NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Comparative Review: Active Directory Auditing Tools

Tags: , , , , , ,

NetVision was recently featured in a Windows IT Pro product comparative review on Active Directory audit solutions. The full article is available in the September issue and on the Windows IT Pro web site under the title Comparative Review: Active Directory Auditing Tools. But, we just wanted to call out a few of our favorite quotes:

Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool.

NetVision should be your first choice if you’re looking for a turnkey solution. No matter whether you want to use the physical appliance, virtual appliance, or managed service, it’s the best for hands-free AD auditing.

Overall, I was impressed with [NetVision's] product. It’s extremely robust

Each one has its own strengths and weaknesses, but the one that impressed me the most was [NetVision] NVAssess, which is why it earns the Editor’s Choice award.

Well said Windows IT Pro!

Of course, to get the details, please read the full article. And let us know if you have any questions.

Dormant Accounts

Tags: , , ,

I spend so much time thinking about the bleeding edge of access reporting that I often forget to mention the basics. In the next few posts, I’ll write about a few of those basic reporting needs  starting today with Dormant Accounts on both Microsoft Active Directory and Novell eDirectory.

These are accounts that have been dormant or unused for some period of time. The most obvious indicator of a user account being dormant is that it has not been used to authenticate in a while. You can easily see this by looking at the user object’s attributes. Obviously, a monitoring-only approach would not be able to tell you what’s NOT happening. So, to effectively report on inactivity, you need a solution that would query your network directory on your schedule. NetVision’s NVAssess does exactly that. And rather than ONLY offering a list of dormant accounts based on your criteria (30 days ? 90 days?), we have built-in ability to provide a nice chart that quickly identifies the dormant user accounts that are still enabled and therefore represent a greater security risk. And we can take that a step further.

Many of our manufacturing customers, as an example, have a significant subset of users that do not regularly authenticate. These employees don’t use computers for their day-to-day routines but occasionally need to log on to the network to access HR or other information. In these instances, we can extend our dormant account reporting to include additional logic. For example, members of a certain group or with a given attribute value can be identified separately from other employees. This makes it easy to see which dormant accounts are expected (or normal) and which may represent a higher risk profile.

NVAssess can also auto-process the dormant accounts based the your selected criteria to disable those accounts, revoke permissions, remove group memberships, and move the account to a specified OU within the directory. This makes the entire process automated and hands-off. When your executive staff or auditors run periodic reports, they’ll never find a list of still enabled dormant accounts that are in breach of your security policy.

NVAssess has been on the market for over 15 years. Dormant accounts reporting is just one drop in the bucket in terms of what it can do. Let us know if you’d like more details.

Setting up Windows and Active Directory Event Log Auditing

Tags: , , ,

There is more than meets the eye when it comes to Windows event log auditing for Active Directory or Windows file system. You can’t just “switch it on” as some might have you think. A recent NetVision white paper takes a lighthearted look at the steps involved in setting up Windows audit and event logging. It identifies some of the considerations and complexity related to Windows event log auditing. You can find the paper on our knowledge page. We invite you to take a look (quick registration required).

For an abbreviated version, take a look at our recent newsletter on this topic.

Reporting on Delegated Admin Rights

Tags: , ,

Management of Active Directory is commonly delegated to local or departmental administrators.  This means that certain individuals are (for example) granted permission to create user accounts and manage security groups within a given area of the directory.  Microsoft provides a built-in wizard (known as the Delegation of Control Wizard) to delegate these tasks which does the work of applying all the underlying permissions associated to the task.

For example, here are just a few of the many underlying permissions granted when you delegate the task [Create, delete, and manage user accounts] over an OU:

  • List Contents
  • List Object
  • Delete Object
  • Delete Subtree
  • Read Permissions
  • Read All Properties
  • Modify Permissions
  • Modify Owner
  • etc.

There are potentially hundreds of underlying permissions for any given delegated task.  The challenge, therefore, lies in being able to understand and report-on which rights have been delegated over time.  How do you know who has been delegated those permissions?  How do you know when underlying permissions are updated after the wizard has applied the task?  Or when rights are applied directly without using the wizard?  How do you know who has rights to create accounts through their group memberships when groups may be several levels deep?

NetVision’s Access Rights Inspector has built-in ability for in-depth reporting on rights over Active Directory objects and that includes reporting on the tasks delegated via the Delegation of Control Wizard.  It provides extremely useful reports and removes the guesswork and manual effort associated with understanding what tasks have been delegated throughout Active Directory.

Active Directory Group Clean Up

Tags: , ,

A recent edition of NetVision’s monthly newsletter AuditMonthly discussed the issues of permission bloat and group clean up.  There are some focus areas outlined in one of our solutions pages: Active Directory Group Clean Up.  We can help you get your arms around the issue, identify low hanging fruit, and clean things up.

Link – Why Add Active Directory Domains?

Tags: ,

An interesting article on SearchWindowsSecurity.com discusses when it’s useful to add new domains to your Active Directory network environment.

Active Directory UserAccountControl

Tags: , , ,

Here’s a link to our Active Directory UserAccountControl Quick Reference Guide.  It’s not intended to be a complete reference on the UserAccountControl attribute, but rather a quick reference for common values related to Access Rights.

It includes things like checking for password not required, password set to not expire, disabled accounts, and smart card required.

Tracking Failed Logon attempts to Active Directory

Tags: , , ,

One method of monitoring possible inappropriate access attempts to Active Directory is to watch for Failed Logon attempts.  One way to do that is to monitor specific events in the Security Event Log on ALL servers within an environment.  The challenge with this has always been trying to monitor and gather all the appropriate information across all systems within an environment.

NetVision has greatly simplified this by centralizing the effort and applying filters at the event source that allow the system to gather only appropriate data and act upon the event information according to pre-defined rules (record it, write to file, send an alert, etc.)

NetVision reports on the following types of Failed Logons:

  1. Failed Logon attempts to the Local System
  2. Failed Logon because an account is Disabled
  3. Failed Logon because an account is Expired
  4. Failed Logon because an account is Locked
  5. Failed Logon because of Machine Restrictions
  6. Failed Logon because of an accounts Password is Expired
  7. Failed Logon because of a Time Restriction
  8. Failed Logon because of an account Type Restriction
  9. Failed Logon because an account is Unknown

NetVision allows you to gather and process ALL Failed Logons centrally so you can evaluate the events, build appropriate reports, and take action on possibly inappropriate behaviors within your environment.

UPDATED: We can also track and report on failed logon attempts without relying on the security event log, making it easy to capture and report on a subset of users (such as system administrators) without having to store ALL failed logon attempts across the enterprise.  …forgot to mention that in the original post.

3-Minute Introductory Demo

Tags: , ,

We put together this quick-and-dirty 3-minute introduction into one of NetVision’s core product offerings – directory monitoring.  In this example, we make a few common changes in Active Directory and show how the changes show up in our reports.

Active Directory Last Logoff

Tags: ,

If you’re trying to audit the Last Logoff time of users in Active Directory or to programmaticly confirm whether someone is still logged on, your intuition might tell you to monitor the lastLogoff attribute. Unfortunately, you’d be wrong.

Active Directory does provide a User object attribute named lastLogoff where logoff Information should theoretically be stored. However, Microsoft currently does NOT utilize this attribute to store logoff information.  [more info on that]

In order to monitor User logoff activity on your own, you would need to watch the Security Event Log at every DC.  And you’d need to configure the Security Event Log policy on each relevant server to monitor logoff events. You would also also need to ensure that the event logs aren’t being overwritten before you capture the information (which can be tricky in large environments if you’re capturing all logon and logoff activity).  And you would have no ability to filter the events so that you’re getting only relevant information.

Because Microsoft doesn’t update Active Directory information during a logoff event, NetVision also monitors the event logs to capture logoff events.  But, because we’re already installed, there’s nothing else you need to do.  And we give you the ability to filter events based on what’s important to you (such as limiting Logoff events to a particular subset of Users).  The resulting reports are easy to read, exportable, and stored independent of logs so they’ll never get overwritten.

Note: Monitoring Logoff events is never 100% reliable. This blog entry from the Windows auditing team explains why.

© 2009 NetVision Company Blog. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.