S 4.316 Monitoring the Active Directory infrastructure
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
The security status of the Active Directory infrastructure is monitored and evaluated by logging the system's events. The level of detail recorded in the logs must be adapted to the corresponding requirements and should be monitored continuously.
The logged data should be evaluated regularly. As an additional check, it should also be compared with reference data, for example log data from earlier periods that reflects normal operation, so that deviations from the usual pattern become visible.
Depending on the amount of logged data generated by the monitoring function, the logged data may either be evaluated manually or with the help of special monitoring software. In large Active Directory structures, it is normally impossible to evaluate all logged data manually.
The results of the security monitoring process should be summarised and evaluated in regular reports so that basic security problems can be detected and eliminated early on.
During logging, it is also possible for security warnings to be generated that need to be responded to immediately and in the manner specified in the business continuity plan (see also S 6.106 Creation of a business continuity plan for the failure of a directory service) of the company and/or government agency.
There are basically two possible methods for detecting changes to security-relevant configuration parameters of the domain controller and/or of the Active Directory. One method is to use event notification and the other method is to perform trend analyses.
With event notification, so-called threshold or limit values are defined for configuration parameters in the Active Directory or on the domain controller itself. When a configuration parameter is changed, or a monitored value exceeds its predefined limit, the operating system logs this event and the responsible administrator is notified.
Within the framework of trend analysis, predefined parameters are recorded at regular intervals over a longer period of time. If extreme changes are noticed while evaluating this data, this could be an indication of security-relevant incidents. For example, if the amount of free hard disk space is recorded at regular intervals (e.g. every 5 minutes) and a dramatic increase in the consumption of hard disk space is detected, this could be indicative of a denial-of-service attack (DoS attack) against the domain controller.
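The trend analysis described above, worked through as an added example (this is not code from the BSI catalogue): free disk space on the volume holding the Active Directory database is sampled every five minutes, and an alarm is raised when the consumption rate in the most recent window is far above the long-term average rate. The volume letter, the window size, the factor and the minimum drop are assumptions and should be tuned to the environment.

```powershell
# Added example, not part of the BSI safeguard text. Detects a sudden change
# in the rate at which disk space is consumed (trend analysis), as opposed to
# a simple "below 25 % free" threshold.

function Test-ConsumptionTrend {
    param(
        [double[]]$FreeMB,          # free space samples in MB, oldest first
        [int]$Window = 3,           # number of most recent intervals to compare
        [double]$Factor = 5.0,      # alarm when recent rate > Factor * baseline rate
        [double]$MinDeltaMB = 500   # ignore noise below this absolute drop per window
    )
    if ($FreeMB.Count -lt ($Window + 2)) { return $null }   # not enough history yet

    # Consumption per interval (positive = space was used up)
    $deltas   = @(for ($i = 1; $i -lt $FreeMB.Count; $i++) { $FreeMB[$i - 1] - $FreeMB[$i] })
    $recent   = $deltas[($deltas.Count - $Window)..($deltas.Count - 1)]
    $baseline = $deltas[0..($deltas.Count - $Window - 1)]

    $recentDrop   = ($recent   | Measure-Object -Sum).Sum
    $recentRate   = $recentDrop / $Window
    $baselineRate = [Math]::Max(($baseline | Measure-Object -Average).Average, 0.0)

    # Compare against at least 1 MB/interval so a flat baseline does not divide away
    $suspicious = ($recentDrop -ge $MinDeltaMB) -and
                  ($recentRate -gt $Factor * [Math]::Max($baselineRate, 1.0))

    [pscustomobject]@{
        BaselineRateMB = [Math]::Round($baselineRate, 1)
        RecentRateMB   = [Math]::Round($recentRate, 1)
        RecentDropMB   = $recentDrop
        Suspicious     = $suspicious
    }
}

# Constructed sample series (MB free, one value per 5-minute interval): a slow
# decline followed by a sudden drop as objects are flooded into the directory.
$series = 51200, 51190, 51185, 51170, 51160, 51150, 48900, 46100, 43200
Test-ConsumptionTrend -FreeMB $series
# -> BaselineRateMB 10, RecentRateMB 2650, RecentDropMB 7950, Suspicious True

# Live collection on a domain controller. The D: volume is an assumption; the
# real location is the "DSA Database file" value under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
$samples = [System.Collections.Generic.List[double]]::new()
while ($true) {
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='D:'"
    $samples.Add([double]($disk.FreeSpace / 1MB))
    if ($samples.Count -gt 288) { $samples.RemoveAt(0) }      # keep one day of samples
    $r = Test-ConsumptionTrend -FreeMB $samples.ToArray()
    if ($r -and $r.Suspicious) {
        Write-Warning ("Abnormal disk consumption on D:: {0} MB in the last window" -f $r.RecentDropMB)
    }
    Start-Sleep -Seconds 300
}
```

The threshold check of the next section ("free space below 25 %") would only fire once the disk is nearly full; the rate comparison above fires within a few intervals of the burst starting, which is the point of trend analysis.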
Changes in the status of domain controllers
Changes on the domain controllers may have an impact on the security of the Active Directory. For this reason, the availability and system resources of the domain controller should be monitored at a minimum:
The availability of domain controllers can be monitored in a variety of ways. Special monitoring software could be used for this purpose, for example. However, it is also possible to send LDAP requests regularly to the domain controller as an alternative. Using this method, it is not only possible to determine whether the corresponding domain controller is active (the test client receives a response), but additionally to draw conclusions about the system load of the domain controller from the response time.
It must also be ensured that restarts of the domain controllers are detected, because the unauthorised restart of a domain controller could be indicative of an attack. Correspondingly, the system event logs of all domain controllers in an organisation should be examined for unauthorised system restarts.
Besides the direct availability of the domain controllers, their system resources should also be monitored. A change in the system resources does not necessarily indicate an attack; it may also have technical causes such as a misconfiguration or the use of outdated hardware in a growing Active Directory structure.
The following system resources should be monitored on all domain controllers in an organisation and suitable countermeasures should be taken in case irregularities are detected:
- processor utilisation in percent (upper limit value: 80%)
- free storage space on the data media with the Active Directory database in percent (lower limit value: 25%)
- available internal memory in percent (lower limit value: 10%)
- connection duration for LDAP connections (an unusually large increase in the duration of the connection could be suspicious)
- number of successful LDAP connections per second (an unusually large increase in the number of LDAP connections could be suspicious. The particular limit value in this case depends on the volume of data transmitted by the LDAP connections in the organisation).
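One probe per domain controller that covers the three points of this section (LDAP availability with response time, unauthorised restarts in the System log, and the resource limit values given above), as an added example rather than code from the BSI catalogue. The host name dc01.example.com and the D: volume for the Active Directory database are assumptions; the event IDs and CIM classes are standard Windows ones.

```powershell
# Added example, not part of the BSI safeguard text.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory     # only needed for Get-ADDomainController below

function Test-LdapResponse {
    # Availability check via a real LDAP request, timing the round trip.
    param([string]$Server, [int]$Port = 389, [int]$TimeoutSec = 5)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = [TimeSpan]::FromSeconds($TimeoutSec)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $conn.Bind()
        # RootDSE base search: cheap, answered by every DC, needs no base DN
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', '(objectClass=*)', 'Base', [string[]]@('currentTime'))
        $null = $conn.SendRequest($req)
        $sw.Stop()
        [pscustomobject]@{ Server = $Server; Up = $true;  ResponseMs = $sw.ElapsedMilliseconds; Error = $null }
    } catch {
        $sw.Stop()
        [pscustomobject]@{ Server = $Server; Up = $false; ResponseMs = $null; Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

function Get-RestartEvents {
    # 6005/6006: event log service started/stopped (boot/shutdown)
    # 6008: unexpected shutdown, 1074: shutdown initiated by a user or process
    # (message names who and why), 41: Kernel-Power, reboot without clean shutdown
    param([string]$Computer, [int]$Days = 1)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'System'
        Id        = 6005, 6006, 6008, 1074, 41
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      Select-Object @{n = 'DC'; e = { $Computer }}, TimeCreated, Id, ProviderName,
        @{n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] }}
}

function Test-DcResources {
    # Limit values from the safeguard: CPU > 80 %, DIT volume < 25 % free, RAM < 10 % free
    param([string]$Computer, [string]$DitDrive = 'D:')
    $os   = Get-CimInstance Win32_OperatingSystem -ComputerName $Computer
    $cpu  = Get-CimInstance Win32_Processor -ComputerName $Computer |
              Measure-Object -Property LoadPercentage -Average
    $disk = Get-CimInstance Win32_LogicalDisk -ComputerName $Computer -Filter "DeviceID='$DitDrive'"
    $memFreePct  = 100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize   # both in KB
    $diskFreePct = 100 * $disk.FreeSpace / $disk.Size
    [pscustomobject]@{
        Computer       = $Computer
        CpuPct         = [Math]::Round($cpu.Average, 1)
        CpuOverLimit   = $cpu.Average -gt 80
        DitDiskFreePct = [Math]::Round($diskFreePct, 1)
        DiskUnderLimit = $diskFreePct -lt 25
        MemFreePct     = [Math]::Round($memFreePct, 1)
        MemUnderLimit  = $memFreePct -lt 10
    }
}

# Run against every DC in the domain (or a fixed list such as 'dc01.example.com')
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Test-LdapResponse -Server $dc
    Test-DcResources  -Computer $dc
    Get-RestartEvents -Computer $dc
}
```

The LDAP response time is the value to keep a history of: a domain controller that still answers but with a response time several times its usual value is exactly the "unusually large increase in the duration of the connection" from the list above. Restart events are only meaningful when matched against the change schedule; an event 1074 outside a maintenance window, or a 6008/41 at any time, needs follow-up.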
Changes in the Active Directory
If changes are executed at the domain level, the changes will usually affect all other domain controllers, member servers, users, and workstations. The following changes are possible in this context:
- Changes to the domain-wide operations master roles
Changes to the domain-wide operations master roles (PDC emulator, RID master and infrastructure master) have an impact on the entire domain. A faulty configuration, for example of the PDC emulator, could have adverse effects on the overall design of the domain and may lead to wide-ranging disruptions in the network. It is therefore essential to carefully plan all intended changes to the operations master roles in advance.
- Changes to the trust relationships
Trust relationships can be set up between the various domains of an organisation or government agency. Changes to trust relationships must be monitored so that the creation of new trust relationships in particular, and with it any resulting extension of the rights of domain users, is detected as quickly as possible.
- Changes to the AdminSDHolder object
The AdminSDHolder object is used by the PDC emulator to protect the members of the service administrator (protected) groups, and those groups themselves, against unauthorised changes to their authorisations. The SDProp process on the PDC emulator compares the DACLs of these accounts with the DACL of AdminSDHolder every 60 minutes by default and resets any that differ. Monitoring should check at the same interval that the DACLs of the protected accounts match the DACL of the AdminSDHolder object and that the AdminSDHolder DACL itself has not been changed: a persistent mismatch indicates that SDProp is not running, and an unauthorised change to AdminSDHolder is propagated to every protected account.
- Changes to the group policy objects and their links
Changes to group policies, for example to the password policy for domain users, affect the domain and therefore all domain controllers in the affected domain as well, and need to be monitored for this reason. The linking of group policy objects to domain containers, in particular to the "Domain Controllers" organisational unit, must also be monitored.
- Changes to the membership of the predefined service administrator groups
The unauthorised addition or removal of users in predefined service administrator groups such as Administrators, Domain Admins or Account Operators may be an indication of an attack. Membership changes to the service administrator groups must therefore be monitored.
- Changes to the audit policies of a domain
An unauthorised change to the audit (monitoring) policies may disrupt or completely disable monitoring. In order to detect the deactivation of monitoring, the audit policies themselves must be monitored as well.
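Two checks for the domain-level changes listed above, as an added example that is not part of the BSI catalogue: the first compares the explicit DACL of AdminSDHolder with the DACL of every protected object (adminCount=1), the second collects the Security-log events for trust, audit-policy, group-membership and directory-object changes from the domain controllers. Both rely only on the ActiveDirectory module and standard Windows event IDs; the 24-hour lookback is an assumption.

```powershell
# Added example, not part of the BSI safeguard text.
Import-Module ActiveDirectory      # also provides the AD: drive used by Get-Acl

function Get-ExplicitAceSet {
    # Explicit (non-inherited) ACEs of an AD object as comparable strings.
    # Inherited ACEs are skipped because SDProp disables inheritance on
    # protected objects; owner and SACL are not part of the comparison.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
    } | Sort-Object -Unique
}

function Compare-AdminSDHolder {
    $domain   = Get-ADDomain
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $holder   = @(Get-ExplicitAceSet $holderDn)
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' |
      ForEach-Object {
        $diff = @(Compare-Object -ReferenceObject $holder `
                                 -DifferenceObject @(Get-ExplicitAceSet $_.DistinguishedName))
        [pscustomobject]@{
            Object      = $_.DistinguishedName
            Matches     = ($diff.Count -eq 0)
            MissingAces = @($diff | Where-Object SideIndicator -eq '<=').Count  # only on AdminSDHolder
            ExtraAces   = @($diff | Where-Object SideIndicator -eq '=>').Count  # only on the object
        }
      }
}

function Get-DomainChangeEvents {
    # 4706/4707/4716: trust created / removed / modified
    # 4719: system audit policy changed      4739: domain policy changed
    # 4728/4729, 4732/4733, 4756/4757: member added/removed (global, local, universal group)
    # 5136/5137/5141: directory object modified / created / deleted; requires
    #   "Directory Service Changes" auditing plus a matching SACL, and covers
    #   group policy container and AdminSDHolder edits
    param([string[]]$DomainControllers, [int]$Hours = 24)
    $ids = 4706, 4707, 4716, 4719, 4739, 4728, 4729, 4732, 4733, 4756, 4757, 5136, 5137, 5141
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
          Select-Object @{n = 'DC'; e = { $dc }}, TimeCreated, Id,
            @{n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] }}
    }
}

# Objects whose DACL does not match AdminSDHolder
Compare-AdminSDHolder | Where-Object { -not $_.Matches }

# Domain-level change events from every DC, oldest first
Get-DomainChangeEvents -DomainControllers (Get-ADDomainController -Filter *).HostName |
  Sort-Object TimeCreated
```

Because each domain controller keeps its own Security log, the membership and trust events must be collected from every domain controller, not only from the PDC emulator; an attacker who adds a member on one domain controller produces the 47xx event there only, while the resulting change replicates everywhere. The AdminSDHolder comparison should be stored with a timestamp so that the monitoring report can show whether a mismatch persisted across more than one SDProp interval.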
Changes that affect the entire Active Directory structure of the organisation or government agency (the forest), for example all of the domains defined in it, are referred to as changes to the overall structure. Changes to the overall structure include the following events:
- Changes to the class of a domain controller
When a server is promoted to a domain controller, or a domain controller is demoted, this is referred to as a change of the domain controller's class.
- Changes to the Active Directory schema
When the structure of the directory database is changed, for example by adding or modifying object classes or attributes, the Active Directory schema changes.
- Changes to the LDAP policies
LDAP requests, and therefore access to the Active Directory data via LDAP, can be restricted with LDAP policies (the lDAPAdminLimits of the query policy, for example the maximum page size or the maximum number of concurrent connections).
- Changes to the replication topology between domain controllers
Changes to the replication topology are the creation, deletion and modification of Active Directory sites, site links and subnets.
- Changes to the dSHeuristics attribute
The dSHeuristics attribute of the Directory Service object in the configuration partition controls forest-wide behaviour of the Active Directory, for example whether List Object mode is enabled.
- Changes to the forest-wide operations master roles
All operations master roles are flexible single master operations (FSMO) roles; the two that apply to the overall structure are the schema master and the domain naming master.
All of the change events listed above should be monitored and evaluated on all domain controllers of an organisation, both at the level of individual domains and in terms of the overall structure. If an unauthorised change is discovered while evaluating the security monitoring logs of a domain controller, the corresponding business continuity safeguards must be initiated (see also S 6.106 Creation of a business continuity plan for the failure of a directory service).
For some events, it is not clear from the log files which objects or attributes were changed. For this reason, the schema and the other forest-wide settings of the Active Directory must be documented so that changes can later be identified, and undone if required, by manual comparison with this reference.
If it cannot be ensured that the unauthorised changes to the Active Directory have been fully eliminated, consideration should be given to recovering the overall structure.
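A baseline-and-diff check for the forest-wide settings listed above (domain controller class, schema, LDAP policies, replication topology, dSHeuristics, schema and domain naming master), which also serves as the documented reference that the preceding paragraphs ask for. This is an added example and not code from the BSI catalogue; the baseline path C:\ADMon\forest-baseline.json is an assumption, the distinguished names and cmdlets are the standard ones.

```powershell
# Added example, not part of the BSI safeguard text. First run writes the
# reference; every later run reports settings that differ from it.
Import-Module ActiveDirectory

function Get-ForestState {
    $forest = Get-ADForest
    $root   = Get-ADRootDSE
    $cfgDn  = $root.configurationNamingContext
    $schDn  = $root.schemaNamingContext
    $dsDn   = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgDn"

    $ds     = Get-ADObject $dsDn -Properties dSHeuristics
    $qp     = Get-ADObject "CN=Default Query Policy,CN=Query-Policies,$dsDn" -Properties lDAPAdminLimits
    $schema = Get-ADObject $schDn -Properties objectVersion
    $schemaObjects = @(Get-ADObject -SearchBase $schDn -Properties whenChanged `
                          -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))')
    $lastSchemaChange = ($schemaObjects | Sort-Object whenChanged -Descending | Select-Object -First 1).whenChanged

    # Everything is stored as a string so that the JSON round trip compares cleanly
    [ordered]@{
        SchemaMaster       = [string]$forest.SchemaMaster
        DomainNamingMaster = [string]$forest.DomainNamingMaster
        SchemaVersion      = [string]$schema.objectVersion
        SchemaObjectCount  = [string]$schemaObjects.Count
        SchemaLastChanged  = $lastSchemaChange.ToString('o')
        DSHeuristics       = [string]$ds.dSHeuristics
        LdapPolicies       = @($qp.lDAPAdminLimits | Sort-Object) -join ';'
        Sites              = @(Get-ADReplicationSite     -Filter * | ForEach-Object Name     | Sort-Object) -join ';'
        SiteLinks          = @(Get-ADReplicationSiteLink -Filter * | ForEach-Object Name     | Sort-Object) -join ';'
        Subnets            = @(Get-ADReplicationSubnet   -Filter * | ForEach-Object Name     | Sort-Object) -join ';'
        DomainControllers  = @(Get-ADDomainController    -Filter * | ForEach-Object HostName | Sort-Object) -join ';'
    }
}

function Compare-ForestBaseline {
    param([string]$BaselinePath = 'C:\ADMon\forest-baseline.json')   # assumed location
    $current = Get-ForestState
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($key in $current.Keys) {
        $old = [string]$baseline.$key
        $new = [string]$current[$key]
        if ($old -ne $new) {
            [pscustomobject]@{ Setting = $key; Baseline = $old; Current = $new }
        }
    }
}

Compare-ForestBaseline
```

A promotion or demotion shows up as a changed DomainControllers entry, a schema extension as a changed SchemaVersion, SchemaObjectCount or SchemaLastChanged, and an LDAP policy or dSHeuristics edit as a changed string. The baseline file should be kept where domain administrators cannot silently rewrite it (for example on the monitoring system, with its own hash recorded), and it must be updated deliberately after every planned change so that the next run does not keep reporting the approved state as a deviation.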
The creation, deletion and modification of the user accounts of the service administrators (the accounts kept in the Service Admins organisational unit) must be monitored. Furthermore, the addition or removal of administrator workstations in the Service Admins organisational unit must also be monitored.
When there is no more storage space on the domain controller for the Active Directory database, it is impossible to create new objects in the Active Directory. For this reason, the storage space used by the Active Directory objects should be monitored continuously.
Monitoring the storage space not only allows you to determine when storage space for the Active Directory database is running low, but also to detect object flood attacks in which the storage space in use increases dramatically in a relatively short time.
A reserve file of suitable size (a file whose only purpose is to occupy disk space) can be created in advance on the domain controllers to enable a quick response to an object flood attack. In the event of such an attack, the reserve file on the affected domain controllers can be deleted in order to free some storage space temporarily and to keep normal operations running.
After the attack, it is necessary to find the undesired objects in the Active Directory that were used in the attack and remove them.
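The three steps of the last paragraphs as an added example (not code from the BSI catalogue): read the size of the Active Directory database file and the free space next to it, manage a reserve file that can be deleted under pressure, and find the objects created in a burst so that they can be removed afterwards. The reserve file path D:\reserve.bin, its size, the 60-minute window and the threshold of 500 objects are assumptions; the registry value and fsutil are standard.

```powershell
# Added example, not part of the BSI safeguard text. Run elevated on a DC.
Import-Module ActiveDirectory

function Get-DitSize {
    # Location of ntds.dit from the NTDS service parameters
    $p   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit = Get-Item -LiteralPath $p.'DSA Database file'
    [pscustomobject]@{
        Path   = $dit.FullName
        SizeMB = [Math]::Round($dit.Length / 1MB, 1)
        FreeMB = [Math]::Round((Get-PSDrive $dit.PSDrive.Name).Free / 1MB, 1)
    }
}

function New-ReserveFile {
    # fsutil allocates the space without writing data, so this is instant
    param([string]$Path = 'D:\reserve.bin', [long]$SizeBytes = 1GB)   # assumed path/size
    if (-not (Test-Path -LiteralPath $Path)) {
        fsutil file createnew $Path $SizeBytes | Out-Null
    }
}

function Remove-ReserveFile {
    # Emergency step during an object flood: free the space, keep the DC writable
    param([string]$Path = 'D:\reserve.bin')
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path -Force }
}

function Get-ObjectBurst {
    # Objects created within the window, grouped by class and parent container.
    # The parent containers tell you where the clean-up has to start.
    param([int]$Minutes = 60, [int]$Threshold = 500)
    $since = (Get-Date).AddMinutes(-$Minutes)
    $new   = @(Get-ADObject -Filter { whenCreated -ge $since } -Properties whenCreated, objectClass)
    # Split off the RDN without breaking on escaped commas such as "Smith\, John"
    $parents = $new | ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
                 Group-Object | Sort-Object Count -Descending | Select-Object -First 5
    [pscustomobject]@{
        Since   = $since
        Count   = $new.Count
        Flood   = $new.Count -gt $Threshold
        ByClass = ($new | Group-Object objectClass | Sort-Object Count -Descending |
                     ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        Parents = ($parents | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '
        Objects = $new
    }
}

Get-DitSize
New-ReserveFile                      # once, as a precaution
$burst = Get-ObjectBurst
if ($burst.Flood) {
    Write-Warning ("{0} objects created since {1}: {2}" -f $burst.Count, $burst.Since, $burst.Parents)
    # Remove-ReserveFile              # only if the DIT volume is actually running out
    # $burst.Objects | Remove-ADObject -Confirm   # after confirming they are the flood objects
}
```

The clean-up is deliberately left as a commented step: whenCreated alone does not prove that an object belongs to the attack, and a legitimate bulk provisioning job produces the same picture. The 5137 (object created) Security events from the domain controller that processed the writes name the account that created them and are the safer basis for deciding what to delete.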
Changes to critical files
The monitoring set up on the domain controllers themselves and on the administrative workstations should allow the detection of changes to critical files. The files belonging to the operating system configuration and the files used by the applications installed should be monitored for changes at a minimum. Furthermore, important executable files, for example the files of administration tools on the administrator workstations, should also be monitored for changes.
The first step is to select suitable software for monitoring the system configuration. After that, a trusted base configuration should be specified for the operating systems to be monitored.
A reference image of this base configuration is then created with the monitoring software and used as the basis for all future examinations. At regular intervals it must be checked whether the current configuration of the domain controllers or administrator workstations differs from the reference configuration. If changes are detected, the system should be returned to its original state as quickly as possible.
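The reference-image procedure above, carried out with file hashes as an added example (not code from the BSI catalogue): a baseline of SHA-256 hashes is written for the monitored paths, and a later run reports files that are missing, modified, or newly added inside the monitored directories. The example paths and the baseline location are assumptions; the list should name the configuration files and administration tools actually used.

```powershell
# Added example, not part of the BSI safeguard text.

function New-FileBaseline {
    # Hash every file below the given paths and store path/hash/length as JSON.
    param([string[]]$Paths, [string]$BaselinePath)
    $entries = foreach ($p in $Paths) {
        Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Path = $_.FullName; Hash = $h.Hash; Length = $_.Length } }
        }
    }
    @($entries) | ConvertTo-Json | Set-Content -Path $BaselinePath
    @($entries).Count
}

function Compare-FileBaseline {
    # Report Missing / Modified files from the baseline and New files in its directories.
    param([string]$BaselinePath)
    $baseline = @{}
    foreach ($e in @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$e.Path] = $e.Hash }

    foreach ($path in $baseline.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $baseline[$path]) {
            [pscustomobject]@{ Path = $path; Status = 'Modified' }
        }
    }
    # A dropped-in executable next to the admin tools is as relevant as a changed one
    $dirs = $baseline.Keys | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object {
            if (-not $baseline.ContainsKey($_.FullName)) {
                [pscustomobject]@{ Path = $_.FullName; Status = 'New' }
            }
        }
    }
}

# Assumed set of critical files: name resolution config, local group policy,
# the PowerShell AD module used by the administrators, and a few admin tools.
$paths = 'C:\Windows\System32\drivers\etc',
         'C:\Windows\System32\GroupPolicy',
         'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory',
         'C:\Windows\System32\ntdsutil.exe',
         'C:\Windows\System32\dsa.msc'
$baseline = 'C:\ADMon\file-baseline.json'        # assumed location

if (-not (Test-Path -LiteralPath $baseline)) {
    "{0} files recorded" -f (New-FileBaseline -Paths $paths -BaselinePath $baseline)
} else {
    Compare-FileBaseline -BaselinePath $baseline
}
```

The baseline is only worth as much as its own integrity: it must be written from a known-good state, stored where the monitored systems' administrators cannot rewrite it, and refreshed deliberately after every approved update, otherwise a patch day produces a page of "Modified" lines that trains people to ignore the report.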
Review questions:
- Is the Active Directory infrastructure monitored and logged based on the system-internal events?
- Are the security monitoring results regarding the Active Directory evaluated regularly?
- Are the availability and the system resources of the domain controllers monitored?
- Are changes at the domain level and to the overall structure of the Active Directory monitored, logged, and evaluated?