11/3/2016

Sponsored by

Monitoring Active Directory Changes for Compliance:
Top 32 Security Event IDs to Watch and What They Mean

2016 Monterey Technology Group Inc.

Made possible by / Thanks to
SolarWinds LOG & EVENT MANAGER
www.solarwinds.com/lem

Preview of Key Points

1. Elevation to privileged user
2. Domain administrator's password reset
3. Logon as domain admin
4. AD permission change
5. Domain security policy change
6. Group policy change
7. Account enabled
8. Accounts deleted/disabled

Regulations and frameworks

SOX - COBIT/ISO
HIPAA - 45 CFR Part 164
PCI DSS
FISMA - NIST 800-53
GLBA - ISO 27001

1. Elevation to privileged user

A new member was added to an administrative group or another group that gives members some type of privileged access.

Verify the new member is appropriate. Is the new member itself a group? If so, the rule that generated this alert must be modified to alert you on new members of that group.

Events: 4728, 4732, 4756

Administrative and other privileged groups:
Account Operators
Administrators
Backup Operators
Cryptographic Operators
Distributed COM Users
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Print Operators
Remote Desktop Users
Replicator
Server Operators
Windows Authorization Access Group
Cert Publishers
DHCP Administrators
DnsAdmins
DnsUpdateProxy
Domain Admins
Domain Controllers
Enterprise Admins
Enterprise Read-only Domain Controllers
Group Policy Creator Owners
RAS and IAS Servers
Read-only Domain Controllers
Schema Admins
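A detection rule for this key point, written here as an added example rather than code from the deck or from SolarWinds: it alerts on 4728/4732/4756 additions to the privileged groups above and handles the nested-group case the slide raises by extending the watch set to the new group. The sample events, the directory lookup and the shortened watch list are constructed; a real check would read the added member's objectClass from AD, since the event itself does not carry it.

```python
# 4728 (global), 4732 (local) and 4756 (universal group) all mean
# "a member was added to a security-enabled group".
MEMBER_ADDED = {4728, 4732, 4756}

# Subset of the privileged groups the slide lists (extend to the full list).
PRIVILEGED_GROUPS = {
    "Administrators", "Account Operators", "Backup Operators", "Server Operators",
    "Domain Admins", "Enterprise Admins", "Schema Admins", "DnsAdmins",
    "Group Policy Creator Owners", "Cert Publishers", "Remote Desktop Users",
}

# Constructed stand-in for a directory lookup (DN -> objectClass): the event
# itself does not say whether the added member is a user or a group.
DIRECTORY = {
    "CN=jdoe,OU=Staff,DC=corp": "user",
    "CN=Helpdesk Tier2,OU=Groups,DC=corp": "group",
    "CN=svc-backup,OU=Service,DC=corp": "user",
}

# Constructed sample events with only the fields the check needs:
# TargetUserName is the group, MemberName the DN of the added member.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Staff,DC=corp"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "CN=Helpdesk Tier2,OU=Groups,DC=corp"},
    {"EventID": 4728, "TargetUserName": "Helpdesk Tier2", "MemberName": "CN=svc-backup,OU=Service,DC=corp"},
    {"EventID": 4728, "TargetUserName": "Marketing", "MemberName": "CN=jdoe,OU=Staff,DC=corp"},
]

def rdn_name(dn):
    # "CN=Helpdesk Tier2,OU=..." -> "Helpdesk Tier2"
    return dn.split(",")[0].split("=", 1)[1]

def review_membership_changes(events, watched, directory):
    """Alert on additions to watched groups; when the added member is itself a
    group, extend the watch set to it so later additions to that group alert too."""
    watched = set(watched)
    alerts = []
    for ev in events:
        if ev["EventID"] not in MEMBER_ADDED or ev["TargetUserName"] not in watched:
            continue
        member = ev["MemberName"]
        alert = f"{member} added to {ev['TargetUserName']} (event {ev['EventID']})"
        if directory.get(member) == "group":
            nested = rdn_name(member)
            watched.add(nested)  # the rule change the slide calls for
            alert += f"; member is a group, now also watching {nested}"
        alerts.append(alert)
    return alerts, watched
```

Run against the sample, the third event alerts only because the second one put Helpdesk Tier2 on the watch list; the Marketing addition stays silent.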

2. Domain administrator's password reset

The domain's built-in Administrator password was reset. Verify this is a legitimate, change-controlled event. An administrator intending to avoid accountability could reset Administrator's password and then log on as Administrator.

Event: 4724 for Administrator

3. Domain admin logon

Administrator should only be used in emergencies when all other administrator accounts are unavailable. Investigate who logged on as Administrator and why.

Event ID: 4624 for Administrator

Key points 1-3: Compliance mappings

COBIT
AI2.3 Application Control and Auditability
AI2.4 Application Security and Availability
AI6 Manage Changes
AI6.4 Change Status Tracking and Reporting
AI6.5 Change Closure and Documentation
DS5 Ensure System Security
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
ME2 Monitor and Evaluate Internal Control
ME2.3 Control Exceptions
ME2.5 Assurance of Internal Control
ME3.4 Positive Assurance of Compliance
ME4 Provide IT Governance
ME4.4 Risk Management
ME4.7 Independent Assurance
PO4.11 Segregation of Duties
PO7 Manage IT Human Resources
PO7.8 Job Change and Termination

ISO
10.1 Operational procedures and responsibilities
10.1.2 Change management
10.1.3 Segregation of duties
10.10 Monitoring
10.10.1 Audit logging
10.10.3 Protection of log information
10.10.4 Administrator and operator logs
12.5.1 Change control procedures
13.2.1 Responsibilities and procedures
15.1.3 Protection of organizational records
15.2 Compliance with security policies and standards, and technical compliance
15.3.1 Information systems audit controls

NIST 800-53 (key points 1-3)
AC-2 ACCOUNT MANAGEMENT
AC-13 SUPERVISION AND REVIEW ACCESS CONTROL
AU-2 AUDITABLE EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-9 PROTECTION OF AUDIT INFORMATION

PCI DSS (key points 1-3)
6.4 Follow change control procedures for all system and software configuration changes.
7.1 Limit access to computing resources only to those individuals whose job requires such access. Rationale: limiting access is usually accomplished via group membership.
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges) to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the following events. Pay particular attention to groups that have administrative privileges and other sensitive groups.
10.2.2 Actions taken by any individual with administrative privileges.
10.3 This report includes the minimum entries specified for PCI compliance.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs on a daily basis.
10.7 Retain audit trail history for at least one year with a minimum of three months immediately available for analysis.

HIPAA (key points 1-3)
164.306 Standard: Audit controls.
164.308(a)(1) Security Management Process. Develop and deploy the Information System Activity Review Process.
164.308(a)(1)(ii)(D) requires a covered entity to implement a procedure to regularly review records of information system activity.
164.308(a)(1)(i) Detect security violations.
164.312(a)(1) Access Control
164.312(b) Audit Controls

4. AD permission change

Permissions were modified on an Active Directory object, which generally indicates some type of administrative authority was delegated.

Events: 4661 and 4662
Object Server: is not Security Account Manager
Accesses: includes WRITE_DAC

COBIT (key point 4)
AI2.3 Application Control and Auditability
AI6 Manage Changes
AI6.4 Change Status Tracking and Reporting
AI6.5 Change Closure and Documentation
DS5 Ensure System Security
DS5.5 Security Testing, Surveillance and Monitoring
ME2 Monitor and Evaluate Internal Control
ME2.5 Assurance of Internal Control
ME3 Ensure Regulatory Compliance
ME3.4 Positive Assurance of Compliance
ME4 Provide IT Governance
PO4.11 Segregation of Duties

ISO (key point 4)
10.1 Operational procedures and responsibilities
10.1.2 Change management
10.1.3 Segregation of duties
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.3 Protection of log information
10.10.4 Administrator and operator logs
12.5.1 Change control procedures
13.2.1 Responsibilities and procedures
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards
15.3.1 Information systems audit controls

NIST 800-53 (key point 4)
AC-3 ACCESS ENFORCEMENT
AC-13 SUPERVISION AND REVIEW ACCESS CONTROL
AU-2 AUDITABLE EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-9 PROTECTION OF AUDIT INFORMATION

PCI DSS (key point 4)
6.4 Follow change control procedures for all system configuration changes.
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges) to each individual user.
10.2 Implement automated audit trails for all system components (AD objects) to reconstruct events.
10.2.2 Actions taken by any individual with administrative privileges (account operators and admins).
10.2.7 Creation and deletion of system-level objects. (SACLs must be set for AD objects, i.e. GPOs etc.)
10.3 This report includes the minimum entries specified for PCI compliance.
10.5 Secure audit trails so they cannot be altered: 10.5.1 Limit Viewing; 10.5.2 Protect Audit Trail; 10.5.2 Backup Audit Trail
10.6 Review logs on a daily basis.

HIPAA (key point 4)
164.306 Standard: Audit controls.
164.308(a)(1) Security Management Process
164.308(a)(1)(ii)(D) requires a covered entity to implement a procedure to regularly review records of information system activity.
164.308(a)(1)(i) Detect security violations.
164.312(a)(1) Access Control
164.312(b) Audit Controls
164.312(d) Person or Entity Authentication

5. Domain security policy change

Important changes to security policies affecting the entire domain.

Daily review for evidence of intrusion, misconfigurations or unauthorized changes, and sign off. This is important for change control and to ensure misconfigurations do not expose the domain to intrusion.

Events:
1102 Audit log cleared
4616 System time changed
4697 Service installed on system
4704, 4705 User right assigned/removed
4706, 4707, 4716 Trust relationship change
4719 System audit policy changed
4713 Kerberos policy changed
4717, 4718 Logon right granted/removed
4739 Domain policy changed
4906 CrashOnAuditFail value changed

5. Domain security policy change: compliance mappings shared with 6. Group policy change

6. Group policy change

A group policy object or a group-policy-related attribute on a domain, organizational unit or site was changed.

Group policy changes can have wide-reaching impacts on user restrictions and Windows security settings. Confirm the change was a legitimate, change-controlled operation.

Events: 4661 and 4662
With: gpList, gpOptions, groupPolicyContainer
And: Write, Create or Delete
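Triage logic for 4661/4662 that applies the filters from key point 4 (Object Server is not Security Account Manager, Accesses includes WRITE_DAC) and from key point 6 (group policy class or attributes touched with Write, Create or Delete). This is an added example, not code from the deck or from SolarWinds; it assumes each event has been parsed into a dict with attribute and class names already resolved (real events often show schema GUIDs), takes the slide's gpList to be the gpLink attribute as it is named in AD, and uses constructed sample events with a labelled placeholder for the GPO GUID.

```python
# Field values as they appear in 4661/4662. The constructed events below use
# resolved attribute and class names; real events often show schema GUIDs that
# must be resolved first. gpLink is the AD name of the attribute the slide
# calls gpList; groupPolicyContainer is the object class of a GPO.
SAM = "Security Account Manager"       # local SAM objects, not AD objects
GPO_MARKERS = {"gpLink", "gpOptions", "groupPolicyContainer"}
GPO_ACCESSES = {"Write Property", "Create Child", "Delete Child", "DELETE"}

# Constructed sample events (DNs shortened); "Accesses" and "Properties" hold
# the names shown in those fields of the event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "ObjectServer": "DS", "ObjectType": "organizationalUnit",
     "ObjectName": "OU=Servers,DC=corp", "Accesses": ["WRITE_DAC"],
     "Properties": [], "SubjectUserName": "admin1"},
    {"EventID": 4661, "ObjectServer": SAM, "ObjectType": "SAM_USER",
     "ObjectName": "jdoe", "Accesses": ["WRITE_DAC"],
     "Properties": [], "SubjectUserName": "admin1"},
    {"EventID": 4662, "ObjectServer": "DS", "ObjectType": "groupPolicyContainer",
     "ObjectName": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp",
     "Accesses": ["Write Property"], "Properties": ["versionNumber"],
     "SubjectUserName": "gpoadmin"},
    {"EventID": 4662, "ObjectServer": "DS", "ObjectType": "organizationalUnit",
     "ObjectName": "OU=Workstations,DC=corp", "Accesses": ["Write Property"],
     "Properties": ["gpLink"], "SubjectUserName": "gpoadmin"},
    {"EventID": 4662, "ObjectServer": "DS", "ObjectType": "user",
     "ObjectName": "CN=jdoe,OU=Staff,DC=corp", "Accesses": ["Read Property"],
     "Properties": ["mail"], "SubjectUserName": "hrapp"},
]

def classify(ev):
    """Return 'permission-change', 'group-policy-change' or None for one event."""
    if ev["EventID"] not in (4661, 4662) or ev["ObjectServer"] == SAM:
        return None                      # not an AD object access
    accesses = set(ev["Accesses"])
    if "WRITE_DAC" in accesses:          # DACL rewritten: authority delegated
        return "permission-change"
    touched = set(ev["Properties"]) | {ev["ObjectType"]}
    if touched & GPO_MARKERS and accesses & GPO_ACCESSES:
        return "group-policy-change"     # GPO itself, or gpLink/gpOptions on a container
    return None

def triage(events):
    """(kind, who, object) for every event that is a permission or GPO change."""
    return [(classify(ev), ev["SubjectUserName"], ev["ObjectName"])
            for ev in events if classify(ev)]
```

The SAM-backed 4661 and the plain attribute read drop out; the OU DACL change and the two group policy edits are what reach the reviewer.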

COBIT (key points 5 and 6)
AI2.3 Application Control and Auditability
AI2.4 Application Security and Availability
AI6.4 Change Status Tracking and Reporting
AI6.5 Change Closure and Documentation
DS5.5 Security Testing, Surveillance and Monitoring
ME2.3 Control Exceptions
ME4.5 Risk Management
PO4.11 Segregation of Duties

ISO (key points 5 and 6)
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.4 Administrator and operator logs
12.5.1 Change control procedures
13.2 Management of information security incidents and improvements
15.2 Compliance with security policies and standards, and technical compliance

PCI DSS (key points 5 and 6)
10.1 Link access to system components to each individual user.
10.2 Implement automated audit trails for all system components (policy change) to reconstruct events.
10.2.2 Actions taken by any individual with administrative privileges.
10.3 This report includes the minimum entries specified for PCI compliance.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs on a daily basis.
10.7 Retain audit trail history for at least one year with a minimum of three months immediately available for analysis.

NIST 800-53 (key points 5 and 6)
AC-3 ACCESS ENFORCEMENT
AC-13 SUPERVISION AND REVIEW ACCESS CONTROL
AU-2 AUDITABLE EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-9 PROTECTION OF AUDIT INFORMATION

HIPAA (key points 5 and 6)
164.306 Standard: Audit controls
164.308(a)(1) Security Management Process. Develop and deploy the Information System Activity Review Process.
164.308(a)(1)(ii)(D) requires a covered entity to implement a procedure to regularly review records of information system activity.
164.308(a)(1)(i) Detect security violations
164.312(a)(1) Access Control
164.312(b) Audit Controls
164.312(c) Integrity
164.312(d) Person and Entity Authentication

7. Account enabled

This covers both newly created accounts and those re-enabled.

Verify new user accounts correspond to new hires and check for accounts of terminated employees that have been mistakenly enabled. Enabled user accounts, except in connection with return from sabbatical, should be fairly infrequent; investigate. Compare to your naming convention and any other account provisioning policies or standards.

Event: 4722

7. Account enabled: compliance mappings shared with 8. Accounts deleted/disabled

8. Accounts deleted/disabled

AD users deleted/disabled: document AD user account deletions and accounts previously enabled that are now disabled.

Events: 4725, 4726
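A review script for key points 7 and 8 (events 4722, 4725, 4726), added here as an example and not taken from the deck or from SolarWinds: it reconciles each enable against the new-hire list, flags re-enabled terminated or previously disabled accounts, checks the naming convention, and keeps the enable/disable/delete record the slides ask for. The naming convention, the HR lists and the events are all constructed.

```python
import re

ENABLED, DISABLED, DELETED = 4722, 4725, 4726

# Constructed provisioning data: the naming convention (lowercase letters only,
# 3 to 8 long), approved new hires and employees terminated by HR.
NAMING = re.compile(r"^[a-z]{3,8}$")
NEW_HIRES = {"asmith"}
TERMINATED = {"bjones"}

# Constructed sample events with only the fields the review needs.
SAMPLE_EVENTS = [
    {"EventID": 4725, "TargetUserName": "bjones", "SubjectUserName": "hradmin", "Time": "2016-11-01T09:00"},
    {"EventID": 4722, "TargetUserName": "asmith", "SubjectUserName": "hradmin", "Time": "2016-11-02T08:30"},
    {"EventID": 4722, "TargetUserName": "bjones", "SubjectUserName": "helpdesk1", "Time": "2016-11-02T14:10"},
    {"EventID": 4722, "TargetUserName": "X_tmp01", "SubjectUserName": "helpdesk1", "Time": "2016-11-02T15:00"},
    {"EventID": 4726, "TargetUserName": "cwhite", "SubjectUserName": "hradmin", "Time": "2016-11-03T10:00"},
]

def review_account_events(events, new_hires, terminated, naming):
    """Return (findings, log). Findings flag a 4722 that re-enables a terminated
    or previously disabled account, that has no matching new hire, or that
    breaks the naming convention. The log records every enable/disable/delete
    as the documentation the slides ask for."""
    findings, log, disabled_before = [], [], set()
    for ev in sorted(events, key=lambda e: e["Time"]):
        user, who, when = ev["TargetUserName"], ev["SubjectUserName"], ev["Time"]
        if ev["EventID"] == DISABLED:
            disabled_before.add(user)
            log.append(f"{when} {user} disabled by {who}")
        elif ev["EventID"] == DELETED:
            log.append(f"{when} {user} deleted by {who}")
        elif ev["EventID"] == ENABLED:
            log.append(f"{when} {user} enabled by {who}")
            if user in terminated or user in disabled_before:
                findings.append((user, "re-enabled terminated or previously disabled account"))
            elif user not in new_hires:
                findings.append((user, "enabled without a matching new hire"))
            if not naming.match(user):
                findings.append((user, "does not match naming convention"))
    return findings, log
```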

COBIT (key points 7 and 8)
AI2.4 Application Security and Availability
AI6 Manage Changes
AI6.4 Change Status Tracking and Reporting
DS5 Ensure System Security
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
ME2 Monitor and Evaluate Internal Control
ME2.5 Assurance of Internal Control
ME3 Ensure Regulatory Compliance
ME3.4 Positive Assurance of Compliance
ME4 Provide IT Governance
ME4.5 Risk Management
PO4.11 Segregation of Duties
PO4.14 Contracted Staff Policies and Procedures
PO7 Manage IT Human Resources
PO7.8 Job Change and Termination

ISO (key points 7 and 8)
8.3.3 Removal of access rights (termination or job change)
10.1 Operational procedures and responsibilities
10.10.1 Audit logging
10.10.4 Administrator and operator logs
11 Access control
11.1 Business requirement for access control
11.1.1 Access control policy
12.5.1 Change control procedures
13.2 Management of information security incidents and improvements
13.2.1 Responsibilities and procedures
15.2 Compliance with security policies and standards, and technical compliance
15.2.1 Compliance with security policies and standards
15.3.1 Information systems audit controls

NIST 800-53 (key points 7 and 8)
AC-2 ACCOUNT MANAGEMENT
AU-2 AUDITABLE EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-9 PROTECTION OF AUDIT INFORMATION

HIPAA (key points 7 and 8)
164.306 Standard: Audit controls.
164.308(a)(1) Security Management Process
164.308(a)(1)(ii)(D) requires a covered entity to implement a procedure to regularly review records of information system activity.
164.308(a)(1)(i) Detect security violations.
164.312(a)(1) Access Control
164.312(b) Audit Controls
164.312(d) Person and Entity Authentication
164.312(e) Transmission Security - Integrity Controls

Bottom line

AD is central to security and therefore central to compliance.

Closely monitoring changes in AD:
Directly fulfills certain requirements pertaining to monitoring, audit and control verification
Provides documentation of control procedures related to IAM
Contributes to compliance with many other controls

There is no way to monitor these events without automation. Check out SolarWinds Log & Event Manager.
