TECHNICAL BRIEF

Protecting and Auditing Active Directory with Quest Solutions

Written by Randy Franklin Smith
CEO, Monterey Technology Group, Inc.
Publisher of UltimateWindowsSecurity.com


Technical Brief: Protecting and Auditing Active Directory with Quest Solutions 1

© 2010 Quest Software, Inc.

ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ("Quest").

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters

LEGAL Dept

5 Polaris Way

Aliso Viejo, CA 92656

www.quest.com

E-mail: [email protected]

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.


Contents

Executive Summary
Key Audit and Protection Requirements for Active Directory
  Why Protect and Audit Active Directory
  Key Components for Protection and Auditing of Active Directory
    Change Tracking
    Real-Time Monitoring
    Reporting
    Security Event Management and Correlation
    Secure Audit Trail
Providing Comprehensive Audit and Protection for Active Directory
  Introduction
  ChangeAuditor for Active Directory
    Intelligent AD Auditing
  Quest InTrust
    Integration of InTrust and ChangeAuditor
Summary
About the Author


Executive Summary

Active Directory (AD) is the core of enterprise IT; for this reason, comprehensive protection and auditing of AD changes is critical. Together, Quest ChangeAuditor for Active Directory and InTrust provide the monitoring, reporting and audit trail capabilities required to fulfill operational, planning, security and compliance requirements for AD. ChangeAuditor tracks, monitors and reports on core changes; InTrust provides a long-term, secure audit trail and correlates AD data with other enterprise IT activity.


Key Audit and Protection Requirements for Active Directory

Why Protect and Audit Active Directory

On many levels, Active Directory (AD) is the core of enterprise IT: AD is where you find user accounts, groups for access control, encryption policies, certificates and CRLs, network IPsec policies; the list goes on and on. Moreover, nearly every system component integrates with AD, from databases to applications, UNIX systems and wireless access points to VPNs, as well as business partners and cloud services through federation services.

Because AD is critical to your business operations, comprehensive protection and auditing of changes is a must. One unauthorized or accidental change to AD can have devastating cost, security, downtime and compliance consequences. For instance, group policy objects (GPOs) provide centralized and automated configuration control of all computers on your network; a poorly edited GPO can spread a configuration change to thousands of computers in minutes, possibly compromising the security or availability of your network.

In addition, AD must be managed by all-powerful domain administrators. Malicious actions by rogue administrators can be deterred by a high-integrity audit trail that detects changes and enforces accountability.

Key Components for Protection and Auditing of Active Directory

Many monitoring, reporting and audit trail capabilities are required to fulfill AD's operational, planning, security and compliance requirements. But as shown in Figure 1, the foundation is change tracking: it must supply change events in real time, with enough detail that the downstream monitoring, reporting and audit trail components can consume them.

Figure 1. The comprehensive protection and auditing components of Active Directory. The diagram shows change tracking as the foundation feeding four components:

Real-time monitoring: alerting; object protection; integration with systems management solutions
Reporting: planning and analysis; compliance documentation; forensic analysis and security incident response; operational accountability; directory integration/synchronization monitoring
Secure audit trail: long-term and high-integrity; admissible as evidence; accountability over AD administrators
Security event management (SEM) and correlation


Change Tracking

All objects in Active Directory (e.g., users, groups, computer accounts, OUs and group policy objects) are structured according to AD's schema of object classes and properties. Therefore, in general, AD change tracking can be implemented using a uniform process that works no matter what type of object is changed. The key elements of any AD change event should include the:

Time of the change
Object modified
User that modified the object
Operation performed
If applicable, properties modified and their values before and after the change
Domain controller where the change was made
IP address of the workstation or client machine from which the change originated

AD includes built-in auditing that might, at first glance, seem to be a viable option for tracking changes. However, the native AD audit log has architectural limitations that prevent it from satisfying audit and protection requirements. These are detailed in the "Architectural Limitations of the Native Active Directory Audit Log" inset below. Moreover, the native audit log fails to capture the following critical types of information:

Nested group changes: Although the basic, schema-based change tracking of AD native auditing records first-level group membership changes, nested membership changes go unnoticed. For instance, if John is added to the group Directory Services Engineers, which is a member of Enterprise Admins (an all-powerful forest-level group), native AD auditing will not generate any event alerting you that John now has Enterprise Admins authority.

Group policy settings: Unlike other AD objects, GPOs have only a pointer (or "stub") object stored in AD; the actual configuration settings comprising a GPO reside in the file system (the SYSVOL share) of each domain controller. Simple schema-based tracking like the native AD audit log monitors only changes to the "stub" of the GPO, such as name changes or deletions. At best, the native audit log can tell you that a GPO was modified, but not which of the thousands of settings was defined or the setting's values before and after the change.

Permission changes: In Windows Server 2003, the native audit log can report only that the discretionary access control list (DACL) of an AD object was modified, not which permissions were added or removed for which users or groups. In Windows Server 2008, the native audit log reports the before and after values of the entire DACL, but in cryptic security descriptor definition language (SDDL), for example:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Cryptic AD schema: The native AD audit log reports the actual class and property names as defined in AD's schema. These names are sometimes highly cryptic, which can make it impossible to understand what was actually changed without significant research in the AD schema. For instance, a change to a user's last name is reported as a modification of the "sn" property.

Comprehensive auditing and protection of Active Directory requires an intelligent change tracking engine that monitors all modifications to Active Directory, looks for subtle impacts such as nested group membership changes, and translates cryptic data into information that IT, security and compliance staff can understand and act upon. ChangeAuditor for Active Directory's change tracking engine meets these requirements, as explained in greater detail later in this tech brief.
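The nested-group gap described above can be closed at detection time with a walk over group nesting. The following is an added example, not code from the brief or from Quest: it takes a constructed "member added" event (the fields a native 4728, 4732 or 4756 event supplies) and a constructed nesting graph (in production built from the groups' member/memberOf attributes over LDAP) and reports which privileged groups the new member gained through nesting. The group names, the privileged-group list and the event are assumptions.

```python
"""Expand nested group membership for a 'member added to group' event.

Added example (not code from the brief or from Quest). Native auditing
records the direct addition (events 4728, 4732 and 4756 for global, local
and universal security groups) but never says that the new member has,
through nesting, joined a privileged group. The nesting graph, the
privileged-group list and the event below are constructed; in production
the graph comes from the groups' member/memberOf attributes over LDAP.
"""
from collections import deque

# Constructed nesting graph: group -> groups it is a direct member of.
# "Ops Leads" and "Server Ops" contain each other; AD allows such loops,
# so the walk below must tolerate them.
MEMBER_OF = {
    "Directory Services Engineers": {"Enterprise Admins", "Server Ops"},
    "Server Ops": {"Ops Leads"},
    "Ops Leads": {"Server Ops"},
    "Help Desk": {"Account Operators"},
}

# Assumption: the groups whose effective membership the organisation alerts on.
PRIVILEGED = {"Enterprise Admins", "Domain Admins", "Schema Admins",
              "Administrators", "Account Operators"}


def effective_groups(group, member_of=MEMBER_OF):
    """Every group reachable from `group` through nesting (excluding itself)."""
    seen, queue = set(), deque([group])
    while queue:
        current = queue.popleft()
        for parent in member_of.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def assess_member_added(event, member_of=MEMBER_OF, privileged=PRIVILEGED):
    """Add to a native 'member added' event the thing it lacks: the privileged
    groups the member now belongs to, directly or through nesting."""
    direct = event["group"]
    gained = ({direct} | effective_groups(direct, member_of)) & privileged
    return {
        "member": event["member"],
        "added_by": event["subject"],
        "direct_group": direct,
        "privileged_groups_gained": sorted(gained),
        "alert": bool(gained),
    }


# Constructed event carrying the fields a 4728 record supplies.
SAMPLE_EVENT = {"event_id": 4728, "subject": "CORP\\jsmith-admin",
                "member": "CORP\\john", "group": "Directory Services Engineers"}

if __name__ == "__main__":
    print(assess_member_added(SAMPLE_EVENT))
```

The walk is breadth-first with a visited set, so a nesting loop (which AD does not prevent) terminates; the same expansion applied to a group removal event tells you which privileges were lost.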


Real-Time Monitoring

Protecting Active Directory requires real-time monitoring that identifies high-impact, suspicious or prohibited changes and automatically takes appropriate actions, such as reversing the change or informing appropriate personnel.

Alerting: Administrators need to be able to define changes that may not necessarily be prohibited but are suspicious or high-impact. These changes need to be reviewed immediately to determine an appropriate response. For instance, when a group policy object is modified, potentially thousands of computers or users could be impacted. At the same time, once stabilized, most GPOs are fairly static and seldom need modification. Therefore, administrators should be able to designate stable GPOs and receive immediate notification of any modifications. Upon such notification, administrators can confirm that the GPO change was approved and executed in compliance with the organization's normal configuration change control process.

Architectural Limitations of the Native Active Directory Audit Log

Because Active Directory monitoring and auditing is so important, Windows Server provides some native functionality for auditing changes and other high-priority AD events. Despite the valuable functionality provided by the Windows security log, significant gaps and limitations remain. The following limitations compromise an organization's ability to fulfill security and regulatory requirements for monitoring and auditing Active Directory:

Audit data scattered among domain controllers: While directory information is replicated between domain controllers, security logs are not. Each domain controller has its own security log, which contains only the events associated with operations performed against that particular domain controller. Therefore, an organization's overall audit trail is fragmented across many domain controllers within the AD environment.

No reporting or alerting: Windows Server provides no real reporting or analysis capabilities for the Windows security log. The one native tool for viewing security log activity is the Event Viewer Microsoft Management Console snap-in, which provides only basic filtering capabilities. The task triggering capability introduced in Windows Server 2008 could provide some rudimentary alerting but would require significant scripting and management effort.

No protection from administrators: Since the audit data remains on the domain controllers, it cannot be used as a reliable audit trail of administrator actions, because administrators can erase or modify any file on the system.

High volume of audit data: Because of the low-level, generalized nature of the Directory Service Access audit category, the Windows security log can produce huge amounts of data when used to audit AD changes. With each domain controller producing potentially hundreds of megabytes of audit data every day, locating critical events is like looking for a needle in a haystack, and vast storage is required to archive the audit data.

Performance risks: Given the huge amounts of audit data and the arcane nature of policy definition, it is easy to define AD audit policies that may overwhelm any amount of domain controller hardware.

For a full discussion of AD's native audit log, its limitations and impact on compliance with key regulatory requirements, please see the white paper "Overcoming Active Directory Audit Log Limitations" available at http://www.quest.com/common/registration.aspx?requestdefid=26188.


Integration with systems management solutions: While direct e-mail notification may be appropriate in some situations, enterprises need the ability to receive alerts generated by AD monitoring directly in systems management solutions such as System Center Operations Manager (SCOM) or Tivoli, via SNMP traps or other interfaces.

Object protection: Some changes should not be allowed at all. For instance, administrators may create an organizational unit (OU) that holds critical objects intended for emergencies. This OU may contain an emergency administrator account to be used if all other administrator accounts are deleted, locked out or unavailable, possibly due to a denial-of-service attack. Or a top-level group policy object may ensure that certain critical security policies are deployed to all computers. In both cases, an organization needs the ability to lock down such objects to prevent any modification that could jeopardize their purpose, even by administrators.

Reporting

Most AD changes are not severe enough to warrant an alert or an object protection response, but they still need to be reported. Organizations need to report Active Directory changes to fulfill a wide array of analytical and documentation needs, including:

Planning and analysis: Because enterprises are constantly changing, they need to be able to analyze historical data to predict future capacity requirements. They also need to determine how frequently certain changes are made to assess the benefit of automating certain processes or the impact of modifying an operation. For instance, an organization considering adopting a self-service password reset solution needs to know how often accounts are locked out due to forgotten passwords and how many corresponding calls are made to the help desk for password resets.

Compliance documentation: To satisfy regulators and auditors, organizations must not only demonstrate that a certain security process or control is in place, but also produce documentation that the process is being used in specific cases. For instance, organizations need to document how promptly accounts are disabled after employee terminations and when group membership is revoked due to job changes.

Forensic analysis and security incident response: When a system intrusion or other security incident occurs, analysts may be hampered without an audit trail of all relevant AD changes. Analysts need to be able to search the audit trail left by the intruder or malicious insider using a variety of sorting and grouping techniques.

Operational accountability: The dire consequences of erroneous changes to Active Directory have already been discussed in this document. When an operational mistake is made, management must be able to determine how the mistake was made, by whom and when. Without this information, the enterprise can't prevent the problem from happening again, nor can it assign responsibility or take appropriate action against policy violations.

Enterprise activity correlation: AD changes are only a portion of the overall IT activity that organizations must be able to monitor and analyze. Other typical sources of event data include logon and authentication auditing, network connections, and access to applications and resources. Analysts frequently need to correlate events from these different kinds of log data to see the complete picture of what is happening on the network. Therefore, ultimately AD change tracking data needs to be aggregated with the rest of an organization's log data into a single repository for detailed analysis.

Directory integration/synchronization monitoring: To improve security, operational efficiency, organizational responsiveness and compliance, organizations are increasingly integrating or synchronizing directory information between systems to automate identity and access management. Debugging and managing the flow of identity information between Active Directory and those systems can be complicated, and engineers need visibility into changes made by synchronization processes.


Security Event Management and Correlation

Active Directory changes are only one channel of the wider stream of security activity. Information security analysts must correlate AD changes with related activity such as AD authentication events and Windows server security events. Ultimately, AD audit events need to be aggregated with the rest of the organization's security monitoring.

This is especially important in larger enterprises where AD administrators are separate from information security staff. AD change events must be merged into their overall view of enterprise-wide security activity.
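One concrete instance of the correlation called for here and in the "Enterprise activity correlation" item above: a native 5136 ("directory service object was modified") event names the subject account and its Logon ID but carries no client address, while the 4624 logon event that opened the same session on the same domain controller does carry IpAddress and WorkstationName. Joining the two recovers the "where from" element that the Change Tracking section lists as required. This is an added example, not code from the brief or from Quest; the events are constructed records already flattened from event XML (as a Get-WinEvent export or a SIEM would deliver them), and the table of allowed source addresses is an assumption about the organization.

```python
"""Attach the originating client address to native AD change events.

Added example (not code from the brief or from Quest). A 5136 record
carries SubjectLogonId but no client IP; the 4624 record for that session
on the same domain controller carries IpAddress and WorkstationName.
The join key is (computer, Logon ID), because Logon IDs are only unique
per domain controller and per boot. Records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed records from one domain controller's security log, flattened
# from the event XML. Times are local log timestamps.
EVENTS = [
    {"time": "2010-06-01T09:00:00", "computer": "DC01", "id": 4624,
     "TargetUserName": "jsmith-admin", "TargetLogonId": "0x3e5a1", "LogonType": "3",
     "IpAddress": "10.1.20.44", "WorkstationName": "WKS-JSMITH"},
    {"time": "2010-06-01T09:00:02", "computer": "DC01", "id": 4624,
     "TargetUserName": "svc-sync", "TargetLogonId": "0x3e5b0", "LogonType": "3",
     "IpAddress": "10.1.5.9", "WorkstationName": "IDM01"},
    {"time": "2010-06-01T09:03:10", "computer": "DC01", "id": 5136,
     "SubjectUserName": "jsmith-admin", "SubjectLogonId": "0x3E5A1",
     "ObjectDN": "CN=Directory Services Engineers,OU=Groups,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "member", "OperationType": "Value Added",
     "AttributeValue": "CN=john,OU=Users,DC=corp,DC=example"},
    {"time": "2010-06-01T09:04:00", "computer": "DC01", "id": 5136,
     "SubjectUserName": "svc-sync", "SubjectLogonId": "0x3e5b0",
     "ObjectDN": "CN=jane,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "title", "OperationType": "Value Added",
     "AttributeValue": "Analyst"},
    # A change whose logon session was never seen (log rolled over, or
    # the 4624 was on another DC): the join must not fail, only report None.
    {"time": "2010-06-01T09:05:00", "computer": "DC01", "id": 5136,
     "SubjectUserName": "unknown-admin", "SubjectLogonId": "0x77777",
     "ObjectDN": "OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added",
     "AttributeValue": "temporary"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate_changes(events, max_session_age=timedelta(hours=10)):
    """Join each 5136 change to the 4624 logon that created its session.

    `max_session_age` guards against a recycled Logon ID after a reboot
    matching a stale session (assumption: sessions older than that are
    not trusted for attribution)."""
    sessions, changes = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == 4624:
            sessions[(ev["computer"], ev["TargetLogonId"].lower())] = ev
        elif ev["id"] == 5136:
            logon = sessions.get((ev["computer"], ev["SubjectLogonId"].lower()))
            record = {"time": ev["time"], "dc": ev["computer"], "who": ev["SubjectUserName"],
                      "object": ev["ObjectDN"], "attribute": ev["AttributeLDAPDisplayName"],
                      "operation": ev["OperationType"], "value": ev["AttributeValue"],
                      "source_ip": None, "workstation": None, "logon_type": None}
            if logon is not None and _ts(ev["time"]) - _ts(logon["time"]) <= max_session_age:
                record.update(source_ip=logon["IpAddress"], workstation=logon["WorkstationName"],
                              logon_type=logon["LogonType"])
            changes.append(record)
    return changes


def unexpected_sources(records, allowed):
    """Changes by accounts pinned to specific source addresses that came from
    somewhere else, or from a session that could not be attributed at all.
    `allowed` maps account name -> set of permitted source IPs (an assumption,
    e.g. a directory-sync service account that should only act from its host)."""
    return [r for r in records
            if r["who"] in allowed and r["source_ip"] not in allowed[r["who"]]]


if __name__ == "__main__":
    for rec in correlate_changes(EVENTS):
        print(rec["time"], rec["who"], rec["source_ip"], rec["workstation"], rec["object"])
    print(unexpected_sources(correlate_changes(EVENTS), {"svc-sync": {"10.1.5.9"}}))
```

Logon IDs are compared case-insensitively because different exports render the hex differently. The second function is the directory-synchronization check from the Reporting section: a sync service account's changes should all originate from its own host, so anything else (including an unattributable session) is worth a look.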

Secure Audit Trail

Most organizations ultimately depend on audit logs as evidence for internal investigations and legal proceedings. For audit logs to be admissible as evidence, organizations must produce the original audit logs and demonstrate that they were not altered. Because audit data tends to be both voluminous and redundant, organizations may reduce storage requirements by normalizing audit data into different tables. However, such restructuring of the data can create the perception that the audit record has been modified, rendering it inadmissible. Furthermore, normalization can create indexing problems and performance issues at insertion and query time. Unfortunately, the dynamic accessibility and block-oriented format of databases means they do not function well as an unalterable repository for large amounts of redundant data.

Most reporting and analysis processes require that AD audit data reside in a relational database for efficient querying. However, security and compliance requirements demand that audit logs be protected from modification and stored for long periods of time. So while a relational database may be required for temporary storage of audit data for reporting and analysis, audit logs must ultimately be preserved in a high-integrity repository that supports digital signatures and compression.

This repository must also be segregated from AD's operational administrators, because a database within the forest is accessible to all forest administrators and can be modified or even erased. Therefore, to deter or detect unauthorized changes, the permanent copy of any audit data must reside in a repository outside the jurisdiction of those administrators.
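The repository properties asked for above (records kept verbatim rather than normalized, compressed, signed, and verifiable later) can be shown in miniature with a MAC-chained, gzip-compressed archive. This is an added example, not code from the brief or from Quest InTrust. The records are constructed, and the key is assumed to be held by the security team rather than by the AD administrators; it stands in for the asymmetric signature a production repository would use so that verifiers need no secret. The chain logic is the same either way.

```python
"""Seal a batch of audit records into a tamper-evident, compressed archive.

Added example (not code from the brief or from Quest). Records are stored
verbatim as JSON lines, compressed with gzip, and bound by an HMAC chain:
each record's MAC covers the previous MAC, so editing, deleting, inserting
or reordering any record breaks every later link. Assumption: the key is
held outside the AD administrators' reach (in production, replace the HMAC
with a signature so that the verifier holds no secret).
"""
import gzip
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain value before the first record


def _canonical(record):
    # One fixed serialisation so the MAC is reproducible at verify time.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _chain_mac(key, prev_mac, record):
    return hmac.new(key, prev_mac + _canonical(record), hashlib.sha256).digest()


def seal(records, key):
    """Return gzip bytes: one JSON line per record with its chained MAC, then a
    trailer line with the record count and the final MAC."""
    lines, prev = [], GENESIS
    for rec in records:
        mac = _chain_mac(key, prev, rec)
        lines.append(json.dumps({"record": rec, "mac": mac.hex()}, sort_keys=True))
        prev = mac
    lines.append(json.dumps({"count": len(records), "final_mac": prev.hex()}))
    return gzip.compress(("\n".join(lines) + "\n").encode())


def verify(archive, key):
    """Return (ok, records_checked, reason); the chain breaks at the first
    edited, missing or inserted record, and truncation trips the trailer."""
    lines = gzip.decompress(archive).decode().splitlines()
    if not lines:
        return False, 0, "empty archive"
    trailer, prev = json.loads(lines[-1]), GENESIS
    for i, line in enumerate(lines[:-1]):
        entry = json.loads(line)
        expected = _chain_mac(key, prev, entry.get("record"))
        if not hmac.compare_digest(expected.hex(), str(entry.get("mac"))):
            return False, i, "record %d fails chain check" % i
        prev = expected
    if trailer.get("count") != len(lines) - 1:
        return False, len(lines) - 1, "record count mismatch"
    if not hmac.compare_digest(prev.hex(), str(trailer.get("final_mac"))):
        return False, len(lines) - 1, "final MAC mismatch"
    return True, len(lines) - 1, "ok"


# Helpers that do what a rogue administrator with write access to the
# archive might do; present only to demonstrate detection.
def _edit_record(archive, index, **changes):
    lines = gzip.decompress(archive).decode().splitlines()
    entry = json.loads(lines[index])
    entry["record"].update(changes)
    lines[index] = json.dumps(entry, sort_keys=True)
    return gzip.compress(("\n".join(lines) + "\n").encode())


def _drop_record(archive, index):
    lines = gzip.decompress(archive).decode().splitlines()
    del lines[index]
    return gzip.compress(("\n".join(lines) + "\n").encode())


# Constructed change records carrying the fields the brief lists for an AD change.
SAMPLE_RECORDS = [
    {"time": "2010-06-01T09:03:10Z", "dc": "DC01", "who": "CORP\\jsmith-admin",
     "object": "CN=Directory Services Engineers,OU=Groups,DC=corp,DC=example",
     "operation": "member added", "value": "CN=john,OU=Users,DC=corp,DC=example",
     "source_ip": "10.1.20.44"},
    {"time": "2010-06-01T09:04:00Z", "dc": "DC01", "who": "CORP\\svc-sync",
     "object": "CN=jane,OU=Users,DC=corp,DC=example", "operation": "title set",
     "value": "Analyst", "source_ip": "10.1.5.9"},
    {"time": "2010-06-01T09:05:00Z", "dc": "DC02", "who": "CORP\\jsmith-admin",
     "object": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "operation": "versionNumber modified", "value": "12 -> 13", "source_ip": "10.1.20.44"},
]

if __name__ == "__main__":
    KEY = b"key-held-by-security-team"  # assumption: not reachable by AD admins
    archive = seal(SAMPLE_RECORDS, KEY)
    print(verify(archive, KEY))                                           # (True, 3, 'ok')
    print(verify(_edit_record(archive, 0, who="CORP\\someone-else"), KEY))  # (False, 0, ...)
    print(verify(_drop_record(archive, 1), KEY))                          # (False, 1, ...)
```

Because the records themselves are never rewritten, the archive still satisfies the "produce the original" requirement; the compression and the chain are wrapped around them, not applied to a normalized copy.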


Providing Comprehensive Audit and Protection for Active Directory

Introduction

By combining ChangeAuditor for Active Directory (CAAD) with Quest InTrust, Quest Software provides comprehensive audit and protection for Active Directory:

ChangeAuditor provides core change tracking, monitoring and reporting.
InTrust provides a long-term, secure audit trail and correlates audit data with other IT activity.

Figure 2 - ChangeAuditor and InTrust provide comprehensive auditing and protection for AD. The diagram maps the components of Figure 1 onto the two products: ChangeAuditor for Active Directory covers change tracking, real-time monitoring (alerting, object protection, integration with systems management solutions) and reporting (planning and analysis, compliance documentation, forensic analysis and security incident response, operational accountability, directory integration/synchronization monitoring); Quest InTrust covers the secure audit trail (long-term and high-integrity, admissible as evidence, accountability over AD administrators) and security event management (SEM) and correlation.


ChangeAuditor for Active Directory

ChangeAuditor monitors Active Directory domain controllers in real time, preventing unauthorized changes to protected objects and recording allowed changes for specified objects, users and actions. It also provides advanced alerting and reporting.

ChangeAuditor's architecture comprises three components. These work with the SQL Server relational database that contains ChangeAuditor's audit data and configuration:

Figure 3 - ChangeAuditor architecture. The diagram shows a ChangeAuditor agent on each domain controller feeding the ChangeAuditor database (SQL Server); one or more ChangeAuditor Coordinators; the ChangeAuditor client, with SQL Server Reporting Services for reports; and alert outputs to SMTP e-mail, SNMP and Systems Center Operations Manager.

ChangeAuditor Agent: ChangeAuditor's change tracking engine resides in the ChangeAuditor agent, which runs on each domain controller. As the agent monitors any attempt to change objects in AD, it compares each requested change to the object protection policies previously defined by ChangeAuditor users. If the change matches a prohibited combination of user, action and object, ChangeAuditor prevents the change from being made. Otherwise, ChangeAuditor records the event to the ChangeAuditor database according to the organization's CAAD configuration policy, which defines which objects, users and actions are audited.

ChangeAuditor Coordinator: The ChangeAuditor Coordinator monitors new activity being logged to the ChangeAuditor database and generates SMTP e-mail alerts and SNMP traps. It can also send events to SCOM, depending on the activity and ChangeAuditor's configured alert policy. Additional ChangeAuditor Coordinators and a SQL Server cluster can be implemented for fault tolerance.

ChangeAuditor Client: IT staff use the ChangeAuditor Client to access and configure ChangeAuditor, as well as run reports and conduct analysis. Reports can also be scheduled and automatically delivered via SQL Reporting Services, which integrates directly with the ChangeAuditor Client. With this client, staff can quickly determine who changed what, when the change occurred, and where the change originated.

Intelligent AD Auditing

Unlike native AD auditing, which is limited to simple object/property schema-based auditing, the ChangeAuditor agent provides intelligent auditing of AD changes. It addresses the specialized auditing requirements peculiar to Active Directory described in the Change Tracking section earlier in this document.

Nested group changes fully expanded

ChangeAuditor monitors nested group memberships and reports indirect group membership additions. To use the example given earlier, if John is made a member of the group Directory Services Engineers, which in turn is a member of Enterprise Admins, ChangeAuditor alerts you that a new member has gained all-powerful Enterprise Admins membership.

Figure 4. Nested group membership changes are reported by ChangeAuditor. Scenario: user added to nested group (Directory Services Engineers, nested in Enterprise Admins). Native AD audit event: none. ChangeAuditor event: reported (screenshot).


Changes to group policy settings reported in detail

As explained earlier, a GPO's configuration settings reside in the file system of each domain controller, so the native audit log can tell you only that a GPO was modified, but not which settings were changed or their values before and after the change. ChangeAuditor, on the other hand, reports exactly which settings within the GPO were changed and provides the before and after values for the settings, as shown below:

Scenario: Group Policy Object Modified. Native AD audit event beside ChangeAuditor event (screenshots).


Permission changes fully reported, without redundant notifications

At best, native AD auditing can report only that there was some kind of permission change on a given OU; moreover, it floods the security log with hundreds or thousands of additional notifications, one for each child object within that OU and its sub-OUs, as the new inheritable permissions propagate down the tree. ChangeAuditor, however, reports a single permission change event for the object where the permissions were actually modified, and specifies exactly which entries were deleted and/or added:

Scenario: Active Directory permissions delegated for a given organizational unit. Native AD audit event beside ChangeAuditor event (screenshots).
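The SDDL problem raised under "Permission changes" in the Change Tracking section and the flood of per-child notifications described just above have the same remedy in detection logic: parse the before and after descriptors from the 5136 event into access control entries, diff them, name the trustee and the rights, and discard entries that carry the ID (inherited) flag, since inherited entries are exactly what the cascade of child-object events consists of. This is an added example, not code from the brief or from Quest. The SDDL strings, the distinguished names, the domain SID and the SID-to-name table are constructed.

```python
"""Diff two SDDL security descriptors and report only explicit permission changes.

Added example (not code from the brief or from Quest). On Windows Server
2008 and later, event 5136 reports the nTSecurityDescriptor attribute before
and after a change as SDDL. The DACL portion is parsed into ACEs of the form
(type;flags;rights;object_guid;inherit_guid;trustee); entries whose flags
include ID were inherited from a parent and are dropped unless asked for.
All strings, DNs and the domain SID below are constructed.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")

RIGHTS = {  # SDDL access-right tokens that apply to directory objects
    "CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
    "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
    "DT": "Delete Tree", "LO": "List Object", "CR": "Control Access",
    "SD": "Delete", "RC": "Read Control", "WD": "Write DAC", "WO": "Write Owner",
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute",
}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow", "OD": "object deny"}
TRUSTEE_ALIASES = {  # well-known SDDL trustee abbreviations
    "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
    "BO": "BUILTIN\\Backup Operators", "WD": "Everyone", "AU": "Authenticated Users",
    "DA": "Domain Admins", "EA": "Enterprise Admins", "AO": "Account Operators",
}
# Assumption: a SID-to-name table; in production resolve via LDAP or LookupAccountSid.
KNOWN_SIDS = {"S-1-5-21-3623811015-3361044348-30300820-1107": "CORP\\Help Desk"}


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_dacl(sddl):
    """The DACL as a list of (type, flags, rights, object_guid, inherit_guid, trustee)."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:  # conditional ACEs carry a 7th field; the first six suffice here
            aces.append(tuple(fields[:6]))
    return aces


def is_inherited(ace):
    return "ID" in _pairs(ace[1])


def describe(ace, change):
    ace_type, flags, rights, obj_guid, _inherit_guid, trustee = ace
    return {
        "change": change,
        "type": ACE_TYPES.get(ace_type, ace_type),
        "trustee": TRUSTEE_ALIASES.get(trustee) or KNOWN_SIDS.get(trustee) or trustee,
        "rights": rights if rights.startswith("0x")
                  else ", ".join(RIGHTS.get(t, t) for t in _pairs(rights)),
        "applies_to": obj_guid or "all properties",
        "inherit": "child objects too" if "CI" in _pairs(flags) else "this object only",
    }


def diff_dacl(before, after, include_inherited=False):
    """ACEs removed from and added to the DACL between two descriptors."""
    b, a = parse_dacl(before), parse_dacl(after)
    changes = []
    for kind, aces in (("removed", [x for x in b if x not in a]),
                       ("added", [x for x in a if x not in b])):
        for ace in aces:
            if include_inherited or not is_inherited(ace):
                changes.append(describe(ace, kind))
    return changes


def explicit_changes(events):
    """Reduce a burst of 5136 permission events to the objects actually edited."""
    reported = []
    for ev in events:
        changes = diff_dacl(ev["before"], ev["after"])
        if changes:
            reported.append({"object": ev["object"], "changes": changes})
    return reported


# Constructed scenario: full control over an OU delegated to a Help Desk group.
HELPDESK = "S-1-5-21-3623811015-3361044348-30300820-1107"
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
OU_BEFORE = "O:DAG:DAD:(A;;" + FULL + ";;;DA)(A;;" + FULL + ";;;SY)(A;;LCRPLORC;;;AU)S:(AU;SA;WDWO;;;WD)"
OU_AFTER = ("O:DAG:DAD:(A;;" + FULL + ";;;DA)(A;;" + FULL + ";;;SY)(A;;LCRPLORC;;;AU)"
            "(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;" + HELPDESK + ")S:(AU;SA;WDWO;;;WD)")
# Sub-OUs receive the same ACE with the ID flag: that is inheritance, not an edit.
SUB_BEFORE = "O:DAG:DAD:(A;;" + FULL + ";;;DA)(A;;LCRPLORC;;;AU)"
SUB_AFTER = SUB_BEFORE + "(A;CIID;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;" + HELPDESK + ")"

SAMPLE_BURST = [  # three 5136 events as the propagation would produce them
    {"object": "OU=Helpdesk-Managed,DC=corp,DC=example", "before": OU_BEFORE, "after": OU_AFTER},
    {"object": "OU=Tier2,OU=Helpdesk-Managed,DC=corp,DC=example", "before": SUB_BEFORE, "after": SUB_AFTER},
    {"object": "OU=Tier3,OU=Helpdesk-Managed,DC=corp,DC=example", "before": SUB_BEFORE, "after": SUB_AFTER},
]

if __name__ == "__main__":
    for item in explicit_changes(SAMPLE_BURST):
        print(item["object"])
        for change in item["changes"]:
            print("  ", change)
```

The parser deliberately keeps each ACE as a tuple of its raw fields, so the diff is exact (a change of inheritance flags alone still shows up), and only the reporting layer translates tokens into words. Object-specific ACEs (OA/OD) carry the property or extended-right GUID in the fourth field; mapping that GUID to a name needs a schema lookup and is left as the raw value here.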


Plain language used instead of cryptic AD schema

While the native AD audit log reports changes using cryptic schema names for objects and properties, ChangeAuditor reports AD changes in plain language easily understood by IT staff:

Scenario: Last name of user account changed (figure comparing the native AD audit event with the ChangeAuditor event)

Quest InTrust

While ChangeAuditor provides real-time monitoring and reporting, Quest InTrust provides the security audit trail and security event management (SEM) for comprehensive auditing and protection of Active Directory. InTrust is a modular log management and change auditing platform with optional integration with ChangeAuditor for specialized monitoring functionality, and knowledge packs for expert analysis of log and monitoring data.

The InTrust platform provides log collection, alerting, archival and reporting. InTrust has built-in support for the common log formats, including Windows event logs and any type of text file log, as well as syslog streams for support of UNIX, Linux and network devices such as routers and firewalls.

In addition, InTrust provides a secure log-based repository that can securely and efficiently store large amounts of audit data. This protects the data from tampering and keeps it separate from the operational AD administrators, providing both a deterrent and a detective control.


Integration of InTrust and ChangeAuditor

In larger enterprises where AD administrators are separate from information security staff, AD change events must be merged into one overall view of enterprise-wide security activity. Quest delivers this view by integrating the ChangeAuditor event stream into InTrust’s enterprise-wide security event management capabilities.

ChangeAuditor agents can be configured to write Active Directory change events to a local Windows event log in addition to the normal SQL Server database used for alerting and short-term reporting. Then, as shown in Figure 5, InTrust collects the ChangeAuditor event logs from each domain controller and aggregates them with other log data, including logs from servers, firewalls, authentication events from domain controllers, application logs and more:

Figure 5 – Integration of ChangeAuditor with InTrust for an enterprise view of security. The diagram shows ChangeAuditor agents on the domain controllers writing to the Windows event logs, which Quest InTrust collects, together with other log data, into the InTrust log repository (secure and compressed) for security event management: correlation to other AD security events such as authentication, and a long-term security audit trail for compliance, legal and forensic needs.

Once the AD audit data is safely in the InTrust repository, it is protected from tampering by anyone who gains administrator authority in Active Directory. Moreover, AD change events can be correlated with other log data (such as domain controller authentication events) by security personnel for full security event management.
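The correlation mentioned above is straightforward once change events and domain controller logon events sit in one repository: each change can be joined to the most recent logon of the same account on the same domain controller, which adds the source address to the "who" and surfaces changes with no matching logon at all. The following added example (not the brief’s or Quest’s code) does that join over constructed, simplified records; the field names and values are assumptions for illustration, not a real Windows event schema.

```python
"""Correlate AD change events with domain controller logon events.

Added example, not part of the Quest brief or of InTrust. Once change events
and authentication events from the same domain controller are in one
repository, each change can be joined to the logon session of the account
that made it. All records are constructed, simplified stand-ins, not real
Windows event formats.
"""
from datetime import datetime, timedelta

# Constructed change events (as an agent might write them to the local event
# log): who changed what, on which domain controller.
CHANGE_EVENTS = [
    {"time": "2010-05-13T10:05:00", "dc": "DC01", "who": "CORP\\jsmith",
     "what": "Added CORP\\tdoe to group Domain Admins"},
    {"time": "2010-05-13T11:40:00", "dc": "DC02", "who": "CORP\\svc_backup",
     "what": "Modified GPO Default Domain Policy"},
]

# Constructed logon events from the domain controllers' security logs.
LOGON_EVENTS = [
    {"time": "2010-05-13T09:58:00", "dc": "DC01", "account": "CORP\\jsmith",
     "source_ip": "10.1.2.3", "logon_type": "Network"},
    {"time": "2010-05-13T08:00:00", "dc": "DC01", "account": "CORP\\svc_backup",
     "source_ip": "10.1.9.9", "logon_type": "Service"},
]


def correlate(changes, logons, lookback_minutes=60):
    """Attach to each change the latest logon of the same account on the same DC.

    A change with no logon in the lookback window is returned with
    source_ip None and flagged as unmatched: either the account was
    already logged on before the window, or the change deserves a look.
    """
    lookback = timedelta(minutes=lookback_minutes)
    results = []
    for ch in changes:
        ch_time = datetime.fromisoformat(ch["time"])
        candidates = [
            lg for lg in logons
            if lg["dc"] == ch["dc"] and lg["account"] == ch["who"]
            and timedelta(0) <= ch_time - datetime.fromisoformat(lg["time"]) <= lookback
        ]
        match = max(candidates, key=lambda lg: lg["time"], default=None)
        results.append({
            "time": ch["time"], "dc": ch["dc"], "who": ch["who"], "what": ch["what"],
            "source_ip": match["source_ip"] if match else None,
            "logon_type": match["logon_type"] if match else None,
            "unmatched": match is None,
        })
    return results


if __name__ == "__main__":
    for r in correlate(CHANGE_EVENTS, LOGON_EVENTS):
        origin = f'from {r["source_ip"]} ({r["logon_type"]})' if not r["unmatched"] else "NO MATCHING LOGON"
        print(f'{r["time"]} {r["dc"]} {r["who"]}: {r["what"]} {origin}')
```

The lookback window is the tuning knob: too short and long-lived sessions show up as unmatched, too long and an unrelated earlier logon may be attributed to the change.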

AD audit data and other logs can be efficiently stored for years in the InTrust repository in compressed format. However, the logs can be immediately reproduced in their original format to satisfy compliance requirements, legal discovery or investigations. InTrust even allows log data repositories to be indexed so that large amounts of historical log data can be quickly searched without the time-consuming and expensive process of re-importing logs into a reporting database.


Summary

Active Directory (AD) is the core of enterprise IT and requires comprehensive protection and auditing. Together, ChangeAuditor for Active Directory and Quest InTrust provide the monitoring, reporting and audit trail capabilities needed to fulfill AD’s operational, planning, security and compliance requirements.

Key component: Intelligent change tracking
Quest solution: ChangeAuditor for Active Directory
• ChangeAuditor reports all details of each change, including "who, what, when, and where."
• Complex changes involving nested groups, permission inheritance, group policy objects, and cryptic AD schema are fully reported in plain language and without the loss of information common to AD’s native audit log.

Key component: Monitoring
Quest solution: ChangeAuditor for Active Directory
• Critical objects can be protected from accidental or malicious changes.
• Administrators are alerted when suspicious or high-impact changes occur.
• Monitoring of directory integration and synchronization improves visibility into AD and facilitates troubleshooting.

Key component: Reporting
Quest solution: ChangeAuditor for Active Directory
ChangeAuditor provides:
• Reports for planning and analysis
• Compliance documentation
• Forensic analysis and security incident response
• Operational accountability

Key component: Secure audit trail
Quest solution: Quest InTrust
• Long-term storage is facilitated by efficient and compressed storage of original logs.
• Repositories are secure and protected from tampering, so they are admissible for legal proceedings.
• Repositories can be indexed for quick querying without lengthy database import.
• Tamper-proof repository provides deterrent and detective control over all-powerful AD administrators.

Key component: Security event management and correlation
Quest solution: Quest InTrust
• Active Directory changes are aggregated with the rest of the enterprise’s audit logs for comprehensive security event management.
• InTrust collects relevant AD security events not captured by ChangeAuditor, including AD authentication activity.


About the Author

Randy Franklin Smith is president of Monterey Technology Group, Inc. and creator of the UltimateWindowsSecurity.com Web site and training course series. As a Systems Security Certified Professional (SSCP), a Microsoft Most Valued Professional (MVP), and a Certified Information Systems Auditor (CISA), Randy specializes in Windows security. Randy is an award-winning author of almost 300 articles on Windows security issues for publications such as Windows IT Pro, for which he is a contributing editor and author of the popular Windows Security log series. He can be reached at [email protected].


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

PHONE 800.306.9329 (United States and Canada). If you are located outside North America, you can find your local office information on our Web site.
E-MAIL [email protected]
MAIL Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
WEB SITE www.quest.com

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com.

SupportLink gives users of Quest Software products the ability to:

• Search Quest’s online Knowledgebase
• Download the latest releases, documentation, and patches for Quest products
• Log support cases
• Manage existing support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures.

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. TBW-AuditAD-Manuel-US-MJ-20100513