Identity management plays a critical role in every IT security strategy. Microsoft’s identity and access management tools dominate the enterprise market, with more than a 50% market share between Active Directory (AD) for Windows and Azure servers. And that makes Active Directory a frequent target for hackers.
Despite the wide adoption, AD’s native interface can be clumsy and difficult to use at scale. PowerShell scripts can be written to interface and automate many AD functions, but not everyone can create, debug, maintain, or secure these scripts. PowerShell is by some measures the tool most often misused by hackers in “living off the land” attacks, where hackers use native system tools to attack an organization. Penetration testers use similar approaches when probing a network for weaknesses.
As organizations become larger and more complex, it becomes increasingly important to efficiently check and secure AD across the enterprise. To aid IT and security administrators, many third-party tools have been created to make it easier and faster to audit, manage, monitor, secure, and report on AD.
For this article, we will explore 10 solutions with Active Directory as the primary focus, within three categories:
- Active Directory Auditing
- Active Directory Monitoring and Management
- Active Directory Protection
Active Directory Auditing
IT managers and security teams need knowledge to act intelligently and appropriately. AD auditing tools check the health of AD users, groups, units, activity, and settings.
Using reports generated by these tools, IT and security teams can make informed decisions and take action without PowerShell coding or many hours of manual work. The time saved will vary from organization to organization depending upon the number of users and the complexity of the IT environment.
These tools tend to be adopted by smaller and more budget-constrained organizations to generate reports quickly; however, addressing issues generally remains a manual process.
Lepide Data Security Platform
Lepide’s Data Security Platform (DSP) focuses on user rights and permission audits, real-time monitoring, alerts, and reports. This tool supports a huge variety of identity management databases that might be found in larger organizations, including Active Directory, Office 365, SharePoint, SQL servers, NetApp, G Suite and Amazon S3.
Lepide DSP offers more than 100 reports that can be customized, so IT and security managers can inspect the changes that matter most to their organization, including:
- Logon/Logoff activity, failed logins, and users logged into more than one computer
- Active Directory changes (and perform reversal if needed)
- AD security settings and state by object and ownership
- Privileged user activities, group membership changes
- Password changes, login times, and account deletions
Lepide offers a free demo but does not list pricing for its product. The DSP license can be purchased per individual, per platform, or on a per-user basis.
Netwrix Auditor for Active Directory
Netwrix Auditor for AD helps AD managers check on current configurations and monitor logon attempts, group policies, and AD changes. Managers can use Auditor for AD to produce security alerts or to generate compliance reports.
Auditor for AD can be used free for two weeks on a trial basis, and the full-priced version starts at $12 per AD user. For managers on a budget, Netwrix offers freeware tools for specific functions such as Account Lockout Examiner and Inactive User Tracker.
Ossisto Active Directory Health Profiler
Ossisto’s Active Directory Health Profiler performs scheduled and on-demand assessments of AD. These assessments can also generate remediation recommendations based upon best practices defined by Microsoft. Reports can be generated quickly and can be delivered automatically via email.
Ossisto does not publicize their pricing, but they do note that the license is priced on a per AD Forest basis. AD Forests contain multiple trees, composed of multiple domains, which in turn are composed of multiple organizational units of users, groups, and devices.
Active Directory Monitoring & Management
Knowledge is important, but IT and security managers also need to act. Robust AD monitoring and management tools allow managers to understand the AD environment, take actions effectively, and make required compliance reports.
These tools will often be selected by IT managers who prioritize efficient IT management over IT security functionality or by security teams that already secure AD through other means. These tools will generally cost more than AD auditing solutions but will deliver value for larger organizations.
Adaxes
The Adaxes tool helps managers to monitor, manage, and report on Active Directory. Adaxes stands out with a simple web interface that allows for remote management and integration with AD, Microsoft Exchange, and Microsoft 365.
Role-based permissions allow managers to delegate portions of AD management to the help desk or HR department without reducing oversight or security. Automated provisioning through customizable business rules allows the creation of a new AD account to automatically trigger the other services a new account needs, such as Exchange mailbox creation, assigning Office 365 licenses, creating home folders, and sending welcome emails.
Customers can try Adaxes for free or purchase Adaxes as a perpetual license starting at $1,600 for 100 user accounts with a $480 annual maintenance contract. Pricing tiers exist for up to 2,000 user accounts with an unlimited license, and bulk-pricing packages are available for medium and large businesses.
ManageEngine AD Manager Plus
ManageEngine AD Manager Plus helps managers efficiently audit Windows login activity, investigate account lockout, and monitor important activity such as server changes, employee work hours, privileged users, and file changes. Sudden spikes in file access, triggered by malware such as ransomware, can generate alerts to help managers take prompt action.
ManageEngine works across a broad range of data sources, including standard Windows AD, Azure AD, EMC file servers, Synology file servers, Hitachi NAS devices, NetApp filer, and Huawei OceanStor. It also generates standardized compliance reports designed for several different standards, including SOX, HIPAA, GDPR, PCI DSS, and more.
ManageEngine offers three versions of AD Manager Plus:
- Free for 100 domain objects
- Standard, offered at $595 per year
- Professional, offered at $795 per year
They also offer an ADAudit Plus product for $595 per year as well as a suite of free, limited capability Active Directory Tools.
Quest Active Administrator
Quest’s Active Administrator solution provides a single solution for IT and security managers to monitor, manage, and report on the health of Active Directory. Active Administrator simplifies group policy management, monitors the health of domain controllers, and enables automated backup and recovery of AD.
Active Administrator further offers options to extend management to Domain Name Servers (DNS) and to administer a digital security certificate lifecycle—all from a single console. Quest offers a free trial license or customers can purchase perpetual licenses with one year of support starting at $19.33 for 50 users.
SolarWinds Access Rights Manager
The Access Rights Manager by SolarWinds provides an intuitive graphic interface to manage and monitor Active Directory access groups, users, group policies, directory permissions, and provisioning resources to Azure, SharePoint, and OneDrive.
The powerful reporting feature of the tool provides easy access to useful summaries for:
- Security Risk Reports: Never-expiring passwords, non-compliant user accounts, etc.
- AD Change Reports: Password resets, group policy changes, moved resources, etc.
- Compliance Reports: Access right reports, everyone permission resource reports, etc.
SolarWinds makes it quick and easy to provision or deprovision users, check status of specific resources, and monitor changes. The access management system uses automation and manual tools to track and control users’ specific access to specific resources to protect against accidental data loss, hackers and insider threats.
The license for the audit tool costs $1,838, and the full manager is $3,444; however, SolarWinds does offer a free trial. For the budget-constrained, SolarWinds offers free tools that deliver portions of the Access Rights Manager tool functionality, such as Permissions Analyzer and the Admin Bundle for AD.
Active Directory Protection
Many breaches involve insecure AD deployments that attackers exploit to elevate privileges for lateral movement and access to key assets. Security-focused tools concentrate on locking down Active Directory and on features that enable security teams to perform incident response and investigation.
These tools will be the choice for IT security managers in organizations that split security functions from management or for organizations content with their legacy AD management tools.
Semperis Directory Services Protector
Directory Services Protector (DSP) by Semperis secures Windows Active Directory and Azure Active Directory services. The key features block access to AD, catch AD changes that bypass security logs, and provide the ability to automatically remediate malicious changes.
Similar to auditing and management tools, DSP can assess vulnerabilities, help produce reports, and aid in locating and modifying AD attributes. However, the strongest features focus on helping security teams to:
- Perform forensic analysis
- Receive real-time notifications
- Visualize combined Azure and Windows AD settings
- Back up, recover, and perform granular rollback of AD settings
DSP is offered in three different packages (Essential, Advanced, Intelligence) with different specific features. Pricing is not disclosed publicly.
Tenable.ad
Tenable.ad improves visibility into the security health of an organization’s Active Directory to predict vulnerabilities and provide remediation guidance to fix them. The tool identifies dangerous trust relationships, changes to AD, and provides auditing and reporting functions.
The security features of Tenable.ad detect, analyze the kill chain, and respond to AD attacks such as brute force, DCShadow, DCSync, password spraying, and more.
Moreover, Tenable.ad defends Windows AD, Azure AD, AWS AD, and Google Cloud’s managed service for AD, and integrates with SIEM (security information and event management), SOCs (security operations centers), and SOAR (security orchestration, automation, and response).
Tenable.ad offers a free evaluation and is licensed per active user. Prices specifically for Tenable.ad are not disclosed, but customers note that it is best to review licensing options for Tenable products with a reseller.
Varonis for Active Directory
Varonis’ security solution for AD will detect and fix misconfigurations and monitor for changes on Microsoft AD and Azure AD. Changes and user activity will be analyzed to generate alerts on behavior anomalies and malicious activities, such as abnormal group policy changes, abnormal service account data access, credential stuffing, privilege escalation, stale account access, and ticket harvesting.
Varonis for AD will also detect admin accounts with Service Principal Names (SPN), computer accounts doubling as admin accounts, accounts vulnerable to pass-the-ticket attacks, non-expiring password accounts, and other high-risk AD accounts easily exploitable by attackers. And Varonis makes their in-house security analysts available to customers and trial users for incident investigation.
Varonis offers auditing, reporting, and integrations with SIEM tools. And while Varonis does not publicly disclose their pricing, it does offer a free trial license.
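The account checks described above (non-expiring passwords, privileged accounts carrying SPNs, computer accounts with admin rights, stale logons) are the kind of query an administrator would otherwise script by hand in PowerShell. The following is an added example, not code from the article or any vendor it names; the sample accounts are constructed, and running it against a live domain assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not code from the article or any vendor named in it: a small
# audit function that flags the high-risk account patterns these tools report on.
function Find-RiskyAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Account,   # Get-ADUser/Get-ADComputer output
        [int] $StaleDays = 90                         # threshold for "stale" accounts
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($a in $Account) {
        $findings = @()
        if ($a.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        # adminCount=1 is set on members of protected (privileged) groups; a user
        # account with it that also carries an SPN is the "admin account with SPN" case.
        if ($a.ObjectClass -eq 'user' -and $a.AdminCount -eq 1 -and @($a.ServicePrincipalName).Count -gt 0) {
            $findings += 'PrivilegedAccountWithSPN'
        }
        if ($a.ObjectClass -eq 'computer' -and $a.AdminCount -eq 1) {
            $findings += 'ComputerAccountIsPrivileged'
        }
        if ($a.Enabled -and $a.LastLogonDate -and $a.LastLogonDate -lt $cutoff) {
            $findings += "StaleLogon(>$StaleDays days)"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $a.SamAccountName
                Findings       = $findings -join ', '
            }
        }
    }
}

# Constructed sample standing in for directory output (names and SPNs are made up).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ObjectClass = 'user'; Enabled = $true
        PasswordNeverExpires = $true; AdminCount = 1
        ServicePrincipalName = @('MSSQLSvc/db01.example.local:1433')
        LastLogonDate = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ SamAccountName = 'jdoe'; ObjectClass = 'user'; Enabled = $true
        PasswordNeverExpires = $false; AdminCount = $null; ServicePrincipalName = @()
        LastLogonDate = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ SamAccountName = 'WS01$'; ObjectClass = 'computer'; Enabled = $true
        PasswordNeverExpires = $false; AdminCount = 1; ServicePrincipalName = @('HOST/WS01')
        LastLogonDate = (Get-Date).AddDays(-1) }
)
Find-RiskyAccount -Account $sample | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module), the same function runs on:
# $props = 'PasswordNeverExpires','AdminCount','ServicePrincipalName','LastLogonDate','Enabled'
# Find-RiskyAccount -Account (Get-ADUser -Filter * -Properties $props)
```

On the constructed sample, svc_sql is reported for both a never-expiring password and a privileged SPN, jdoe for a stale logon, and WS01$ as a privileged computer account.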
Protecting Active Directory
Different organizations will have different needs when it comes to securing their Active Directory. Some will want to focus on auditing and reporting, others will want tools that incorporate management features, and others will want to focus on security features.
Regardless of a specific team’s emphasis, AD remains a critical component of IT infrastructure in need of security, and any one of the tools in this article will save enormous time compared to handling these tasks manually. Organizations need to carefully consider their risks, their budgets, and their pain points to determine which tool may be the best solution for them.