Imagine you’re an admin in a company that prides itself on its security practices, which includes using firewalls, IDP systems, and IPS systems. You have an employee who is a local administrator with highly sensitive data on their computer. This employee constantly forgets to lock their computer before going out for lunch.
This is a bad practice by itself, but the situation becomes worse when a nefarious individual notices the unlocked computer and decides to take a chance. One quick look at the control panel will tell this rogue user that the computer is logged in with an administrator account. Taking this opportunity, the rogue simply creates a new local administrator user account, places it in the local administrators group, and grabs the computer’s name. They can now log on from any computer in the network and access any file they want.
How would you know if this has ever happened at your organization? Routine monitoring can help you discover the unknown account that was added with full access, but even that could be too late.
ADAudit Plus allows administrators to perform audit functions in real time, including monitoring user object life cycle changes like user creation, deletion, or modification.
ADAudit Plus can monitor changes to the local Administrators group on workstations, on a real-time basis, and by date, as shown in Figure 1. To do so, simply follow these steps:
Step 1: Click on Server Audit from the menu bar.
Step 2: Select the Local Account Management drop-down.
Step 3: Choose the type of report you want to view.
Step 4: Select the Time Period you want the report for.
Figure 1. The different types of reports available for monitoring purposes.
Summary
One administrator’s negligence could lead to unwarranted security threats. But regular auditing of local user management actions strengthens the overall security of your Active Directory environment. ADAudit Plus helps you accomplish that effortlessly. Try your hands on our product now.
