Active Directory Auditing
Reactive Active Directory Auditing helps detect the occurrence of potential Active Directory Security incidents.
Active Directory Auditing, a reactive security measure, is important for Active Directory Security because it helps maintain accountability and detect potential security incidents: it records the occurrence of actions and tasks that could indicate that a security incident is in progress.
Active Directory Auditing Checklist
The following Active Directory Auditing Checklist may be used to identify what to audit in Active Directory:
[Active Directory Audit List: The Top 25 Tasks to Audit]
In addition, because audit events are not replicated between domain controllers (DCs), a change is recorded only in the Security log of the DC that processed it. Organizations are therefore advised to have adequate mechanisms in place to collect the audit events generated on every DC in the forest and obtain a unified view of them.
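One way to build that unified view, as an added example that is not from the original page: a PowerShell script that queries the Security log of every DC in the forest for a handful of well-known audit event IDs (chosen here for illustration) and merges the results into one list. It assumes the ActiveDirectory PowerShell module, network reachability to each DC, and an account permitted to read the DCs' Security logs.

```powershell
# Added example (not part of the original page). Security log entries are
# written only on the DC that processed the change, so every DC in the
# forest must be queried to obtain a unified view of audit events.
# Assumes: ActiveDirectory module, RPC reachability to each DC, and an
# account with read access to the DCs' Security logs.
# Example event IDs: 4720 (user account created), 4728/4732/4756 (member
# added to a security-enabled group), 4670 (permissions on an object changed).

$EventIds = 4720, 4728, 4732, 4756, 4670
$Since    = (Get-Date).AddHours(-24)

# Enumerate every DC in every domain of the forest.
$Forest = Get-ADForest
$Dcs = foreach ($domain in $Forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$Events = foreach ($dc in $Dcs) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Security'
            Id        = $EventIds
            StartTime = $Since
        } -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                DC          = $dc.HostName
                Domain      = $dc.Domain
                EventId     = $_.Id
                # First line of the message is the event's summary text.
                Summary     = ($_.Message -split '\r?\n')[0]
            }
        }
    }
    catch {
        # Get-WinEvent raises an error when a DC simply has no matching
        # events; that is not a collection gap. Any other error (DC
        # unreachable, access denied) leaves a hole in the unified view,
        # so report it rather than continuing silently. The message match
        # assumes an English-language system.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read Security log on $($dc.HostName): $_"
        }
    }
}

# One chronologically ordered view across all DCs.
$Events | Sort-Object TimeCreated | Format-Table -AutoSize
```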
Comparatively speaking, auditing is helpful for incident detection and damage containment, but because prevention is always better than cure, its value is limited compared to that of proactive audits. A proactive audit can precisely identify who can perform which actions, and thus help ensure that only authorized individuals have sufficient privileges to enact sensitive actions to begin with, preventing security incidents.
Active Directory Auditing is helpful, but it only provides reactive insight once an action has been enacted, which can help detect a security incident. The proactive insight obtained from an Active Directory Audit of who can perform which actions can help prevent a security incident, and is thus more valuable than auditing.
For instance, it is better to know that only 10 IT admins can enact a certain task, than it is to have no idea (or just an approximate idea/hunch) as to how many IT admins can perform the task and rely solely on auditing to detect the enactment of the task.
In the worst case scenario, depending on the skill of the perpetrator, the enactment of a single malicious administrative task may be sufficient to inflict substantial and possibly irreversible damage. In such situations, although auditing could detect the occurrence of this task, by then, it may very well be too late.