[MUSIC PLAYING] Welcome. This is Quest Unscripted.
A vlog series on trending topics.
And Quest solutions related to Active Directory.
Oh, and don't forget Azure AD.
You are here because you have questions.
We're here because we have answers.
We will address questions we've received from customers.
Who experienced the same challenges as you.
All with the goal of helping you confidently move.
Your Microsoft environment.
We call the show Quest Unscripted because--
Except for this intro.
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hi, guys. Welcome to another episode of Unscripted, and today we're going to talk about what's new in Change Auditor 7.2. Before I hand it off to you, Bryan, we have a new face, Ian. I think you've done recordings with us before, but a new face as in you switched roles. Right?
You're a solution architect now, with a focus on Change Auditor.
That is correct.
So glad to have you on the team.
So, Bryan, what's new in 7.2 in Change Auditor?
One of the most key features I like to point out is the ability to prevent new tier-zero GPOs being linked to the environment. That means we can do the GP link actually at the domain container to ensure that somebody can't link a GPO there that could cause havoc to an entire organization.
There's a few other different features that we have out there that are security-related-- for example, the DC shadow detection. There's an event to more easily see that. There is also around SID history injection, where we can start detecting those different attacks as well.
And these are also extended to on-demand audit. So on-demand audit obviously absorbs the Change Auditor events. So you'll be able to see them with less noise than you actually would in Change Auditor under the anomaly detection capability of on-demand audit.
Yeah, and there's two other ones--
Yeah, go ahead.
There's two other ones as well, admin count and service principal name, that we've added auditing and queries for as well. So there's a bunch of--
The service principal name's pretty critical in the event that if any account has a new service principle named added to it, I personally have to set up an email alert so I know about it, so I can verify that account has been configured as a GMSA, for example. I can't use a GMSA.
At the very least, put some kind of Password Safe-type technology because those accounts will be more subject to Kerberoasting attacks.
So back to the GPO linkage. Like, what is it that we're helping customers with? What attack path are we helping customers with? And maybe you want to talk a little bit about how the Bloodhound Enterprise kind of merges into this and helps with that as well.
Well, there's plenty of different threat actors that are leveraging GPOs because GPOs are very powerful in deploying software. So I can get to a GPO that gets applied to all the computers. I can use that to deploy my different payload.
So by blocking the new tier-zero GPOs from getting linked, an attacker that has rights can't just link it at the domain container to deploy the different payload. I would urge our customers to get their GPO hygiene [? duct ?] and prevent the number of GPOs at the domain container to begin with. I personally feel that if any GPO or there is any person that has the ability to do it without another approval set, that's problematic.
I like having version control so not just Bryan can make a change. Maybe Ian has to approve before I make a change, therefore you have the four I's approach. Therefore, one person can have sole authority to make a different change. So that's where we have GPO admin that's complimentary to Change Auditor.
And then we have Bloodhound Enterprise that's complementary to everything. So it helps you identify what your GPO states currently look like to begin with as far as who has permissions to make changes to them.
Ian, what else is new in Change Auditor 7.2?
Probably the biggest thing is for customers who like to stay on the bleeding edge. We now support Windows Server 2022 for the back end. So the coordinator can run on that, and the agents can run on that. And we're now supporting also Windows 11 that you could install the client on and run the client from a Windows 11 box now.
Yeah. Cool. I mean, keep in mind once you upgrade to 7.2, when you launch the client, first thing on the Start menu is you see a list of everything that's new in that release. So make sure you read that as well, but I appreciate it, guys. Thank you so much.