Keeping your Active Directory under close scrutiny is not difficult thanks to the auditing features of Windows Server and the arrival of professional AD auditing solutions. However, auditors sometimes do not pay much attention to privileged user accounts as they are presumed be trustworthy. But such accounts, because of their higher privileges, are attractive targets to hackers. If some security lapses are there with them, they can be dangerous to the entire AD environment. So organizations cannot be negligent about them.

Administrative privileges given to some accounts helps in managing the Active Directory more effectively and in providing easy access to various AD resources. Misuses of such privileges can be limited by following a two-fold approach. First of all, organizations should follow a Least-Privileged Administrative Model for Active Directory to limit the number of privileged accounts, to limit the duration of privileges, and to limit the level privileges Secondly, there should be regular auditing in the AD environment. It is suggested that you use a professional auditing solution to audit Active Directory and Group Policy.

What is the Least-Privileged Administrative Model?
The Least-Privileged Administrative Model focuses on providing the users and computers with the least permissions that are required to perform a particular task. It is aimed at enhancing security and minimizing security risks in the network. Here are some suggestions for implementing this:

  • Limit the number of privileged accounts

Limit the number of accounts in Enterprise Admins (EA) group, Domain Admins (DA) group, and built-in domain local Administrators (BA) group.

  • Limit the level of privileges

Follow the Microsoft’s recommendations and best practices to limit the level of privileges provided to various administrative accounts; implement role-based access control (RBAC) according the business rules of the company.

  • Limit the duration of elevated privileges

When elevated privileges are required for an account, temporarily place it in a group having those rights (instead of giving individual rights) and remove it from the group immediately after the task is done.

  • Follow some special measures

Implement certificate based authentication mechanism, and configure smart card based interactive logon plus auditing for administrative accounts.

Privileged use auditing in Windows Server 2008 R2
Privilege use auditing allows to track the usage of privileges given to users and computers. Windows 2008 R2 provides two options for auditing privilege uses.

While ‘Audit privilege use’ policy setting is configured, the following events are generated :


‘Audit privilege use’ policy setting in Windows Server 2008 R2 tracks:


The table below gives the list of events. Users are recommended to refer Microsoft sites for detailed information on them.


Note:
Many experts suggest that auditing privilege uses may lead to enormous number of audit events, especially when Success and Failure events are audited. So it is suggested to use this option with utmost caution.

Professional Active Directory Auditing Solutions
Professional auditing solutions are recommended even if you follow a Least-Privileged Administrative Model and keep the VIP accounts under auditing radar. A complete AD auditing help in securing the entire AD environment and also in meeting regulatory compliances. LepideAuditor Suite helps in auditing Active Directory and Group Policy.

Blog Summary
Privileged accounts have very crucial role in the Active Directory. However, for the security of the entire AD environment, it is essential to follow a Least-Privileged Administrative Model in the organization. Also, it is necessary to audit privilege use events of the AD. And for auditing the entire Active Directory, one can use professional AD auditing solutions like Lepide Auditor Suite.