The complexities of managing a Microsoft Windows Server infrastructure are critically dependent on the numerous Group Policies, each of which is a collection of settings that IT administrators or users use to centrally enforce security settings and other functional settings to users or computers across the network. The downside of a just single setting error will cause inevitable chain of events involving accesses or permissions, which should not have been authorized in the first place, and ultimately compromise IT security and irreversibly damage the organization’s data and reputation.
The solution to monitoring the numerous GPO changes is through change auditing software. First, let ‘s take a look at the monumental challenges associated with GPO settings, which could either work wonders for an organization’s security or end up crippling its resources.
The Big Challenge: Keeping Track of GPO Changes
The figure below shows an event log. Imagine having to manually go through countless events log to know who did what, from where, and when!
A single GPO can contain over 6,000 settings, and you could have fewer GPOs with numerous settings or numerous GPOs with focused settings. The Group Policy best practice would be to have one GPO for a set of settings, for example, Audit Policy or Security Options.
A weak Password Policy setting can allow a malicious user to use brute-force, dictionary, denial of service (DoS), cryptanalysis, or other password guess attacks to gain network access. Next comes the Account Lockout Policy setting, which determines the number of failed logon attempts after which a user account will be locked out. These two settings go hand in hand to ward off password attacks.
Ideal Password Policy Setting
Enforce password history – 3
Maximum password age – 42
Minimum password age – 30
Minimum password length – 8
Password must meet complexity requirements – Enabled
Store passwords using reversible encryption – Not Defined
Ideal Account Lockout Policy Setting
Account lockout duration – 30
Account lockout threshold – 5 invalid logon attempts
Reset account lockout counter after – 30
There are numerous GPO settings that can be changed, even the seemingly tiniest setting should be set correctly. When incorrect, the damage to IT security can be permanent. Let’s now prepare to see the much awaited solution.
The Solution: Know the Before & After GPO Values
ManageEngine ADAudit Plus, web-based, Windows Server environment auditing software, provides the before and after GPO value of every policy setting change for every GPO. In case of a erroneous setting, this knowledge will help you immediately roll back to the previous, correct setting.
The GPO audit reports shown below let’s you monitor every Group Policy setting change within a Domain and OU. You can automate the process to have the reports sent to your inbox and set instant e-mail alerts for critical changes.
GPO Settings change monitoring with ADAudit Plus
- Get detailed reports on who made what change, when and from where.
- Recieve instant e-mail alerts, which are sent upon critical GPO changes.
- View the before and after values of GPO settings. In case of an incorrect setting, quickly find the error and roll back to the previous setting.
- Run ready-to-use audit reports for SOX, PCI, GLBA, FISMA, and HIPAA.
About ManageEngine ADAudit Plus
ManageEngine ADAudit Plus is a web based Windows Active Directory, Workstations & Servers auditing & reporting solution. Ensure critical resources in the network like the AD, Servers, system, configuration & file modifications are audited with the entire information on changes in 200+ detailed event specific GUI reports & email alerts. For forensic analysis & Compliance requirements export the results to xls, html, pdf and csv formats & print the listed data for a thorough view on the IT security.
The original article/video can be found at Auditing Changes to Group Policy Settings