
How to track critical policy changes in the AD environment


Introduction

A security policy is the bridle with which the Active Directory administrator controls and secures the organizational resources spread over many network computers. If somebody tries to manipulate those carefully crafted security policies, he is actually trying to take control of the bridle with the aim of taking over the organizational resources completely or partially. The consequences of such manipulations are dangerous for the organization. That is why AD administrators are watchful of changes in security policies, especially authentication and authorization policy changes.
With the Advanced Audit Policy Configuration settings of Windows Server 2008 R2, it is easy for administrators to have all policy changes recorded in the Windows Security log. The Policy Change category contains the subcategories Audit Policy Change, Authentication Policy Change, Authorization Policy Change, Filtering Platform Policy Change, MPSSVC Rule-Level Policy Change, and Other Policy Change Events, and each of them can be audited in this way.
This is accomplished in the following steps:
1. Configure Advanced Audit Policy Configuration settings (using GPMC)
2. Access Policy Change events from the Windows Security log

Steps (7 total)

1

Open the Group Policy Management Console (GPMC) on the domain. Right-click the Default Domain Policy and click Edit.

2

Expand Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies and click Policy Change.

3

Right-click a subcategory and select Properties.

4

Check "Configure the following audit events" and check "Success". Click Apply.

5

Configure the audit settings for all the Policy Change subcategories in the same way.

6

Now open Windows Event Viewer and go to Windows Logs > Security. Use the Filter Current Log option to find the required events.

7

Refer to the table for a summary of the policy change event IDs. For detailed information, check the Microsoft documentation.
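As an added example (not part of the original article), the following PowerShell checks on a domain controller that the settings from steps 1 to 5 are actually in force and then pulls the Policy Change events that step 6 describes. The event ID list is a representative subset of the IDs Microsoft documents for the Policy Change subcategories, not the article's own table, and Get-EventDataValue is a helper written for this example.

```powershell
# Added example: verify the effective Policy Change audit settings and pull
# the resulting events from the Security log. Run in an elevated PowerShell
# on a domain controller after the GPO from steps 1-5 has applied.

# Local equivalent of steps 3-5 for a lab machine without a GPO (the article
# applies the setting through the Default Domain Policy instead):
# auditpol.exe /set /category:"Policy Change" /success:enable

# 1. Show what is actually in force (auditpol reports the effective
#    advanced audit policy, so a GPO that did not apply shows up here).
auditpol.exe /get /category:"Policy Change"

# 2. Representative Policy Change event IDs (subset; see Microsoft docs).
$policyChangeEvents = @{
    4719 = 'System audit policy was changed'        # Audit Policy Change
    4912 = 'Per-user audit policy was changed'      # Audit Policy Change
    4907 = 'Auditing settings on an object changed' # Audit Policy Change
    4739 = 'Domain Policy was changed'              # Authentication Policy Change
    4713 = 'Kerberos policy was changed'            # Authentication Policy Change
    4704 = 'A user right was assigned'              # Authorization Policy Change
    4705 = 'A user right was removed'               # Authorization Policy Change
    4670 = 'Permissions on an object were changed'  # Authorization Policy Change
}

# Helper (written for this example): read one named EventData field from the
# event XML. Field positions differ per event ID, so look up by name instead
# of by index.
function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 3. Query the Security log for those IDs from the last 24 hours. This is the
#    scripted form of "Filter Current Log" in Event Viewer.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$policyChangeEvents.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error

# 4. Summarise who changed what, and when, so an unexpected actor or an
#    after-hours change stands out.
$events |
    Select-Object TimeCreated, Id,
        @{ Name = 'Description'; Expression = { $policyChangeEvents[[int]$_.Id] } },
        @{ Name = 'Subject';     Expression = {
            (Get-EventDataValue -Event $_ -Name 'SubjectDomainName') + '\' +
            (Get-EventDataValue -Event $_ -Name 'SubjectUserName') } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Reading SubjectUserName from the event XML rather than from a fixed property index is deliberate: the order of the EventData fields differs between, for example, event 4719 and event 4739, so an index-based lookup would silently attribute a change to the wrong field.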

Conclusion

Tracking policy changes is essential to ensuring the security of Active Directory assets and meeting regulatory compliance requirements. Administrators can configure the Advanced Audit Policy Configuration settings in Windows Server 2008 R2 using GPMC and then track the resulting events in Windows Event Viewer.
