SOX (Sarbanes-Oxley) and other auditing compliance requirements have had a great impact on the need to monitor and audit IT environments. Experts say that many attacks gain access through a user account that has one or more incorrect or insecure settings, so it makes sense to focus on user account properties during the audit.

Here are the key user account properties that need to be audited in a Windows Active Directory environment.

Basic User Account Properties to be Audited

Logon Script - this is important if the logon script performs any task that might establish security settings, copy key security files, or do any other security-related work. If the wrong logon script is applied, it could leave the computer less secure.

Workstations - this is an important setting if your company uses it to restrict user accounts to logging on to only a single computer or a few computers. Typically this setting is used for service accounts, not for the user accounts used by employees.

Last time password was set - this setting can help determine stale user accounts. If a user has not changed the password within the maximum password age dictated by the password policy, this might be an indication that the user account is no longer being used. Another important issue to always consider is a malicious administrator whose user account is configured so that the password does not expire. In this case the administrator toggles the user account so that the password does expire, runs the report for the audit, then toggles the password back to not expiring. If the password has not been changed in a year, but the password policy requires that all passwords be changed every 30 days, it is clear that the administrator is trying to fool the audit report.

Password is required - in a Windows Active Directory environment, it is not easily possible to configure one user to have a password that expires and another that does not. Some user accounts are configured to not require a password by default, which includes the Guest account and the IWAM_{computername} account.

Password Expires - when a user account is configured so that the password does not expire, the password is not under the same rules as the domain Password Policy. This allows the user to keep the same password for an unlimited time and potentially to have a weak password. Of course, this is not desired, and standard user accounts (including administrators and other IT staff) should have the password expire.

Password Expires Time - not only can you determine whether the password expires, you can also audit when the password will expire next. The key audit point here is to ensure that all users will have their password expire within the password policy, which requires that the password be changed within a set number of days. If the password expiration time is outside this range, there might be an error in the user property, or someone has modified the property to make the password expire later than desired.

Account is Disabled - this is an important property to audit for accounts that have been disabled and might need to be deleted. Most companies have a standard policy for when to delete user accounts. This might be 6 months, one year, or longer after the account is disabled. The main reason for such a long delay before deletion is that a user account can't be recreated after it is deleted; it can only be recovered, which is not an easy process.

Last Logon Time - this setting indicates a key aspect of each user account. It shows whether or not users are logging off at night, which is important to ensure that users change their passwords in line with the Password Policy settings. If a user has not logged on for quite some time, it is important to investigate whether the user account should be disabled, or why the user has not logged on in the recent past.

Advanced User Properties to be Audited

There are still other properties that need to be considered when performing an audit of user accounts. Some of these might be on your basic list, while others might be completely omitted. Regardless, you should consider including them in your next audit.

Remote Access - both dial-up and virtual private network (VPN) access are controlled through Active Directory. The catch with Active Directory is whether the setting is configured for Allow, Deny, or Use Remote Access Policy. If it is set to the latter, you will also need to investigate the Remote Access Policies configured on the RAS server or the RADIUS (Remote Authentication Dial-In User Service) server.

Terminal Service access - with Terminal Services being such an important part of Windows 2000/2003/XP, it is essential to audit whether users can log on using this service. For Terminal Service access you need to check not only the user property for this access, but also the user rights. For Windows 2000 the user right that must be audited is "Log on locally." For Windows XP and Server 2003, the user right that allows users to log on with Terminal Services is "Allow logon through Terminal Services."
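The following script is an added example, not code from the original article: it collects every property discussed in the basic and advanced lists above with the RSAT ActiveDirectory module and flags values that fall outside policy, including the pattern described under "Last time password was set" (a password older than the policy maximum on an account whose password is supposedly expiring). The three threshold variables are placeholders to be set to your own Password Policy and account-retention policy, the use of whenChanged as an approximation of the disable date is an assumption, and the msTSAllowLogon attribute is only populated on Server 2008 and later schemas (on older schemas the flag lives in the userParameters blob and comes back empty).

```powershell
# Added example (not from the original article): audit the AD user properties
# discussed above and write the findings to CSV.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 30    # placeholder: your domain's maximum password age
$StaleLogonDays     = 90    # placeholder: "has not logged on for quite some time"
$DisabledRetainDays = 180   # placeholder: how long disabled accounts are kept before deletion
$Now = Get-Date

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding the next
# expiry as a FILETIME; msNPAllowDialin is the Dial-in tab; msTSAllowLogon is the
# Terminal Services "allow logon" flag (assumption: Server 2008+ schema only).
$props = @(
    'ScriptPath', 'LogonWorkstations', 'PasswordLastSet', 'PasswordNotRequired',
    'PasswordNeverExpires', 'Enabled', 'LastLogonDate', 'whenChanged',
    'msDS-UserPasswordExpiryTimeComputed', 'msNPAllowDialin', 'msTSAllowLogon'
)

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $u = $_
    $f = New-Object System.Collections.Generic.List[string]

    # Logon script and workstation restriction: recorded as-is so the reviewer
    # can compare them with what the account is supposed to have.
    if ($u.ScriptPath)        { $f.Add("LogonScript=$($u.ScriptPath)") }
    if ($u.LogonWorkstations) { $f.Add("Workstations=$($u.LogonWorkstations)") }

    # Last time password was set. Older than the policy maximum on an enabled
    # account whose password is supposed to expire is either a stale account or
    # a "password never expires" flag toggled just for the audit run.
    if ($u.PasswordLastSet) {
        $age = [int]($Now - $u.PasswordLastSet).TotalDays
        if ($age -gt $MaxPasswordAgeDays -and $u.Enabled -and -not $u.PasswordNeverExpires) {
            $f.Add("PasswordLastSet ${age}d ago, exceeds $MaxPasswordAgeDays-day policy")
        }
    } else {
        $f.Add('PasswordLastSet empty (never set, or must change at next logon)')
    }

    if ($u.PasswordNotRequired)  { $f.Add('PasswordNotRequired') }
    if ($u.PasswordNeverExpires) { $f.Add('PasswordNeverExpires') }

    # Next password expiry. Int64.MaxValue means "never" and 0 means "expired";
    # neither converts with FromFileTime, so both are guarded.
    $exp = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($exp -and $exp -ne [long]::MaxValue) {
        $expires = [datetime]::FromFileTime($exp)
        if ($expires -gt $Now.AddDays($MaxPasswordAgeDays)) {
            $f.Add("Password expires $($expires.ToString('yyyy-MM-dd')), later than policy allows")
        }
    }

    # Disabled accounts past the retention period. whenChanged approximates the
    # disable date (assumption; the directory does not store that date itself).
    if (-not $u.Enabled -and ($Now - $u.whenChanged).TotalDays -gt $DisabledRetainDays) {
        $f.Add("Disabled, last changed $($u.whenChanged.ToString('yyyy-MM-dd')); past retention")
    }

    # Last logon. LastLogonDate derives from lastLogonTimestamp, which replicates
    # only about every 14 days, so treat the value as approximate.
    if ($u.Enabled) {
        if (-not $u.LastLogonDate) { $f.Add('Never logged on') }
        elseif (($Now - $u.LastLogonDate).TotalDays -gt $StaleLogonDays) {
            $f.Add("No logon since $($u.LastLogonDate.ToString('yyyy-MM-dd'))")
        }
    }

    # Remote access (Dial-in tab): $true = Allow, $false = Deny,
    # not set = Use Remote Access Policy (then review the RAS/RADIUS policies too).
    $ras = 'Deny'
    if ($null -eq $u.msNPAllowDialin) { $ras = 'UseRemoteAccessPolicy' }
    elseif ($u.msNPAllowDialin)       { $ras = 'Allow' }
    if ($ras -ne 'Deny') { $f.Add("RemoteAccess=$ras") }

    if ($u.msTSAllowLogon) { $f.Add('TerminalServicesLogonAllowed') }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        Findings       = ($f -join '; ')
    }
}

$report | Where-Object Findings | Sort-Object SamAccountName |
    Export-Csv -NoTypeInformation -Path .\ad-user-audit.csv
$report | Where-Object Findings | Format-Table -AutoSize -Wrap

# The Terminal Services check also depends on the user right held on the
# terminal server itself, so run this part there (elevated) and review who
# holds SeRemoteInteractiveLogonRight ("Allow logon through Terminal Services")
# and SeInteractiveLogonRight ("Log on locally").
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern 'SeRemoteInteractiveLogonRight|SeInteractiveLogonRight'
```

Run it from a domain-joined machine with RSAT installed under an account that can read user attributes; the CSV gives the auditor one row per account with every finding, and the secedit step at the end should be repeated on each terminal server, since user rights are local to the machine that grants them.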

As the vulnerability of IT environments increases day by day, a transparent and reliable auditing system is needed to ensure the security of information. Auditing all of the user properties mentioned above will serve the purpose of a secured IT environment.

Senthil Nath

  1. My name is Sajjad Ali and I am a Network Administrator

    Thanks for the acknowledgement.

    But I have some queries about Active Directory, meaning the Domain Server. These are as under:

    1. The user can't turn off the system.
    2. The user can't view desktop icons (My Computer, My Documents, My Internet, etc.).
    3. The user also can't view the taskbar.
    4. The user only comes and logs in to their account and works in some applications.

    Please reply with detailed information about my queries
    and also contact me.

    My email address is


  2. Amod

    I also faced and found, while checking,
    attacks through user accounts.