Bridging the Gap Between Native Active Directory Auditing & Successful Compliance


Bridging the Gap Between Native Active Directory Auditing & Successful Compliance

White Paper

Author: Randy Franklin Smith, President, Monterey Technology Group, Inc.

2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. ("Quest").

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.

Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software, Inc.
Attn: Legal Department
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

White Paper: Bridging the Gap Between Native Active Directory Auditing & Successful Compliance

Contents

Abstract
Introduction
Key Regulatory Provisions for Monitoring Active Directory
    The Sarbanes-Oxley Act of 2002 (SOX)
    Payment Card Industry Data Security Standard (PCI DSS)
    The Federal Information Security Management Act of 2002 (FISMA)
How Far Does the Native Audit Log Take You?
    Account Management
    Directory Service Access
    Important Gaps & Limitations
        No Centralized Audit Trail
        No Reporting or Analysis
        High Volume of Audit Data
        Performance Risks
        Missing or Limited Information
        Lack of Real-time Monitoring & Alerting
        No Protection from Privileged Administrators
Bridging the Gap: Quest OnDemand Log Management
Conclusion
About the Author

Abstract

Much of the security and control of an enterprise IT environment rests on Active Directory. It provides authentication and access control for Windows users and applications, as well as for UNIX, Linux and mainframes. Even VPNs, extranets and internal network security technologies all use Active Directory for policy and identity information.

To comply with information security best practices and compliance requirements, Active Directory must be regularly monitored and audited. However, the native Windows security log provides only limited Active Directory audit capabilities, preventing organizations from achieving full compliance with best practices and security requirements.

Quest OnDemand Log Management bridges the gaps in the native security log by enabling organizations to efficiently monitor high-impact and suspicious modifications to Active Directory, as well as comply with regulatory and industry requirements.

Introduction

Active Directory is the cornerstone of security and control in today's corporate network. Active Directory accounts are the first point of authentication and access control when users log on to their workstations. Also, many applications integrate with Active Directory and use those accounts to authenticate and control access to their hosted information and transactions. Active Directory groups are used throughout the Microsoft environment to control access to resources; applications use them to control entitlements and authorization.

Beyond identity services, Active Directory also hosts security configuration policies for the many Windows computers within an enterprise network. Thanks to the wide support of LDAP and Kerberos, Active Directory also provides authentication and directory services to other operating systems and platforms, including UNIX, Linux and mainframes. Active Directory also provides the automation and policy storage required by public key infrastructures based on Windows Certificate Services. VPNs, extranets and internal network security technologies such as Network Access Protection (NAP) and Network Access Control (NAC) all depend on Active Directory for policy and identity information.

Because nearly every component of the enterprise IT environment relies on Active Directory, the importance of the security and health of Active Directory cannot be overstated. In addition, to comply with regulatory requirements, organizations must monitor and quickly respond to high-impact or suspicious changes in Active Directory and produce audit trails documenting that key controls and security processes were followed.

This white paper outlines key provisions of several regulations that affect many organizations, explains how the native audit log can help organizations achieve compliance and discusses the log's limitations. It then explains how Quest OnDemand Log Management can address those limitations and bring organizations into full regulatory compliance.

Key Regulatory Provisions for Monitoring Active Directory

This brief overview describes key provisions in several regulations that illustrate why it is critical to monitor and audit Active Directory. While compliance regulations may differ in scope and in the types of information they protect, they all share common requirements: protecting any type of information involves the same best practices.

The Sarbanes-Oxley Act of 2002 (SOX)

SOX applies to most publicly traded companies and seeks "to protect investors by improving the accuracy and reliability of corporate disclosures." To reach this goal, SOX makes corporate executives and public accounting firms liable for the quality of financial reports and other disclosures to investors. But SOX goes further: it turns certain "best practice" activities into legal obligations and requires directors of publicly held companies to report on their performance of these activities. Companies are required to select and use a control framework to evaluate the effectiveness of the company's internal financial reporting controls. COSO is the framework normally used for the control environment as a whole; COBIT is the most commonly used framework for the IT controls that support it.

Monitoring is a prominent component of COBIT; in fact, "Monitor and Evaluate" is one of its four interrelated domains. Monitoring and auditability requirements are specified by multiple controls defined in COBIT, including:

DS5 Ensure Systems Security
    - DS5.3 Identity Management. Active Directory is the core technology used by organizations for identity management. COBIT requires organizations to "confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person."
    - DS5.4 User Account Management
    - DS5.5 Security Testing, Surveillance and Monitoring

DS9 Manage the Configuration
    - DS9.2 Identification and Maintenance of Configuration Items: "Record new, modified and deleted configuration items"
    - DS9.3 Configuration Integrity Review: "Review and verify on a regular basis, using, where necessary, appropriate tools, the status of configuration items."

Payment Card Industry Data Security Standard (PCI DSS)

Developed by an alliance of credit card companies to protect payment account data, PCI DSS mandates very specific monitoring and availability controls. Requirement 10 of its 12 requirements is "Track and monitor all access to network resources and cardholder data." At many organizations, Active Directory is a key component of the cardholder data environment (CDE) defined by PCI DSS, because the accounts and groups that grant access to cardholder data are managed in it.

The Federal Information Security Management Act of 2002 (FISMA)

FISMA requires all federal agencies to improve the security of federal information and information systems. FISMA also affects many commercial companies, because its requirements apply equally to federal systems and to information maintained by government contractors. The National Institute of Standards and Technology developed NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," as a technical guide to implementing FISMA controls.

NIST SP 800-53 defines the monitoring and auditability controls that a FISMA-covered organization must apply to a core technology component such as Active Directory. For example, the Audit and Accountability family includes these nine controls:

    - AU-1 Audit and Accountability Policy and Procedures
    - AU-2 Auditable Events
    - AU-3 Content of Audit Records
    - AU-4 Audit Storage Capacity
    - AU-5 Audit Processing
    - AU-6 Audit Monitoring, Analysis, and Reporting
    - AU-7 Audit Reduction and Report Generation
    - AU-8 Time Stamps
    - AU-9 Protection of Audit Information

Other notable controls in NIST SP 800-53 include:

    - CA-7 Continuous Monitoring
    - CM-4 Monitoring Configuration Changes
    - IR-5 Incident Monitoring

To summarize, compliance regulations are simply best practices in legislative or contractual form. Although this section does not cover every regulation, it is safe to assume that proper Active Directory monitoring and auditability is required to achieve compliance with many internal and external requirements.

How Far Does the Native Audit Log Take You?

Because Active Directory monitoring and auditability is so important, Windows Server provides some native functionality for auditing changes and other high-priority Active Directory events. This section provides an overview of the native Active Directory audit features of the Windows security log and identifies their limitations.

Windows Server provides Active Directory audit capabilities through two Windows security log categories: Account Management and Directory Service Access. The Directory Service Access category provides low-level auditability of every object and attribute in Active Directory, while the Account Management category provides higher-level auditing of users, groups and computers.

Account Management

The Account Management category of the Windows security log allows you to monitor the creation, modification and deletion of user, group and computer objects in Active Directory. You can use Account Management events to track things such as new user accounts, password resets and new group members. Monitoring the maintenance of domain users and groups can be a key aspect of compliance with legislation such as SOX and the Health Insurance Portability and Accountability Act (HIPAA): access to private or financially significant information is largely controlled through group membership and based on user-account authentication.

When you enable this category on domain controllers, each DC begins recording maintenance events for the operations executed against its user, group and computer objects. Because each DC logs only the operations it serviced, a complete record of all Account Management events for AD objects requires combining this category's activity from the security logs of all your DCs. The table below shows the subcategories associated with Account Management (on Windows Server 2008 they can be enabled individually with auditpol.exe; earlier versions enable or disable the category as a whole).

    Account Management subcategory     Tracks changes to
    User Account Management            Server local user accounts and AD user accounts
    Computer Account Management        AD computer accounts
    Security Group Management          AD security groups and local server groups
    Distribution Group Management      AD distribution groups (used by Exchange as mail lists)
    Application Group Management       Role-based authorization groups for applications
    Other Account Management Events    Policy change events

Account Management audits changes to users, groups and computers, but does not provide any auditing for other critical changes to Active Directory, such as modifications to Group Policy Objects (GPOs), organizational units (OUs), delegated administrative authority, trust relationships or other policies.

Directory Service Access

A misstep in AD can adversely affect thousands of users or computers within minutes, so being able to determine who changed what in AD is critical. While Account Management events provide user, group and computer maintenance auditing, Directory Service Access events make low-level auditing available for all types of AD objects. Directory Service Access events identify the object that was accessed and by whom, and also document the accessed object properties. On Windows Server 2008 the category is split into subcategories: Directory Service Access (event ID 4662) records that an object or attribute was accessed, while Directory Service Changes (event IDs 5136, 5137, 5138, 5139 and 5141) records the modification, creation, undeletion, move and deletion of objects together with the attribute values involved. Both depend on a system access control list (SACL) on the audited objects; an object that carries no SACL entry generates no event, whatever the audit policy says.

Important Gaps & Limitations

Despite the valuable functionality provided by the Windows security log, significant gaps and limitations remain. These compromise an organization's ability to fulfill security and regulatory requirements for monitoring and auditing Active Directory.

No Centralized Audit Trail

At most organizations, Active Directory includes multiple domains, and fault tolerance, scalability and bandwidth requirements are fulfilled by deploying multiple domain controllers for each domain. While directory information is replicated between domain controllers, security logs are not: each domain controller has its own security log, which contains only the events associated with operations performed against that particular domain controller. Therefore, an organization's overall audit trail is fragmented across many domain controllers within the Active Directory environment.

Most versions of Windows Server lack any mechanism for collecting security logs into a central repository. While the event forwarding feature introduced with Windows Server 2008 may be of interest for smaller networks, it does not adequately address this gap for larger enterprises because of scalability and maintenance limitations.

No Reporting or Analysis

Windows Server provides no real reporting or analysis capabilities for the Windows security log. The only native tool for viewing security log activity is the Event Viewer Microsoft Management Console snap-in, which provides only basic filtering capabilities. Administrators and auditors lack any way to turn the raw security log data into informative and actionable reports.

High Volume of Audit Data

Because of the low-level, generalized nature of the Directory Service Access category, the Windows security log can produce huge amounts of data when used to audit Active Directory changes. With each domain controller producing potentially hundreds of megabytes of audit data every day, locating critical events is like looking for a needle in a haystack, and vast storage is required to archive the audit data.

Performance Risks

Given the huge amounts of audit data and the arcane nature of policy definition, it is easy to define Active Directory audit policies that quickly overwhelm any amount of domain controller hardware. A SACL that audits successful reads of all properties on a busy container, for instance, turns every LDAP query against that container into a security log event.

Missing or Limited Information

While Active Directory does a good job of reporting that an object was modified, the security log often fails to explain what was changed about the object. Only domains hosted by Windows Server 2008 domain controllers, through the Directory Service Changes subcategory, record the actual data values of attribute changes; earlier versions of Windows Server only note the attribute that was modified. Even on Windows Server 2008 the previous value is not reported alongside the new one: when a value is replaced, the log holds a "Value Deleted" event carrying the old value and a separate "Value Added" event carrying the new value (both event ID 5136, sharing a correlation ID), and it is left to the reader to join them. No version of Windows Server presents a before-and-after record of a change.

The limitations of Active Directory auditing become especially apparent with Group Policy
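Two of the gaps above, the per-DC fragmentation described under "No Centralized Audit Trail" (and the Account Management section's advice to combine every DC's log) and the missing before/after view described under "Missing or Limited Information", can be narrowed with a small amount of scripting once the logs have been exported. The following Python is an added example, not code from the white paper or from Quest: it parses Security-log XML exports from two domain controllers, merges them into one time-ordered trail, produces report lines for the Account Management events the text mentions (new user, password reset, group member added) and joins the "Value Deleted"/"Value Added" halves of a Windows Server 2008 event 5136 by their correlation ID to recover the old and new attribute values. Every event is constructed; the DC names DC01/DC02, the corp.example domain, the accounts admin1, helpdesk1, jsmith and svc-backup, the correlation GUID and the %%14674/%%14675 resource-ID mapping for OperationType are assumptions made for the example.

```python
"""Added example: merge per-DC Security-log exports into one trail and pair the
two halves of a Windows Server 2008 'Directory Service Changes' modify (event
ID 5136). Every event, DC, account, DN, GUID and timestamp here is made up."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Windows Server 2008 Security-log IDs for the changes discussed in the text.
DESCRIPTIONS = {
    4720: "user account created",
    4724: "password reset",
    4728: "member added to security-enabled global group",
    5136: "directory object attribute modified",
}

# Event Viewer renders OperationType as 'Value Added'/'Value Deleted'; raw XML
# exports carry resource IDs instead. The %% values are an ASSUMPTION: check
# one real 5136 export before relying on them.
OP_TYPES = {"Value Added": "added", "Value Deleted": "deleted",
            "%%14674": "added", "%%14675": "deleted"}


def _xml(event_id, stamp, computer, **data):
    """Build one constructed <Event> in the layout wevtutil/Get-WinEvent export."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{stamp}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


CORR = "{3f9e2c1a-7b2d-4e6f-9a10-5c8d2e1f0b44}"  # constructed OpCorrelationID
JSMITH = "CN=jsmith,OU=Users,DC=corp,DC=example"
SAMPLE_EXPORTS = {  # one constructed export per DC; DC01's 5136 pair is the earliest
    "DC01": "<Events>" + _xml(5136, "2011-03-01T09:59:50Z", "DC01.corp.example",
                SubjectUserName="admin1", OpCorrelationID=CORR, ObjectDN=JSMITH,
                AttributeLDAPDisplayName="scriptPath", AttributeValue="logon.bat",
                OperationType="Value Deleted")
            + _xml(5136, "2011-03-01T09:59:50Z", "DC01.corp.example",
                SubjectUserName="admin1", OpCorrelationID=CORR, ObjectDN=JSMITH,
                AttributeLDAPDisplayName="scriptPath", AttributeValue="update.bat",
                OperationType="Value Added")
            + _xml(4720, "2011-03-01T10:00:05Z", "DC01.corp.example",
                SubjectUserName="admin1", TargetUserName="svc-backup") + "</Events>",
    "DC02": "<Events>" + _xml(4728, "2011-03-01T10:00:40Z", "DC02.corp.example",
                SubjectUserName="admin1", TargetUserName="Domain Admins",
                MemberName="CN=svc-backup,OU=Service,DC=corp,DC=example")
            + _xml(4724, "2011-03-01T10:01:10Z", "DC02.corp.example",
                SubjectUserName="helpdesk1", TargetUserName="jsmith") + "</Events>",
}


@dataclass
class Event:
    time: datetime
    dc: str
    event_id: int
    data: dict


def parse_export(dc, xml_text):
    """Parse one DC's export into Event records (EventData fields keyed by Name)."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        stamp = system.find(NS + "TimeCreated").get("SystemTime")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        data = {d.get("Name"): d.text or "" for d in ev.iter(NS + "Data")}
        events.append(Event(when, dc, int(system.findtext(NS + "EventID")), data))
    return events


def merge_trails(exports):
    """Centralize: combine every DC's log into one trail ordered by time. The sort is
    stable, so a 5136 pair with equal timestamps keeps its Deleted-then-Added order."""
    merged = [e for dc, text in exports.items() for e in parse_export(dc, text)]
    return sorted(merged, key=lambda e: e.time)


def pair_changes(events):
    """Join 5136 'Value Deleted'/'Value Added' halves by OpCorrelationID into one
    before/after record per modified attribute (old stays None for a first-time set)."""
    changes = {}
    for e in events:
        if e.event_id != 5136:
            continue
        rec = changes.setdefault(e.data.get("OpCorrelationID"), {
            "time": e.time, "dc": e.dc, "who": e.data.get("SubjectUserName"),
            "object": e.data.get("ObjectDN"),
            "attribute": e.data.get("AttributeLDAPDisplayName"),
            "old": None, "new": None})
        kind = OP_TYPES.get(e.data.get("OperationType"))
        if kind == "deleted":
            rec["old"] = e.data.get("AttributeValue")
        elif kind == "added":
            rec["new"] = e.data.get("AttributeValue")
    return list(changes.values())


def summarize(events):
    """Count events per (ID, DC): the per-DC split that fragments the native trail."""
    counts = {}
    for e in events:
        counts[(e.event_id, e.dc)] = counts.get((e.event_id, e.dc), 0) + 1
    return counts


def describe(e):
    """One report line: when, which DC logged it, who did what to which object."""
    what = DESCRIPTIONS.get(e.event_id, f"event {e.event_id}")
    target = e.data.get("TargetUserName") or e.data.get("ObjectDN")
    if "MemberName" in e.data:  # group-membership events name both member and group
        target = f"{e.data['MemberName']} into {target}"
    return f"{e.time:%Y-%m-%d %H:%M:%SZ} {e.dc} {e.event_id} {what}: {e.data.get('SubjectUserName')} -> {target}"


if __name__ == "__main__":
    trail = merge_trails(SAMPLE_EXPORTS)
    for ev in trail:
        print(describe(ev))
    for change in pair_changes(trail):
        print(f"{change['attribute']} on {change['object']}: {change['old']!r} -> {change['new']!r}")
```

Running it prints the five events in true chronological order even though the scriptPath change was logged on DC01 and the group change on DC02, and then one joined line showing scriptPath going from logon.bat to update.bat. Against real exports, replace SAMPLE_EXPORTS with the text of `wevtutil qe Security /f:xml` from each DC; the join only works where Directory Service Changes auditing is enabled, and a Value Added half with no Value Deleted partner means the attribute was previously empty, not that the old value is missing.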
