Azure ATP : Domain Auditing

Directory Service Advanced Auditing Issue

If you have ATP (Advanced Threat Protection) enabled in your Azure subscriptions and you have the sensors installed on your domain controllers, if you do not setup Advanced Group Policy you will get this warning:

This means you need to setup the policy as per the recommendations, for more specially for your companies requirements so to do that, so lets get started....

This can all controlled with GPO, the current policy controlling this is called "Advanced Group Policy" and its only applied to the DC's so update these values and then you have a consistent amount that people cannot override to "save space" on the C: at the cost of your security logging.

Back to the directory services not being audited, this is what can be audited as you can see below:

 Each of these entries have the option to audit success of failure.......

Now for each option you have upsides and downsides of auditing everything, when it comes to DS access that is any operation that uses ADDS, this means if you audit success you will get lots of events for things that "successfully" occurred which is a lot of data, a whole load of data, but if its "malicious" it could probably be success not a failure. 

However, if you only audit failure then you will only get alerts on actions that failed, so all the successful ones will not be audited, there is no best practice for this as its down to company requirements, however on the Azure DC's with their security audit as it is, if you turned on Success and Failure for all those action you would end up having a couple of hours of data from the security log.

Configuration Container Issue

You will then notice you get this error or misconfiguration warning:

This required a different fix, to fix this issue

  1. Open ADSI Edit. To do this, select Start, select Run, type ADSIEdit.msc, and then select OK.
  2. On the Action menu, select Connect to.
  3. In the Connection Settings dialog box under Select a well known Naming Context, select Configuration, and then select OK.
  4. Expand the Configuration container. Under the Configuration container, you'll see the Configuration node. It will begin with “CN=Configuration,DC=..."
  5. Right-click the Configuration node and select Properties, this will get you to here:

  6. Go to the Security tab, and select Advanced.
  7. In Advanced Security Settings, choose the Auditing tab. Select Add.
  8. Choose Select a principal.
  9. Under Enter the object name to select, type Everyone. Then select Check Names, and select OK.
  10. You'll then return to Auditing Entry. Make the following selections:

    For Type select All.
    For Applies to select This object and all descendant objects.
    Under Permissions, scroll down and select Clear all. Scroll up and select Write all properties.

  11. Select OK
Once that replicates to all the domain controllers this will then clear that alert and your monitoring is now active and online πŸ˜—
Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„