Active Directory Monitoring: Why You Need It and How To Do It Right

Active Directory (AD) is in many ways the lifeblood of your network, especially for user and identity management. AD has become the core directory service for most enterprises, keeping track of users and IT assets so that all of them can be identified and managed from one place.

Because Active Directory houses all these identities and catalogs the enterprise’s IT assets, IT can spot breaches and abnormal behavior in the directory’s own activity data. If you aren't watching Active Directory, chances are you're missing the moment when bad actors begin encroaching upon your network.

Active Directory itself is an attack surface. If cybercriminals breach Active Directory, they can breach all the services, assets and users that are integrated within the directory.

Like most software (and indeed most devices), Active Directory generates event logs: domain controllers record authentication, account and object changes in the Windows Security log and directory-specific events in the Directory Service log. An IT infrastructure monitoring (ITIM) solution can collect these logs and alert IT pros to anomalies and trends that need attention.

It is well known that breaches can take months or years to discover. But all the evidence may be right there in your event logs, especially your Active Directory logs. Monitoring these logs and setting up alerts on the signs of trouble can nip breaches in the bud.

At the same time, this Active Directory data reflects the overall health and security of the network. “The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources,” the Verizon Data Breach Investigations Report found, as quoted on Microsoft’s Security Best Practices: Monitoring Active Directory for Signs of Compromise page.

What is Active Directory? Diving Deep

Active Directory is an important way that IT manages network and computing infrastructure, and is the underpinning of Microsoft’s Identity and Access Management (IAM) stack. The directory service stores objects for users, devices, applications and groups, and it organizes them in a hierarchy (forests, domains and organizational units) that shows how the network is structured and which applications and services depend on others. With this approach, everything joined to the domain can be viewed and managed from a single location.

Active Directory is a key way end users access application services and other resources. AD uses Kerberos authentication, which provides Single Sign-On (SSO): a user authenticates once to a domain controller and then obtains service tickets for multiple resources with that single set of credentials. Between that and all the identifying data it holds, Active Directory is the core repository for user information, including privileges and authentication.

Don’t Hand Hackers a Map to Your Data

Active Directory is not just a road map to users, applications and other pieces of IT infrastructure — it can also show cybercriminals right where your critical data lies. “If you think about all the data and files you have stored across your network, it would be nearly impossible to recall the exact name and location of every file. A directory service solves this problem by creating a container that provides a hierarchical structure. It allows you to store objects that can quickly be located and easily accessed. Whenever you search, you’re using a directory service,” explained the Progress WhatsUp Gold What is Active Directory and How Does it Work? blog.

How Active Directory Monitoring Works

In effect, by monitoring Active Directory you are monitoring the network itself. Active Directory shows at a high level what is happening with all the objects it contains. However, if you're not monitoring Active Directory properly, you cannot make use of this critical data. The central management role of Active Directory is what makes it such a good window into the entire network.

At the same time, Active Directory itself, as we've mentioned, is a highly desirable attack surface and should be watched for signs of tampering. “A solid event log monitoring system is a crucial part of any secure Active Directory design. Many computer security compromises could be discovered early in the event if the targets enacted appropriate event log monitoring and alerting. Independent reports have long supported this conclusion,” Microsoft’s Security Best Practices: Monitoring Active Directory for Signs of Compromise page states.

But having monitoring means nothing if the data it produces is not surfaced to IT. That is the point of the Verizon finding quoted earlier: in two thirds of the breaches investigated, the evidence was already in the victims’ logs and nobody was analyzing them.

Here is one example of what AD monitoring can catch. “When abnormal behavior, such as a drop in performance or unauthorized access, is detected, AD monitoring can flag the behavior and trigger alarms. This can be especially important in detecting breaches where hackers try to escalate privileges. When malicious activity is identified quickly, it can often be stopped before it causes significant damage,” the WhatsUp Gold blog said.

AD monitoring can track many items, including:

  • Changes in group policies
  • Changes in privileges (for example, membership changes in Domain Admins or other privileged groups)
  • Directory replication
  • Directory service access (reads and writes to directory objects)
  • Locked-out or disabled user accounts
  • Domain controller performance
  • Domain controller authentication (Kerberos and NTLM logon events)
  • The directory service database and its files (NTDS.dit and its transaction logs)
  • System events
  • Credential validation

All this data can be combined into an AD user audit that details an individual account's activity, including logon history and Remote Desktop Services sessions.
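As an added example (not code from this article or from WhatsUp Gold), the following Python rule set shows what an alerting layer over this data looks like. It scans Windows Security event records exported from a domain controller and raises alerts for four of the items above: privileged group membership changes (event IDs 4728/4732/4756), audit policy changes (4719), account lockouts (4740) and bursts of failed credential validation (4625 and failed 4776), and it builds the per-user timeline that an AD user audit starts from. The event IDs and the EventData field names are the standard Windows ones; the records, the privileged-group watchlist and the thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security event IDs as documented by Microsoft.
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global / domain-local / universal group
AUDIT_POLICY_CHANGED = 4719
ACCOUNT_LOCKED_OUT = 4740
LOGON_FAILED = 4625
NTLM_CREDENTIAL_VALIDATION = 4776        # Status other than 0x0 means the check failed

# Watchlist and tuning values are assumptions; adjust them for your environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
FAIL_THRESHOLD = 5                       # failed authentications from one source ...
FAIL_WINDOW = timedelta(minutes=5)       # ... within this window trigger an alert

# Constructed sample records shaped like the EventData of the real events.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:01", "id": 4776, "fields": {"TargetUserName": "jsmith", "Workstation": "WS01", "Status": "0x0"}},
    {"time": "2024-03-01T09:01:10", "id": 4625, "fields": {"TargetUserName": "administrator", "IpAddress": "10.0.0.77", "Status": "0xc000006d"}},
    {"time": "2024-03-01T09:01:12", "id": 4625, "fields": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.77", "Status": "0xc000006d"}},
    {"time": "2024-03-01T09:01:14", "id": 4625, "fields": {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.77", "Status": "0xc000006d"}},
    {"time": "2024-03-01T09:01:16", "id": 4776, "fields": {"TargetUserName": "hr_admin", "Workstation": "10.0.0.77", "Status": "0xc000006a"}},
    {"time": "2024-03-01T09:01:18", "id": 4625, "fields": {"TargetUserName": "finance", "IpAddress": "10.0.0.77", "Status": "0xc000006d"}},
    {"time": "2024-03-01T09:20:00", "id": 4625, "fields": {"TargetUserName": "jsmith", "IpAddress": "10.0.0.12", "Status": "0xc000006d"}},
    {"time": "2024-03-01T09:30:00", "id": 4728, "fields": {"SubjectUserName": "svc_backup", "MemberName": "CN=jsmith,OU=Staff,DC=corp,DC=example", "TargetUserName": "Marketing"}},
    {"time": "2024-03-01T09:31:00", "id": 4728, "fields": {"SubjectUserName": "svc_backup", "MemberName": "CN=jsmith,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"}},
    {"time": "2024-03-01T09:32:00", "id": 4719, "fields": {"SubjectUserName": "svc_backup", "CategoryId": "Account Management"}},
    {"time": "2024-03-01T09:40:00", "id": 4740, "fields": {"TargetUserName": "administrator", "TargetDomainName": "WS07"}},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _is_failed_auth(event):
    """True for a failed logon (4625) or a failed NTLM credential validation (4776 with a non-zero Status)."""
    if event["id"] == LOGON_FAILED:
        return True
    return event["id"] == NTLM_CREDENTIAL_VALIDATION and event["fields"].get("Status", "0x0") != "0x0"


def _source(event):
    """Best available origin of an authentication attempt: 4625 carries IpAddress, 4776 carries Workstation."""
    f = event["fields"]
    return f.get("IpAddress") or f.get("Workstation") or "unknown"


def scan(events):
    """Run the rules over the records and return alerts in time order."""
    alerts = []
    failures = defaultdict(list)  # source -> timestamps of recent failed authentications
    for ev in sorted(events, key=_ts):
        f = ev["fields"]
        if ev["id"] in GROUP_MEMBER_ADDED and f.get("TargetUserName") in PRIVILEGED_GROUPS:
            # In 4728/4732/4756, TargetUserName is the group and MemberName the account added.
            alerts.append({"rule": "privileged_group_change", "time": ev["time"],
                           "detail": f"{f.get('SubjectUserName')} added {f.get('MemberName')} to {f['TargetUserName']}"})
        elif ev["id"] == AUDIT_POLICY_CHANGED:
            # Attackers turn auditing down before acting; any 4719 deserves a look.
            alerts.append({"rule": "audit_policy_change", "time": ev["time"],
                           "detail": f"audit policy changed by {f.get('SubjectUserName')}"})
        elif ev["id"] == ACCOUNT_LOCKED_OUT:
            alerts.append({"rule": "account_lockout", "time": ev["time"],
                           "detail": f"{f.get('TargetUserName')} locked out, caller {f.get('TargetDomainName')}"})
        elif _is_failed_auth(ev):
            src = _source(ev)
            window = failures[src]
            window.append(_ts(ev))
            while window and _ts(ev) - window[0] > FAIL_WINDOW:   # expire old failures
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"rule": "password_guessing", "time": ev["time"],
                               "detail": f"{FAIL_THRESHOLD} failed authentications from {src} within {FAIL_WINDOW}"})
                window.clear()  # fire once per burst, then start counting again
    return alerts


def user_audit(events, user):
    """Timeline of (time, event id) for every record in which `user` is subject, target or added member."""
    hits = []
    for ev in sorted(events, key=_ts):
        f = ev["fields"]
        if user in (f.get("SubjectUserName"), f.get("TargetUserName")) or user in f.get("MemberName", ""):
            hits.append((ev["time"], ev["id"]))
    return hits


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["time"], alert["rule"], alert["detail"])
    print("jsmith timeline:", user_audit(SAMPLE_EVENTS, "jsmith"))
```

On the sample data this raises one password-guessing alert for 10.0.0.77 (five failures in eight seconds, mixing 4625 and a failed 4776), one alert for the Domain Admins membership change while the Marketing change is ignored, one for the audit policy change and one for the lockout; the lone failed logon from 10.0.0.12 stays below the threshold. In production the records would come from Get-WinEvent or a log forwarder rather than an inline list, and the rules would be tuned per environment.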

What Can Go Wrong When You Don’t Monitor Active Directory?

We've already mentioned that many breaches can be detected and stopped early, before they take hold and cause damage, by monitoring Active Directory and spotting telltale signs of a cybercriminal. In fact, many (if not most) breaches touch Active Directory in some way.

This is the number one reason to monitor Active Directory. And here are a few reasons hackers are drawn to Active Directory:

  • Because Active Directory contains a complete hierarchical view of your network and its associated users, and by default any authenticated domain account can read most of it, hackers can gain a blueprint of your network and use it to plan widespread attacks.
  • Once hackers have a foothold in Active Directory they can move laterally through your organization and rummage through your applications, data, and user identity and privilege information.
  • With this identity information, they can then launch elevation-of-privilege attacks and really get the keys to the kingdom.
  • Data theft is one key aim of cybercriminals. But with high-level privileges they can also deploy widespread ransomware, hobbling your organization and leading to huge ransom demands.
  • The ubiquity of AD, along with its complexity, makes it a tantalizing hacker target.
