Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 9

Can SAM or another SW module monitor changes to local admin groups?

I had the security team ask me this one.

They say that sometimes people have local admin access and then they give their buddies local admin to a different machine and that bypasses security.

I was thinking conceptually that there is probably a way to monitor a local admin group on a machine with something like "alert me if local admin doesn't match these three entries" but I'm not sure how I could do something like that. Likely powershell. It doesn't seem like SAM would be the right tool for this but I'm checking to see if anyone has any ideas or recommendations for other software that is used for this type of thing. We have NCM, NPM, IPAM, and SAM.


0 Kudos
6 Replies

Also worth pointing out that SW recently acquired the ARM product, not a part of Orion (yet?) But it is a dedicated tool for monitoring user permissions and it is ultimately MUCH more powerful and efficient for this kind of thing than rigging up Sam monitors and powershell.

- Marc Netterfield, Github

Thanks for the info!

0 Kudos

I haven't had a chance to get hands on with ARM yet but I was under the impression it monitored AD via the DC's, does it also monitor the local groups on the individual nodes too?

0 Kudos

You could do this either with a powershell script in SAM (or SCM if you can fork out for another product).

In SAM a really really basic solution could be something along the lines of:

    $adminmembers = (Get-LocalGroupmember -Group administrators  | Where-Object {$_.objectclass -eq 'user'}).count

    write-host "message.AdminMembers: Members of the local admin group"

    write-host "statistic.AdminMembers: $adminmembers"

    exit 0

which will give you a count of the members of the local admins group, you could either set the critical value to anything above zero or create a components alert specifically looking at the result.

In SCM just use 'Get-LocalGroupmember -Group 'administrators' | Where-Object {$_.objectclass -eq 'user'}' and baseline all devices.

LEM does this but I see rushcoil doesn't have it. I like the SAM powershell solution.

I monitor root access on Linux boxes and remote admin access on MS servers. Put in a couple rules in LEM and it does it thing. The ISSE likes the email event which ids the folks logging in and the monitor/alert part. I have two for remote MS access ones for straight  up remote logins, in case our SAs decide to be bad and one for users outside our admin team.

0 Kudos

Thank you. I will give this a shot. I think they just want to be altered if someone alters the baseline. They can run Veronis for comprehensive reports.