Authentication policy comprises user logon rights, domain policy, Kerberos policy, forest and domain trusts, and so on. Audit Authentication Policy Change is an advanced audit policy setting which, if enabled, generates events whenever the authentication policy on the network is modified.

Why should you enable Audit Authentication Policy Change?

If a malicious agent attempts to tamper with authentication policies, it could put the entire network in danger. For example, if the domain policy is changed by an unauthorized person, it could be an insider trying to lower the security coverage of the network. This can be done in various ways, such as diluting the password complexity requirements, altering group permissions, and so on. Therefore, it is essential to enable auditing for these policies.

How to enable Audit Authentication Policy Change?

  • Open Server Manager on your Windows server.
  • Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
  • Navigate to Forest > Domain > Your Domain > Domain Controllers.
  • Either create a new Group Policy Object (GPO) or edit an existing one.
  • In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
  • Expand the node and select Policy Change. Click on Audit Authentication Policy Change and enable it for 'Success' and 'Failure'.
Once this policy is enabled, these are some of the events that will be recorded:
  • 4670: Permissions on an object were changed.
  • 4706: A new trust was created to a domain.
  • 4716: Trusted domain policy was modified.
  • 4707: A trust to a domain was removed.
  • 4713: Kerberos policy was changed.
  • 4717: System security access was granted to an account.
  • 4718: System security access was removed from an account.
  • 4739: Domain policy was changed.
  • 4864: A namespace collision was detected.
  • 4865: A trusted forest information entry was added.
  • 4866: A trusted forest information entry was removed.
  • 4867: A trusted forest information entry was modified.
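As an added example (not code from the original page or from ManageEngine), the following PowerShell enables the same subcategory locally with auditpol, confirms the effective setting, and then pulls the event IDs listed above from the Security log, showing the acting user, timestamp and domain controller that the report described below also surfaces. It assumes an elevated session on a domain controller; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example, not part of the original page. Run in an elevated PowerShell
# session on a domain controller.

# --- 1. Enable the subcategory on this host and confirm the effective setting ---
# A GPO linked to the Domain Controllers OU (as in the steps above) overrides
# this at the next policy refresh; auditpol is just a quick local enable/verify.
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Authentication Policy Change"

# --- 2. Collect the events this subcategory produces (IDs from the list above) ---
$AuthPolicyEvents = @{
    4670 = 'Permissions on an object were changed'
    4706 = 'A new trust was created to a domain'
    4707 = 'A trust to a domain was removed'
    4713 = 'Kerberos policy was changed'
    4716 = 'Trusted domain policy was modified'
    4717 = 'System security access was granted to an account'
    4718 = 'System security access was removed from an account'
    4739 = 'Domain policy was changed'
    4864 = 'A namespace collision was detected'
    4865 = 'A trusted forest information entry was added'
    4866 = 'A trusted forest information entry was removed'
    4867 = 'A trusted forest information entry was modified'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$AuthPolicyEvents.Keys
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window; adjust as needed
}

# -ErrorAction SilentlyContinue suppresses the "No events were found" error
# when the window is empty, which is a normal result on a quiet DC.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData is easiest to read from the XML form. SubjectUserName is the
    # account that made the change; a few IDs (e.g. 4864) carry no Subject.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    $who  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    $dom  = ($data | Where-Object Name -eq 'SubjectDomainName').'#text'
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $_.Id
        What = $AuthPolicyEvents[[int]$_.Id]
        User = if ($who) { "$dom\$who" } else { '(not recorded)' }
        DC   = $_.MachineName
    }
} | Format-Table -AutoSize
```

Unexpected entries for 4713 or 4739 outside a change window are the ones to reconcile against your change records first, since those correspond to the Kerberos and domain policy tampering the article warns about.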

Audit Authentication Policy Changes with ADAudit Plus

ADAudit Plus is an Active Directory auditing tool that can audit and generate reports in real time on all the changes happening on the network. It provides an intuitive, user-friendly interface with over 200 neatly categorized reports that can be generated instantly. This tool provides several audit reports on authentication policy changes, such as modifications to group policies, domain policies, user logon rights, and so on. Here is a sample report from ADAudit Plus on Domain Policy Changes:

This report gives information on the user who made the policy change, the timestamp, the domain controller, and details about the exact change that was made.

This is enough information for an administrator to know whether or not it is an authorized change. If the change is not authorized, this information will be helpful to catch the intruder or insider red-handed.

This report can be generated in ADAudit Plus by navigating to Reports > Domain Object Changes > Domain Policy Changes.

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory change reporting software that audits, tracks, reports and alerts on Windows (Active Directory, workstation logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet security, audit and compliance demands, including FISMA compliance. With ADAudit Plus, track authorized and unauthorized AD management changes, user access, GPO setting changes, groups, computers and OUs. Track every file and folder modification, access and permission change with 200+ detailed event-specific reports and get instant email alerts. You can also export the results to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics. For more information on ADAudit Plus, visit https://www.manageengine.com/active-directory-audit/.
