Monitoring Group Membership Changes in Active Directory

Webinar

In Active Directory, groups govern access to everything. And I mean everything in AD and beyond. Here's a short list of where AD groups are commonly referenced

File permissions
Delegated admin authority on organizational units
Edit and scoping permissions on group policy objects
System privileges in Windows
Logins in SQL Server
Document library and site collection permissions in SharePoint
Distribution lists in Exchange for confidential emails
Even access to stuff in the cloud – after all Office 365 leverages Azure AD which in turn is often synchronized from the on-premise Active Directory

So you need to know when groups are changed in Active Directory – especially when members are added. But also when they are deleted because removing a member from a group assigned explicit deny permissions results in restrictions being loosed and likely access granted.

In this Security Log Secrets webinar, I will show you how to

Correctly configure all domain controllers to audit security group membership changes
Determine if you should also audit distribution group changes
Find group membership additions and deletions in the security log. Some of the events we’ll talk about are 4728, 4729, 4732, 4733, 4756 and 4757
How to identify who made the change, which group was affected and who the member is

Then we’ll talk about what to do with these events once you find them. After all some groups are more important than others. Sure built-in privileged groups like Domain Admins but I’m also talking about groups used to grant users access to your most sensitive information. I'll explore ways you can zero in on the more privileged and sensitive groups. One of the things that makes this more challenging is how AD allows group nesting so we’ll discuss how that impacts things as well.

Remember each DC logs only the changes originating on it and security logs are not replicated between domain controllers. That's where your SIEM comes in of course. For this webinar I'll be using SolarWinds’ Log and Event Manager (LEM) since they are making this real training for free Security Log Secrets webinar possible. There will be no presentation by the sponsor. Just you, me, the Security Log and LEM. If you'd like to download LEM ahead of time, click here, and start collecting events from your domain controllers.

Don't miss this real training for free ™ event. Please register now.

Click here to watch the webinar now

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.