ADAudit Plus Best Practices

Captions
Well, I would like to welcome you all back, for those of you who have been attending the first couple of workshops on ADAudit Plus, and for those of you that are new to this workshop, we will be sending out a link to the recordings of both workshop 1 and workshop 2 and any documents that we delivered, at the end of this workshop. So just as a quick recap on the workshops that we've done for ADAudit Plus: the first workshop was more on configuration, making sure that you're getting the most out of ADAudit Plus with the configurations, so we made sure that we had security in place, we had alerting in place, we had all of your audit policy and advanced audit policy in place, and some other configurations. Last week we dove into kind of a tour of ADAudit Plus with a highlight of privileged access at the forefront, so we talked about some of the default reports, we talked about how to customize reports, we talked about how to create custom reports as well as set up alerts for your environment. So that was last week's workshop. I will say at the beginning that we strongly encourage all of you that have, whether it be ADAudit Plus or any of the ManageEngine Active Directory products, to please communicate with us with regard to other workshops that you're looking for. We have had workshops on ADManager Plus; if you want to have those we can send you a link. I'm assuming that most of you that are attending the ADAudit Plus workshop have also attended the ADManager Plus workshops, and if you just want to email me or the events team we can get you that information. Anyway, so that's where I want to start off.

For those of you that don't know who I am, my name is Derek Melber and I am the Technical Evangelist for the AD solutions team here at ManageEngine, and what that means is I get to go around the world meeting administrators of Active Directory, meeting companies that are running Active Directory, and I try in every way that I can to help them become more efficient, more secure, and just better understand Active Directory. So I have a pretty awesome job. So just to kind of give you a recap, I know I mentioned this last week: we, ManageEngine, will be doing seminars in Orange County, California; Pleasanton, California, which is right outside of San Francisco; Chicago; and Dallas, the second and third week of August. So if you live in those areas please come register for these events. They are fantastic events. You get to hear me talk about different things, other ManageEngine Active Directory gurus will also be talking, you can ask your personal questions, it's just a great environment, and we feed you lunch, so that's even best, right?

OK, so let's get into this week's workshop. In this week's workshop what I want to do is talk about some best practices. As I talk with the others here in the AD solutions team about ADAudit Plus, there seem to be trends of questions, comments, posts about things and how to do things inside of ADAudit Plus. So what we wanted to do was try to help you better understand the solution by kind of taking the cream of the crop questions and giving you answers for those.

So one of the things that we had questions about was in regard to the audit policy and the advanced audit policy. Now if we go down to Group Policy and we look at the GPO that I have set up to establish the auditing in my environment, now again we went over this in week one but I'm not going to go in detail, I'm just going to show you what I have set up. So you can see here that I have my audit policy set up, and in my environment, because I actually have a Windows Server 2008 R2 domain controller, I have advanced auditing set up and I have advanced auditing being triggered. So the question that we often get is a concern around: if these policies change, and if the policy changes, can ADAudit Plus track that? And of course the answer is yes. So if you come here under your advanced GPO reports and you look at your security settings changes, you can see that you have the ability to track when the audit policy changes. Now this is a new setting; let's see if I can get anything to show up here. Here we go, so you'll see the old version, the new version, and you can see that the maximum password age changed. Now this is telling you that in these areas it lists the password policy. That's actually good. Go back, go back in time a little bit here. I should have changes maybe over the last year; I don't change this often for obvious reasons. So if I come in here I can actually see... if I can actually... instead of new changes, it should be showing me the changes themselves. I apologize for this, I'm not really showing changes, I'm not showing my changes. Think here for a second, they should be showing up there under my security settings and I don't know why they're not. So if I did have a change, and I know I have a change in here somewhere, I just looked at the darn thing but now I'm not finding it, but it will show here, the audit policy change.

So the idea is you can actually set up alerts if certain aspects of the Group Policy change. Now in my opinion you not only want to know if the audit policy changes, you want to know if any GPO changes. Now under the alerts you can view this information; you can actually see, and you can configure, when certain things are modified. Now last week I kind of talked a little bit about how alerts work with regard to reports. Now let's just look at this GPO Deleted alert. So the idea is that if I have a GPO that's deleted, and it would show up on the GPO Deleted report, then I'm going to get an alert about that. So the idea here is that you can actually go in here and you can determine what you want to alert on, and so all of these are actually reports. So you would want to set up a GPO Modified alert that is associated with changes in the GPO; every time a GPO changes you are going to get some type of an alert. Now remember, alerts by default show up in the dashboard and the alerts page, as well as you can send email notifications. So this is the idea, that you can actually go in and you can look to see when things are changing inside of Group Policy, which would be the audit policy and the advanced audit policy. The audit policy and the advanced audit policy are located under the security settings.

OK, now kind of a bigger picture of these GPO reports: we do not have them all broken down, but Group Policy objects are broken down by client-side extensions, CSEs. There is a CSE for security, which includes password policy and account lockout policy; there's a CSE for administrative templates; there's a CSE for user rights. So we've gone in and we've helped you break down some of the most common client-side extensions, giving you reports on them, and because there is a report on that particular area you can actually set up an alert for that particular area. OK, so when you want to track changes and get alerts on things that are changing around ADAudit Plus, you can do that so that you know when something changes.

Now another question that we get, and this is actually quite common, is someone will go into Active Directory, they'll make a change, they'll go back to ADAudit Plus, they'll do a refresh, and nothing will show up. Well, some customers that have had ADAudit Plus for a while didn't see, or haven't upgraded to, the version that has the ability to do real-time information fetching. Now this real-time information fetching we feel is a vital aspect of ADAudit Plus. You'll see here that you can either go to real-time or you can schedule it. Historically ADAudit Plus was on a schedule every 15 minutes, and with a schedule of every 15 minutes that sounds like a really good configuration when you start looking at the amount of information that is being sent across the network, or really most important, how often a domain controller is going to be tapped on the shoulder for its events. But let's look at both of those considerations. If you have a 15-minute fetch time, that means every 15 minutes your domain controllers are going to be sending all of the changes that they have out of the security log to ADAudit Plus. Now that's nice that every 15 minutes your domain controller is being touched instead of constantly, but the idea that we put in place is we use a Microsoft API, and when something goes into the security log that is vital to us, we fetch it in real time. That means that your domain controller is sending less information, only when it needs to, and the overall bandwidth on the network is reduced over time versus big spikes every 15 minutes.

Now what does this mean for the administrator? Well, I just got off the phone with a group, and the group talks about products and whatnot, and I was really emphasizing the idea of ADAudit Plus and how it can help administrators. Now for me as an old administrator, if I'm in Active Directory I know when I'm changing something, but if I have other administrators that can come into Active Directory and they can perform tasks such as disabling accounts, I can't see that. Now I want you to take a step back and think about how you deal with fires around Active Directory. I'm going to guess that most of the time when you have a fire it came from a phone call; someone called, or someone walked into your office and said, my team, my application, me, I'm not being productive and I don't know why; things were working, all of a sudden it doesn't work. That could potentially be because someone made a modification in Active Directory that directly affected that access. Now of course service accounts are critical for this, but it could also be some of your built-in privileged groups; it can also just be a group such as Finance, Accounts Receivable. If someone is removed from that, now they won't have access to those resources. So the idea of real time helps you, the administrator, understand when things change.

So for example, let's say that someone decides to go in and change the Enterprise Admins group. Now if someone is added to this group, let's see if we add Vanessa, if I add someone to the group today, if you don't have ADAudit Plus or you don't have this configured, how do you know when that group was modified? Well, I know when the group was modified because I receive an immediate alert. Now I only receive these alerts in real time if I have real time established and I have an alert set up for that particular report. So you see that I have Modified Admin Group set up here; Modified Admin Groups points to my Modified Admin Groups report, and then my actual Modified Admin Group report is customized to include Enterprise Admins plus these particular groups that aren't there by default. So you see how the bigger picture really starts coming together, and these configurations are vital for you. They're vital for you because this is the way for you to see what's changing in real time with regard to Active Directory. Now I'm not saying you go into every single report and you set up an alert for everything, because that's not required, but you can see that if you set up reports for GPO changes and you set up reports for admin groups being modified, this gives you a huge upper hand on seeing things in the background which are hard to see.

OK, let's move on and talk about a third best practice. This is somewhat of a new configuration. If you go under the Admin tab and you go to Technicians, you have the ability to define what... let's see, Roles. You have the ability to define what the particular role is going to include. So you now get to define new roles, and in the roles you define which reports they have access to, so depending on which area you want them to have access to, you can allow them to see different reports. So I just had an email from someone that is an OU administrator; well, that OU administrator might only need to see OU type of changes. So this is a way that you can carve out who gets to see which reports and how those reports are displayed. And not only do you get to delegate who gets reports, but you also have the ability to change who can administer, who can set up alerts, archive events, plus general settings and whatnot. So reports is one area, administration is another area, and then configuration is yet another area, and you can see you have read and write capabilities here depending on what you want to give someone the ability to control in ADAudit Plus. So what we've tried to do with this is go through the different critical areas within ADAudit Plus and give you, the administrator, the ability to give someone else the ability to view that information.

Now why is this important? Well, I'm going to go back to reports. Most of you on this workshop, you have auditors. Those auditors seem sometimes to constantly ask you questions about, I need a report for this, I need a report for that. Well, since the auditor is already on the security team, and the security team has the ability to access this information, why not just give them the ability to access the information themselves? That is going to get them out of your hair for ninety percent of what they're asking about, because they now can just use ADAudit Plus to come across and get the information that they need when they need it. So this idea of technicians, or delegation, is extremely important when you start looking at the overall picture of how you can set up ADAudit Plus in your environment.

OK, now a little side note here: if you do have any questions, I have some great resources working with me today, and if you ask questions through the interface they should be able to get to those questions as we go along. If the question is so pressing or so important, they'll mention the question towards the end just so that everybody hears the question, and if your question isn't answered we'll get back to you in an email with the answer. So that's how we're taking care of questions, so we can keep the flow going.

So we've talked about alerting with critical aspects such as the audit policy and group membership, we talked about how real-time helps give you insight into things that are happening right now, and then we just talked about the delegation model, which really allows you to offload some of the report generation to someone else. Now another critical area is with regard to archiving. Now the archive is here under the administrative tab, your Admin tab, and when you start looking at the archive, we've tried to give you flexibility in how you need to archive events. Now sometimes you want to have a longer history of information inside of ADAudit Plus that you can query; as you notice, I just went back a year. Other times you may only need to go back a month, and you may only want to go back a month based on the amount of information that's being generated. So when you start looking at logon information, you may want to only go back, you know, two to four weeks, because this archive, I'm sorry, the database is going to fill up, especially if you have a tremendous number of users. But when you start looking at maybe computer modification, or you start looking at, you know, Network Policy Server or file integrity, these things may not be that important to you and they may not even change that often. So in one case you may want to make them short, 30 days or more, and then other times, if it isn't changed that often, you may just want to increase to maybe 90 days on how long you want to keep it in the database until you go in and you archive that information. The default archive is here and you can change that of course, and you can also run the archives now. So if for some reason, you know, you're running out of data, you've had a big spike in logons or a spike in something else and you want to make sure you archive the data before something fills up, you can actually run it before 2 a.m. with just a click and it will archive that information. So we've tried to give you as much granular control around the archive as we possibly could, just so you have more control of what's live in the database and when things are being archived. Now another thing that we are releasing is the ability for you to actually search the archives. So the searching of the archives is a very important piece, and for those of you that like to stay up on the newer versions of ADAudit Plus, that archiving is something that you want to get your hands on, so please be alert to what we're sending you with regard to upgrades and get that latest upgrade.

Now with regard to upgrades, that's my next step. My next step is talking about the correct upgrade, such that you don't have to update the client piece, just the server piece. So how do you upgrade? Well, for those of you that might be new to ADAudit Plus, let me walk you through some things first. If you go to our main web page and you go and click on Active Directory and you go to Active Directory Auditing and you go to Download, you're going to be sent to this page, which of course is the main download for 32- and 64-bit, but you also have these service packs, and these service packs are really how we allow you to upgrade. Now we give you the version and the build numbers here, and if you go back to ADAudit Plus and you go to your license you can see what you're on. I'm on 4690, and I can go to 4691 up to 4693. OK, so the service pack upgrades are vital for you to get the new features. OK, these steps down here are very important. What we don't want is for you to, for some reason, corrupt your database without a backup. So notice we're saying stop the service, then run a backup. How many of you have heard in your entire IT career, back up, back up, back up? Well, guess what, we're encouraging you to back up. OK, we tell you how to back it up, and we give you the step-by-step here on how to back up your database. OK, then you update, and after the update that's when you go and you make sure things are in place, and then you do not terminate the upgrade process prematurely, and then you start things up again. All right, so make sure that you're performing your backups. If there is any issue, we want you to immediately email, with an exclamation point, high priority, to the support team at support@adauditplus.com, please. OK, that is the way that we can help you if for some reason something went wrong; please, we even give you the access right here. All right, so we try to put everything in one spot, and of course some things fall through the cracks, whether it be on your end or our end, but we feel that if you follow the protocol of what we list for you for the upgrades, even if something goes wrong and you email us, that goes a long way into us helping you get through your problem the quickest. OK, so that's how you can go and do your upgrades.

Now let's talk about excluding user accounts. I am NOT a huge proponent of administrators excluding their user accounts from ADAudit Plus. I know that you may want to do that, but think about the bigger picture of things, and, you know, I don't want to say that anyone is going to try to do something malicious, but if you exclude your account and someone finds it, they're going to wonder why you excluded your account. So be a little cautious about that. But what about situations where you do want to exclude an account? If you come over here to the Admin tab, you can exclude user accounts, and these will be excluded from logon auditing, not from everything else, just logon auditing, and you can simply come in and exclude those accounts. Which accounts might you want to exclude? Well, we have many customers that are excluding their service accounts, because service accounts have a constant heartbeat and, depending on the application and how often they go and re-log on or re-authenticate, you may have a multitude of logons per day for service accounts. So you don't really care about those service accounts and where they log on, so you can actually exclude them. Now I have had some customers want the opposite, and that is they have actually built custom reports in such a way that they're leveraging these successful logons, user logon activity, and instead of them going through... see if I can get some information here, right... so instead of them just saying OK, I don't care about service accounts, what they want to do is, if a service account logs on, right, a user name logs on from a wrong host name, they want to alert. Now how often is that going to happen? Not very often. So the rub is, do I want to eliminate all service accounts from being reported for logons to free up my database, or do I want to allow that and then set up an alert for when a service account logs onto the wrong computer? I do not believe that the second one is critical if you have the correct service account configuration. Now if you go out to our blog, the Active Directory blog, there are blogs on how to securely configure your service accounts. Let me just run through one of my favorite settings. If you go to service accounts, you go to the service account properties, and the Account tab, you can actually control which computers the account logs on to. So with this configuration the service account can't successfully log on, so having an alert for a successful logon to the wrong computer wouldn't even be valid. So what we recommend is you exclude the account, set up the service accounts securely, and now you don't have to worry about that.

OK, now another setting that we highly recommend, that I went over last week and I want to quickly review again, is to actually set up custom reports for your service account modifications. So I have a service account modification report here, and if I go back to the last six months you will see all the changes that have occurred for my service accounts, right: account enabled, user account control configured, all these things. This is important because if someone goes in and modifies a service account configuration, most likely it's going to be detrimental to that service running, and you're going to get a phone call within five minutes to five days saying, sorry, the application doesn't run. So what I have done is I have created custom reports around service account modifications. So you'll see here that I've gone in and I've created one that says if anything around these user accounts is modified, then I'm going to go in and I'm going to run a report and also an alert on that. So this is a very important aspect and a best practice that we encourage, because service accounts are so important and you have to track them so much and they can cause so many issues.

OK, now the next one that we want to talk about is really under File Audit. Now remember that File Audit is a small component here compared to our other product, which is FileAudit Plus. File Audit here, yes, works fantastic; it's just not in real time like FileAudit Plus is. So the File Audit here can give you the control that you want, it just may not be in enough time that you need it, and if you need that real time please go look at FileAudit Plus. But what I want to focus on here within the File Audit are the configurations, especially the excludes. Sometimes you don't care about certain file types, you don't care about a certain name, so what you want to do is you want to come in here and exclude all the things you're not going to have to sift through when you look at the data that are being pulled up. So this is a way for you to go in and exclude certain areas of your file auditing to make sure that you're not wasting the time of ADAudit Plus to gather that information. So again you have file types, you have the process name, and then you have certain users that you can exclude from the file audit as well, people that maybe should have access to that, you know, because again, if we start looking at users that should have access, and someone logs in as that user and gains access as that user, how do you know if it was the correct human? Well, you don't, unless you really have good surveillance, which kind of borders on some, you know, sketchy issues in an organization. But we definitely want you to consider the exclusion here so you're not filling up your logs faster than you need to.

Now another area that we wanted to focus on, and of course security being at the forefront, is the idea of SSL. So with SSL we give you the option to enable SSL so that you are communicating with ADAudit Plus securely. Now ADAudit Plus has its own onboard certificate, so you can come here and you could just enable it. Now if you want to integrate some third-party certificate, we have online the steps for that. We don't have too many customers doing that, but we do have a step-by-step if you do want to use your own certificate authority to set up SSL. So again, we're giving you the options on how you want to communicate with ADAudit Plus, whether it be normal, which we would default as port 8081, or through SSL.

Now last, we actually in the first week talked about some configurations here in the Admin tab with regard to alerting. Now the alerting is extremely important when you want to make sure that information is being collected, so we wanted to cover this again as a best practice. If for some reason a domain controller stops reporting back log information, the email address here is going to be emailed as a notification for that. So this not only is a best practice, this is almost a vital configuration to make sure that you're being alerted when things aren't working anymore. We also prefer that you set up an alert when the disk space gets to a certain limit. So both of these we feel are vital to the tool and communication with you, so that you are getting the information that you need about the tool. You have many tools, many services, many servers, and we just wanted to give the ability for the tool to tell you when things maybe aren't working the way that they should.

OK, now another good practice, best practice, which we feel is not only for this tool but all of our tools, is to make sure that you configure this tool to run as a service. Now if you go under the bin folder from wherever you installed ADAudit Plus, you are going to see an installNTService.bat. So we have a batch file called installNTService, and what that does is it actually engages ADAudit Plus to be a service. So here, if we come under ManageEngine, you'll see that I have my ADAudit Plus functioning as a service and I have a service account, adaudit, that is configured to run. So this is my service account running as that. In week 1 we covered the critical configuration around the service account that runs ADAudit Plus to make sure that it has least privilege, and this idea of least privilege again we feel is very important because of the ideas of the attacks that are going on in most organizations today. So in order to make this a least-privileged account, again go back and look at the workshop video on that, but you need read access to the security logs, that's a user right; you need the Event Log Readers membership, which is a group we talked about in the video on workshop one; if you want to make it a Group Policy Creator Owners member, my recommendation is to make it that and then take it away, because you only need it for the setup; and then if you're looking at workstations and servers, you need to have that account in the local Administrators on your member servers and your workstations to pull the information out of the security log. So those are some critical configurations around the service account, making sure that you have that set up. All right, so make sure under the bin folder, installNTService will get this initiated here, then you set it up, and now if you bounce the server, if you do anything else with the server, the service will come back automatically and you don't have to worry about starting the service manually.

OK, so those are some best practices as you run down. Now I wanted to throw in a couple more here, and really these came up this morning when I was talking with my publisher friend, and I want to make sure that you guys understand the power of ADAudit Plus. I'm assuming that most of you on this workshop are the administrators, and I wanted to show you the alerts that I have set up, because I actually went through, and I've been doing so much teaching on compliance as well as just making sure that things are secure, and you'll notice all of the alerts that I have set up. You'll notice that I have fine-grained passwords, I have the domain password policy, I have information about ACLs for OUs, GPO permissions; I want to know if the default Administrator account is modified in any way; I want to make sure that access, their group membership, is correct, especially those that have administrative privileges, down to the server and even the domain controllers' user rights; I want to make sure those are being tracked. So what I encourage you to do, and this is a bigger concept, is I'm going to point you back to our main ManageEngine website, and if you click on Active Directory and you go to Security Hardening, at the bottom of the security hardening page you'll see all these areas. These are ways to harden your Active Directory environment, and you will notice that most of these I have alerts set up for inside of ADAudit Plus, because if anything changes around these areas that are related to hardening of your domain controllers, if they're changed, now your domain controller may not be secure and you need to be notified of that. So if we start tying the bigger picture together with best practices: the ADAudit Plus service account has least privilege, we have alerts set up, the alerts are real-time so ADAudit Plus is set to real-time, and then we have all of these areas, the default reports and the custom reports, that we set up alerts for so that we can get emails in real time when critical things change. So this is really the best practice, but it's not a best practice, it's a combination of best practices put together. Now of course you do have the admin piece for the alerting for when things are going on, but that really fits into the bigger picture of alerting; we designed the tool to alert you when things are wrong, whether it be with the tool or whether it be outside of the tool with regard to Active Directory.

Now I'm going to finish up with talking about the fact that some want this interface, these functions, this ease of use with everything else that generates events. If you want that, then you want EventLog Analyzer. EventLog Analyzer is a big brother to ADAudit Plus when it comes to running reports on everything else. You'll notice that I have UNIX, I have some applications here, network devices; this is a pretty awesome, huge tool that can do everything beyond the security log of your Windows machines. So if you want to come in here and you want to set up gathering information from your application log or your system log, you can do that; that's what EventLog Analyzer is about. You have the reports, you have alerts that you can set up, you have this capability so that you can see what's going on with regard to your environment. OK, so setting up these reports: I set up this report on my own, right, it's very easy to set up. I just went in, I want to go to this particular machine, this particular log, this event ID, and voilà, now it's pulling in the information. Within a couple of clicks I can actually review this information. So I think it's over 500 devices by default that we can actually pull the log information from and generate reports for you. Of course you can add things. Under Compliance, now you're getting compliance; you'll notice here that we have all the different compliance regulations broken out for you, so you don't have to do the heavy lifting, the tool is doing the heavy lifting. What you need to do is define for your custom environment anything beyond what we give you for the default reports, because you're going to have some things that we don't think of, but inside of here there are some pretty awesome things that you can run reports on, whether it be your UNIX environment, your Windows environment, or even other devices. So if you want to go beyond what ADAudit Plus does, which is only the security log on Windows machines, that's when EventLog Analyzer comes in, and that's kind of a best practice of what we were pointing you to.

OK, so I hope this was very informational for you. We kind of ran through some different areas of ADAudit Plus; again, the team went through tons of information looking at the most common questions, so hopefully if you had one of those questions we answered it, and if we didn't answer a question about a best practice, please send us the question that you have; we'd be more than happy to address that. You can send it to me, you can post it on the support, you can go to the blog area, you can go to anywhere you want, please just communicate with us; it's a way for us to help you. So with that, that concludes our three-part series on ADAudit Plus. We probably will have one or two more ADAudit Plus workshops within the next two months, so please keep an eyeball out for an email and invite about that. I know that we continue to go through ADManager Plus and giving workshops on those. I think we'll probably be doing some workshops, because these have been so successful, on some other products that we have. If you don't have the free versions of our products, please go download them; they're so easy to download and install, and you get a lot for free. So please just hit our main website, look at the different tools; if you like one tool, my guess is you're going to like the rest of the tools, because they're just as easy to use, just as lightweight, and just as cost-effective. So with that, I hope that you were able to ask some good questions and get your answers. Please utilize the resources that we have. We have this hardening website; if you go back, we also have our blog, which is through our community, and we have many Active Directory blogs that are coming out constantly, so please utilize these. This is not your best bet to look at features of the product; these are definitely more generic blogs. Some are detailed on products, like this is an ADManager Plus blog, but sometimes it's just generic, so that's really the idea of the blog, to give you a wide variety. But please communicate with us with questions. I hope you've got some great information. I see that most of the questions were answered, so with that, this is Derek Melber, and for myself and the rest of the AD solutions team here at ManageEngine, thank you so much for attending, thank you for your support of our products, and we hope to hear from you very soon, and please have a great rest of your day. This is Derek Melber, thanks a lot.
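The workshop lists four least-privilege requirements for the account that runs the ADAudit Plus collector: a "Log On To" restriction on the service account, Event Log Readers membership for reading domain controller security logs, Group Policy Creator Owners only while setting up, and local Administrators on the member servers and workstations it collects from. The PowerShell below is an added example (not ManageEngine's or the speaker's code) that checks a service account against those four points; the account name, collector host name and member-server names are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: verify the ADAudit Plus collector service account against the
# least-privilege points from the workshop. All names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-adaudit'                # placeholder: the collector service account
$CollectorHosts = @('ADAUDIT01')               # placeholder: host(s) that run the ADAudit Plus service
$MemberServers  = @('FILESRV01', 'APPSRV01')   # placeholder: servers whose security logs are collected

function Test-AuditServiceAccount {
    param([string]$Name, [string[]]$AllowedHosts, [string[]]$Servers)

    $acct     = Get-ADUser -Identity $Name -Properties LogonWorkstations, MemberOf
    $findings = @()

    # 1. "Log On To" restriction (LogonWorkstations / userWorkstations). An empty value
    #    means the account may log on from any computer, which is what the workshop
    #    recommends against; only the collector host(s) should be listed.
    if ([string]::IsNullOrEmpty($acct.LogonWorkstations)) {
        $findings += "LogonWorkstations is empty: $Name can log on from any computer."
    } else {
        $extra = ($acct.LogonWorkstations -split ',') | Where-Object { $_ -notin $AllowedHosts }
        if ($extra) { $findings += "LogonWorkstations allows unexpected hosts: $($extra -join ', ')" }
    }

    # 2. Event Log Readers membership (needed to read the Security log on the DCs).
    $groups = $acct.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    if ('Event Log Readers' -notin $groups) {
        $findings += "$Name is not a member of Event Log Readers."
    }

    # 3. Group Policy Creator Owners is only needed during setup; flag it if still held.
    if ('Group Policy Creator Owners' -in $groups) {
        $findings += "$Name is still in Group Policy Creator Owners; remove it after setup."
    }

    # 4. Local Administrators on each member server (needed to pull its Security log).
    #    Get-LocalGroupMember requires the LocalAccounts module on the target (WS2016+).
    $pattern = '\\' + [regex]::Escape($Name) + '$'
    foreach ($srv in $Servers) {
        try {
            $members = Invoke-Command -ComputerName $srv -ErrorAction Stop -ScriptBlock {
                (Get-LocalGroupMember -Group 'Administrators').Name
            }
            if (-not ($members -match $pattern)) {
                $findings += "$Name is not in local Administrators on $srv."
            }
        } catch {
            $findings += "Could not query ${srv}: $($_.Exception.Message)"
        }
    }

    return $findings
}

$result = Test-AuditServiceAccount -Name $ServiceAccount -AllowedHosts $CollectorHosts -Servers $MemberServers
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Output "No findings for $ServiceAccount." }
```

Run it from a host with the RSAT ActiveDirectory module and WinRM access to the member servers; each warning corresponds to one of the four configuration points the workshop asks you to verify.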
Info
Channel: ManageEngine ADSolutions
Views: 10,826
Keywords: ADAudit Plus Best Practices, ADAudit Plus, Active Directory Guide, Active Directory Auditing, AD Audit features, Active Directory video
Id: X6sJrLSDQqU
Length: 45min 45sec (2745 seconds)
Published: Mon Aug 01 2016