Auditing Users and Groups with the Windows Security Log

by Randall F. Smith Sept. 1, 2017 via TechGenix

New user accounts are important to audit to verify that each corresponds to a legitimate employee, contractor or application. Outside intruders often create new user accounts to maintain access to a system they have penetrated. Certain changes to existing user accounts are also worth auditing, since they can be a tip-off to compromised accounts. For instance, both insider and outside computer criminals often gain access to a system by socially engineering the help desk into resetting a user's password. A previously disabled account being re-enabled may likewise be suspicious, depending on the type and history of the account.

Group changes, especially changes to a group's membership, are very useful to track, since groups are used to control access to resources, link security policies, and control wireless and remote access across a Windows network.

Changes to an organizational unit's Security tab usually correspond to delegation of administrative authority over that OU, but they also occur when you change normal user access to directory objects. Examples include delegating password reset or user account creation authority over the NYC OU. Any change to a group policy object, or to the Group Policy tab of an OU, can result in wide-reaching changes to the security policies applied to the computers in that OU, or to the desktop restrictions for the user accounts in that OU.

In this article I'll focus on auditing changes to users and groups.
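The following PowerShell is an added example, not code from the original article. It maps the changes discussed above (account creation, re-enablement, password resets performed by someone else, and group membership additions) onto Windows Security log event IDs and filters a set of event records down to those worth a reviewer's attention. The event IDs are the standard Security log IDs for Windows Vista/Server 2008 and later and are supplied from general knowledge rather than taken from the article; the sample records, the function name `Get-AccountChangeEvents` and the account and group names in the sample are constructed for the example.

```powershell
# Added example, not code from the original article. Maps the account and group
# changes described above onto Windows Security log event IDs and filters a set of
# event records down to those worth reviewing. The event IDs are the standard
# Security log IDs for Windows Vista/Server 2008 and later, supplied from general
# knowledge rather than taken from the article.

$WatchedEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled (a re-enablement if it was previously disabled)'
    4724 = 'Password reset attempted on the account by another account (help-desk style)'
    4738 = 'User account changed'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

function Get-AccountChangeEvents {
    # Accepts Get-WinEvent records (or any objects with Id, TimeCreated and Message)
    # and returns only the user/group management events listed in $WatchedEvents,
    # with the first line of the event message as a one-line summary.
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $id = [int]$e.Id
        if ($WatchedEvents.ContainsKey($id)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Id          = $id
                Description = $WatchedEvents[$id]
                Summary     = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Live use on a domain controller or member server. These events are only written
# if the "Audit User Account Management" and "Audit Security Group Management"
# audit policy subcategories are enabled.
# $live = Get-WinEvent -FilterHashtable @{
#     LogName   = 'Security'
#     Id        = [int[]]$WatchedEvents.Keys
#     StartTime = (Get-Date).AddDays(-1)
# }
# Get-AccountChangeEvents -Events $live | Format-Table -AutoSize

# Constructed sample records standing in for Get-WinEvent output so the filter can
# be exercised offline. Messages are abbreviated; real ones carry Subject, Target
# Account and Group fields. A 4624 logon event is included to show it is ignored.
$sample = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2017-09-01 08:15:00'
                       Message = "A user account was created.`r`n`r`nSubject:`r`n`tAccount Name:`thelpdesk01" }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2017-09-01 08:16:00'
                       Message = "An account was successfully logged on." }
    [pscustomobject]@{ Id = 4722; TimeCreated = [datetime]'2017-09-01 08:20:00'
                       Message = "A user account was enabled.`r`n`r`nTarget Account:`r`n`tAccount Name:`tjsmith" }
    [pscustomobject]@{ Id = 4732; TimeCreated = [datetime]'2017-09-01 08:25:00'
                       Message = "A member was added to a security-enabled local group.`r`n`r`nGroup:`r`n`tGroup Name:`tAdministrators" }
)

# Expected: three rows (4720, 4722, 4732); the 4624 logon is filtered out.
Get-AccountChangeEvents -Events $sample | Format-Table -AutoSize
```

Two points a reviewer would apply on top of this filter. A 4722 is only the "re-enabled account" case the article warns about when the same target account has an earlier 4725 (account disabled) in the log, so correlate on the Target Account field before raising it. And 4724 is the help-desk vector: it records a reset of one account's password by a different account, which is exactly the social-engineering path described above, so the Subject (who performed the reset) matters as much as the target.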