Whos Using My Directory And For What?

Written By: Mike Danseglio

Next Direction Technologies

WHITE PAPER

Whos Using My Directory And For What?

Contents
Abstract ........................................................................................................................................................................2 Introduction ..................................................................................................................................................................3 The Role of Active Directory .......................................................................................................................................3 An Example ................................................................................................................................................................3 The Directory Is the Critical Monitoring Point .............................................................................................................3 Monitoring Approaches ...............................................................................................................................................5 Limitations of Traditional Approaches ........................................................................................................................5 LDAP Monitoring ........................................................................................................................................................5 Data from Monitoring the Directory .............................................................................................................................6 Best Practices for Directory Monitoring ....................................................................................................................8 Quest ChangeAuditor for LDAP ..............................................................................................................................9 Conclusion.................................................................................................................................................................. 10 About the Author........................................................................................................................................................ 11

WHITE PAPER

Whos Using My Directory And For What?

Abstract
Monitoring Active Directory isnt a new idea, but early techniques and tools were limited and often did not give complete data. This paper focuses on LDAP monitoring, a fundamentally different method. Tracking, analyzing, and reporting on LDAP queries enables richer reporting, captures more granular and powerful data, and monitors Active Directory at a deeper level. With the right tools, it is a simple and highly effective approach to seeing whats happening in your environment.

WHITE PAPER

Whos Using My Directory And For What?

Introduction
The Role of Active Directory
Active Directory is the linchpin of virtually every enterprise. Chances are if you use Microsoft software, including Windows client and server operating systems, Exchange for email, SQL Server for database, or Lync for unified communications, you also use Active Directory. Not only that, Active Directory is thoroughly integrated into virtually every Microsoft product and service, as well as many third-party applications that run on the Windows platform. Many applications even go beyond simply supporting Active Directory for authentication and specifically require it. The benefits that AD brings are countless. A powerful service, it provides authentication, authorization, auditing, permissions and configuration data to most IT services and applications. It can provide a single identity through one sign-on that is used throughout the infrastructure, and in that role it ties in nicely to activity auditing and role separation requirements. Because AD was designed to be fault-tolerant, it supports server redundancy through built-in replication and load balancing. This approach is great when you have a complete understanding of Active Directory. But because AD is complex and distributed, it can be challenging to form a complete end-to-end understanding and watch everything thats happening.

An Example
Suppose Chris is an administrator in your IT department. His job includes managing user accounts, changing computer configurations and acting as a first responder for security incidents. Chris works closely with the Human Resources, PC Configuration and Security groups for these tasks. A recent compliance audit report includes an analysis of your Active Directory configuration. The report reveals that a large number of user accounts are members of the Domain Administrators group, and that many of these user accounts do not correspond to actual personnel. When asked, Chris indicates that he is using a new Active Directory tool to manage account and group membership. As you gather more information, you also find that performance on a number of domain controllers is suddenly far below expectations. Fixing the situation is straightforward. But you need to know if this tool is causing the problem by running incorrect queries or causing errors that result in the impression that Chris is a trustworthy administrator. You need to find the truth. Did Chris create or use these accounts? Did the tool create the performance issues?

The Directory Is the Critical Monitoring Point

Active Directorys role as a focal point for a myriad of enterprise services makes it a great asset when you need to monitor whats happening in the IT environment. Having one focal point can simplify monitoring, and monitoring both activity and data enables almost limitless reporting and compliance checking options. To continue the earlier example, you want details on everything that Chris did. You need to know all the changes he made, when, from where, and how they impacted the system. You need undisputable data about what happened and the source of the queries in order to understand whether there are issues with the tool, with Chris or something else. And because all of those changes were made in Active Directory, thats the right place to look.

WHITE PAPER

Whos Using My Directory And For What?

But you also want the proper teams to be notified if similar actions happen in the future so you can prevent future incidents from occurring, regardless of the culprit. Your goal is to know both what happened in the past and events in the future with enough detail to support replacing the management tool, complaining to the tool vendor or taking disciplinary action against Chris.

WHITE PAPER

Whos Using My Directory And For What?

Monitoring Approaches
Limitations of Traditional Approaches
Some great tools are available to monitor Active Directory data and specific activities such as failed logon attempts and object changes. These tools often simply query Active Directory periodically or check log files for previously identified errors. Unfortunately this approach allows the tool to see only the data that the Active Directory programmers consider critical enough to process and store. If some specific data around the Active Directory activity, or even the query itself, is not stored in sufficient detail, the problem is that much more difficult to understand. Monitoring Active Directory is certainly critical, but getting the necessary monitoring data that enables root cause analysis, detailed tracking and future problem resolution is just as important. Theres often a need to examine whats happening at a deeper level, with more data, stronger correlation across AD data points and the flexibility to monitor activities and changes unique to your environment. In the past, this type of monitoring has been a challenge. Figure 1. Active Directory and Windows architecture, simplified to show communication between components and protocols.

LDAP Monitoring
Theres one element that is common across virtually all Active Directory activity: communication. Specifically, queries made to the Active Directory database. AD uses the Lightweight Directory Access Protocol (LDAP) communication protocol as the primary protocol that supports queries between clients and servers, amongst servers, to external services, etc. There are several protocols that interface with the various Active Directory databases, as shown in Figure 1. Virtually everything that Active Directory does is reflected in one or more LDAP queries and responses. This makes monitoring LDAP a highly effective part of comprehensive AD monitoring.

WHITE PAPER

Whos Using My Directory And For What?

Data from Monitoring the Directory

To explain the depth of available data when directly monitoring LDAP queries, lets return to the example of Chris. When he adds a fictitious user account to the Domain Administrators group, he could be using one of many administration tools. He could be on his work computer, another users computer or at home connected through a VPN. Therefore, simply monitoring tool or workstation activities is not enough. But collecting this data helps you make a decision about the activity; for instance, making the change during a midnight logon from a remote location or unauthorized computer is different than that same change within normal business hours and locations. Real-time LDAP monitoring captures this information and triggers notifications based on the activity. The kind of information you receive from monitoring LDAP queries answers these key questions: Figure 2. Monitoring Active Directory by examining LDAP queries enables access to data that may not normally be stored in log files and event databases.

What change was made? Seeing the detailed LDAP query enables detailed analysis of the change. Who made the change and from what system? Knowing the user and system that made the LDAP query helps
trace the source to a service, a user or any other entity.

What domain controller made the change? This data is critical to identifying performance bottlenecks caused by
hard-coded domain controller names, requiring contact with a FSMO role owner or an overloaded domain controller.

How long did the change take to process? Was the change successful?
This information is captured, logged, examined and evaluated by directly watching all LDAP traffic. Watching at this low level enables visibility into data not normally used or saved by higher-level administrative tools, including most of Microsofts built-in Active Directory administration tools. As an example, one common audit requirement is for IT to limit and record all changes to sensitive users and groups. There are lots of ways to do this, including restricting the Access Control List (ACL) for each object, using Group Policy to change the audit log configuration and configuring the administrative tools. However, each of these methods

WHITE PAPER

Whos Using My Directory And For What?

is independent of the others. And all of them are designed to prevent and record only changes that are made with expected tools and techniques. LDAP monitoring, on the other hand, picks up this kind of change before it is presented to the tools or gets evaluated by Active Directory. Key details can be preserved before theyre filtered out. And the strongest LDAP monitoring solutions extend the benefit further by enabling such changes to be blocked, passed through, logged or any desired combination. In our example, the changes were a result of two separate problems. First, Chris implemented an unauthorized application. This application had never been tested against the unique Active Directory configuration, and Chris assumed that any application would work the same. Because of strict security requirements, the application required higher privilege and simply added accounts to the Domain Administrators group autonomously. This troublesome application was also executing inefficient LDAP queries that bogged down many domain controllers. Chris intention was to make things more efficient, but without examining LDAP in greater depth he would have been viewed as the intentional instigator of all of these problems.

WHITE PAPER

Whos Using My Directory And For What?

Best Practices for Directory Monitoring

There are several best practices for any Active Directory implementation. These are complementary practices that you should consider when deciding what monitoring solution to implement in your environment.

Monitor Active Directory from the very beginning according to your established security and compliance
policies. Once you have your requirements documented, they must map directly to the data that you store. Active Directory provides most of, if not all, the services and data you require to meet most industry and government regulations. So monitoring it can serve as both proof of compliance and near-instant alert when compliance or security is at risk.

Implement an automated monitoring solution to capture, store and report on LDAP query data. There is no
realistic way to manually gather data from across any Active Directory implementation. It would introduce errors and involve constant staff effort, long lag times and a dozen other hurdles that are impossible to clear. An automated solution is necessary not just to monitor and gather AD data, but to make sense of it. Correlating the data across databases, determining whether an error is expected, determining what data is necessary for required reports, delivering those reports and storing the data in compliance with requirements are all nearly impossible tasks without a tool to automate them.

Ensure you use a flexible LDAP monitoring solution to prevent unauthorized changes. The best monitoring
solutions are not limited to passive monitoring. They examine events as they happen, at a deep level, and give you the flexibility to decide whether to allow or disallow the queries. Blocking unauthorized LDAP queries prevents them from getting close enough to do any harm to your Active Directory infrastructure. While you may not need to block all unauthorized queries in this manner, you want to have the capability, especially for queries that could result in compliance violations, legal liability or catastrophic infrastructure damage.

Select a monitoring solution that captures sufficiently detailed data. Some available data is filtered by Active
Directorys engines before it is stored. While this is truly necessary for Active Directory to function efficiently, the discarded data is critical for some monitoring and analysis functions. Using a monitoring solution that gives you control over what data is captured, analyzed and stored enables you to tune reports and databases so that they give you all the data you need.

WHITE PAPER

Whos Using My Directory And For What?

Quest ChangeAuditor for LDAP

Quest ChangeAuditor for LDAP delivers the monitoring you need. ChangeAuditor audits, alerts and reports on all changes made to Active Directory (ADAM/ADLDS), Exchange, EMC, NetApp, SQL Server, Windows file servers and LDAP queries against Active Directory all in real time and without enabling native auditing. ChangeAuditor for LDAP provides a simple method to discover whos using your Active Directory and how they are using it. The solution can be centrally managed and tuned to help you understand the LDAP queries while avoiding information overload providing you with the audited queries you need and filtering out extraneous events. All events contain key information like WHO, WHAT, WHERE (DC), WHEN and ORIGIN, so you can group and sort your LDAP events to quickly find (and graph) the information youre looking for. With ChangeAuditor for LDAP, theres no need to turn on native event log auditing. Simple, centralized configuration and collection of events makes the solution almost turnkey and allows you to change configuration (to gather more or fewer LDAP queries) on the fly. And with integrated reporting and alerting, youll always have the most up-to-date information and be able to provide detailed reports in a flash. Chris, the IT administrator mentioned above, has implemented ChangeAuditor for LDAP and with it, hes been able to identify queries that return a large number of records, take too long, are hard-coded to a specific DC name or are simply insecure (not using SSL/TLS). Because ChangeAuditor allows grouping and sorting, he can identify where these queries originate from and how often they are queried. This allows him to easily identify application and scripts that could potentially cause performance problems with his Active Directory. Figure 3. ChangeAuditor for LDAP captures events in real time and forwards them to a central, secure database for reporting, searching, filtering, and analysis.

WHITE PAPER

Whos Using My Directory And For What?

Conclusion
Active Directory is the linchpin of virtually every enterprise, providing authentication, authorization, auditing, permissions and configuration data to most IT services and applications. Monitoring access to Active Directory is the closest we can get to one-stop enterprise monitoring. Knowing who is using this information, what theyre accessing it, how, and from where is a critical component of auditing user and system activity. Not all Active Directory monitoring solutions are the same. You must select a monitoring solution that gathers, stores and reports on the information and events that are important to your organization and that enable you to meet security and compliance requirements. Selecting a monitoring solution that examines LDAP queries directly is the most effective way to meet those needs. LDAP monitoring is a fundamentally different method; tracking, analyzing, and reporting on LDAP queries enables richer reporting, captures more granular and powerful data and monitors Active Directory at a deeper level. And with the right tools, it is a simple and highly effective approach to seeing everything that happens in your IT environment.

10

WHITE PAPER

Whos Using My Directory And For What?

About the Author

Mike Danseglio is principal technologist at Next Direction Technologies. He has worked in the IT field for more than 20 years. Mike is an award-winning author, public speaker and instructor on a variety of technology topics, including security, virtualization, cloud computing, wireless and wired networking and IT lifecycle processes. Mike holds numerous certifications and credentials in technical instruction and security expertise, and across several IT specializations. You can see more of Mike's work at www.nextdirectiontech.com.

11

WHITE PAPER

Whos Using My Directory And For What?

2012 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. (Quest). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com email: legal@quest.com Refer to our Web site for regional and international office information.

Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Updated February 2012

12

WHITE PAPER

Whos Using My Directory And For What?

About Quest Software, Inc. Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for administration and automation, data protection, development and optimization, identity and access management, migration and consolidation, and performance monitoring, go to www.quest.com. Contacting Quest Software PHONE 800.306.9329 (United States and Canada)

If you are located outside North America, you can find your local office information on our Web site. EMAIL MAIL sales@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to: Search Quests online Knowledgebase Download the latest releases, documentation and patches for Quest products Log support cases Manage existing support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures. WPW-WhosUsingMyDirectory-US-SW-03082012

13