The Administrator Shortcut Guide to Active Directory Security Chapter 3
By: Derek Melber, Dave Kearns, and Beth Sheresh, 04/14/2005
Auditing Group Policy
Auditing of OSs and resources has been around for a long time. However, the concept of
auditing GPO management is new. There is, in essence, nothing built into AD or Win2K or later
to help with auditing of GPO management.
Certainly, there is the Event Viewer and advanced GPO logging, but these tools are not
centralized, produce less than coherent log results, and don’t provide the detailed information
that a good audit trail requires. The built-in tools also fail miserably when it comes to any
form of reporting or alerting when an event does occur.
Therefore, when it comes to auditing GPOs, you are best off obtaining a third-party tool. Not
even the illustrious GPMC can touch auditing of GPOs. What do these third-party tools provide
that is so important for auditing of GPOs?
- Change management—This benefit includes tracking the old and new values of the GPO,
who performed the change, when the change occurred, and archiving the old versions of
the GPOs for future reference.
- Reporting—When you have a multitude of GPOs in AD, you will also have a multitude
of changes that need to be queried and summarized. The reporting features should allow
for custom searches, reports, and documentation based on a variety of variables, such as
date, time, user, GPO name, domain controller, and policy.
- Alerting—If an errant or malicious change to a GPO occurs without notice, damage can
be done long before the change is ever tracked and remedied. Alerting provides an
immediate notification that something has changed, so the IT staff is aware of all possible
vulnerabilities or outages based on GPO mistakes. These alerts can be via email, pager,
or phone.
There Isn’t Much Natively
The only capabilities that are provided natively in Windows are the basic event logs and
additional options for verbose logging. The native event logs are usually so cryptic that they are
not worth the effort to decipher. However, with enough experience and event ID tracking,
they can be useful to an experienced administrator. Verbose logging does provide advanced and
detailed tracking of GPO management. However, the logs are not stored centrally, they are
stored in different files for each log activity, and there are no reporting or alerting
capabilities. The advanced logging is also difficult to configure on many computers, because
it requires registry updates to be triggered on each of them. The following list highlights the
categories of the different logs that can be configured natively for GPO logging:
- GPO core logging
- Security logging
- Folder redirection logging
- Software installation logging
- Windows Installer logging
- GPMC error logging
- GPMC error and verbose logging
- GPMC editor logging
Change Management
When you are auditing GPO change management, you are highly concerned about what changed,
who changed it, when it changed, what it was changed to, and what it was changed from. Any
good GPO auditing tool will provide this information to ensure GPOs are tracked and can be
audited. If any of this information is omitted, it is difficult to audit the process of GPO
management, because at least one important piece of the puzzle would be missing. Most of the
third-party GPO auditing tools will categorize the change management within a graphical
interface, breaking down the information into the following areas:
- Date/time of the change
- User who performed the action or change to the GPO
- Domain controller on which the change originated
- GPO name and GUID of GPO
- Section of the GPO in which the change occurred
- Old value of policy setting
- New value of policy setting
These changes should be archived in a central location so that they can be referenced later. Also,
there should be a query option built-in to the archive to allow for manipulation of the data,
showing trends and dates when changes have occurred.
Reporting
The reporting tools for GPO auditing should interface seamlessly with the archived change
management system. This system should provide access to all of the archived information,
offering pre-built and custom reports on the data. The reporting tool should also incorporate a
custom query function so that reports can be generated based on the information that is archived
from the change management tool.
Another feature that is important for reporting on GPO auditing is to have the reporting tool
support HTML. This support can provide a means to access the archive of information from any
computer. When a problem arises that might be associated with GPOs, the administrator can
quickly go online and determine whether any changes have occurred in the recent past. The
HTML interface can also provide a means to access management reports and documentation.
Alerts
When a GPO is undesirably changed, bad things can happen—an executive might not have
access to the Internet, security could be omitted from a server configuration, or an application
could be removed from an HR workstation. If one of these problems occurs, or possibly a worse
problem arises from a GPO configuration, you need to be alerted to the change that can cause the
problem.
Many of the GPO auditing tools won’t do so natively; they will instead rely on the existing
real-time alert infrastructure that the network provides. This capability could be provided by
ScriptLogic, Microsoft, NetIQ, Tivoli, or another third-party vendor. If the GPO auditing tool
provides this functionality natively, that is just a bonus of the tool, because you won’t need to
implement another real-time alert tool or interface with your existing tool.
Other Capabilities
We have looked at a variety of GPO requirements, features, tools, and functions. There are even
more considerations as you move forward with GPOs to secure your AD infrastructure. Most of
these additional capabilities will not be supported in the built-in tools that Microsoft provides.
You will need to head to the GPMC or a third-party vendor solution to get these features.
However, once you see what these tools provide, you will quickly determine that it is not a want
but a need for GPO management.
Rollback Capability
Many of the GPO management tools provide an archive of historic GPOs. These archived GPOs
maintain their policy settings and can be brought back from the archive into production at any
time. This feature is an excellent solution for a large organization that needs to implement the
latest and greatest security changes, regardless of the compatibility issues they might cause. In
this case, security is more important than functionality. However, if the changes from the GPO
provide too strict an environment for any production to occur, the old GPO can be brought back
online to the production environment.
Review and Compare Old GPOs
After many changes to GPOs, you will have a large archive of GPO versions. There will be cases
in which you want to investigate the settings that have occurred over time, comparing and
contrasting different settings that are set in the different GPOs. Most GPO management tools
provide a mechanism to compare one or more GPOs. This functionality can help track down a
problem that a computer or user is having on the network, for example. If a virus or worm has
entered your network, this feature can also provide insight into where the vulnerability might
have come from, based on the archive of GPOs that were in production at the time of the attack.
RSoP
RSoP is essential for troubleshooting and evaluating new GPO settings. Almost every tool
provides two views of the RSoP from the GPOs. The RSoP accounts for inheritance, blocked
policies, forced GPOs, security group filters, and WMI filters. If you were to try to manually
evaluate all of these permutations for GPO application after the introduction of a new GPO, it
would take many hours and cause much frustration.
Most tools provide two options for the RSoP evaluation. The first is used for troubleshooting.
This feature will evaluate a specific computer account and user account, providing the final
policies that affect the different accounts. The evaluation result will also indicate where the final
policy settings were applied from, and in some cases, the result will include all GPOs where the
policy was set, indicating any alterations to the default inheritance behavior of the GPOs.
The second RSoP feature is related to changes to computer and user account location in the AD.
If a computer account is going to be moved to a different OU, it is ideal to first evaluate what the
final GPO settings will be on the object before the move. The evaluation will help indicate any
potential compatibility, security risk, or access issues that might occur due to the interaction of
GPOs.
Backup and Restore GPOs
It is a great idea to have good documentation and a physical backup for GPOs. In Win2K AD,
there are only a few tools that provide backup and restore options for GPOs. This capability is a
routine function for all of the GPO management tools. As we investigated the migration of the
GPOs earlier, you were introduced to different aspects of the GPO that can cause problems when
moved from one environment to another. Likewise, when a GPO is backed up, it must be treated
with care upon restoration.
The tools that you will use to back up and restore GPOs take this additional care, but in case
there is a problem, you might need to step in and assist with the situation. If you need to assist
with the restoration of a GPO, you will want to check the following characteristics of the GPO to
ensure a valid restoration:
- GUID—The GUID must be the same for the GPO stored in AD and the one stored in the
SYSVOL, and this must hold not only on one domain controller but on all domain controllers.
If there is a mismatch or one portion of the GPO is missing, you might need to force
replication of the AD or the SYSVOL to converge the restoration.
- GPO version—Each section of the GPO, computer and user, is managed by its own version
number within the GPO. When a change occurs to a section, its version number is
incremented. Be sure the version numbers match for the GPO parts stored in AD and in
SYSVOL. Like the GUID, if there is a mismatch, be sure to force replication.
- GPO timestamp—When dealing with a backed up GPO, you are dealing with an older
version of the GPO. Be sure to verify that the restored GPO has replicated to all domain
controllers or you will experience strange behavior and results on some of the computers
that receive GPO settings from the domain controllers that have not received the
replicated changes to the GPOs.
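The checks in the list above (same GUID present in AD and SYSVOL, matching version numbers, and convergence across all domain controllers) as an added PowerShell example that is not from the chapter or from any tool it names. It assumes the ActiveDirectory module, read access to each domain controller's SYSVOL share, and a placeholder GPO GUID that you replace with the GUID of the GPO you restored.

```powershell
# Added example: verify a restored GPO's AD and SYSVOL halves on every DC.
param([string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}')   # placeholder GUID

Import-Module ActiveDirectory
$domain = Get-ADDomain
$gpoDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

# A GPO version is one 32-bit number: user version in the high word,
# computer version in the low word.
function Split-GpoVersion([int]$v) {
    [pscustomobject]@{ Computer = $v -band 0xFFFF; User = ($v -shr 16) -band 0xFFFF }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; ADVersion = $null; SysvolVersion = $null
                       ADChanged = $null; Status = 'OK' }
    try {
        # AD half: the groupPolicyContainer object, read from this DC specifically
        $obj = Get-ADObject -Server $dc.HostName -Identity $gpoDn `
                            -Properties versionNumber, gPCFileSysPath, whenChanged
        $row.ADVersion = [int]$obj.versionNumber
        $row.ADChanged = $obj.whenChanged
        if ($obj.gPCFileSysPath -notlike "*$GpoGuid*") { throw 'gPCFileSysPath does not reference this GUID' }

        # SYSVOL half: GPT.INI inside the policy folder on this DC's own SYSVOL share
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\GPT.INI"
        if (-not (Test-Path $gptIni)) { throw 'GPT.INI missing from SYSVOL' }
        $line = Get-Content $gptIni | Where-Object { $_ -match '^\s*Version\s*=' } | Select-Object -First 1
        if (-not ($line -match '=\s*(\d+)')) { throw 'No Version= value in GPT.INI' }
        $row.SysvolVersion = [int]$Matches[1]

        if ($row.ADVersion -ne $row.SysvolVersion) {
            $ad = Split-GpoVersion $row.ADVersion; $sv = Split-GpoVersion $row.SysvolVersion
            $row.Status = "AD/SYSVOL mismatch (computer $($ad.Computer)/$($sv.Computer), user $($ad.User)/$($sv.User))"
        }
    } catch { $row.Status = "Error: $($_.Exception.Message)" }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# Convergence check: every DC should report the same AD version for the restored GPO.
$distinct = @($report | Where-Object { $null -ne $_.ADVersion } | Select-Object -ExpandProperty ADVersion -Unique)
if ($distinct.Count -gt 1) { Write-Warning 'DCs disagree on the GPO version; force AD/SYSVOL replication and re-check.' }
```

A row whose Status is anything other than OK, or a warning from the final check, is the cue to force replication and run the script again before trusting the restoration.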
Troubleshoot Client-Side GPOs
When a problem arises from the application of a GPO on the client, it is logged on the client.
These logs are not always useful, but if verbose logging is enabled, they can be helpful in
diagnosing the problem. Some third-party tools allow for the advanced capability of viewing
these remote logs on client computers. They also provide capabilities for configuring the
advanced logging on one or more remote client computers. This feature provides the consistency
and capability required to troubleshoot GPO problems that come up due to client-side issues.
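Configuring verbose client-side logging on several remote computers and pulling the resulting logs back, as an added example that is not from the chapter or from any vendor tool it mentions. It assumes PowerShell remoting to the clients with local administrator rights, and the pre-Vista UserEnvDebugLevel registry value with its userenv.log location; the client names are placeholders.

```powershell
# Added example: enable verbose userenv logging on remote clients and collect the logs.
$clients = 'CLIENT01', 'CLIENT02'   # placeholder client names
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Set UserEnvDebugLevel = 0x30002 (verbose, written to %windir%\debug\usermode\userenv.log)
#    and refresh policy so the log has something in it.
Invoke-Command -ComputerName $clients -ArgumentList $key -ScriptBlock {
    param($k)
    New-ItemProperty -Path $k -Name UserEnvDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
    gpupdate /force | Out-Null
}

# 2. Read each client's log over the admin$ share and keep the lines worth a first look
#    (which GPOs were processed, and any error or failure messages).
foreach ($c in $clients) {
    $log = '\\{0}\admin$\debug\usermode\userenv.log' -f $c
    if (-not (Test-Path $log)) { Write-Warning ('{0}: no userenv.log yet' -f $c); continue }
    Get-Content $log | Select-String -Pattern 'GPO Name|error|fail' |
        ForEach-Object { '{0}: {1}' -f $c, $_.Line }
}

# 3. When finished, remove the value so the clients return to normal logging:
# Invoke-Command -ComputerName $clients { Remove-ItemProperty -Path $using:key -Name UserEnvDebugLevel }
```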
Summary
In this chapter, we focused on GPOs and how they provide security control for computer and
user accounts in the enterprise. We saw that GPOs are extremely logical, but have many features,
settings, and options that make them a bit complex. With the built-in tools, GPOs can become a
bit overwhelming to manage. There are plenty of good GPO management tools that can help
implement, manage, troubleshoot, and monitor GPOs.
Next, we will finish off talking about AD security by taking an in-depth look into delegation of
administration. We will need to refer back to parts of this chapter, as the interaction of delegation
and GPO implementation overlap.
[Editor’s Note: This content was excerpted from the free eBook The Administrator Shortcut Guide to Active Directory Security (Realtimepublishers.com) written by Derek Melber, Dave Kearns, and Beth Sheresh and available from a link at http://cc.realtimepublishers.com/portal.aspx?pubid=289.]