Usage of administrative accounts must be monitored for suspicious and anomalous activity.

From Active Directory Domain Security Technical Implementation Guide (STIG)

Part of AD.AU.0001

Associated with: CCI-000366

SV-56533r4_rule Usage of administrative accounts must be monitored for suspicious and anomalous activity.

Vulnerability discussion

Monitoring the usage of administrative accounts can alert on suspicious behavior and anomalous account usage that would be indicative of potential malicious credential reuse.

Check content

Verify account usage events for administrative accounts are being monitored. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum. If these events are not monitored, this is a finding. Account Lockouts (Subcategory: User Account Management) 4740 - A user account is locked out. User Added to Privileged Group (Subcategory: Security Group Management) 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group. Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on. Account Login with Explicit Credentials (Subcategory: Logon) 4648 - A logon was attempted using explicit credentials.

Fix text

Monitor account usage events for administrative accounts. This includes events related to approved administrative accounts as well as accounts being added to privileged groups such as Administrators, Domain and Enterprise Admins and other organization defined administrative groups. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools. Monitor for the events listed below, at minimum. Account Lockouts (Subcategory: User Account Management) 4740 - A user account is locked out. User Added to Privileged Group (Subcategory: Security Group Management) 4728 - A member was added to a security-enabled global group. 4732 - A member was added to a security-enabled local group. 4756 - A member was added to a security-enabled universal group. Successful User Account Login (Subcategory: Logon) 4624 - An account was successfully logged on. Failed User Account Login (Subcategory: Logon) 4625 - An account failed to log on. Account Login with Explicit Credentials (Subcategory: Logon) 4648 - A logon was attempted using explicit credentials. The "Account Usage" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides additional information. https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer