Using Active Directory to Meet Regulatory Compliance
When it comes to meeting compliance, many administrators settle for simply collecting event logs. The Windows event log records only the events that the configured audit policy asks for (the default policy covers a fraction of what most mandates need), and each server keeps its own log up to a fixed size, after which the oldest entries are overwritten. Is simply storing those logs an efficient way to meet compliance?
Most compliance mandates require a specific report to satisfy a specific section. These reports are easy to generate from Active Directory if you already have a pre-written PowerShell script or a free tool from Microsoft TechNet. However, relying on such free scripts or tools will not always give you the results you need. In this article we highlight some better methods for meeting regulatory compliance requirements.
There should be a proper methodology to authenticate and record every logon request in the network. Even where some computers run a non-Windows operating system (macOS, or a Linux distribution such as Ubuntu), the administrator should have a mechanism that authenticates their logon requests against the domain rather than against local accounts. macOS (through Directory Utility) and Linux (through SSSD and realmd, or a third-party agent) can be joined to Active Directory, so that logons on those machines use domain accounts and Kerberos and are recorded on the domain controllers like any other.
Grouping the Computers
Some computers in the organization process payments or store payment-related information. Make sure every such computer is a member of a single security group: a group is what Group Policy security filtering, access control lists and audit queries can reference, so it is the natural unit for a policy that applies only to those machines. Access to these computers should be limited to explicitly authorized user accounts.
Computer Access Restrictions
An important part of meeting compliance is restricting user access to sensitive information and to the devices that store it. If client information lives on particular computers, logon to those computers must be limited. In "Active Directory Users and Computers", the "Log On To..." button on a user's Account tab (the userWorkstations attribute) lists the computers that user may log on to; to control it from the computer side, assign the "Allow log on locally" and "Deny log on locally" user rights in a Group Policy Object applied to those computers, so that nobody outside the authorized group gets an interactive session on them.
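The grouping and restriction described in the two sections above, as an added PowerShell example (not code from the original article). It assumes the RSAT ActiveDirectory module on a domain-joined admin host; the group, computer, user and OU names are hypothetical.

```powershell
# Added example: put the computers that handle payment data in one security group,
# pin the authorized users to those machines, and produce the two reports an auditor asks for.
Import-Module ActiveDirectory

$GroupName       = 'Payment-Workstations'                  # hypothetical
$Computers       = 'PAY-WS01', 'PAY-WS02', 'PAY-SRV01'      # hypothetical
$AuthorizedUsers = 'alice.finance', 'bob.finance'           # hypothetical
$FinanceOU       = 'OU=Finance,OU=Departments,DC=corp,DC=example'   # hypothetical

# 1. A global security group is what GPO security filtering, ACLs and audit queries reference.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Description 'Computers that process or store payment data'
}
Add-ADGroupMember -Identity $GroupName -Members ($Computers | ForEach-Object { Get-ADComputer $_ })

# 2. userWorkstations (LogonWorkstations) is a comma-separated list of NetBIOS names
#    (at most 64 entries); the DC rejects interactive logons by this user from any other computer.
$allowed = $Computers -join ','
foreach ($user in $AuthorizedUsers) {
    Set-ADUser -Identity $user -LogonWorkstations $allowed
}

# 3a. Who may log on to a payment machine: every user whose allowed list names a group member.
function Get-PaymentAccessReport {
    $members = (Get-ADGroupMember -Identity $GroupName).Name
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        Where-Object {
            $allowedOn = $_.LogonWorkstations -split ','
            [bool]($members | Where-Object { $allowedOn -contains $_ })
        } |
        Select-Object SamAccountName, LogonWorkstations
}

# 3b. The gaps: enabled finance accounts that are still allowed to log on anywhere.
function Get-UnrestrictedFinanceUsers {
    Get-ADUser -SearchBase $FinanceOU -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName
}

Get-PaymentAccessReport
Get-UnrestrictedFinanceUsers
```

LogonWorkstations restricts a user to a set of computers; it does not stop other users from logging on to those computers. For that, keep the "Allow log on locally" user right in a GPO applied to the payment machines restricted to the authorized group.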
Dividing Users into Organizational Units
Users should be divided into organizational units by department. Suppose there are Health, Finance, Sales, Support, Operations and IT Helpdesk departments in an organization. The user accounts of each department go into a separate, dedicated Organizational Unit, and the Group Policy Management Console is then used to link department-specific Group Policy Objects to those OUs. Not only does this simplify account management and security, it also lets you meet compliance mandates that prescribe a different set of access and security policies for different types of user. Keep in mind that OUs are for delegation and policy, not for permissions: access to resources is still granted to security groups.
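The OU-per-department layout above, with a GPO linked to each OU and users sorted in by their Department attribute, as an added PowerShell example (not from the original article). It assumes the ActiveDirectory and GroupPolicy RSAT modules; the OU names, GPO names and the idle-lock setting used for the Finance department are illustrative.

```powershell
# Added example: one OU per department under "Departments", one linked GPO each,
# a department-specific setting, and a verification listing for the auditor.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = (Get-ADDomain).DistinguishedName
$Departments = 'Health', 'Finance', 'Sales', 'Support', 'Operations', 'IT Helpdesk'

function New-OUIfMissing([string]$Name, [string]$Path) {
    # Returns the OU's DN, creating it (deletion-protected) if it does not exist yet.
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true }
    return $dn
}

$parentDn = New-OUIfMissing -Name 'Departments' -Path $DomainDN
foreach ($dept in $Departments) {
    $ouDn    = New-OUIfMissing -Name $dept -Path $parentDn
    $gpoName = "Dept - $dept - Baseline"                         # hypothetical naming scheme

    # One GPO per department, linked to that department's OU only.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Baseline settings for the $dept department" }
    if ((Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
    }

    # Move existing accounts whose Department attribute matches into the OU.
    Get-ADUser -Filter "Department -eq '$dept'" |
        Where-Object { $_.DistinguishedName -notlike "*,$ouDn" } |
        Move-ADObject -TargetPath $ouDn
}

# Department-specific policy: Finance gets a 10-minute password-protected screen lock
# (Administrative Templates > Control Panel > Personalization); other departments keep the default.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$fin = 'Dept - Finance - Baseline'
Set-GPRegistryValue -Name $fin -Key $key -Type String -ValueName 'ScreenSaveActive'    -Value '1'   | Out-Null
Set-GPRegistryValue -Name $fin -Key $key -Type String -ValueName 'ScreenSaverIsSecure' -Value '1'   | Out-Null
Set-GPRegistryValue -Name $fin -Key $key -Type String -ValueName 'ScreenSaveTimeOut'   -Value '600' | Out-Null

# Verification an auditor can read: which GPOs are linked to each department OU.
foreach ($dept in $Departments) {
    $links = (Get-GPInheritance -Target "OU=$dept,$parentDn").GpoLinks
    [pscustomobject]@{ Department = $dept; LinkedGPOs = ($links.DisplayName -join '; ') }
}
```

The move step only relocates accounts whose Department attribute is already populated; accounts without one stay where they are and show up as an exception to chase, which is usually what you want rather than a silent guess.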
User Account Expiry
Set an expiry date on the accounts of people who join the organization on a contract or short-term basis. The Account tab of the user's properties (or the AccountExpirationDate property in PowerShell) lets you specify that the account expires after three months or six months. Doing this when the account is created saves you from having to remember to close the account when the contractor leaves, and an expired account cannot be used to log on even if nobody processes the leaver.
Do Not Prescribe Passwords
When you create a user account in "Active Directory Users and Computers" you must set an initial password, and that password is only as secret as the channel you use to tell the new user. Treat it as a one-time secret: generate it randomly, hand it over out of band, and select "User must change password at next logon" so it is replaced at first use and the administrator never knows the password the user actually works with.
If your organization has employees who deal directly with customers only during a fixed shift, restrict the logon hours of their accounts (Account tab, "Logon Hours..."). Outside the configured hours the domain refuses new logons. Note that a session already in progress is not ended by default; for that you also need the policies that act when logon hours expire ("Network security: Force logoff when logon hours expire" for server sessions, and "Set action to take when logon hours expire" under Windows Logon Options for interactive sessions).
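The three account controls above (expiry date, one-time password with change at next logon, and logon hours) applied to a single contractor account, as an added PowerShell example that is not from the original article. It assumes the ActiveDirectory RSAT module; the user, OU and domain names are hypothetical. The logonHours attribute is 21 bytes, one bit per hour of the week in UTC, Sunday 00:00 first, with the least significant bit of each byte representing the earliest hour; that bit layout is taken from the documented attribute format, but verify the result against the Logon Hours dialog in your own domain before rolling it out.

```powershell
# Added example: three-month contractor account with a random one-time password,
# "must change password at next logon", and logon hours limited to a weekday shift.
Import-Module ActiveDirectory

function New-RandomPassword([int]$Length = 20) {
    # 64 symbols so that (byte % 64) is unbiased; ambiguous glyphs (I, l, O, 0, 1) are left out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*+-='
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-LogonHoursMask([int[]]$Days, [int]$StartHourUtc, [int]$EndHourUtc) {
    # Days: 0 = Sunday .. 6 = Saturday. Hours are UTC, start inclusive, end exclusive.
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $slot = $day * 24 + $hour                                   # 0..167
            $mask[$slot -shr 3] = $mask[$slot -shr 3] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$mask
}

$initialPassword = New-RandomPassword
$account = @{
    Name                  = 'Carol Contractor'                                # hypothetical
    SamAccountName        = 'carol.contractor'
    UserPrincipalName     = 'carol.contractor@corp.example'
    Path                  = 'OU=Support,OU=Departments,DC=corp,DC=example'
    AccountPassword       = (ConvertTo-SecureString $initialPassword -AsPlainText -Force)
    ChangePasswordAtLogon = $true                   # admin never knows the working password
    AccountExpirationDate = (Get-Date).AddMonths(3) # contract end; nothing left to remember
    Enabled               = $true
}
New-ADUser @account

# Monday to Friday, 08:00-18:00 UTC only; outside that window the DC refuses new logons.
$shift = New-LogonHoursMask -Days (1..5) -StartHourUtc 8 -EndHourUtc 18
Set-ADUser -Identity 'carol.contractor' -Replace @{ logonHours = $shift }

# $initialPassword is handed over out of band (in person, phone, one-time secret link), never by e-mail.

# Reports: what was set on this account, and every account that expires within 30 days.
Get-ADUser 'carol.contractor' -Properties AccountExpirationDate, PasswordExpired, logonHours |
    Select-Object SamAccountName, AccountExpirationDate, PasswordExpired,
        @{ n = 'LogonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate
```

The expiring-accounts query is the report to run on a schedule: an account that shows up there with no renewal request on file is a leaver nobody processed.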
The administrator can use PowerShell to generate daily reports of user logon and logoff events from the Security log (event IDs 4624 for logon and 4634/4647 for logoff). Such reports should show the logon time, session duration, logoff time, logon type, authentication package (Kerberos or NTLM), source address and any other useful detail. Generate them at least daily to keep track of which users accessed which computers. Note that these events describe logons to the machine that recorded them; a domain controller's 4624 events cover logons to the DC itself, while domain-wide authentication appears there as Kerberos ticket events (4768/4769).
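The daily logon/logoff report, as an added PowerShell example that is not from the original article. It pairs each 4624 with the 4634 or 4647 that carries the same LogonId, so that session duration falls out directly, and lists sessions that are still open. It needs the "Logon" and "Logoff" audit subcategories enabled on the host; the computer name and output path are hypothetical.

```powershell
# Added example: logon/logoff sessions for one host, correlated on LogonId.
# Prerequisite on the audited host (Success auditing of logon and logoff):
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logoff" /success:enable

$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-EventFields($Event) {
    # Flattens the EventData section of a Security event into a name -> value hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-LogonSessionReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).Date,            # midnight today: one report per day
        [int[]]$LogonTypes = @(2, 10, 11)              # console, RDP, cached; type 3 is too noisy
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    $open = @{}                                        # LogonId -> session row awaiting its logoff
    $rows = New-Object System.Collections.Generic.List[object]
    foreach ($e in $events) {
        $f = Get-EventFields $e
        if ($e.Id -eq 4624) {
            if ([int]$f.LogonType -notin $LogonTypes) { continue }
            if ($f.TargetUserName.EndsWith('$'))       { continue }    # machine accounts
            $open[$f.TargetLogonId] = [pscustomobject]@{
                Computer    = $ComputerName
                User        = "$($f.TargetDomainName)\$($f.TargetUserName)"
                LogonType   = $LogonTypeName[[int]$f.LogonType]
                AuthPackage = $f.AuthenticationPackageName           # Kerberos vs NTLM
                SourceIP    = $f.IpAddress
                LogonTime   = $e.TimeCreated
                LogoffTime  = $null
                Duration    = $null
            }
        }
        elseif ($open.ContainsKey($f.TargetLogonId)) {                # 4634/4647 for a session we saw start
            $row = $open[$f.TargetLogonId]
            $row.LogoffTime = $e.TimeCreated
            $row.Duration   = $e.TimeCreated - $row.LogonTime
            $rows.Add($row)
            $open.Remove($f.TargetLogonId)
        }
    }
    $rows.AddRange([object[]]$open.Values)                            # still logged on at report time
    return $rows | Sort-Object LogonTime
}

# Usage: one CSV per host per day, e.g. from a scheduled task; host name and path are hypothetical.
Get-LogonSessionReport -ComputerName 'PAY-WS01' |
    Export-Csv -Path "C:\AuditReports\Logons-PAY-WS01-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A row whose AuthPackage is NTLM on a machine where everything should be Kerberos, or whose SourceIP is not a console address for an Interactive logon, is worth a second look; the report is only useful if someone reads it.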
Other Audit Reports
You can use pre-written PowerShell scripts available online to generate the following audit reports. Download scripts only from trustworthy sources such as TechNet, and read them before running them with domain privileges. Each report corresponds to one or more Security event IDs recorded on the domain controllers, so the relevant audit subcategories (User Account Management, Security Group Management, Computer Account Management) must be enabled there:
- Group Membership Modified – It should show every change to the membership of any group (events 4728/4729 for global, 4732/4733 for domain local and 4756/4757 for universal security groups).
- User Created – It should show every new user account (event 4720).
- User Deleted – It should show every user account deleted by an administrator (event 4726).
- User Expiry Modified – It should show every change to an account's expiry date (event 4738 with a value other than "-" in its AccountExpires field).
- Users' Logon Hours Attribute Modified – It should show every change to the logonHours attribute (event 4738 with a value other than "-" in its LogonHours field).
- User Status Changed – It should show accounts enabled (event 4722), disabled (4725) or locked out (4740).
- Computer Created – It should show every computer account created in Active Directory (event 4741).
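The reports listed above, pulled from the domain controllers' Security logs rather than from downloaded scripts, as an added PowerShell example that is not from the original article. Every DC logs only the changes it processed itself, so the query runs against all of them. It assumes the ActiveDirectory RSAT module and remote event log access to the DCs; the output path is hypothetical.

```powershell
# Added example: the account, group and computer change reports from the DCs' Security logs.
# Prerequisite on the DCs (normally via the Default Domain Controllers Policy): Success auditing of
# "User Account Management", "Security Group Management" and "Computer Account Management".
Import-Module ActiveDirectory

$ReportForId = @{
    4728 = 'Group Membership Modified (member added, global group)'
    4729 = 'Group Membership Modified (member removed, global group)'
    4732 = 'Group Membership Modified (member added, domain local group)'
    4733 = 'Group Membership Modified (member removed, domain local group)'
    4756 = 'Group Membership Modified (member added, universal group)'
    4757 = 'Group Membership Modified (member removed, universal group)'
    4720 = 'User Created'
    4726 = 'User Deleted'
    4738 = 'User Account Changed'              # refined below into expiry / logon hours
    4722 = 'User Status Changed (enabled)'
    4725 = 'User Status Changed (disabled)'
    4740 = 'User Status Changed (locked out)'
    4741 = 'Computer Created'
}
$GroupEvents = 4728, 4729, 4732, 4733, 4756, 4757

function Get-EventFields($Event) {
    # Flattens the EventData section of a Security event into a name -> value hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-AdChangeReport {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = [int[]]$ReportForId.Keys; StartTime = $Since }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $f      = Get-EventFields $_
            $report = $ReportForId[$_.Id]
            if ($_.Id -eq 4738) {                  # 4738 lists every attribute; "-" means unchanged
                if     ($f.AccountExpires -ne '-') { $report = 'User Expiry Modified' }
                elseif ($f.LogonHours     -ne '-') { $report = "Users' Logon Hours Attribute Modified" }
            }
            $target = if ($_.Id -in $GroupEvents) { "$($f.MemberName) -> $($f.TargetUserName)" }
                      else                        { $f.TargetUserName }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $dc
                EventId   = $_.Id
                Report    = $report
                Target    = $target
                ChangedBy = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            }
        }
    }
}

# Usage: one CSV per day, then filter by report name when an auditor asks for a specific section.
$changes = Get-AdChangeReport
$changes | Export-Csv -Path "C:\AuditReports\AD-Changes-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$changes | Where-Object Report -like 'Group Membership Modified*' | Format-Table Time, Target, ChangedBy
```

Because 4738 does not say which of the listed attributes was the reason for the event, the script classifies it by the fields that carry a real value; a single edit that touches both expiry and logon hours is reported under expiry, so keep the EventId column in the CSV for anyone who needs the raw record.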
Active Directory, Group Policy Objects, Exchange Servers, SharePoint Servers, SQL Servers and File Servers should all be audited if you are to meet the requirements of IT regulatory compliance. Administrators have to be well versed in the native auditing of each of these components. Native auditing has its limitations, though: every server keeps its own log with a fixed size, events are verbose and scattered across hosts, and turning them into the reports above takes log forwarding (for example Windows Event Forwarding) and scripting that Event Viewer alone does not provide.
In such a situation, LepideAuditor for Active Directory is useful for auditing the changes made to Active Directory objects. The same solution also audits Group Policy Objects, Exchange Server, SharePoint, SQL Server and File Server.