following tasks:
- Domain administration
- Help desk
- IT projects
- Server administration
- Desktop administration
As for trying to “find” where your administrative groups changed membership by sifting through the security logs on each domain controller, that is a very tough, nearly impossible task. Trust me, I have done the math on a medium-sized domain with 10 domain controllers, and such a domain will generate millions of events across all 10 domain controllers in just a few days. So trying to find just the privileged groups within these millions of events will be nearly impossible using Microsoft Event Viewer.
However, when you use ADAudit Plus, you can find them with just a simple click! Figure 1 illustrates the results of what you could see when you have ADAudit Plus reporting on just the privileged groups and their changes in a domain.
Figure 1. ADAudit Plus can report on privileged group modifications with just a quick click.
Of course, you will need to customize your report in ADAudit Plus, so you can include your additional, non-default, privileged groups. For full details on customization and reporting on these groups using ADAudit Plus, view the video at https://www.youtube.com/watch?v=cW9YsAlH4vU.