Auditing – and a little housework

First of all, I would like to point you at my GitHub repository. The GPOs I create as part of this blog will be backed up and uploaded to the following repository:
Feel free to download from here and then import the settings.
OK, so I’ve got the two DC’s provisioned and a management workstation where I will be doing all of the configuration work. Earlier, I associated the subnet in Active Directory Sites and Services. Designing a reliable Sites and Services topology does need some thought and if you are running multiple sites you definitely should make sure that it’s right. I have performed several overhauls where it has been neglected in the past and the design process is outside of the scope for now.
As previously mentioned, I am using Azure for this so I also set up an Operations Management Suite Workspace. Once the workspace was setup, I added several solutions:

  • Security and Audit
  • Antimalware Assessment
  • AD Replication Status
  • Update Management
  • Automation Hybrid Worker
  • Agent Health
  • AD Assessment

I was then able to add the Azure virtual machines to report in to OMS through the Azure portal (  These solutions will go through and start monitoring the servers and checking that the configuration adheres to Microsoft’s best practices. I will cover OMS more later as I start setting up alerts from the auditing. There are several ways to get machines to report in to OMS including via SCOM if you have it.
Microsoft produce a document on the best practice for auditing Active Directory. This document covers the default audit settings, baseline reccomendation and a stronger reccomendation. For this environment, I am going to create the stronger recommendation audit policy. As it stands, I am not using IPSec for comms between hosts so will leave this section out. The following audit policies are required, unless specified, you should enable success and failure events:
Account Logon
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Account Management
Audit Computer Account Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Detailed Tracking
Audit DPAPI Activity
Audit Process Creation
DS Access
Audit Directory Service Access
Audit Directory Service Changes
Logon and Logoff
Audit Account Lockout (Success only)
Audit Logoff (Success only)
Audit Logon
Audit Other Logon/Logoff Events
Audit Special Logon
Policy Change
Audit Audit Policy Change
Audit Authentication Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit IPsec Driver
Audit Security State Change
Audit Security System Extension
Audit System Integrity
As well as configuring the group policy to audit these events we will also need to create a system access control list (SACL) to record the changes. We will go through this later when we start delegating the access to the domain.
If you create a group policy within Group Policy Management Console, you can either manually edit the GPO to start auditing the above actions or you can import the version from my GitHub repository at the start of the post. After the settings are all configured, don’t forget to link the GPO to the Domain Controllers OU in your directory. I have found the above group policy to be extremely valuable in real world situations where I’ve needed to know who changed something. It’s one of my go-to policies to ensure everything is traceable. This policy along with a correlation engine such as OMS has proved invaluable.
The policy will create a large amount of entries and the log files will grow rapidly. I will go through setting up a PowerShell script to archive them to an Azure storage account in another post. This will help manage disk space use and more importantly allow you to go back as far as you can in the event of having to perform an investigation.
URL To MS Best practice :

Leave a Reply

Your email address will not be published. Required fields are marked *