Cyber forensics relies on accurate system settings and a known security state so that a security incident can be investigated properly. An unauthorized change to that state makes it harder both to resolve service disruptions and to detect attacks. For example, a change to the system clock causes events to be logged with the wrong timestamps, which breaks their sequence; you can no longer correlate events from several systems and reconstruct an accurate picture of the incident. Administrators therefore need to keep track of security state changes as they happen.
In this post, you'll learn how to audit security state changes and which events to look for. If you're setting this up for the first time, read the post "How to check if the system time has been changed" first; it walks you step by step through auditing system settings and checking whether the system time has been changed.
This post also shows how ADAudit Plus can be used to view reports on this activity across your network.
Note: CrashOnAuditFail is a critical flag (the security option "Audit: Shut down system immediately if unable to log security audits", stored as a DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) that halts the system when it cannot record new events in the Security log, for example because the log is full and not configured to overwrite. It exists for environments where an unrecorded event is worse than an outage: an attacker who can neither fill nor disable the log cannot cover their tracks unnoticed. According to the Microsoft documentation, the flag takes the following values:
| Value | Description |
|---|---|
| 0 | The feature is off. The system does not halt, even when it cannot record events in the Security Log. |
| 1 | The feature is on. The system halts when it cannot record an event in the Security Log. |
| 2 | The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on. |
Event 4621 ("Administrator recovered system from CrashOnAuditFail") is recorded when an administrator logs on and recovers the system after a CrashOnAuditFail halt. The halt itself happens while the value is 1 and an auditable event cannot be written to the Security log; as part of halting, Windows sets the value to 2, which is why only members of the Administrators group can log on afterwards. To return the system to normal, archive or clear the Security log, set the value back to 1 (or 0 if you no longer want the halt-on-failure behaviour), and restart.
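The following PowerShell script is an added example and is not code from the original post or from ADAudit Plus. It reads the CrashOnAuditFail value from the registry and explains it, checks that the audit subcategories which produce the relevant events are enabled, and then pulls the security state change events discussed in this post (4616 system time changed, 4719 audit policy changed, 4621 CrashOnAuditFail recovery, and 1102 audit log cleared) from the local Security log. It assumes an elevated PowerShell session on the host being examined; the seven-day window and the `$eventIds` table are the example's own choices.

```powershell
# Added example (not from the original post): inspect CrashOnAuditFail and
# collect security state change events from the local Security log.
# Assumption: run from an elevated PowerShell session on the host in question.

# 1. Read the CrashOnAuditFail value. This registry value backs the policy
#    "Audit: Shut down system immediately if unable to log security audits".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$crashOnAuditFail = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
if ($null -eq $crashOnAuditFail) { $crashOnAuditFail = 0 }   # an absent value means the feature is off

$meaning = switch ($crashOnAuditFail) {
    0       { 'Off: the system keeps running even if it cannot write to the Security log' }
    1       { 'On: the system will halt if it cannot write to the Security log' }
    2       { 'Triggered: the system halted earlier; only Administrators can log on until the value is reset' }
    default { "Unexpected value $crashOnAuditFail" }
}
Write-Output "CrashOnAuditFail = $crashOnAuditFail ($meaning)"

# 2. Confirm the audit subcategories that generate the events below are enabled.
#    If they are not, the Security log stays silent no matter what happened.
#    "Security State Change" covers 4616 and 4621; "Audit Policy Change" covers 4719.
foreach ($subcategory in 'Security State Change', 'Audit Policy Change') {
    auditpol /get /subcategory:"$subcategory"
}

# 3. Pull the security state change events from the last seven days (window chosen for this example).
$eventIds = @{
    4616 = 'The system time was changed'
    4719 = 'System audit policy was changed'
    4621 = 'Administrator recovered system from CrashOnAuditFail'
    1102 = 'The audit log was cleared'
}
$filter = @{
    LogName   = 'Security'
    Id        = @($eventIds.Keys)
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No security state change events found in the last 7 days.'
} else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated,
                      Id,
                      @{ Name = 'Description'; Expression = { $eventIds[[int]$_.Id] } },
                      # First line of the message; the full message carries the subject account and process.
                      @{ Name = 'Summary';     Expression = { ($_.Message -split "`r?`n")[0].Trim() } } |
        Format-Table -AutoSize
}
```

Two practical notes. First, 4616 events raised by the Windows Time service (the full message shows the LOCAL SERVICE account and svchost.exe as the process) are routine clock synchronisation; the ones worth investigating are attributed to an interactive user or an unexpected process. Second, do not turn CrashOnAuditFail on casually: anyone who can generate audit events faster than the log is archived can use it to take the system down, so it belongs only on hosts where that trade-off has been made deliberately and the Security log size and retention are sized accordingly.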
Event Viewer is the native Windows tool for viewing these events. Although it does the job, it is hard to search through every message on every server to find one suspicious incident. We suggest opting for a purpose-built solution like ADAudit Plus.
ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It brings together an intuitive user interface, pre-configured reports, and advanced filter options that make it easy to track changes across your network and detect threats quickly. A dashboard gives you a holistic view of the systems in your network, so you can correlate events across machines and spot suspicious behaviour.
Below are a few reports from ADAudit Plus. These can be found under the 'Server Audit' tab in the console.
Image: ADAudit Plus reports on system events that have occurred on the network.
Image: ADAudit Plus report on system time changes.
Image: ADAudit Plus report on audit policy changes.
ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts, and get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
Try the ADAudit Plus login monitoring tool to audit, track, and respond to malicious logon and logoff activity as it happens.