Are there any specific metrics or events you would use in traditional on-prem AD to alert that an account may have been compromised? What kind of red flags would you look for, or what specific patterns do monitoring tools look for in terms of account takeover? Many organisations are removing maximum password age settings from domain policies, and account owners are encouraged to only manually initiate a password change if they or the organisation they work for suspect the account and password have been compromised. My query is:
1. How would the users themselves identify situations where their on-prem AD account may have been compromised?
2. What are the classic signs of compromised accounts that the IT/cyber department could alert on themselves to flag possible compromised AD accounts across all user accounts?
3. Are there any other events, internal or external, that may warrant a manual password change for individual users or a section of users?
What type of access do your user accounts have?

Well, the accounts are synchronised accounts, so they govern access to things such as on-prem shared network drives on file servers; some of these directories will definitely store personal and sensitive documents. And obviously other cloud-based 365 file stores such as the user's mailbox, any shared mailboxes they have been granted access to, SharePoint Online team sites, and some of the line-of-business applications are integrated with AD users and groups for permissions – so just your usual office-type setup in any business whereby employees access company information, which always has some form of sensitivity. Other applications are ‘protected’ by additional authentication processes and different explicit credentials.
Nature of concern?
As was pointed out: restrictions, enabling auditing, and a logon/logoff script to keep track of when and where a user logged in.
Logon to as logon times as McKnife ..
If it is industry-specific, look at failed access attempts...
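As an added example (not part of this thread, and not anyone's production tooling), the kind of heuristics behind question 2 and the replies about enabling auditing and watching failed access attempts, run over constructed sample records shaped like the fields of Security-log event IDs 4624 (successful logon), 4625 (failed logon) and 4740 (account lockout). In practice the records would be exported from a domain controller's Security log or a SIEM; the thresholds, the known-host baseline and every sample value below are assumptions:

```python
"""Heuristics a monitoring tool applies to domain-controller Security events to
flag possible account takeover. Added illustration, not code from the thread.
Sample records are constructed and shaped like event IDs 4624 (successful
logon), 4625 (failed logon) and 4740 (account lockout)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (time, event_id, account, source_ip, workstation, logon_type)
SAMPLE_ROWS = [
    ("2024-03-04 08:02:11", 4624, "alice", "10.0.1.20", "WS-ALICE",   2),
    ("2024-03-04 08:05:40", 4624, "bob",   "10.0.1.21", "WS-BOB",     2),
    ("2024-03-04 02:15:30", 4624, "carol", "10.0.9.77", "UNKNOWN-PC", 3),     # success after a failure burst
    ("2024-03-04 03:01:00", 4740, "frank", "",          "DC01",       None),  # lockout raised on the DC
]
# Twelve failed logons against carol within two minutes from one host
SAMPLE_ROWS += [
    (f"2024-03-04 02:1{i // 6}:{(i % 6) * 10:02d}", 4625, "carol", "10.0.9.77", "UNKNOWN-PC", 3)
    for i in range(12)
]
# One external address failing once against six different accounts (spray pattern)
SAMPLE_ROWS += [
    (f"2024-03-04 03:00:{i:02d}", 4625, user, "203.0.113.5", "", 3)
    for i, user in enumerate(["dave", "erin", "frank", "grace", "heidi", "ivan"])
]
# Assumed baseline of workstations each account normally logs on from
KNOWN_HOSTS = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}, "carol": {"WS-CAROL"}}


def parse_events(rows):
    """Turn raw rows into dicts sorted by time."""
    events = [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "id": eid,
         "user": user, "ip": ip, "host": host, "logon_type": lt}
        for t, eid, user, ip, host, lt in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Accounts with at least `threshold` 4625 events inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def password_spray_sources(events, min_accounts=5):
    """Source addresses whose failures are spread across many distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["id"] == 4625 and e["ip"]:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def new_host_logons(events, known_hosts):
    """Successful logons from a workstation outside the account's baseline."""
    return [(e["user"], e["host"], e["ip"]) for e in events
            if e["id"] == 4624 and e["host"] not in known_hosts.get(e["user"], set())]


def success_after_failures(events, min_failures=5, window=timedelta(minutes=30)):
    """A 4624 preceded, within `window`, by `min_failures` or more 4625s for the same account."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        prior = [f for f in events if f["id"] == 4625 and f["user"] == e["user"]
                 and timedelta(0) <= e["time"] - f["time"] <= window]
        if len(prior) >= min_failures:
            hits.append((e["user"], len(prior)))
    return hits


def lockouts(events):
    """4740 events: the locked account and the computer that reported it."""
    return [(e["user"], e["host"]) for e in events if e["id"] == 4740]


def off_hours_logons(events, start_hour=7, end_hour=20):
    """Successful logons outside an assumed working-hours window."""
    return [(e["user"], e["time"].strftime("%H:%M")) for e in events
            if e["id"] == 4624 and not (start_hour <= e["time"].hour < end_hour)]


def analyse(rows, known_hosts):
    """Run every heuristic and return the findings keyed by signal name."""
    events = parse_events(rows)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "password_spray_sources": password_spray_sources(events),
        "logons_from_new_hosts": new_host_logons(events, known_hosts),
        "success_after_failures": success_after_failures(events),
        "lockouts": lockouts(events),
        "off_hours_logons": off_hours_logons(events),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_ROWS, KNOWN_HOSTS).items():
        print(f"{name}: {value}")
```

Each function corresponds to one alert a SOC would typically tune separately: a failure burst against one account, one source touching many accounts, a success immediately after failures, a logon from a never-seen workstation, a lockout, and activity outside the account's normal hours. The thresholds are deliberately parameters, since the right values depend on the environment's own baseline of noise.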