Monitoring User Logon Actions
Users logging on to their domain computers is a day-to-day activity in any enterprise. At the outset this might look like a simple Active Directory event, but administrators with varying roles can use this valuable data for diverse audit, compliance and operational needs. Organizations require audit details on user logons for one or more of the operational needs below.
- Verify the absenteeism / attendance of employees in a given audit interval / every month.
- Ascertain the total count of users who have access to the Active Directory network at a given instant.
- Spot users who access workstations or Domain Controllers through a remote network computer.
- Determine peak login times for all users in the domain.
- See who last logged on to a critical domain computer.
- Identify whether any user (miscreant) is attempting to log on to machines for which he / she does not have privileges. (For instance, Domain Controller logins / Member Server logins in Active Directory require elevated privileges.)
- View the complete logon history of any user in the domain, i.e. be equipped with evidence when you question a suspect employee: the Active Directory domain objects like computers, groups and other user accounts that the employee has administered, accessed or modified during his association.
In addition to the few listed, there are many more practical demands in an Active Directory network that require audit information on domain account logons. ADAudit Plus account logon reports can be used to overcome these account logon audit challenges. It provides a host of pre-configured reports that answer logon audit questions in the format desired and enhance the Active Directory auditing experience. The custom reporting facility makes the software even more sought after; for instance, any logon action can be defined and viewed as a report.
Why is native Active Directory considered insufficient for User Logon Auditing?
Every logon detail is continuously logged in the security logs of the Active Directory Domain Controllers (DCs). This data logged in the native Active Directory Domain Controllers:
- Requires expertise to understand, as it involves knowing specific event numbers and how they correlate to a logon action.
- Is huge in volume - every logon activity on / by any Active Directory object is continuously logged in the Domain Controller, and this event log data piles up to a huge volume.
- Has restricted access - The Domain Controller is a critical component of the Active Directory infrastructure and access is limited to selected administrative users.
Other limitations of native Active Directory include the inability of non-admin users like auditors, managers and human resources staff to track any desired logon action. Some critical logon events, like logging on to a Domain Controller or Member Server, require immediate alerts or continuous monitoring. This critical information, though logged, is not differentiated or grouped apart from normal event log entries and has a greater possibility of being neglected.
Need for an Active Directory Logon Audit Solution like ADAudit Plus:
Tracking account logon activity one system at a time for an entire Active Directory network is next to impossible. User Logon Audit Reports from ADAudit Plus list all user logon actions in a single report, which can be viewed from a central web console in a fraction of the time. Logon information is very important for identifying the authenticity of logons by user objects in the domain.
ADAudit Plus provides User Logon Reports on Logon Failures, Domain Controller Logon Activity, Member Server Logon Activity, Workstation Logon Activity, User Logon Activity, Recent User Logon Activity, and Last Logon on Workstations. Further, the logon audit solution acts as an indispensable tool to facilitate audit of specific logon events and of current and past logon activity, and lists all logon related changes. It does this through an easily understandable web interface and displays statistical information through charts, graphs and a list view of canned and customized reports.
Audit Reports from ADAudit Plus on User Logon:
Logon Failure Report:
The Logon Failure Report provides information on logon failures and the reason for each failure over a selected period of time. Multiple logon failure attempts on user accounts in the selected period are reported. This equips administrators with information on possible attacks on "intruder attack susceptible" accounts. Details such as when a logon failure occurred, the account that failed to log on, and the possible failure reasons are reported.
Logon failure reasons can be critical, like "Bad user name" or "Bad password", which are susceptible to attacks. Reasons which require Administrator attention are "Password has expired", "Account disabled/expired/locked-out" or "Administrator should reset the password on the account". Other reasons like "Workstation/Logon time restriction", "New computer account has not replicated yet" or "computer is pre-w2k" and "Time in workstation is not in sync with the time in Domain Controllers" are also reported.
A graphical representation of the number of logon failures against the reason for the failure helps Administrators take quick decisions and administer effectively.
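The following is an added example, not ADAudit Plus code or output: it shows how failure records can be grouped by the reasons listed above and how repeated "Bad user name" / "Bad password" failures on one account can be flagged. It assumes Kerberos pre-authentication failure events (for example Event ID 4771) have been exported from the Domain Controller security log as (time, account, source, failure code) rows; the code-to-reason mapping, thresholds, function names and sample rows are assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos failure codes (RFC 4120 numbers) -> reasons named on this page (assumed pairing).
REASONS = {
    0x06: "Bad user name",
    0x07: "New computer account has not replicated yet or computer is pre-w2k",
    0x09: "Administrator should reset the password on the account",
    0x0C: "Workstation/Logon time restriction",
    0x12: "Account disabled/expired/locked-out",
    0x17: "Password has expired",
    0x18: "Bad password",
    0x25: "Time in workstation is not in sync with the time in Domain Controllers",
}
ATTACK_PRONE = {0x06, 0x18}  # reasons the page calls susceptible to attacks
# Constructed sample export: (time, account, source, failure code). Not real data.
SAMPLE = [
    ("2024-05-06T09:00:05", "jsmith", "10.0.0.21", "0x18"),
    ("2024-05-06T09:01:10", "jsmith", "10.0.0.21", "0x18"),
    ("2024-05-06T09:02:00", "adm-backup", "10.0.0.40", "0x12"),
    ("2024-05-06T09:03:40", "JSmith", "10.0.0.21", "0x18"),
    ("2024-05-06T09:05:00", "mlee", "10.0.0.33", "0x17"),
    ("2024-05-06T09:06:00", "ghost", "10.0.0.21", "0x6"),
    ("2024-05-06T09:30:00", "jsmith", "10.0.0.21", "0x18"),
]

def parse(rows):
    # Normalise rows: datetime, lower-cased account, source, integer code.
    return [(datetime.fromisoformat(t), u.lower(), s, int(c, 16)) for t, u, s, c in rows]

def failures_by_reason(events):
    """Count failures per reason (the data behind a failures-by-reason chart)."""
    return Counter(REASONS.get(c, f"Unknown (0x{c:X})") for _, _, _, c in events)

def repeated_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts with >= threshold attack-prone failures inside a sliding window."""
    stamps = defaultdict(list)
    for when, user, _, code in sorted(events):
        if code in ATTACK_PRONE:
            stamps[user].append(when)
    flagged = {}
    for user, times in stamps.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

On the constructed rows, the 09:30 failure for jsmith falls outside the ten-minute window, so the account is flagged with a burst of three rather than four.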
Logon Activity on Domain Controllers:
Domain Controllers are the central, critical components of Active Directory from which AD changes are effected. Domain Controller logon is restricted to privileged or Admin users, and complete information on logon attempts made by other users equips administrators to take informed corrective measures. ADAudit Plus provides information on all users who have logged on to any selected Domain Controller. Details like the time of logon, where the user logged on from (machine name), the success or failure of the logon attempt and the reason for failure, if any, are reported.
Logon Activity on Member Servers and Workstations:
The Logon Activity on Member Servers and Workstations reports provide information on user logons to selected Member Servers or Workstations respectively. Both reports function similarly to the "Logon activity report on Domain Controllers", making the software a breeze to handle and understand.
User Logon Activity:
The User Logon report provides audit information on the complete logon history on the "Servers" or "Workstations" accessed by a selected domain user. A user object's logon history is very important for understanding the logon pattern of a selected user and, in other instances, for providing recorded proof to auditors / managers about any user.
Recent User Logon Activity:
System administrators are often doubtful / concerned about irregularities in users' usage of the network. Failed logon attempts are an indicator, or a measure, for spotting an irregularity. The "Recent user logon activity" report from ADAudit Plus lists all the successful and failed logon activities by users over any selected time period. Further, the reason for a failed logon is provided as a remark so that corrective measures can be taken.
The list of users who successfully logged on to the network on a given day, on any selected date or over a selected period can be viewed from this report.
Last Logon on WorkStation:
This report lists the time of the last logon to a Workstation or Computer for all users who have successfully logged on in a day. It can be used to determine absenteeism or the current availability status of users in the organization.
Monitor RADIUS Logon on Computers:
Audit Remote Authentication Dial-In User Service (RADIUS) network access by users logged on to remote computers. With reports on remotely logged-on users like RADIUS Logon Failures (NPS) and RADIUS Logon History (NPS), monitor all RADIUS authentication in Active Directory. Please note that currently only RADIUS logon activity via Network Policy Server (Windows Server 2008) is supported.