Group Policy is a native Microsoft technology that allows organizations running Active Directory to centrally control and configure both user and computer settings on domain-joined machines. It lets administrators make sweeping changes to all aspects of the connected operating systems, including the Registry. When implemented properly, this technology simplifies overall operating system configuration, patching, software deployment, and security. When implemented improperly, Group Policy is a nightmare for administrators and for the security practitioners charged with measuring its effectiveness.
What is the danger of group policy when natively administered?
With all this power comes great responsibility, and herein lies the problem with native Group Policy administration. Anyone with the proper permissions can change one setting and potentially impact hundreds or thousands of servers and workstations. Changes are not always malicious, though. Sometimes an admin edits the wrong GPO or inadvertently changes a setting in the wrong place. Group Policy also has a complicated precedence hierarchy of link ordering, inheritance, and enforcement, which dictates which policy wins when two policies conflict. Many chaotic events have been caused by simply changing the inheritance of a policy or changing its precedence.
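The precedence rules described above can be inspected directly. The following PowerShell is an added example, not STEALTHbits code, and assumes the GroupPolicy RSAT module is installed and that the OU distinguished name is a placeholder you replace with one from your own domain. It lists the links set on one container together with the effective, inherited link order, and flags the two settings most often behind a surprise change in behaviour: a blocked inheritance and an enforced link.

```powershell
# Added example (not STEALTHbits code): show the link order, enforcement flags and
# inheritance state that decide which GPO wins for one OU.
# Assumes the GroupPolicy RSAT module; the OU distinguished name is a placeholder.
Import-Module GroupPolicy

$ouDn = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with a real OU

$inh = Get-GPInheritance -Target $ouDn

"Container:           $($inh.Path)"
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"

# Links set directly on this container. Order 1 is processed last and therefore
# wins among siblings. An Enforced link cannot be overridden by a child container
# and still applies below a container that blocks inheritance.
"--- Links on this container ---"
$inh.GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# The effective list, including links inherited from parent OUs, the domain and
# the site, in the order the client evaluates them (Order 1 = highest precedence).
"--- Effective (inherited) link order ---"
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# Defender's check: call out the two settings that most often cause a policy to
# apply (or stop applying) unexpectedly after someone edits the hierarchy.
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked on $($inh.Path); only Enforced parent links still apply here."
}
$inh.InheritedGpoLinks |
    Where-Object { $_.Enforced } |
    ForEach-Object {
        Write-Warning "Enforced link '$($_.DisplayName)' from $($_.Target) overrides any conflicting child setting."
    }
```

Run it against the OU that houses the affected machines before and after a reported change; a differing `Order`, `Enforced` or `GpoInheritanceBlocked` value between the two runs is usually the whole explanation.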
How does StealthINTERCEPT for Active Directory with GPO Change Auditing/Blocking work?
By now you are starting to see just how powerful Group Policy can be for an organization, and you are probably thinking, “we need a way to monitor changes, or maybe even block specific changes in the first place.” STEALTHbits had the same thought in mind years ago when we set out to build StealthINTERCEPT for Active Directory with Group Policy Object (GPO) Change Auditing/Blocking.
Native Active Directory logging is devoid of critical details and context when it comes to Group Policy Object changes, making it impossible to determine who changed what and from where, or what the value was prior to the change. StealthINTERCEPT, however, lets your organization monitor and alert on Group Policy change events without any reliance on native logging, capturing all the details: who made the change, what the change was (including before and after values), when the change occurred, and where the change originated from.
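One way to recover at least the "what" and the before/after values without relying on native event logging is to keep a local baseline of each GPO's settings report and diff it on every run. The script below is an added example, not STEALTHbits code; it assumes the GroupPolicy RSAT module and write access to the placeholder folder `C:\GpoBaseline`. It does not recover who made a change or from where, only which GPO changed, when it was last modified, and which lines of the settings report differ from the previous snapshot.

```powershell
# Added example (not STEALTHbits code): keep a baseline of every GPO's settings
# report and report GPOs whose settings changed since the last run, with a
# line-level before/after diff. Reads the GPOs directly; no native event logging.
# Assumes the GroupPolicy RSAT module; $baselineDir is a placeholder path.
Import-Module GroupPolicy

$baselineDir = 'C:\GpoBaseline'   # placeholder path
New-Item -ItemType Directory -Path $baselineDir -Force | Out-Null

function Get-NormalizedGpoXml {
    param([guid]$GpoId)
    # The XML report embeds the time it was generated; strip it so that only
    # real setting changes alter the hash.
    $xml = Get-GPOReport -Guid $GpoId -ReportType Xml
    return ($xml -replace '<ReadTime>[^<]*</ReadTime>', '')
}

function Get-Sha256Hex {
    param([string]$Text)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

$changed = @()
foreach ($gpo in Get-GPO -All) {
    $current    = Get-NormalizedGpoXml -GpoId $gpo.Id
    $currentSha = Get-Sha256Hex -Text $current
    $xmlPath    = Join-Path $baselineDir "$($gpo.Id).xml"
    $shaPath    = Join-Path $baselineDir "$($gpo.Id).sha256"

    if (Test-Path $shaPath) {
        $baselineSha = (Get-Content -Path $shaPath -Raw).Trim()
        if ($baselineSha -ne $currentSha) {
            $before = Get-Content -Path $xmlPath
            $after  = $current -split "`r?`n"
            # '<=' marks lines only in the baseline (old value),
            # '=>' marks lines only in the current report (new value).
            $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
            $changed += [pscustomobject]@{
                DisplayName      = $gpo.DisplayName
                Id               = $gpo.Id
                ModificationTime = $gpo.ModificationTime
                UserVersion      = $gpo.User.DSVersion
                ComputerVersion  = $gpo.Computer.DSVersion
                Diff             = $diff
            }
            # Keep the previous report so the "before" state is not lost.
            Copy-Item -Path $xmlPath -Destination (Join-Path $baselineDir "$($gpo.Id).previous.xml") -Force
        }
    }

    # Refresh the baseline for the next run.
    Set-Content -Path $xmlPath -Value $current -Encoding UTF8
    Set-Content -Path $shaPath -Value $currentSha -Encoding UTF8
}

if ($changed.Count -eq 0) {
    'No GPO settings changed since the last baseline.'
} else {
    foreach ($c in $changed) {
        "GPO '$($c.DisplayName)' ($($c.Id)) changed; last modified $($c.ModificationTime), " +
        "versions user=$($c.UserVersion) computer=$($c.ComputerVersion)"
        $c.Diff | Format-Table SideIndicator, InputObject -AutoSize
    }
}
```

Schedule it on a management host and forward the output to your ticketing or SIEM pipeline; the first run only seeds the baseline, and each later run reports the delta. Because the baseline lives outside SYSVOL, it also survives an admin who edits a GPO and then edits it back before anyone looks.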
Change Blocking or Lockdown
What if you decide that monitoring the change isn’t enough and you want to prevent the activity altogether? Native Microsoft security controls are kludgy and difficult to implement and maintain. StealthINTERCEPT lets you implement simple yet powerful policies that prevent changes to Group Policy Objects based on a variety of parameters, including:
- Policy – Specify the list of AD Group Policy Objects to be protected.
- Policy Settings – Specify the GPO and the particular settings you’d like to monitor and protect.
- User – Specify who specifically can or cannot make changes and to what, including additional contextual filters like AD User Attributes.
Because of the far-reaching effects Group Policy has on security, compliance, and the operational integrity of systems and applications across your network, it’s essential to have deep visibility into who is doing what, as well as control over who can do what, within this critical Active Directory component. Don’t take our word for it though. Take a test drive and download a free trial of StealthINTERCEPT. See for yourself how easy it is to get the visibility and control you need.
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.