SCOM – Audit Active Directory Without ACS

In some situations you may want to audit your Active Directory but lack the resources to install Audit Collection Services (ACS). SCOM can do a lot of this on its own with rules and monitors based on event IDs. For most of the alerts I followed the recommendations in Randy Franklin Smith's "11 ways to detect System Intrusions with security log". Basically, these alerts are based on the Event Description. Keep in mind that these events will be stored in the same database as the rest of SCOM, whereas ACS has its own DB, so be careful with your sizing.

Also, if you want to build better rules, you should install Log Parser and look at the event parameters (which are delimited by a "|"), then parse the events you want to monitor to find the parameter that carries the information you need.

Here is what I've found useful to monitor:

  • Users added to or removed from privileged groups, e.g. Domain Admins, Enterprise Admins, Schema Admins, and their nested groups (pay attention to the scope of the group, because a different scope generates a different event ID). If you want, you could even monitor when members are removed.
  • Local and Domain Administrator – failed and successful logons (read this to avoid false positives: http://support.microsoft.com/kb/2002335… )
  • New domain and local accounts (you could filter these on a user attribute, e.g. office)
  • New computer accounts in the domain
  • Password changed for Domain and Local Administrator
  • Passwords set to never expire, Event 642
  • Service / scheduled task creation, Events 601 and 602
  • System restarted, Event 512, lets you check whether it matches your maintenance windows
  • Audit policy change, Event 612
  • Security log cleared, Event 517
  • Unknown user account or bad password, Event 529

Beware: ideally, activate these rules one by one to give yourself time to filter the noise and analyze the performance impact.

Now I'll show you an example of how to create such a rule (make sure not to add it to the Default MP, because that will cause you a hard time later when you try to update MPs) and get results like this:

First, create a new rule from the SCOM console and select the MP to add the rule to. In my case I created an MP named "CompanyName – Auditing".

Then select the appropriate log type and build the event expression.
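Before building the expression it helps to know which parameter index holds the account or group name for each event, so the rule can use a "Parameter N" criterion instead of a loose description match. The following PowerShell is an added example, not part of the original post or of SCOM; it assumes a Windows Server 2003-era Security log (the legacy event IDs listed above), rights to read it, and the hypothetical function name Get-AuditEventParameters.

```powershell
# Added example (not from the original post). Lists the insertion strings of
# the legacy Security events discussed above, numbered from 1 the way SCOM
# exposes them as "Parameter N", so a rule can target the right parameter.
# Assumes a Windows Server 2003-era Security log and read access to it.

$AuditEvents = @{
    512 = 'System restarted'
    517 = 'Security log cleared'
    529 = 'Logon failure: unknown user name or bad password'
    601 = 'Service installed'
    602 = 'Scheduled task created'
    612 = 'Audit policy changed'
    642 = 'User account changed (look here for "password never expires")'
}

function Get-AuditEventParameters {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Newest = 500
    )
    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $AuditEvents.ContainsKey([int]$_.EventID) } |
        ForEach-Object {
            $entry = $_
            $index = 1    # SCOM parameter numbering starts at 1
            $params = foreach ($s in $entry.ReplacementStrings) {
                '{0}={1}' -f $index, $s
                $index++
            }
            New-Object PSObject -Property @{
                Time       = $entry.TimeGenerated
                EventID    = $entry.EventID
                Meaning    = $AuditEvents[[int]$entry.EventID]
                # Same "|" delimiter the post mentions for Log Parser output
                Parameters = ($params -join ' | ')
            }
        }
}

# Note the index that holds the account or group name for each event ID and
# use that index in the rule's expression rather than a free-text match.
Get-AuditEventParameters |
    Sort-Object Time |
    Select-Object Time, EventID, Meaning, Parameters |
    Format-Table -AutoSize -Wrap
```

Run it against a domain controller with `-ComputerName` to see the domain-level events such as 642; the parameter index is stable per event ID, so one look is enough to build the criterion.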


#################################

Reference:

– 11 ways to detect System Intrusions with security log

http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=75

– Using Event Description as criteria for a rules

http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

– OpsMgr2007: Parameters explained

http://blogs.technet.com/b/stefan_stranger/archive/2008/05/13/opsmgr-2007-parameters-explained.aspx
