Auditing

Auditing is both a proactive and a reactive security tool: it informs administrators of events that could be potentially dangerous, and it leaves a trail of accountability if a security infraction does occur. Auditing failed logon attempts, for instance, can warn of rogue users attempting to gain unauthorized access to the system. In addition to auditing normal system events, you can audit changes to the audit policy itself, which records when auditing of a category was disabled and by whom.

By default, auditing is turned off for every security category. The administrator establishes an audit policy by determining which types of security events to audit. Based on the security needs of the organization, the administrator can also choose to audit access to individual objects.

Establishing an Audit Policy

The first step in establishing an audit policy is to determine which event categories should be audited. The following event categories are available for audit:

  • Account logon events
  • Account management
  • Directory service access
  • Logon events
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
  • System events

To select the event categories to audit, you must first determine whether the computer is a domain controller. If it is not, launch Computer Management from the Administrative Tools folder. In the Computer Management console tree, expand System Tools, Group Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies to reach Audit Policy. (The Local Security Policy console in the same Administrative Tools folder opens directly at Security Settings and contains the same Local Policies node.)

If the computer is a domain controller, open the Active Directory Users and Computers snap-in, expand the domain's entry, click Action, and then click Properties. In the Group Policy tab, select the policy and click Edit. Then expand Computer Configuration, Windows Settings, Security Settings, and Local Policies, and then select Audit Policy. Keep in mind that domain controllers sit in the Domain Controllers organizational unit, whose Default Domain Controllers Policy is applied after the domain-level policy and therefore wins for any audit setting that both policies define.

Using either technique, selecting Audit Policy displays the auditable event categories in the right pane. To modify the policy for an event category, right-click that event and choose Security. Select the check box for auditing successful events or auditing failed attempts.
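The same policy can be set and, more importantly, verified from the command line. The following is an added example, not part of the book, and it assumes a current Windows host with auditpol.exe (Windows 2000 offered only the console described above) and an elevated session, since changing the policy needs the Manage Auditing And Security Log right. The per-category choices are one reasonable starting point, not a recommendation from the book; the category names are the modern auditpol names for the nine categories listed above, in the same order.

```powershell
# Added example: set an audit policy per category, then read the effective policy back.
# Assumes auditpol.exe (Vista and later) and an elevated session.

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Starting point chosen per category (an assumption, adjust to the organization's needs).
$policy = [ordered]@{
    'Account Logon'      = @{ success = $true;  failure = $true  }
    'Account Management' = @{ success = $true;  failure = $true  }
    'DS Access'          = @{ success = $false; failure = $true  }
    'Logon/Logoff'       = @{ success = $true;  failure = $true  }
    'Object Access'      = @{ success = $false; failure = $true  }  # must be on before any file SACL fires
    'Policy Change'      = @{ success = $true;  failure = $true  }  # records who turned auditing off, and when
    'Privilege Use'      = @{ success = $false; failure = $true  }  # success auditing here is extremely noisy
    'Detailed Tracking'  = @{ success = $false; failure = $false }  # process tracking: off unless investigating
    'System'             = @{ success = $true;  failure = $true  }
}

function Set-AuditCategory {
    param([string]$Category, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    $out = & auditpol.exe /set "/category:$Category" "/success:$s" "/failure:$f" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Category': $out" }
}

foreach ($entry in $policy.GetEnumerator()) {
    Set-AuditCategory -Category $entry.Key -Success $entry.Value.success -Failure $entry.Value.failure
}

# Verify by reading the effective policy back as CSV. Trust this, not the /set calls:
# a domain Group Policy can silently override whatever was set locally.
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

$unaudited = $effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($unaudited) {
    Write-Warning ('Subcategories at "No Auditing" (confirm each is intentional): ' +
        (($unaudited | ForEach-Object Subcategory) -join ', '))
}
```

The read-back is the check a practitioner actually wants: it shows the policy that is in force after Group Policy has been applied, so a category that a domain policy has disabled shows up as "No Auditing" regardless of what was set locally.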

Auditing Access to Objects

Once the Audit Object Access category is enabled in the Audit Policy item, members of the Administrators group can specify audit criteria for files, folders, network printers, and other objects. The audit criteria for an object include

  • Who is audited for this object
  • Whether accessing this object succeeded or failed
  • What type of object access is audited

Auditing of local files and folders is limited to NTFS partitions.

Examples of access types include viewing a folder's permissions, executing a file, and deleting an object. Follow these steps to select an object for auditing:

  1. Right-click the object in Windows Explorer and choose Properties from the shortcut menu.
  2. In the Security tab, click Advanced.
  3. In the Auditing tab, click Add.
  4. In the Name box, enter the user or group to audit, or select one from the Name list.
  5. Click OK to display the Auditing Entry dialog box. Use the Access list to select whether successful access, failed access, or both types of access are audited.
  6. For folders, use the Apply Onto drop-down list to indicate where the auditing should take place.
  7. Select the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box to limit the entry to the immediate contents of this folder; leave it cleared and the entry propagates to every level beneath the folder.
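The same SACL entry can be written and checked from PowerShell. This is an added example, not from the book; the folder path and the audited principal are assumptions for illustration. It needs an elevated session (writing a SACL requires the Manage Auditing And Security Log right), and the Audit Object Access category must already be enabled in the audit policy or the entry never produces an event.

```powershell
# Added example: audit every attempt to change, delete or re-permission anything under a folder.
# Assumptions: $path exists on an NTFS volume; the session is elevated; Object Access auditing is on.

$path = 'C:\Payroll'   # assumed folder
$who  = 'Everyone'     # assumed principal; narrow to a group if the volume of events is too high

# Auditing of local files and folders works only on NTFS, so check the volume first.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($path))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); file and folder auditing requires NTFS."
}

# The four audit criteria: who, which access types, success and/or failure, and inheritance.
$rights    = [System.Security.AccessControl.FileSystemRights] `
             'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
# PropagationFlags None  = entry propagates to every level (the step 7 check box cleared);
# NoPropagateInherit     = entry applies to immediate children only (the check box selected).
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $propagate, $flags)

# -Audit is required; without it Get-Acl does not read the SACL at all.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the SACL back and confirm the entry landed.
$saved = (Get-Acl -Path $path -Audit).Audit
$saved | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags -AutoSize
$present = $saved | Where-Object { $_.IdentityReference.Value -eq $who -and $_.AuditFlags -eq $flags }
if (-not $present) { throw "Audit entry for $who was not written to $path" }
```

Auditing ReadData or ListDirectory for Everyone on a busy share generates an entry for nearly every access; the set of rights above covers the changes that matter for accountability (modification, deletion, permission and ownership changes) without flooding the security log.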

You'll find more detailed descriptions of auditing in Chapter 10.

Viewing the Security Log

The security log details audit information of events specified in your audit policy. Each time an auditable event occurs, it's added to the log file, where it can be filtered, sorted, searched for, or exported. The security log, along with the application and system logs, is located in Event Viewer and can be found in the Computer Management console tree by expanding System Tools, Event Viewer, and Security. Unlike the application and system logs, the security log can be read only by users who hold the Manage Auditing And Security Log right, which by default means members of the Administrators group.

Each entry in the log contains critical information about the audited event, including whether the attempt failed or was successful, the date and time of the event, the event category and ID, and the audited user and computer. Additional information can be obtained for each entry by right-clicking the entry and choosing Properties.

Manipulating the Security Log

The security log can be sorted by any of the fields listed in the display, such as user or date of event. Simply clicking a field header at the top of the pane causes the log events to be arranged in ascending order by that field. Clicking the field header again sorts the events in descending order. For even more efficiency, you can filter the log to show only those events you're interested in—for example, failed audits only. On the View menu, click Filter. In the Filter tab of the Security Properties dialog box that appears, select the event criteria to view and click OK.

Choose Find from the View menu to search through the displayed lists for specific events, such as all events with a certain event ID.
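Sorting, filtering and searching become far more useful once they are scripted, because the same question (which accounts are failing to log on, who touched the audit policy) can then be asked on a schedule. The following is an added example, not from the book. It assumes a current Security log read with Get-WinEvent (Vista and later) and the current event IDs: 4625 is a failed logon and 4719 is a change to the audit policy itself. On Windows 2000 the corresponding events were 529 (bad user name or password) and its sibling logon-failure IDs, and 612 for an audit policy change. The threshold of ten failures is an assumption.

```powershell
# Added example: the Filter and Find steps, scripted. Assumes Get-WinEvent and modern event IDs.
# Reading the Security log needs the Manage Auditing And Security Log right (Administrators by default).

$since = (Get-Date).AddHours(-24)

# Filter: only Failure Audit logon events (ID 4625) from the last 24 hours.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Each record carries the target account, source address and reason as named fields in its
# XML. Extract those rather than parsing the free-text message, which varies by locale.
function Get-FailedLogonSummary {
    param($Events, [int]$Threshold = 10)
    $rows = foreach ($e in $Events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType
            Status    = $d.Status      # 0xC000006D = bad credentials, 0xC0000234 = locked out, etc.
        }
    }
    # Group by account (the equivalent of sorting on the User column) and keep only
    # accounts whose failure count crosses the threshold, largest first.
    $rows | Group-Object Account | Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                      @{ n = 'Sources'; e = { ($_.Group | ForEach-Object Source | Sort-Object -Unique) -join ',' } }
}

Get-FailedLogonSummary -Events $failed -Threshold 10 | Format-Table -AutoSize

# Find: search for a single event ID, here the record of a change to the audit policy,
# and show who made it. A real intruder often disables auditing before doing anything else.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Actor'; e = {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'SubjectUserName' | ForEach-Object '#text' } } |
    Format-Table -AutoSize
```

Grouping by account rather than listing individual failures is what turns a long Failure Audit listing into something actionable: a single account with hundreds of failures from one source is a password-guessing attempt, while many accounts with one failure each from many sources is a sprayed attack that a per-event view hides.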

Security Log Maintenance

The security log has a defined maximum size. To set the size, right-click Security in Event Viewer and choose Properties. Edit the Maximum Log Size field, specifying the size in kilobytes (the value is rounded to a multiple of 64 KB). The options beneath this field specify what happens when the log is full:

  • Overwrite as needed.
  • Overwrite events older than X days.
  • Do not overwrite events.

Every category enabled in the audit policy is there because you want its events, so the log must be sized and archived so that automatic overwriting never discards events before they have been archived or reviewed. Two of the overflow options have consequences that are easy to miss. With Overwrite Events Older Than X Days, a log that fills with events younger than X days cannot overwrite any of them, and new events are simply dropped until space frees up. With Do Not Overwrite Events, logging stops as soon as the log is full, and if the security option that shuts down the system when it cannot log security audits is also enabled, the server halts; choose that combination only where an archival process is guaranteed to clear the log in time.

To archive the security log, right-click Security in Event Viewer and choose Save Log File As. Choose the path and filename for the file. If you save it as an event log file (with the extension .EVT), the file can be opened in Event Viewer at a later time; the text and comma-delimited formats are convenient for spreadsheets but cannot be reopened in Event Viewer.
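Sizing, overflow behavior and archival can be handled together from PowerShell, which also makes it easy to check that the log cannot wrap before the next archive run. The following is an added example, not from the book. It assumes Windows PowerShell with Limit-EventLog and wevtutil.exe (Vista and later; the native archive format is .EVTX there rather than .EVT), an elevated session, and an archive folder that is an assumption for illustration.

```powershell
# Added example: set the Security log size and overflow policy, estimate whether it can wrap
# before the archive runs, then archive and clear it atomically. Assumes an elevated session.

$archiveDir = 'D:\Logs\Security'   # assumed archive location
$maxBytes   = 256MB                # a multiple of 64 KB, as Windows rounds the size to that unit
$days       = 30                   # retention period, matching "Overwrite events older than X days"

# Equivalent of Maximum Log Size plus Overwrite Events Older Than $days Days.
Limit-EventLog -LogName Security -MaximumSize $maxBytes -OverflowAction OverwriteOlder -RetentionDays $days

# Rough check that the log will not fill inside the retention window: with OverwriteOlder,
# a full log whose oldest event is younger than $days days drops new events instead.
$oldest      = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
$spanDays    = [math]::Max(((Get-Date) - $oldest).TotalDays, 1)
$bytesPerDay = (Get-Item "$env:SystemRoot\System32\winevt\Logs\Security.evtx").Length / $spanDays
$daysToFull  = $maxBytes / $bytesPerDay
if ($daysToFull -lt $days) {
    Write-Warning ('At ~{0:N0} bytes/day the log fills in ~{1:N1} days, inside the {2}-day retention window; ' +
                   'raise the maximum size or archive more often.' -f $bytesPerDay, $daysToFull, $days)
}

# Archive in the native format so Event Viewer (or Get-WinEvent -Path) can reopen it later.
# clear-log /backup writes the backup and clears the log in one operation, so no event can
# arrive between an export and a separate clear and be lost.
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $archiveDir "$env:COMPUTERNAME-Security-$stamp.evtx"
& wevtutil.exe clear-log Security "/backup:$file"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw 'Archiving the Security log failed; nothing was cleared.' }

# Confirm the archive is readable before trusting it.
$check = Get-WinEvent -Path $file -MaxEvents 1
if (-not $check) { throw "Archive $file reopened but contains no events." }
"Archived Security log to $file (oldest event was $oldest)"
```

The growth estimate is deliberately coarse (it divides the current file size by the age of the oldest retained event), but it catches the common mistake of a 16 MB log on a domain controller that is expected to hold 30 days of logon events.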

More information on the settings for the security log as well as on other components in Event Viewer can be found in Chapter 10.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
