Lesson 2: Auditing

In this lesson you learn about Windows 2000 auditing, which is a tool for maintaining network security. Auditing allows you to track user activities and system-wide events. You learn about audit policies and what you need to consider before you set one up. You also learn how to set up auditing on resources.


After this lesson, you will be able to

  • Describe the purpose of auditing
  • Plan an audit strategy and determine which events to audit
  • Set up an audit policy
  • Set up auditing on files and folders
  • Set up auditing on Active Directory objects
  • Set up auditing on printers

Estimated lesson time: 60 minutes


Understanding Auditing

Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 activities, which are called events, on a computer. Through auditing, you can specify which events are written to the security log. For example, the security log can maintain a record of valid and invalid logon attempts and events relating to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:

  • The action that was performed
  • The user who performed the action
  • The success or failure of the event and when the event occurred

Using an Audit Policy

An audit policy defines the categories of events that Windows 2000 records in the security log on each computer. The security log allows you to track the events that you specify.

Windows 2000 writes events to the security log on the computer where the event occurs. For example, any time someone tries to log on to the domain using a domain user account and the logon attempt fails, Windows 2000 writes an event to the security log on the domain controller. The event is recorded on the domain controller rather than on the computer at which the logon attempt was made because it is the domain controller that attempted to and could not authenticate the logon attempt.

You can set up an audit policy for a computer to do the following:

  • Track the success and failure of events, such as logon attempts by users, an attempt by a particular user to read a specific file, changes to a user account or to group memberships, and changes to your security settings
  • Eliminate or minimize the risk of unauthorized use of resources

You use Event Viewer to view events that Windows 2000 has recorded in the security log. You can also archive log files to track trends over time—for example, to determine the use of printers or files or to verify attempts at unauthorized use of resources.

Audit Policy Guidelines

When you plan an audit policy you must determine on which computers to set up auditing. Auditing is turned off by default. As you are determining which computers to audit, you must also plan the events to audit on each computer. Windows 2000 records audited events on each computer separately.

After you have determined the events to audit, you must determine whether to audit the success of events, failure of events, or both. Tracking successful events can tell you how often Windows 2000 or users gain access to specific files, printers, or other objects. You can use this information for resource planning. Tracking failed events can alert you to possible security breaches. For example, if you notice several failed logon attempts by a certain user account, especially if these attempts are occurring outside normal business hours, you can assume that an unauthorized person is attempting to break into your system.

Other guidelines in determining your audit policy include the following:

  • Determine if you need to track trends of system usage. If so, plan to archive event logs. Archiving these logs allows you to view how usage changes over time and to plan to increase system resources before they become a problem.
  • Review security logs frequently. You should set a schedule and regularly review security logs because configuring auditing alone does not alert you to security breaches.
  • Define an audit policy that is useful and manageable. Always audit sensitive and confidential data. Audit only those events that provide you with meaningful information about your network environment. This minimizes use of server resources and makes essential information easier to locate. Auditing too many types of events can create excess overhead for Windows 2000.
  • Audit resource access by the Everyone group instead of the Users group. This ensures that you audit anyone who can connect to the network, not just the users for whom you create user accounts in the domain. You should also audit resource access failures by the Everyone group.
  • Audit all administrative tasks by the administrative groups. This ensures that you audit any additions or changes made by administrators.

Configuring Auditing

You implement an audit policy based on the role of the computer in the Windows 2000 network. Auditing is configured differently for the following types of computers running Windows 2000:

  • For member or standalone servers, or computers running Windows 2000 Professional, an audit policy is set for each individual computer. To audit events that occur on a local computer, you configure a local group policy for that computer, which applies to that computer only.
  • For domain controllers, an audit policy is set for all domain controllers in the domain. To audit events that occur on domain controllers, you configure the audit policy in a nonlocal GPO for the domain, which applies to all domain controllers and is accessible through the Domain Controllers OU.

The event categories on a domain controller are identical to those on a computer that is not a domain controller.

Auditing Requirements

The requirements to set up and administer auditing are as follows:

  • You must have the Manage Auditing And Security Log user right for the computer where you want to configure an audit policy or review an audit log. By default, Windows 2000 grants this right to the Administrators group.
  • The files and folders to be audited must be on NT file system (NTFS) volumes.

Setting Up Auditing

Setting up auditing is a two-part process:

  1. Set the audit policy. The audit policy enables auditing of objects but does not activate auditing of specific objects.
  2. Enable auditing of specific resources. You specify the specific events to audit for files, folders, printers, and Active Directory objects. Windows 2000 then tracks and logs the specified events.

Setting Up an Audit Policy

The first step in implementing an audit GPO is selecting the categories of events that Windows 2000 audits. For each event category that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies in the Group Policy snap-in. The security log is limited in size. Select the events to be audited carefully and consider the amount of disk space you are willing to devote to the security log. Table 21.1 describes the event categories that Windows 2000 can audit.

Table 21.1 Types of Events Audited by Windows 2000

Event Category | Description
Account logon | A domain controller received a request to validate a user account.
Account management | An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed.
Directory service access | A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event.
Logon events | A user logged on or logged off, or a user made or canceled a network connection to the computer.
Object access | A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing. (Directory service access audits a user's access to specific Active Directory objects; object access audits a user's access to files, folders, and printers.)
Policy change | A change was made to the user security options, user rights, or audit policies.
Privilege use | A user exercised a right, such as changing the system time (this does not include rights that are related to logging on and logging off).
Process tracking | A program performed an action. This information is generally useful only for programmers who want to track details of program execution.
System events | A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log (for example, the audit log is full and Windows 2000 discards entries).

Follow these steps to set an audit policy for a domain controller:

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click Domain Controllers, and then click Properties.
  3. In the Group Policy tab, click the policy in which you want to set the audit policy, and then click Edit.
  4. In the Group Policy snap-in, in the console tree, click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.

    The console displays the current audit policy settings in the details pane, as shown in Figure 21.2.

    Figure 21.2 Custom console showing events that Windows 2000 can audit

  5. In the details pane, right-click the event category you want to audit, and then click Security.
  6. In the Template Security Policy Setting dialog box (see Figure 21.3), click Define These Policy Settings In The Template, and then click one or both:
    • Success, to audit successful attempts for the event category
    • Failure, to audit failed attempts for the event category
  7. Click OK.
  8. Because the changes that you make to your computer's audit policy take effect only when the policy is propagated (applied) to your computer, do one of the following to initiate policy propagation:
    • Type secedit /refreshpolicy machine_policy at the command prompt, and then press Enter.
    • Restart your computer.
    • Wait for automatic policy propagation, which occurs at regular, configurable intervals. By default, policy propagation occurs every 8 hours.

    Figure 21.3 The Template Security Policy Setting dialog box

Follow these steps to set an audit policy on a computer that does not participate in a domain:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. In Local Security Settings, in the console tree, double-click Local Policies, and then double-click Audit Policy.
  3. In the details pane, right-click the event category you want to audit, and then click Security.
  4. In the Local Security Policy Setting dialog box (see Figure 21.4), click one or both of the following check boxes:
    • Success. This audits successful attempts for the event category
    • Failure. This audits failed attempts for the event category

    The Effective Policy Setting box shows the security setting value currently enforced on the system. If an audit policy has already been set at the domain level or the OU level, it overrides the local audit policy.

  5. Click OK.
  6. Because the changes that you make to your computer's audit policy take effect only when the policy is propagated (applied) to your computer, do one of the following to initiate policy propagation:
    • Type secedit /refreshpolicy machine_policy at the command prompt, and then press Enter.
    • Restart your computer.
    • Wait for automatic policy propagation, which occurs at regular, configurable intervals. By default, policy propagation occurs every 8 hours.

    Figure 21.4 The Local Security Policy Setting dialog box

Follow these steps to set an audit policy on a member server or workstation:

  1. Create an OU for the remote computer(s) and add the desired machine account(s) to the OU.
  2. Using Active Directory Users and Computers, as described in the steps outlined earlier to set an audit policy for a domain controller, create an audit policy to enable security auditing.

NOTE

Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain and enterprise administrators.

Auditing Access to Files and Folders

If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set the Audit Object Access event category, which includes files and folders, in the audit policy.

Once you have set Audit Object Access in your audit policy, you enable auditing for specific files and folders and specify which types of access to audit (by users or groups).

Follow these steps to set up auditing for specific files and folders:

  1. In Windows Explorer, right-click the file or folder you want to audit, and then click Properties.
  2. In the Security tab in the Properties dialog box for a file or folder, click Advanced.
  3. In the Access Control Settings For dialog box for the file or folder, in the Auditing tab, click Add, select the users and groups for whom you want to audit file and folder access, and then click OK.
  4. In the Auditing Entry For dialog box for the file or folder (see Figure 21.5), select the Successful check box, the Failed check box, or both check boxes for the events that you want to audit.

    Figure 21.5 The Auditing Entry For dialog box for the Command Prompt file

    Table 21.2 describes the events that can be audited for files and folders and explains what action triggers the event to occur.

    Table 21.2 User Events and What Triggers Them

    Event | User Activity that Triggers the Event
    Traverse Folder/Execute File | Moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (folders only), or running program files (files only)
    List Folder/Read Data | Viewing filenames and subfolder names within a folder (folders only) or viewing data in files (files only)
    Read Attributes and Read Extended Attributes | Displaying the attributes of a file or folder
    Create Files/Write Data | Creating files within a folder (folders only) or changing the contents of a file (files only)
    Create Folders/Append Data | Creating folders within a folder (folders only) or making changes to the end of the file but not changing, deleting, or overwriting existing data (files only)
    Write Attributes and Write Extended Attributes | Changing attributes of a file or folder
    Delete Subfolders And Files | Deleting a file or subfolder in a folder
    Delete | Deleting a file or folder
    Read Permissions | Viewing permissions or the file owner for a file or folder
    Change Permissions | Changing permissions for a file or folder
    Take Ownership | Taking ownership of a file or folder
  5. In the Apply Onto list (available only for folders), specify where objects are audited. By default, this box is set to This Folder, Subfolders and Files, so any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders. Where objects are audited depends on the selection in the Apply Onto list and whether the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is selected, as shown in Table 21.3.

    Table 21.3 Results When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only Check Box Is Cleared

    Apply Onto                          | Audits Current Folder | Audits Subfolders in the Current Folder | Audits Files in the Current Folder | Audits All Subsequent Folders | Audits Files in All Subsequent Subfolders
    This folder only                    | X                     |                                         |                                    |                               |
    This folder, subfolders, and files  | X                     | X                                       | X                                  | X                             | X
    This folder and subfolders          | X                     | X                                       |                                    | X                             |
    This folder and files               | X                     |                                         | X                                  |                               | X
    Subfolders and files only           |                       | X                                       | X                                  | X                             | X
    Subfolders only                     |                       | X                                       |                                    | X                             |
    Files only                          |                       |                                         | X                                  |                               | X

    When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is selected, auditing is applied to the selection in the Apply Onto box and all applicable child objects within the tree.

  6. Click OK to return to the Access Control Settings For dialog box for the file or folder.
  7. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.

    If the check boxes under Access are shaded in the Auditing Entry For dialog box for the file or folder, or if the Remove button is unavailable in the Access Control Settings For dialog box for the file or folder, auditing has been inherited from the parent folder.

  8. Click OK.
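The following Python script is added here as a worked example of the Table 21.3 rules from step 5; it is not part of the training kit. It builds the table as data and applies it to a constructed folder tree, so you can check which files and folders an auditing entry on a folder reaches for each Apply Onto choice. The tree is constructed, and the effect of selecting the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is modelled as an assumption taken from the check box's name: the entry stops at the folder's immediate children.

```python
# Table 21.3 as data: for each Apply Onto choice, the kinds of object, relative
# to the folder that carries the auditing entry, that the entry audits when the
# "within this container only" check box is cleared.
CURRENT = "current folder"
SUBFOLDERS_HERE = "subfolders in current folder"
FILES_HERE = "files in current folder"
SUBFOLDERS_DEEPER = "all subsequent subfolders"
FILES_DEEPER = "files in all subsequent subfolders"

APPLY_ONTO = {
    "This folder only": {CURRENT},
    "This folder, subfolders, and files": {CURRENT, SUBFOLDERS_HERE, FILES_HERE,
                                           SUBFOLDERS_DEEPER, FILES_DEEPER},
    "This folder and subfolders": {CURRENT, SUBFOLDERS_HERE, SUBFOLDERS_DEEPER},
    "This folder and files": {CURRENT, FILES_HERE, FILES_DEEPER},
    "Subfolders and files only": {SUBFOLDERS_HERE, FILES_HERE,
                                  SUBFOLDERS_DEEPER, FILES_DEEPER},
    "Subfolders only": {SUBFOLDERS_HERE, SUBFOLDERS_DEEPER},
    "Files only": {FILES_HERE, FILES_DEEPER},
}

# Constructed NTFS tree (not from the lesson): path -> "folder" or "file".
TREE = {
    r"D:\Customers": "folder",
    r"D:\Customers\index.txt": "file",
    r"D:\Customers\2000": "folder",
    r"D:\Customers\2000\q1.db": "file",
    r"D:\Customers\2000\archive": "folder",
    r"D:\Customers\2000\archive\q0.db": "file",
    r"D:\Other": "folder",
    r"D:\Other\notes.txt": "file",
}


def classify(path, kind, audited_folder):
    """Return the Table 21.3 column an object falls under, relative to the
    folder that carries the auditing entry, or None if it lies outside it."""
    audited_folder = audited_folder.rstrip("\\")
    if path == audited_folder:
        return CURRENT if kind == "folder" else None
    prefix = audited_folder + "\\"
    if not path.startswith(prefix):
        return None
    # Depth 1 is a direct child of the audited folder; deeper is "subsequent".
    depth = path[len(prefix):].count("\\") + 1
    if kind == "folder":
        return SUBFOLDERS_HERE if depth == 1 else SUBFOLDERS_DEEPER
    return FILES_HERE if depth == 1 else FILES_DEEPER


def audited_objects(tree, audited_folder, apply_onto, container_only=False):
    """Paths in `tree` that an auditing entry on `audited_folder` reaches.

    container_only models the Apply These Auditing Entries To Objects And/Or
    Containers Within This Container Only check box. Assumption taken from the
    check box's name: when selected, the entry stops at the folder's immediate
    children, so the two "subsequent" columns of Table 21.3 drop out."""
    scope = set(APPLY_ONTO[apply_onto])
    if container_only:
        scope -= {SUBFOLDERS_DEEPER, FILES_DEEPER}
    return sorted(path for path, kind in tree.items()
                  if classify(path, kind, audited_folder) in scope)


if __name__ == "__main__":
    for choice in APPLY_ONTO:
        print(f"{choice}:")
        for path in audited_objects(TREE, r"D:\Customers", choice):
            print("   ", path)
```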

Auditing Access to Active Directory Objects

As with auditing file and folder access, to audit Active Directory object access you must configure an audit policy and then set auditing for specific objects, such as users, computers, OUs, or groups, by specifying which types of access and access by which users to audit. You audit Active Directory objects to track access to Active Directory objects, such as changing the properties on a user account. To enable auditing of user access to Active Directory objects, set the Audit Directory Service Access event category in the audit policy.

Follow these steps to set up auditing for specific Active Directory objects:

  1. In Active Directory Users and Computers, click View, and then click Advanced Features.
  2. Select the object that you want to audit, click Properties on the Action menu, click the Security tab, and then click the Advanced button.
  3. In the Access Control Settings For dialog box for the object, in the Auditing tab, click Add, select the users or groups for whom you want to audit object access, and then click OK.
  4. In the Auditing Entry For dialog box for the object (see Figure 21.6), select the Successful check box, the Failed check box, or both check boxes for the events that you want to audit.

    Table 21.4 describes some of the audit events for Active Directory objects and explains what action triggers the event.

    Table 21.4 Some Active Directory Object Events and What Triggers Them

    Event | User Activity that Triggers the Event
    Full Control | Performing any type of access to the audited object
    List Contents | Viewing the objects within the audited object
    Read All Properties | Viewing any attribute of the audited object
    Write All Properties | Changing any attribute of the audited object
    Create All Child Objects | Creating any object within the audited object
    Delete All Child Objects | Deleting any object within the audited object
    Read Permissions | Viewing the permissions for the audited object
    Modify Permissions | Changing the permissions for the audited object
    Modify Owner | Taking ownership of the audited object

    Figure 21.6 The Auditing Entry For dialog box for the Computers folder

  5. In the Apply Onto list, specify where objects are audited. By default, this box is set to This Object And All Child Objects, so any auditing changes that you make to a parent object also apply to all child objects. Where objects are audited depends on the selection in the Apply Onto list and whether the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is selected. These two features are only enabled for objects that act as containers.
  6. Click OK to return to the Access Control Settings For dialog box for the object.
  7. To prevent changes that are made to a parent object from applying to the currently selected object, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.

    If the check boxes under Access are shaded in the Auditing Entry For dialog box for the object, or if the Remove button is unavailable in the Access Control Settings For dialog box for the object, auditing has been inherited from the parent object.

  8. Click OK.

Auditing Access to Printers

Audit access to printers to track access to sensitive printers. To audit access to printers, set the Audit Object Access event category in your audit policy, which includes printers. Then, enable auditing for specific printers and specify which types of access and access by which users to audit. After you select the printer, use the same steps that you use to set up auditing on files and folders.

Follow these steps to set up auditing on a printer:

  1. Click Start, point to Settings, and then click Printers.
  2. In the Printers system folder, right-click the printer you want to audit, and then click Properties.
  3. In the Properties dialog box for the printer, click the Security tab, and then click Advanced.
  4. In the Access Control Settings For dialog box for the printer, in the Auditing tab, click Add, select the appropriate users or groups for whom you want to audit printer access, click Add, and then click OK.
  5. In the Auditing Entry For dialog box for the printer (see Figure 21.7), select the Successful check box, the Failed check box, or both check boxes for the events that you want to audit.

    Figure 21.7 The Auditing Entry For dialog box for a printer

    Table 21.5 lists audit events for printers and explains what action triggers the event to occur.

    Table 21.5 Printer Events and What Triggers Them

    Event | User Activity that Triggers the Event
    Print | Printing a file
    Manage Printers | Changing printer settings, pausing a printer, sharing a printer, or removing a printer
    Manage Documents | Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties
    Read Permissions | Viewing printer permissions
    Change Permissions | Changing printer permissions
    Take Ownership | Taking printer ownership
  6. In the Apply Onto list, select where the auditing setting applies.
  7. Click OK in the appropriate dialog boxes to exit.

Auditing Practices

Table 21.6 lists various events that you should audit as well as the specific security threat that the audit event monitors.

Table 21.6 Recommended Audit Events

Audit Event | Potential Threat
Failure audit for logon/logoff. | Random password hack
Success audit for logon/logoff. | Stolen password break-in
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events. | Misuse of privileges
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files. | Improper access to sensitive files
Success and failure audit for printer-access and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers. | Improper access to printers
Success and failure write access auditing for program files (.exe and .dll extensions). Success and failure auditing for process tracking. Run suspect programs; examine the security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log. | Virus outbreak
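The Python script below is an added example, not part of the training kit, that ties the Audit Policy Guidelines (several failed logons by one account, especially outside business hours) to the Table 21.6 rows for random password hacks and virus outbreaks. It reviews a constructed set of security-log entries carrying the fields the lesson says an audit entry records (action, user, success or failure, when it occurred, plus the object for object access) and reports accounts with repeated failed logons and any write access to .exe or .dll files. The log entries, the 8:00 to 18:00 office hours, and the threshold of three failures are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample security-log entries (not a real Windows 2000 export):
# (when, action, user, outcome, object). Object is empty for logon events.
SAMPLE_LOG = [
    ("2000-05-01 02:10:05", "Logon", "jsmith", "Failure", ""),
    ("2000-05-01 02:11:40", "Logon", "jsmith", "Failure", ""),
    ("2000-05-01 02:13:02", "Logon", "jsmith", "Failure", ""),
    ("2000-05-01 02:15:30", "Logon", "jsmith", "Success", ""),
    ("2000-05-01 09:02:11", "Logon", "mlee", "Failure", ""),
    ("2000-05-01 09:02:30", "Logon", "mlee", "Success", ""),
    ("2000-05-01 10:15:00", "Create Files/Write Data", "mlee", "Success",
     r"\\SERVER1\Customers\report.txt"),
    ("2000-05-01 23:40:12", "Create Files/Write Data", "jsmith", "Success",
     r"C:\Apps\Billing\billing.exe"),
    ("2000-05-01 23:41:00", "Create Files/Write Data", "jsmith", "Failure",
     r"C:\Apps\Billing\billcore.dll"),
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed office hours
PROGRAM_EXTENSIONS = (".exe", ".dll")       # program files per Table 21.6


def parse_entry(entry):
    """Turn one raw tuple into a dict with a real datetime for filtering."""
    when, action, user, outcome, obj = entry
    return {
        "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "user": user,
        "outcome": outcome,
        "object": obj,
    }


def outside_business_hours(when):
    """True when the timestamp falls outside the assumed office hours."""
    start, end = BUSINESS_HOURS
    return not (start <= when.time() < end)


def failed_logons(entries, threshold=3):
    """Accounts with at least `threshold` failed logons, and how many of those
    failures fell outside business hours. The lesson reads repeated failures,
    especially after hours, as a likely break-in attempt (Table 21.6:
    "Random password hack")."""
    counts = defaultdict(lambda: {"failures": 0, "after_hours": 0})
    for raw in entries:
        e = parse_entry(raw)
        if e["action"] != "Logon" or e["outcome"] != "Failure":
            continue
        counts[e["user"]]["failures"] += 1
        if outside_business_hours(e["when"]):
            counts[e["user"]]["after_hours"] += 1
    return {user: c for user, c in counts.items() if c["failures"] >= threshold}


def program_file_writes(entries):
    """Write Data events, successful or failed, against .exe or .dll files.
    Table 21.6 names these as the signal for tampering with program files."""
    hits = []
    for raw in entries:
        e = parse_entry(raw)
        if e["action"] != "Create Files/Write Data":
            continue
        if e["object"].lower().endswith(PROGRAM_EXTENSIONS):
            hits.append((e["user"], e["object"], e["outcome"]))
    return hits


def review(entries):
    """One finding line per suspicious pattern found in the log."""
    findings = []
    for user, c in sorted(failed_logons(entries).items()):
        findings.append(f"{user}: {c['failures']} failed logons, "
                        f"{c['after_hours']} outside business hours")
    for user, obj, outcome in program_file_writes(entries):
        findings.append(f"{user}: {outcome.lower()} write to program file {obj}")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_LOG):
        print(line)
```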

Practice: Auditing Resources and Events

In this practice you plan a domain audit policy. You then set up an audit policy for a domain controller by enabling auditing of certain events. You set up auditing of a file, a printer, and an Active Directory object.

Exercise 1: Planning a Domain Audit Policy

In this exercise you plan an audit policy for your server. You need to determine the following:

  • Which types of events to audit
  • Whether to audit the success or failure of an event, or both

Use the following criteria to make your decisions:

  • Record unsuccessful attempts to gain access to the network.
  • Record unauthorized access to the files that make up the Customer database.
  • For billing purposes, track color printer usage.
  • Track whenever someone tries to tamper with the server hardware.
  • Keep a record of actions that an administrator performs to track unauthorized changes.
  • Track backup procedures to prevent data theft.
  • Track unauthorized access to sensitive Active Directory objects.

Record your decisions to audit successful events, failed events, or both for the actions listed in Table 21.7.

Table 21.7 Audit Policy Plan for Exercise 1

Action to Audit | Successful | Failed
Account logon events | |
Account management | |
Directory service access | |
Logon events | |
Object access | |
Policy change | |
Privilege use | |
Process tracking | |
System events | |

Exercise 2: Setting Up an Audit Policy

In this exercise you enable auditing for selected event categories.

To set up an audit policy

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click Domain Controllers, and then click Properties.
  3. In the Properties dialog box, in the Group Policy tab, select the Default Domain Controllers Policy group policy, and then click Edit.
  4. In the Group Policy snap-in, in the console tree, click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
  5. To set the audit policy, in the details pane, double-click each event category, and then select either Success or Failure as listed in Table 21.8.

    Table 21.8 Audit Policy Settings for Exercise 2

    Event Category Success Failure
    Account logon events
    Account management X
    Directory service access X
    Logon events X
    Object access X X
    Policy change X
    Privilege use X
    Process tracking
    System events X X
  6. Close the Group Policy snap-in.
  7. Close the Domain Controllers Properties dialog box.
  8. Start a command prompt.
  9. At the command prompt, type secedit /refreshpolicy machine_policy, then press Enter.

    The policy changes take effect in a few moments.

  10. Close the command prompt.

Exercise 3: Setting Up Auditing of Files

In this exercise you set up auditing for a file.

To set up auditing of files

  1. In Windows Explorer, locate a file such as a simple text file.
  2. Right-click the filename, and then click Properties.
  3. In the Properties dialog box, click the Security tab, and then click Advanced.
  4. In the Access Control Settings For dialog box for the text file, click the Auditing tab.
  5. Click Add.
  6. In the Select User, Computer, Or Group dialog box, double-click Everyone in the list of user accounts and groups.
  7. In the Auditing Entry For dialog box for the text file, select the Successful check box and the Failed check box for each of the following events:
    • Create Files/Write Data
    • Delete
    • Change Permissions
    • Take Ownership
  8. Click OK.

    Windows 2000 displays the Everyone group in the Access Control Settings For dialog box for the text file.

  9. Click OK to apply your changes.

To change file permissions

  1. In the Properties dialog box, on the Security tab, add the Everyone group.
  2. Change the NTFS permissions for the Everyone group to only the Read permission for the file, and clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

    The Security message box appears asking you to confirm that you want to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

  3. On the Security message box, click Remove, and then click OK.

    Any other permissions are removed.

  4. Click OK to close the Properties dialog box, and then close Windows Explorer.

Exercise 4: Setting Up Auditing of a Printer

In this exercise you set up auditing of a printer.

IMPORTANT

To complete this exercise, you need to have a local printer installed on your computer. However, you do not need a printing device connected to the computer. If you do not have a local printer installed, create one now. Remember that printing device refers to the physical machine that prints and that local printer refers to the software that Windows 2000 needs to send data to the printing device.

To set up auditing of a printer

  1. Click Start, point to Settings, and then click Printers.
  2. In the Printers system folder, right-click a printer associated with your computer, and then click Properties.
  3. Click the Security tab, and then click Advanced.
  4. In the Access Control Settings For dialog box for the printer, click the Auditing tab, and then click Add.
  5. In the Select User, Computer, Or Group dialog box, double-click Everyone in the list box.
  6. In the Auditing Entry For dialog box for the printer, select the Successful check box for all types of access.
  7. Click OK.

    Windows 2000 displays the Everyone group in the Access Control Settings For dialog box for the printer.

  8. In the Access Control Settings For dialog box for the printer, click OK to apply your changes.
  9. Click OK to close the printer Properties dialog box.
  10. Close the Printers system folder.

Exercise 5: Setting Up Auditing of an Active Directory Object

In this exercise you set up auditing of an Active Directory object.

To review auditing of an Active Directory object

  1. Start Active Directory Users and Computers.
  2. On the View menu, click Advanced Features.
  3. In the console tree, click your domain.
  4. In the details pane, click Users, and then on the Action menu, click Properties.
  5. In the Users Properties dialog box, click the Security tab, and then click Advanced.
  6. In the Access Control Settings For Users dialog box, click the Auditing tab, and then double-click Everyone.

    The Auditing Entry For Users dialog box appears.

    Review the default audit settings for object access by members of the Everyone group. How do the audited types of access differ from the types of access that are not audited?

  7. Click OK three times to close the Auditing Entry For Users, the Access Control Settings For Users, and the Users Properties dialog boxes.

    On which computer or computers does Windows 2000 record log entries for Active Directory access? Will you be able to review them?

  8. Close Active Directory Users and Computers.

Lesson Summary

In this lesson you learned how to set up an audit policy. The first step in implementing an audit policy is selecting the event categories that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts.

For member or standalone servers, or computers running Windows 2000 Professional, an audit policy is set for each individual computer. To audit events that occur on a local computer, you configure a local group policy for that computer, which applies to that computer only.

For domain controllers, an audit policy is set for all domain controllers in the domain. To audit events that occur on domain controllers, you configure a nonlocal group policy for the domain, which applies to all domain controllers.

In the practice portion of this lesson you planned a domain audit policy; set up an audit policy for a domain controller; and set up auditing of a file, a printer, and an Active Directory object.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244