The Eure-et-Loir Departmental Council reduces the risks from attacks with solutions from Quest.
The Department of Eure-et-Loir is a territorial authority in northern France. The Departmental Council is responsible for matters such as social services, roads and colleges.
The Eure-et-Loir Departmental Council recognizes the importance of the IT ecosystem to fulfill its mission, with Active Directory at its center providing vital authentication and authorization services. Indeed, when an attack brought down their AD, they were able to restore everything, thanks to the measures that had been put in place by the IT team.
However, the incident raised a key question: “We asked ourselves, why didn't we receive an alert before everything was blocked?” recalls Diaga Gueye, Infrastructure Manager at the Eure-et-Loir Departmental Council.
To address this major concern, the Departmental Council of Eure-et-Loir turned to its trusted partner, Quest Software. “Most of our critical applications are on Oracle, and we have managed them effectively for years with Toad® for Oracle,” notes Mr. Gueye. “Our pre-sales engineer at Quest introduced us to Change Auditor. After his excellent presentation and product demo, I immediately said to myself, ‘This is exactly what we need.’”
After careful evaluation of other solutions available on the market, the council deployed Change Auditor. The results confirmed their initial assessment. “Change Auditor provides real-time monitoring and centralized logging of all security changes across our AD and Entra ID environment,” explains Mr. Gueye. “If an administrator modifies a sensitive group, changes a GPO or adds a DNS entry, Change Auditor alerts us so we can investigate immediately. As a result, we have reduced our threat detection and response time significantly.”
Plus, Change Auditor provides more information than Microsoft event logs capture — and makes that information much easier to understand. “Native logs are so large and cryptic that it's easy to get lost trying to understand them,” says Mr. Gueye. “Change Auditor makes events easy to read and provides details immediately, allowing me to know the activity on my servers in real time. It's so simple and intuitive.”
In addition to detecting risky actions in real time, Change Auditor for Active Directory can also block risky actions: Regardless of what privileges a user has, the solution can prevent them from modifying critical security groups and Group Policy settings or exfiltrating the AD database to steal credentials.
“The icing on the cake is Change Auditor’s ability to block certain events,” says Mr. Gueye. “For example, we locked down the Domain Admin group so that hackers can't elevate their privileges by adding an account they've hacked to that powerful group.”
Mr. Gueye offers several examples of how Change Auditor enabled his team to detect security issues they were not able to see before:
While effective change management is essential to cyber resilience, the Eure-et-Loir Departmental Council also wanted to proactively identify and mitigate weaknesses in its Active Directory before adversaries could abuse them. By performing penetration testing using the free version of BloodHound, the IT team had discovered some of the attack avenues in their AD that could allow an attacker with a compromised user account to obtain administrator rights.
However, analyzing the attack paths with the open-source tool was very difficult and time-consuming. So the IT team was happy to learn that Quest offers a much more robust version, SpecterOps BloodHound Enterprise. This powerful solution identifies an organization's Tier 0 assets and provides a clear map of the attack paths putting them at risk.
“BloodHound Enterprise provides a graphical representation of attack paths so we can see exactly how an attacker could start from a standard account and escalate their privileges to reach a critical part of the AD,” explains Mr. Gueye. “For example, we immediately uncovered some service accounts that had too many rights.”
Moreover, BloodHound Enterprise provides actionable information on how to mitigate the attack paths it identifies. Organizations often have tens of thousands of attack paths, so the solution identifies the key actions administrators can take to choke off hundreds or even thousands of attack paths at once.
“Thanks to BloodHound Enterprise, we have a clear map of the attack paths in our AD — and we know how to remediate them,” Mr. Gueye notes. “For example, BloodHound found a service account that had too many privileged permissions. By installing a newer version of the associated product that did not require all of those rights, we were able to quickly fix the security gap.”
The Departmental Council of Eure-et-Loir highly appreciates its continued partnership with Quest. “All the Quest solutions we have are extremely intuitive and easy to use,” reports Mr. Gueye. “Additionally, Quest has always provided excellent support throughout the entire process, from pre-sales to sales to technical support.” In fact, the IT team is already planning to explore other Quest solutions, including Change Auditor for Windows File Servers, Change Auditor for NetApp and Change Auditor for EMC.