Today, modern operating systems require mechanisms for managing the identities and relationships of the distributed resources that make up network environments. A directory service provides a place to store information about network-based entities, such as applications, files, printers, and people. It provides a consistent way to name, describe, locate, access, manage, and secure information about these individual resources. A directory service acts as the main switchboard of the network operating system. It is the central authority that manages the identities and brokers the relationships between these distributed resources, enabling them to work together. Because a directory service supplies these fundamental network operating system functions, it must be tightly coupled with the management and security mechanisms of the operating system to ensure the integrity and privacy of the network. It also plays a critical role in an organization's ability to define and maintain the network infrastructure, perform system administration, and control the overall user experience of a company's information systems.
Today, directory services enable tracking the computer session activities of specific users. Commonly, “auditing” capabilities in directory services can provide user session recording and tracking. Some of those users may be users of special interest or “sensitive users”. Sensitive users can be defined in many ways. Examples of sensitive users can be users new to an organization and/or users that have special system resource permissions, such as administrative users with broad capabilities and resource accesses.
Windows security administrators commonly want to track the activities of sensitive user accounts. These accounts are often logically organized into Windows software “groups”. The Windows software auditing feature does not have a facility for tracking user accounts by group membership; it only tracks user accounts individually. In an environment with a large number of user accounts, such as is found in most large networks, it is difficult to locate only the events involving these sensitive accounts. This is because an audit policy can generate an extremely large number of audit events, such as user session activities, and sifting through the audit records can be difficult and time consuming. Thus, a technique to identify the audit records of sensitive users is desirable.
One existing technique to track the activities of a specific group of users is to enumerate the membership of sensitive groups at some point in time, and then identify events for the accounts which were members of the group at the time of enumeration. This method has an inherent flaw: group membership changes over time. One possible threat to network security is a rogue user that has broad levels of access to computer resources and attacks one or more of the resources but remains anonymous. For example, a clever attacker can modify group membership, log onto a network, perform mischief, and modify membership back before the next enumeration, and thus avoid detection. One method of detection in this instance could be a modification of the existing group detection method to search for events indicating group membership changes. Those changes could be taken into account in searching for malicious activity. But this modification would be extremely complex and fragile in a distributed environment. In addition, clairvoyant knowledge of the malicious user in geographic and temporal terms may be necessary for a successful query of the log of all user activity to determine the identity of the malicious user. Therefore, a more secure option is desirable.
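To make the flaw concrete, the following is an added example (not part of the original text, and not any product's implementation) that replays a constructed set of audit records on a single host. It contrasts the point-in-time enumeration described above with a replay of the logged membership changes, showing how the first misses a logon made between an add and a revert while the second catches it; the record layout, group name and account names are assumptions.

```python
from datetime import datetime

# Constructed sample audit records (not real Windows event log output).
# Each record: (timestamp, kind, account, detail); detail is the group name
# for membership changes and the target host for logons.
SAMPLE_EVENTS = [
    ("2024-01-01T08:00:00", "group_add",    "alice",   "Domain Admins"),
    ("2024-01-01T09:00:00", "logon",        "alice",   "SRV01"),
    ("2024-01-01T10:00:00", "group_add",    "mallory", "Domain Admins"),
    ("2024-01-01T10:05:00", "logon",        "mallory", "FILESRV"),
    ("2024-01-01T10:30:00", "group_remove", "mallory", "Domain Admins"),
    ("2024-01-01T11:00:00", "logon",        "bob",     "SRV01"),
    ("2024-01-01T12:00:00", "logon",        "mallory", "FILESRV"),
]

def _ordered(events):
    """Return the records sorted by timestamp (ISO-8601 strings)."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0]))

def membership_at(events, group, at):
    """Point-in-time enumeration: accounts that were members of `group` at `at`."""
    members = set()
    cutoff = datetime.fromisoformat(at)
    for ts, kind, account, detail in _ordered(events):
        if datetime.fromisoformat(ts) > cutoff:
            break
        if detail == group and kind == "group_add":
            members.add(account)
        elif detail == group and kind == "group_remove":
            members.discard(account)
    return members

def flag_by_snapshot(events, group, at):
    """Existing technique: keep logon events of accounts that were members at `at`."""
    members = membership_at(events, group, at)
    return [e for e in _ordered(events) if e[1] == "logon" and e[2] in members]

def flag_by_timeline(events, group):
    """Replay membership changes in time order; flag logons made while a member."""
    members, flagged = set(), []
    for event in _ordered(events):
        _, kind, account, detail = event
        if kind == "group_add" and detail == group:
            members.add(account)
        elif kind == "group_remove" and detail == group:
            members.discard(account)
        elif kind == "logon" and account in members:
            flagged.append(event)
    return flagged
```

Membership that predates the first record must be seeded from an initial enumeration, and the replay only works if the membership-change events themselves are retained in the log.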