Service accounts are dedicated Active Directory (AD) accounts used to run Windows services and other network applications. These accounts often hold privileged access to applications, resources, and the network. Just like any other privileged account, it’s important to closely monitor every logon and access these accounts make. However, the native monitoring capabilities in AD are far from what today’s enterprises need to thoroughly monitor this behavior. For instance, reporting on and analyzing service account password changes in AD using only the native tools is a challenge, which, when done incorrectly, can easily lead to serious security concerns or failed services.

Auditing service accounts using native tools in AD

To detect password changes using native auditing, open the Group Policy Management Console and configure the following Group Policy settings:

  • Navigate to the GPO that you want to modify (the GPO needs to be linked to a domain or a domain controller OU).

  • In the Group Policy Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.

  • Select Audit Policy to list all the sub-policies.

  • Double-click Audit account management to view its properties.

  • Enable Define these policy settings, and check the Success option to audit successful events. Refer to Figure 1.

  • Click Apply and OK.

Figure 1. Configure Audit account management properties.

In addition to configuring GPO settings, system access control lists (SACLs) must also be configured for the respective AD objects so that the audit policy actually generates events for them.

Once auditing is enabled, do the following to view events:

  • Go to Administrative Tools, and open Event Viewer.

  • Under Windows Logs, select Security. Filter for event IDs 4724 and 4723. Event ID 4724 corresponds to a password reset attempt by an administrator, whereas event ID 4723 corresponds to a password change attempt by the user of the account. Refer to Figure 2.

Figure 2. Event 4724 monitors when a user’s password is changed.
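As an added example (not part of the original post), the following PowerShell pulls the 4723/4724 events described above from a domain controller's Security log and lists who reset or changed which account's password, flagging the service accounts you care about. The computer name, time window, and the watch-list names are assumptions for illustration; the script must run with rights to read the Security log.

```powershell
# Added example: list recent password reset (4724) and change (4723) events
# and flag the ones that target watched service accounts.
$ComputerName = $env:COMPUTERNAME            # assumption: a domain controller name
$Hours        = 24                           # assumption: look-back window
$WatchList    = @('svc-sql', 'svc-backup')   # constructed sample sAMAccountNames

$filter = @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The event's EventData carries Subject* (who acted) and Target* (whose password)
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        EventId       = $e.Id
        Action        = if ($e.Id -eq 4724) { 'Reset by admin' } else { 'Changed by user' }
        TargetAccount = $data['TargetUserName']
        TargetDomain  = $data['TargetDomainName']
        ChangedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Watched       = ($WatchList -contains $data['TargetUserName'])
    }
}

# Show watched service accounts first, most recent on top
$rows | Sort-Object -Property @{Expression = 'Watched'; Descending = $true}, Time -Descending |
    Format-Table Time, EventId, Action, TargetDomain, TargetAccount, ChangedBy, Watched -AutoSize
```

Pipe `$rows | Where-Object Watched` into a scheduled task or e-mail step to get a simple alert without leaving the native tools.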

In AD, security logs are continuously recording events on the domain controllers. Every action is identified by a specific event ID, as you may have noticed from Figure 2, and requires a certain level of expertise to adequately respond to such an action. With continuous logging of data on domain controllers, huge volumes of data can quickly pile up. There’s a good chance that critical information requiring immediate action will end up lost among the normal event logs. That’s why a real-time AD solution that can inform administrators of key events is important for any enterprise.

A good auditing mechanism will effectively track and alert on all service account activities, including changes made in real time. This will help IT admins react faster in case of an emerging threat.

Responding to password changes with ADAudit Plus

ADAudit Plus enhances native auditing capabilities by providing real-time alerts on password changes. You can configure alerts to notify you if a service account password changes, as shown in Figures 3 and 5. You’ll also be able to receive reports on services running on a specific computer, with information about the service, service account, and service status, as shown in Figure 6.

Figure 3. Real-time alerts in ADAudit Plus.

Figure 4. User-Based Password Changes report in ADAudit Plus.

Figure 5. All AD Changes report in ADAudit Plus.

Figure 6. Real-time User Services report in ADAudit Plus.

Summary

Monitoring changes to service account passwords is paramount for security and service availability. With the comprehensive monitoring and real-time alerting provided by ADAudit Plus, you can spot and tackle threats before they cripple your organization.

To try ADAudit Plus out for your service accounts, download a free, 30-day trial.

  1. Varun

    Can ADAudit Plus monitor data remotely, or does it need to be installed on the domain controller or the machine containing the Active Directory?

    • Hi Varun. ADAudit Plus needs to be installed on the machine hosting the domain controller so that it has access to the event log it needs to process.