T 2.126 Inadequate logging of changes to an Active Directory
The Active Directory in an organisation is usually a central part of the authentication and authorisation of access to network resources. For this reason, changes to the Active Directory structure, or even to individual domain controllers, can affect a large part of an organisation's IT. This applies to authorised as well as unauthorised changes.
If security-related changes to the configuration of the Active Directory or of a domain controller, for example the promotion of a server to a domain controller, are not documented or logged, such changes may go undetected or be detected only much later.
However, it is not enough simply to log security-critical incidents and changes. In order to detect security-critical problems, the logs must also be evaluated regularly (see T 2.22 Lack of or insufficient evaluation of auditing data).
Examples:
- If a trust relationship to an external domain, whether set up accidentally or deliberately, goes undetected because of inadequate logging, then under certain circumstances users of the external domain may be able to access the systems of the affected organisation without being noticed.
- If the log data of a domain controller is not evaluated regularly, then under some circumstances it might go unnoticed that all users in this domain have been added to the "Domain Admins" group. Failing to detect such a faulty configuration could enable domain members to gain full access to the systems and, for example, install malware (e.g. backdoors or Trojan horses) on the computers in the domain. A backdoor could also be created by an erroneous script used when performing administrative tasks.
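As an added illustration that is not part of the catalogue text, the following Python evaluates a constructed export of Windows Security events for the changes named in this threat: additions to privileged groups such as "Domain Admins", a batch of such additions, and the creation of a new trust. The event IDs are the real Windows ones; the field names, the group watchlist and the batch threshold are assumptions, and promotion of a domain controller is not covered here.

```python
"""Added example: flag security-relevant AD changes in an export of Windows Security events."""
from collections import defaultdict
from dataclasses import dataclass

# Windows Security event IDs for the changes discussed on this page.
EVENT_MEMBER_ADDED_GLOBAL = 4728     # "A member was added to a security-enabled global group"
EVENT_MEMBER_ADDED_UNIVERSAL = 4756  # "A member was added to a security-enabled universal group"
EVENT_TRUST_CREATED = 4706           # "A new trust was created to a domain"
# Assumed watchlist and threshold; adapt to the organisation's own groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
MASS_ADD_THRESHOLD = 3  # distinct accounts added to one group in a single batch

@dataclass(frozen=True)
class Alert:
    event_id: int  # 0 marks a summary alert derived from several events
    subject: str   # account that made the change (SubjectUserName)
    detail: str

def evaluate_events(events):
    """Return alerts for privileged-group additions, mass additions and new trusts.
    Events are dicts keyed by EventData field names (MemberName, TargetUserName,
    DomainName, ...); those names are assumptions about the export format."""
    alerts, added_per_group = [], defaultdict(set)
    for ev in events:
        eid, who = ev.get("EventID"), ev.get("SubjectUserName", "?")
        if eid in (EVENT_MEMBER_ADDED_GLOBAL, EVENT_MEMBER_ADDED_UNIVERSAL):
            group, member = ev.get("TargetUserName", "?"), ev.get("MemberName", "?")
            if group in PRIVILEGED_GROUPS:
                added_per_group[group].add(member)
                alerts.append(Alert(eid, who, f"{member} added to {group}"))
        elif eid == EVENT_TRUST_CREATED:
            alerts.append(Alert(eid, who, f"new trust to domain {ev.get('DomainName', '?')}"))
    # Second example on the page: many accounts pushed into "Domain Admins" at once.
    for group, members in added_per_group.items():
        if len(members) >= MASS_ADD_THRESHOLD:
            alerts.append(Alert(0, "-", f"{len(members)} accounts added to {group} in one batch"))
    return alerts

# Constructed sample export (not real log data); the 4624 logon is unrelated and ignored.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "admin1", "TargetUserName": "Domain Admins", "MemberName": "alice"},
    {"EventID": 4728, "SubjectUserName": "admin1", "TargetUserName": "Domain Admins", "MemberName": "bob"},
    {"EventID": 4728, "SubjectUserName": "admin1", "TargetUserName": "Domain Admins", "MemberName": "carol"},
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "Sales", "MemberName": "dave"},
    {"EventID": 4706, "SubjectUserName": "admin2", "DomainName": "partner.example"},
    {"EventID": 4624, "SubjectUserName": "alice"},
]

print(*evaluate_events(SAMPLE_EVENTS), sep="\n")
```

The addition to "Sales" and the logon event produce no alert; the three "Domain Admins" additions also trigger the batch summary, which is the situation the second example above describes.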