I ran across an interesting scenario the other day at work. I was going through the AD event log for some details on a change that I made to the security settings for a group, hoping to find the value before I made the change. I thought the improved AD Domain Services logging would help me by showing the before and after values, but what I did not count on was seeing a blob of unintelligible ACL data. As it turned out, I would run into another limitation shortly after that one. (See my work blog entry on this.)
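The ACL blob the audit event records is the binary form of the group's security descriptor, and it can be turned back into readable SDDL and a per-ACE listing. The following is an added example, not code from the original post; the hex blob it decodes is constructed in the script from a sample SDDL so it runs stand-alone, and in practice you would paste the hex string from the event's attribute value field instead.

```powershell
# Decode a hex-encoded security descriptor blob (as recorded by AD DS change
# auditing for nTSecurityDescriptor) into SDDL plus a list of DACL entries.
function ConvertFrom-SecurityDescriptorHex {
    param([Parameter(Mandatory)][string]$Hex)

    # Strip any separators the log viewer added, then hex -> byte array
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    $bytes = [byte[]]::new($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }

    # Parse the self-relative security descriptor from the raw bytes
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

    [pscustomobject]@{
        Owner = $sd.Owner.Value
        Group = $sd.Group.Value
        Sddl  = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Aces  = @(foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                Type       = $ace.AceType
                Sid        = $ace.SecurityIdentifier.Value
                AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
                Flags      = $ace.AceFlags
                # Object ACEs also carry the GUID of the attribute or property set they apply to
                ObjectType = if ($ace -is [System.Security.AccessControl.ObjectAce]) { $ace.ObjectAceType } else { $null }
            }
        })
    }
}

# Constructed sample: build a descriptor from SDDL, serialise it and hex-encode it
# to stand in for the blob shown in the audit event (well-known SIDs only, so it
# parses on any Windows host).
$sampleSddl = 'O:BAG:SYD:(A;;GA;;;BA)(A;;RPLCLORC;;;AU)'
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new($sampleSddl)
$buffer = [byte[]]::new($sample.BinaryLength)
$sample.GetBinaryForm($buffer, 0)
$blobHex = ($buffer | ForEach-Object { $_.ToString('X2') }) -join ''

$decoded = ConvertFrom-SecurityDescriptorHex -Hex $blobHex
$decoded.Sddl
$decoded.Aces | Format-Table -AutoSize
```

Running the decoder over both the "before" and "after" blobs of the same event and diffing the two ACE lists shows exactly which entry the change added or removed.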
As the name implies, Active Directory Domain Services logging is pretty specific in its scope, and so this time my surprise was tempered a little when I began looking at changes made to Exchange attributes. (It seems that some of the Microsoft Exchange attributes are not covered well.) In particular, I found I was not able to see the before and after values (or even the current value, for that matter) for changes made to the homeMDB attribute.
This is certainly a case where a third-party auditing solution is extremely helpful. (Full disclosure: I work for NetWrix Corporation, which is building a SIEM 2.0 platform.) Interestingly enough, existing SIEM solutions rely on the event logs themselves, so most won’t help solve this issue. What SIEM needs is the ability to correlate change information from multiple sources that go beyond simple event data to provide a clear picture of what hs