
As technology evolves, so do the types of threats. One of the most frequent threats to organizations is the breach of sensitive data: a patient's medical history or cardholder information can sell for thousands of dollars on the black market. Critical data breaches can cost organizations their reputation and customers, and can even lead to the shutting down of the business.

Who should handle data security, and how is it possible to achieve maximum protection? The onus is certainly on the organization's IT team. They must ensure that there are policies in place to spot and stop data breaches. One crucial step to protect your data is having secure admin workstations (SAWs) in your organization. SAWs are limited-use client machines whose purpose is to bring down the risk of compromise from malware, typosquatting attacks, pass-the-hash attacks, phishing attacks, and so on.

How are SAWs different from normal client machines?

High-risk applications like Microsoft Exchange are not to be installed in a SAW. If needed, high-risk applications and productivity suites can be installed on a separate virtual machine, hosted on a SAW. This configuration is suitable since the user can access the utility tools and software required, and at the same time, ensure that the secure admin environment remains unharmed.

Essentially, for day-to-day work, employees must use their standard machine, and for privileged tasks, use the SAW.

It is important to monitor SAWs to ensure that they are not being used by unauthorized users or for unauthorized tasks. Continuous monitoring of SAWs will make your organization much more secure.

Audit logon activity on your Secure Admin Workstation using ADAudit Plus

Here's how you can monitor logon activity, and analyze history in SAWs with ADAudit Plus:

Step 1: Enable Audit Policy in Active Directory

  • Open Server Manager on Windows server.
  • Under the Manage tab, open the Group Policy Management console.
  • Go to Forest -> Domain -> Your Domain -> Domain Controllers.
  • You can either edit an existing group policy object or create a new one.
  • In the Group Policy Editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  • In Audit Policy, select 'Audit logon events' and enable 'Success' and 'Failure' auditing.

Step 2: Enable logon-logoff in Active Directory

  • Go back to Computer Configuration. Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Logon/Logoff.
  • Under that, enable Success and Failure auditing for Audit Logon, Audit Logoff, and Audit Special Logon.
  • Open the Group Policy Management console and select the GPO that you have edited or created. Under Security Filtering, add the users whose logons need to be tracked. You can also choose to audit every domain user's logon by selecting All users. To audit a group of domain users, the specific group(s) can be added.

Step 3: Get Logon Activity report from ADAudit Plus

  • Log in to the ADAudit Plus web console as an administrator.
  • Click on the Reports tab. From the Local logon-logoff section in the left pane, select the Logon Activity report.

The Logon Activity report in ADAudit Plus shows the logon attempts, along with the username, logon time, name of the workstation, and type of logon, among other details.

With ADAudit Plus, it is easy to obtain a report of logon activity in Active Directory in just a few clicks, and it is displayed in a simple and intuitively designed UI.
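
The audit settings from Steps 1 and 2 can also be checked natively on the SAW itself, by confirming the effective policy and listing interactive logons by accounts that are not approved for that workstation. The PowerShell below is an added example, not part of the original page or of ADAudit Plus; the allow-list accounts (`CONTOSO\saw-admin1`, `CONTOSO\saw-admin2`) and the 24-hour window are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the SAW.
# Assumed values (not from the page): the allow-list and the 24-hour window.
$AllowedAdmins = @('CONTOSO\saw-admin1', 'CONTOSO\saw-admin2')  # hypothetical accounts
$Since = (Get-Date).AddHours(-24)

# Confirm the subcategories enabled in Step 2 are effective on this machine.
foreach ($sub in 'Logon', 'Logoff', 'Special Logon') {
    auditpol /get "/subcategory:$sub"
}

# Built-in session accounts (DWM-n, UMFD-n, SYSTEM) also generate logon events.
$SystemDomains = @('Window Manager', 'Font Driver Host', 'NT AUTHORITY')

# 4624 = successful logon, 4625 = failed logon.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = [int]$data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }

# Keep hands-on-keyboard logons: 2 interactive, 7 unlock, 10 RDP, 11 cached interactive.
$interactive = $logons | Where-Object {
    $_.LogonType -in 2, 7, 10, 11 -and $_.Domain -notin $SystemDomains
}

# Anything outside the allow-list is an account that should not be using this SAW.
$interactive | Where-Object { $_.Account -notin $AllowedAdmins } |
    Sort-Object Time |
    Format-Table Time, Result, Account, LogonType, Workstation, SourceIp -AutoSize
```

An empty table means every interactive logon in the window came from an approved account; failed attempts (`Failure`) by unlisted accounts are worth reviewing even when no logon succeeded.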
