Auditing system integrity should be a staple of your organization's security plans. Audit System Integrity is an important policy to configure for monitoring any attempt to make changes to your system. Events that affect the integrity of the system include unauthorized remote procedure calls (RPC), invalid local procedure calls (LPC), and the loss of audited events. When a system's integrity has been tampered with, the odds that a security breach has occurred are very high.

How to enable auditing to check system integrity?

To monitor events related to system integrity, you first need to enable auditing for it.
  • In the Group Policy Management Console, right-click the desired group policy and choose 'Edit' from the menu to open the Group Policy Management Editor.
  • Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity". Enable both 'Success' and 'Failure' in the properties dialog box.
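The same setting can be applied and, more usefully, verified from the command line. The following is an added example (not from the original page or from ManageEngine) that enables the "System Integrity" subcategory for Success and Failure with auditpol on the local host and then reads the effective setting back. It assumes an elevated PowerShell session; where the subcategory is managed by the GPO path above, the GPO value overrides the local one at the next policy refresh, so the verification function is the part to run after gpupdate.

```powershell
# Added example, not from the original page: enable "Audit System Integrity" for
# Success and Failure on the local host with auditpol, then verify the effective
# setting. Assumes an elevated PowerShell session.

function Enable-SystemIntegrityAudit {
    # auditpol accepts the subcategory by display name; "System Integrity" is the
    # same setting as Advanced Audit Policy -> System -> Audit System Integrity.
    auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed with exit code $LASTEXITCODE (is the session elevated?)"
    }
}

function Test-SystemIntegrityAudit {
    # /r emits CSV, which is easier to parse than the localized table output.
    $row = auditpol /get /subcategory:"System Integrity" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $setting
        # Both outcomes are required to receive every event ID listed in the next section.
        Compliant   = ($setting -eq 'Success and Failure')
    }
}

Enable-SystemIntegrityAudit
Test-SystemIntegrityAudit | Format-List
```

Running Test-SystemIntegrityAudit on a sample of hosts after the GPO has applied is a quick way to catch machines where a conflicting local policy or a stale policy refresh left only one outcome enabled.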

What events to monitor to audit your system's integrity?

Here is a list of events that you should monitor to check the integrity of your system.
  • 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
  • 4615(S): Invalid use of LPC port.
  • 4618(S): A monitored security event pattern has occurred.
  • 4816(S): RPC detected an integrity violation while decrypting an incoming message.
  • 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
  • 5056(S): A cryptographic self-test was performed.
  • 5062(S): A kernel-mode cryptographic self-test was performed.
  • 5057(F): A cryptographic primitive operation failed.
  • 5060(F): Verification operation failed.
  • 5061(S, F): Cryptographic operation.
  • 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
  • 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
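To turn the list above into a working check, here is an added example (not from the original page or from ManageEngine) that pulls exactly these event IDs from the Security log over a chosen lookback window, summarizes them by ID and outcome, and surfaces the file name for the Code Integrity failures (5038, 6281, 6410). It assumes an elevated session, since reading the Security log requires administrator rights, and it assumes the failing file path is the first EventData field of those three events.

```powershell
# Added example, not from the original page: query and summarize the
# system-integrity event IDs listed above from the Security log.
# Assumes an elevated session; the IDs are exactly those on the page.

$SystemIntegrityEventIds = 4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, 5062, 6281, 6410
$CodeIntegrityFailureIds = 5038, 6281, 6410

function Get-SystemIntegrityEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = $SystemIntegrityEventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; an empty result is not an error here.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Get-SystemIntegritySummary {
    param([int]$Hours = 24)
    Get-SystemIntegrityEvents -Hours $Hours |
        Group-Object Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Id      = [int]$_.Name
                Count   = $_.Count
                Latest  = $latest.TimeCreated
                # Audit Success / Audit Failure is carried in the event keywords.
                Outcome = if ($latest.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            }
        } | Sort-Object Id
}

function Get-CodeIntegrityFailures {
    # Assumption: the file that failed the hash or page-hash check is the first
    # EventData field of 5038/6281/6410, so read it from the event XML instead of
    # parsing the localized message text.
    param([int]$Hours = 24)
    Get-SystemIntegrityEvents -Hours $Hours |
        Where-Object { $_.Id -in $CodeIntegrityFailureIds } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                FileName = $xml.Event.EventData.Data[0].'#text'
                Computer = $_.MachineName
            }
        }
}

Get-SystemIntegritySummary -Hours 24 | Format-Table -AutoSize
Get-CodeIntegrityFailures -Hours 24 | Format-Table -AutoSize
```

Two practical points when reading the output: 4612 means the audit subsystem itself dropped events, so a non-zero count for it undermines every other number in the summary for that window; and 5061 is logged for every cryptographic operation once Success auditing is on, so its count will dwarf the rest and is better tracked by trend than by individual event.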

How can ADAudit Plus help you track events related to system integrity?

Event Viewer is the native Windows tool for viewing all your events. Although Event Viewer captures every event, it is hard to sift through all the messages and find a particular suspicious incident. We suggest opting for a comprehensive solution like ADAudit Plus.

ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It is a one-stop platform that brings together an intuitive user interface, pre-configured reports, and advanced filter options that make it easy for you to track changes to your network, and detect threats immediately. You get a fully equipped dashboard that gives you a holistic view of the various systems in your network. This way you can correlate events across the network and spot suspicious behavior.

Note: When it comes to system integrity auditing, ADAudit Plus provides reports on Event 4618, which is described as "A monitored security event pattern has occurred". While ADAudit Plus does not monitor all the events within the spectrum of system integrity auditing, this particular event is crucial to identifying suspicious activity in your network. It does, however, rely on the preset rules you have created to identify a threat pattern.

Accordingly, you can look up the related pre-configured or customized reports for forensic investigation.

Below are a few reports found in the 'Server Audit' tab of the dashboard.

Image: ADAudit Plus report showing system events that have occurred. This report can be found under the 'Server Audit' tab.

Image: ADAudit Plus report on SACL changes

Image: ADAudit Plus report on policy changes

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
