What you need to audit in your Active Directory to meet PCI Compliance
By Amritesh Singh, Marketing Manager for IT auditing, security and compliance vendor, Lepide Software
PCI compliance governs all technical and functional aspects of systems that process cardholder data. If your enterprise falls into this category, it must comply with PCI regulations. PCI benefits businesses in numerous ways; including bolstering reputation, customer trust and business continuity. In this article, I will go over some of the important things you will need to audit in order for you to meet PCI compliance. You can either use pre-defined PowerShell Scripts, available online from trusted sources, or use a third-party solution to generate the required reports.
1. Track audit policy and group policy modifications
Admins should ensure that only authorized persons have access to cardholder data. They can ensure this by configuring proper audit policies and group policies. Admins must also make sure to track every change made to these audit policies and group policies. The PCI auditors want to see clearly in reports when an audit policy is changed, by whom and from which system.
2. User expiry notifications
Let’s say a privileged user has been created to do a specific task with PCI data for a limited period. Admins must monitor the actions of such users and track when these accounts are going to expire. The reports should provide information on user expiry so that admins are aware if any privileged user has unofficially extended their stint at the organization.
3. Workstation restrictions modification
Not everybody in the company can have the same levels of access. Workstation restriction ensures that only members of a privileged group have access to systems that store PCI data. An administrator can generate a Workstation Restriction Modification report, which will help raise awareness of any users in privileged groups who have access to sensitive data they shouldn’t have.
4. Audit Group membership modifications
Administrators should track all privileged accesses to files and databases. They can ensure this by tracking group membership changes, user creations, new privilege grants and restricting usage of shared privileged accounts. The system should also inform security professionals in real-time through alerts based on log events.
5. Audit computer creation, deletion and modification
Track all events related to computer creation, deletion and modification. Audit information on all recently created, deleted and modified computers should be available with all relevant details.
6. Audit policy changes
Tracking audit policy changes enables you to record every incidence of a change to user rights assignment policies, audit policies or trust policies. If you define this policy, the Administrator can decide whether to audit successes, failures or not to audit the event type at all. Use the Event Viewer to monitor all events of this category in the systems that store PCI data. If IT managers find any unwanted changes, they can investigate further to find the cause.
7. Audit trust policy modification
Essentially, auditors want you to be able to demonstrate that you have the capability to track changes in domain trusts, so that you can block unrestricted access to a domain from other domains.
8. Track user status changes
Whenever a user with access to PCI data is enabled, disabled, locked or unlocked, it must be logged and alerted on in real-time. Relevant reports can also be generated and sent to the required administrators the instant any of these changes occur.
After you have enabled auditing for the above objects, you must test the efficacy of the measures to ensure that they are fully effective. You should run the tests under different conditions, and if any unwanted event occurs, the admin should immediately know about the events through real-time alerts. As mentioned earlier in the article, you can simplify PCI auditing through third-party solutions. If you want more information about the benefits of such solutions, feel free to ask me in the comment section.