Directory Services Monitoring

Security and Compliance for Microsoft Active Directory

SecureSphere Directory Services Monitoring (DSM) helps organizations achieve security and compliance goals for Microsoft Active Directory. It addresses separation of duties, privileged user monitoring, escalation of privileges and high-impact changes by detecting them as they happen and bringing them under control. SecureSphere provides continuous visibility into directory services activity, enabling organizations to audit, alert on, analyze, report on and respond to changes in real time.

Directory services such as Active Directory are the critical system of record for the user accounts and group memberships used for authentication and access control. Active Directory plays a central role in defining data access rights for enterprise data assets such as Microsoft SharePoint, file servers and NAS devices. Increasingly, organizations are using Active Directory to provision database access rights as well. Changes within Active Directory therefore can have broad security and compliance impacts for sensitive business data. The centralized, highly leveraged nature of directory services requires that organizations have real-time visibility and control over changes made within Active Directory.

Key Capabilities
Secure Active Directory and meet compliance requirements for monitoring all changes
Discover and respond immediately to critical activity
Automate the auditing process and demonstrate compliance with flexible, customizable reports


Audit for Security and Compliance

Comprehensive change auditing is necessary to secure Active Directory and to demonstrate compliance with regulatory requirements. Because Active Directory controls user and group access to enterprise IT resources such as critical applications and file servers, every Active Directory administrative action and change needs governance. Organizations must also maintain a high-integrity audit trail of change activity to meet compliance mandates and to monitor privileged users.

Active Directory's native auditing is basic: each domain controller writes its events to its own Security log, so there is no centralized audit trail across domain controllers, and the events often lack the detail needed to explain precisely what was changed. SecureSphere provides continuous monitoring and detailed auditing of changes made within Active Directory so that enterprises have a complete audit trail showing the "Who, What, When, Where and How" of each activity. This lets security and compliance teams see exactly who accessed, moved, changed or deleted objects in Active Directory.

Discover and Respond to Critical Activity in Real-Time

Material changes, such as a modification to configuration settings or to a privileged group, can have significant security impact on an organization. Enterprises therefore need the ability to monitor for, and respond immediately to, high-impact changes in Active Directory.

  • Monitor Privileged Users: The users and groups in Active Directory are used across the enterprise to provision access to critical applications and sensitive data. The simple act of adding a user to a group grants that user access to every resource the group can reach. Active Directory administrators are therefore privileged users with significant power over user rights. The compliance implication is that Active Directory changes must be monitored to satisfy the separation-of-duties requirements found in most regulatory frameworks.
  • Reinforce Internal Controls: Businesses need to assess and respond quickly when Active Directory changes deviate from corporate policy or security best practices. This calls for real-time alerting, notification and external actions that drive remediation.
  • Protect Against Malware and Targeted Attacks: The centralized role that directory services play in access control makes them an attractive target for attackers. Advanced threats such as malware and targeted attacks seek to compromise IT resources like Active Directory because control of the directory gives an attacker access to sensitive business data. Monitoring for unwanted Active Directory changes can provide early warning of an attack.
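To make the "Who, What, When, Where" audit trail and the group-membership point above concrete, the following PowerShell script is an added example, not code from Imperva or from the SecureSphere product. It shows what native, per-domain-controller auditing yields: it pulls group-membership add/remove events (IDs 4728/4732/4756 and 4729/4733/4757) from one domain controller's Security log, flattens them into Who/What/When/Where records, and flags changes to a watch list of privileged groups. The domain controller name, the 24-hour window and the watched group names are assumptions; the script also assumes the "Security Group Management" audit subcategory is enabled on that DC.

```powershell
# Added example (not Imperva's code): flatten native AD group-membership change
# events from a single domain controller into Who/What/When/Where records.
# Prerequisite (assumption): the subcategory is enabled on the DC, e.g.
#   auditpol /set /subcategory:"Security Group Management" /success:enable
param(
    [string]$DomainController = $env:COMPUTERNAME,   # assumption: run on the DC itself
    [int]$Hours = 24,
    [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
)

# 4728/4732/4756: member added to a security-enabled global/local/universal group.
# 4729/4733/4757: member removed from the same group types.
$addIds    = 4728, 4732, 4756
$removeIds = 4729, 4733, 4757

$filter = @{
    LogName   = 'Security'
    Id        = $addIds + $removeIds
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-EventField {
    # Read a named EventData field from the event XML rather than relying on
    # positional Properties[] indexes, which are not identical across event IDs.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$records = foreach ($e in $events) {
    $x  = [xml]$e.ToXml()
    $op = if ($addIds -contains $e.Id) { 'Add' } else { 'Remove' }
    [pscustomobject]@{
        When      = $e.TimeCreated
        Who       = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
        Operation = $op
        Group     = Get-EventField $x 'TargetUserName'
        Member    = Get-EventField $x 'MemberName'     # distinguished name of the added/removed account
        Where     = $e.MachineName                     # the DC that logged it; native events carry no client IP
        EventId   = $e.Id
    }
}

# Surface the high-impact changes first: anything touching a watched group.
$critical = @($records | Where-Object { $WatchedGroups -contains $_.Group })
if ($critical.Count -gt 0) {
    Write-Warning ('{0} privileged-group change(s) on {1} in the last {2}h' -f $critical.Count, $DomainController, $Hours)
    $critical | Sort-Object When -Descending | Format-Table When, Who, Operation, Group, Member, Where -AutoSize
}

# Keep the full record set for later review; run once per DC and merge to approximate a central trail.
$records | Sort-Object When -Descending |
    Export-Csv -Path ".\ad-group-changes-$DomainController.csv" -NoTypeInformation
```

Two limitations of this native approach stand out and are exactly the gaps a centralized monitor is meant to close: the script only sees the one domain controller it queries, so it must be run against every DC and the results merged, and the "Where" column is the logging DC rather than the administrator's source address, which these event types do not record.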

Analyze and Report on Active Directory Activity

Although Active Directory is one of the most important assets of the IT organization, changes to it are hard to analyze. Active Directory's out-of-the-box auditing generates large quantities of raw activity data that require dedicated storage, plus separate analysis and reporting applications, before any value can be extracted.

SecureSphere provides greater visibility into Active Directory change activity by aggregating and consolidating audit data into a secured, actionable repository. Interactive audit analytics allow administrators to slice and dice the audit trail for forensic investigations and identify data relevant for compliance reporting. SecureSphere’s flexible reporting framework allows organizations to easily understand security status, automate the auditing process and demonstrate compliance.

Deploy with Confidence

DSM agents run on Microsoft Active Directory domain controllers to monitor change activity, and SecureSphere offers simple, drop-in deployment through virtual or physical appliances. Centrally managed, SecureSphere meets the needs of any environment, from small organizations with a single domain controller to large enterprises with geographically distributed data centers.

Directory Services Monitoring Specifications

Directory Services Supported
  • Microsoft Active Directory 2003, 2008, 2008R2, 2012
Directory Service Activity Audit
  • User name
  • Domain
  • Object name
  • Object type
  • Operation
  • Attribute
  • Before and after value
  • Source and Destination IP
Tamper-Proof Audit Trail
  • Audit trail stored in a tamper-proof repository
  • Optional encryption or digital signing of audit data
  • Role based access controls to view audit data (read-only)
  • Real-time visibility of audit data
Deployment Modes
  • Domain Controller: lightweight agents
  • Web User Interface (HTTP/HTTPS)
  • Command Line Interface (SSH/Console)
  • MX Server for centralized management
  • Integrated management option
Events and Reporting
  • SNMP
  • Syslog
  • Email
  • Incident management ticketing integration
  • Custom followed action
  • SecureSphere task workflow
  • Integrated graphical reporting
  • Real-time dashboard