Active Directory Change Notifier
Quick Start Guide
Software version 3.0

General Information: info@cionsystems.com
Online Support: support@cionsystems.com

Copyright 2017 CionSystems Inc., All Rights Reserved Page 1
2017 CionSystems Inc. ALL RIGHTS RESERVED.

This guide may not be reproduced or transmitted in part or in whole by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's use under the licensing agreement, without the written permission of CionSystems Inc.

The software application in this guide is provided under a software license (EULA) or nondisclosure agreement. This product may only be used in accordance with the terms of the applicable licensing agreement. This guide contains proprietary information protected by copyright.

For questions regarding the use of this material and product, contact us at:

CionSystems Inc.
6640 185th Ave NE
Redmond, WA 98052, USA
http://www.cionsystems.com
Ph: +1.425.605.5325

Trademarks

CionSystems, CionSystems Inc., the CionSystems Inc. logo, CionSystems Active Directory Change Notifier, Active Directory Change Notifier and ADCN are trademarks of CionSystems. Other trademarks and registered trademarks used in this guide are the property of their respective owners.
Table of Contents

Active Directory Change Notifier - Introduction ... 4
Active Directory Overview ... 4
Objects in Active Directory ... 5
Installation ... 5
    System Requirements ... 5
    Installing the application ... 5
    Installation Wizard ... 6
Configuring the Active Directory Change Notifier ... 9
Configure an Audit Policy Setting for a Domain Controller ... 14
Report types and descriptions ... 22
Active Directory Change Notifier - Introduction

Change notification is a critical procedure for managing and limiting authorized and unauthorized changes and errors to the Active Directory configuration. A single unauthorized change can put your organization at risk, introducing security breaches and compliance issues. The built-in Active Directory auditing (if you enable auditing) lacks real-time notification capabilities for authorized and unauthorized changes. Security logs can take up enormous space and resources, and taken alone will never paint the whole picture.

CionSystems Active Directory Change Notifier is an easy-to-use, flexible application that notifies you of the changes made to Active Directory in REAL TIME. Notifications contain the 4 W's (Who, What, When and Where) for all changes made to Active Directory as well as to Exchange configurations, for example mailboxes, Group Policy, the Active Directory schema and other Active Directory objects. You can additionally limit noise by choosing to monitor only the objects you care about, and limit the number of notifications. These notifications are also archived in a log file, allowing organizations to analyze any policy violations, adhere to security best practices and maintain established internal policies.

You can use these notifications to:

1. Revert unauthorized changes
2. Improve the security policies
3. Monitor day-to-day administrative activities
4. Prepare compliance reports for your SOX, GLBA and HIPAA auditors

Active Directory Overview

Active Directory is a directory service offered by the Windows environment. The term directory service refers to two things: a directory where information about users and resources is stored, and a service or set of services that let you access and manipulate those resources. AD is a way to manage all elements of your network, including computers, groups, users, domains, security policies, and all types of user-defined objects.

It combines several Windows NT services and tools that functioned separately in the past (User Manager for Domains, Server Manager, Domain Name Server) and provides additional functionality beyond these services and tools. AD is built around the Domain Name System (DNS) and the Lightweight Directory Access Protocol (LDAP): DNS because it is the standard on the Internet and is familiar, LDAP because most vendors support it. Active Directory clients use DNS and LDAP to locate and access any type of resource on the network. Because these are platform-independent protocols, Unix, Macintosh, and other clients can access resources the same way as Windows clients.

The Microsoft Management Console (MMC) is used to implement and manage Active Directory. The two most important goals of this console are:

- Users should be able to access resources throughout the domain using a single logon.
- Administrators should be able to centrally manage both users and resources.
Objects in Active Directory

Contacts - Used to store information about external users
Computers - Used to maintain information about computers on the domain
Users - Used to allow a user access to resources, and contain information defining that user
Groups - Group objects are a collection of other objects such as users, contacts or computers, and are used to grant access to resources or to distribute e-mail
    Local Groups: The scope is limited to the machine on which they exist. Mainly used to grant permissions to access resources.
    Domain Local Groups: These objects have domain-wide scope. They grant resource permissions to any of the machines in that domain.
    Global Groups: They have domain-wide scope. They grant global access to the entire domain for the group.
    Universal Groups: These objects can grant permissions in any domain, including domains in other forests.
Printers - Printer objects are network printers, or shared local printers, that have been published either automatically or manually in Active Directory
Group Policies - Group Policy objects are used to configure the desktop environment of Windows 2000 and XP Professional machines
Shared Folders - Shared folder objects are pointers to a network share that has been published in Active Directory
OUs - Organizational Units are containers for other Active Directory objects

Installation

System Requirements

CionSystems Active Directory Change Notifier needs:

- 8GB RAM (16GB recommended)
- 16 MB of disk space
- Windows Server 2008, 2008R2, 2012, 2012R2, 2016
- Microsoft .NET Framework 2.0 or later

CionSystems Active Directory Change Notifier can be installed from a CD or downloaded from a web link. The application must be installed either on a domain controller or on a domain-joined machine, by a user with domain admin privileges, so that it can connect to Active Directory during the configuration process. We recommend installing it from a domain admin level account.
Installing the application

1. Insert the CionSystems Active Directory Change Notifier CD into your CD drive. The Setup window should start. If not, follow the steps below:
2. Go to your CD drive
3. Double-click the ADChangeNotifier.msi file

This will start the setup process. Go to Step 1 in the Installation Wizard.
Installation Wizard

Once you start the install you'll see the Welcome Screen.

1. Click Next
2. Agree to the License Agreement/EULA and click Next
3. Select the required option: install for yourself or for anyone who uses this computer
4. Click Next
5. Confirm the installation and click Next
6. Active Directory Change Notifier will start installing
7. When the installation is complete, click Close
Configuring the Active Directory Change Notifier

Before starting the application, right-click the AD Notifier icon --> go to Properties --> select the Compatibility tab --> make sure the "Run this program as an administrator" check box is selected.

1. Start the application

2. Click Configuration and choose Domain Settings

Enter the domain name and the domain controller name. Enter the Username (do not enter the domain name before the username) and Password. To start AD monitoring, click Start and then click the Save button. The account has to be privileged enough to permit a connection to Active Directory. Click OK.

3. Click Configuration and choose Email Settings

Enter the SMTP server and configure the e-mail settings. If the SMTP server requires authentication, enter the user name and password, select the "Use Secure Connection" check box and enter the port number in the text box. Now click the Test Mail button and make sure you have received the e-mail (check the inbox of the address given in the To Email Address text box).

4. Click Configuration and choose Audit Settings

Uncheck any objects you do not want to be notified about, and click Save.

5. Click Configuration and choose SQL Server Configuration

Select the required authentication type and enter the SQL Server name. If the selected authentication type is SQL Server authentication, enter the user name and password. Provide the interval in hours. To save the change history in the database, select the "Yes, save changes into Database" radio button and then click Save. The database you provide here is the same database that Active Directory Manager Pro/Active Directory Reporter creates at installation time. You can use the Active Directory Reporter application's Audit Reports tab to generate different auditing reports.

6. Click Configuration and choose Set Rules

Rule1: Enter in the Rule1 text box the user names for which no notification mail should be sent when they create new objects (users, groups, contacts, GPOs, ...).
Note: The user names that you enter in the Rule1 text box must have admin privileges, so that they can create new objects.

Rule2: Enter in the Rule2 text box the user names for which a notification mail should be sent when their accounts get locked.
Rule3: Enter the built-in group names (for example Enterprise Admins, Domain Admins, etc.) in the Rule3 text box. When a user is added to or removed from these groups, a notification mail should be sent.

Rule4: Enter user-created group names in the Rule4 text box. When a user is added to or removed from these groups, a notification mail should be sent.

Configure an Audit Policy Setting for a Domain Controller

To enable audit policy settings on every domain controller, we need to configure the audit settings in the Default Domain Controllers Policy. Follow the steps below to enable change auditing via the Default Domain Controllers Policy.

1. Navigate to Start --> Administrative Tools --> Group Policy Management.
2. Expand the domain --> select the Domain Controllers OU and expand it --> right-click the Default Domain Controllers Policy and click Edit. Refer to the image below.

Configuring Account Lockout Policy

Navigate to the Account Lockout Policy node (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Account Policies --> Account Lockout Policy). Right-click Account Lockout Policy --> Open --> set the values for the policies as shown in the image below.

How to set? Right-click the policy (e.g. Account lockout duration) --> Properties --> select the "Define this policy setting" check box --> set "Account is locked out for:" to 2 minutes (set the minutes as per your requirement). Refer to the image below.

Similarly, configure "Account lockout threshold" to 3 invalid logon attempts (set as per your requirement) and configure "Reset account lockout counter after" to 2 minutes.

Configuring Audit Policy

Navigate to the Audit Policy node (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy). Refer to the image below.

In the right pane, right-click "Audit account management", and then click Properties. Click "Define These Policy Settings", and then select the Success, or both the Success and Failure, check boxes:

- Success: Success audits generate an audit entry when any account management event succeeds.
- Failure: Failure audits generate an audit entry when any account management event fails.

Click Apply --> click the OK button. Similarly, configure "Audit directory service access" and "Audit logon events".

Configuring Advanced Audit Policy Configuration

Navigate to the Account Management node (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> Account Management). Refer to the image below.

In the right pane, right-click "Audit User Account Management", and then click Properties. Click "Configure the following audit events", and then select the Success, or both the Success and Failure, check boxes. Click Apply --> click the OK button.

Navigate to the DS Access node (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> DS Access). Refer to the image below.

In the right pane, right-click "Audit Directory Service Access", and then click Properties. Click "Configure the following audit events", and then select the Success, or both the Success and Failure, check boxes. Click Apply --> click the OK button.

Enable Object Level Security Audit

The "Audit directory service access" policy only produces events for objects that have auditing enabled on them, so we must also enable auditing at the object level. You can enable auditing on a single object, at OU level, or at domain level. Follow the steps below to enable domain-level auditing.

1. Start --> Administrative Tools --> Active Directory Users and Computers.
2. Right-click the root domain object and go to its Properties.
3. Select the Security tab.
   Note: If the Security tab is not available, ensure the "Advanced Features" option is checked under the View menu.
4. Click Advanced and select the Auditing tab.
5. In Exchange Server 2010: click Add, type Everyone, click Check Names, then click OK.
   (OR) In Exchange Server 2013/2016: click Add --> click the "Select a principal" link --> type Everyone --> click Check Names --> click OK.
6. Check Successful auditing for: Write all properties, Delete, Delete Subtree, Modify Permissions, Modify Owner, Create all child objects, Delete all child objects.
   Don't select the following: Full Control, List Contents, Read Permissions, Read All Properties.
   DO NOT click the check box named "Apply these auditing entries to objects and/or containers within this container only" (in Exchange Server 2010).
   DO NOT click the check box named "Only apply these auditing settings to objects and/or containers within this container" (in Exchange Server 2013/2016).
   Refer to the images below.

   In Exchange Server 2010

   In Exchange Server 2013/2016

7. Click the OK button, and click Apply.
8. Run the command below in a command prompt (run as Administrator):

   gpupdate /force

   This refreshes local and Active Directory-based Group Policy settings, including security settings.
Now we have successfully configured change auditing for the complete Active Directory domain. Every change to an AD object now appears in the Security event log. Open the Security log to view the logged events.

If you get errors about the Group Policy Management Console (GPMC) not being installed when it is actually installed, try to repair the GPMC installation by running the following:

   regsvr32.exe "C:\Program Files\GPMC\gpmgmt.dll"

If you get incorrect values in the "Who changed" fields: remember that the Security event log on your domain controllers must be large enough to hold the events. Also ensure that the "Overwrite events as needed" option is selected: Start --> Administrative Tools --> Event Viewer --> expand Windows Logs --> right-click Security --> Properties.
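The following PowerShell script is an added verification aid, not part of the CionSystems guide or product. It checks, from the domain controller, that the audit policy, lockout policy, Security log retention and domain-root auditing entries configured in the preceding steps are actually in effect, and then lists recent Security events the notifier depends on. It assumes an elevated Windows PowerShell session on a domain controller (or a domain-joined host with the RSAT ActiveDirectory module), run after gpupdate /force; the subcategory names and event IDs are standard Windows ones, and the expected lockout values are the examples the guide uses.

```powershell
# Added verification script (not CionSystems' code). Assumes an elevated Windows PowerShell
# session on a domain controller with the ActiveDirectory module, run after gpupdate /force.
Import-Module ActiveDirectory

# 1. Effective audit policy for the subcategories the guide enables.
#    auditpol's /r switch returns CSV; the "Inclusion Setting" column reads
#    "Success", "Success and Failure" or "No Auditing".
$subcategories = 'User Account Management', 'Directory Service Access', 'Logon'
$auditPolicy = foreach ($sc in $subcategories) {
    $row = auditpol /get /subcategory:"$sc" /r |
        Where-Object { $_ -match ',' } |      # drop blank lines before parsing
        ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $sc
        Setting     = $row.'Inclusion Setting'
        Ok          = $row.'Inclusion Setting' -like 'Success*'   # Success, or Success and Failure
    }
}
$auditPolicy | Format-Table -AutoSize

# 2. Account lockout values (the guide's example uses a threshold of 3 and 2-minute windows).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

# 3. Security log capacity and retention. LogMode 'Circular' corresponds to the
#    "Overwrite events as needed" setting the guide asks for.
$log = Get-WinEvent -ListLog Security
[pscustomobject]@{
    MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode   = $log.LogMode
    Overwrite = ($log.LogMode -eq 'Circular')
} | Format-List

# 4. Object-level SACL on the domain root: the 'Everyone' auditing entries added in
#    step 5/6 above. InheritanceType 'All' is what you get when the "within this
#    container only" box is left unchecked. -Audit requires SeSecurityPrivilege,
#    which is why the session must be elevated.
$rootDN = (Get-ADDomain).DistinguishedName
$sacl = (Get-Acl -Path "AD:\$rootDN" -Audit).Audit |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
if (-not $sacl) { Write-Warning "No 'Everyone' auditing entries found on $rootDN" }
$sacl | Select-Object ActiveDirectoryRights, AuditFlags, InheritanceType | Format-Table -Wrap

# 5. Smoke test: Security events from the last hour that this policy produces.
#    Standard Windows IDs: user created/deleted (4720/4726), member added to/removed
#    from a global group (4728/4729), account locked out (4740), directory object
#    modified/created/deleted (5136/5137/5141).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4726, 4728, 4729, 4740, 5136, 5137, 5141
    StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If section 1 shows "No Auditing" for a subcategory, Group Policy has not applied yet or the Advanced Audit Policy Configuration settings were not saved; if section 4 prints the warning, the domain-root auditing entries from step 5 are missing and the notifier will see no directory service access events even though the policy is enabled.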
Report types and descriptions

Once you start the Active Directory Change Notifier, the application will e-mail you any time a change occurs to any object within your Directory Services. Additionally, it logs the changes to:

   %ProgramFiles%\CionSystems Inc\AD Change Notifier\AuditLog

The 3 different types of reports are ADD, MODIFY and DELETE:
Contact Notes:

For technical support or feature requests, please contact us at Support@CionSystems.com or 425.605.5325.

For sales or other business inquiries, we can be reached at Sales@CionSystems.com or 425.605.5325.

If you'd like to view a complete list of our Active Directory Management solutions, please visit us online at www.cionsystems.com.

Disclaimer

The information in this document is provided in connection with CionSystems products. No license, express or implied, to any intellectual property right is granted by this document or in connection with the sale of CionSystems products. EXCEPT AS SET FORTH IN CIONSYSTEMS LICENSE AGREEMENT FOR THIS PRODUCT, CIONSYSTEMS INC. ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL CIONSYSTEMS INC. BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF CIONSYSTEMS INC. HAS BEEN ADVISED IN WRITING OF THE POSSIBILITY OF SUCH DAMAGES. CionSystems may update this document or the software application without notice.

CionSystems Inc
6640 185th Ave NE, Redmond, WA 98052, USA
www.cionsystems.com
Ph: +1.425.605.5325

This guide is provided for informational purposes only, and the contents may not be reproduced or transmitted in any form or by any means without our written permission.