In this lesson you learn about Windows 2000 auditing, which is a tool for maintaining network security. Auditing allows you to track user activities and system-wide events. You learn about audit policies and what you need to consider before you set one up. You also learn how to set up auditing on resources.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 activities, which are called events, on a computer. Through auditing, you can specify which events are written to the security log. For example, the security log can maintain a record of valid and invalid logon attempts and events relating to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:
An audit policy defines the categories of events that Windows 2000 records in the security log on each computer. The security log allows you to track the events that you specify.
Windows 2000 writes events to the security log on the computer where the event occurs. For example, any time someone tries to log on to the domain using a domain user account and the logon attempt fails, Windows 2000 writes an event to the security log on the domain controller. The event is recorded on the domain controller rather than on the computer at which the logon attempt was made because it is the domain controller that attempted to and could not authenticate the logon attempt.
You can set up an audit policy for a computer to do the following:
You use Event Viewer to view events that Windows 2000 has recorded in the security log. You can also archive log files to track trends over time—for example, to determine the use of printers or files or to verify attempts at unauthorized use of resources.
When you plan an audit policy you must determine on which computers to set up auditing. Auditing is turned off by default. As you are determining which computers to audit, you must also plan the events to audit on each computer. Windows 2000 records audited events on each computer separately.
After you have determined the events to audit, you must determine whether to audit the success of events, failure of events, or both. Tracking successful events can tell you how often Windows 2000 or users gain access to specific files, printers, or other objects. You can use this information for resource planning. Tracking failed events can alert you to possible security breaches. For example, if you notice several failed logon attempts by a certain user account, especially if these attempts are occurring outside normal business hours, you can assume that an unauthorized person is attempting to break into your system.
Other guidelines in determining your audit policy include the following:
You implement an audit policy based on the role of the computer in the Windows 2000 network. Auditing is configured differently for the following types of computers running Windows 2000:
The event categories on a domain controller are identical to those on a computer that is not a domain controller.
The requirements to set up and administer auditing are as follows:
Setting up auditing is a two-part process:
The first step in implementing an audit GPO is selecting the categories of events that Windows 2000 audits. For each event category that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies in the Group Policy snap-in. The security log is limited in size. Select the events to be audited carefully and consider the amount of disk space you are willing to devote to the security log. Table 21.1 describes the event categories that Windows 2000 can audit.
Table 21.1 Types of Events Audited by Windows 2000
Event Category | Description |
---|---|
Account logon | A domain controller received a request to validate a user account. |
Account management | An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed. |
Directory service access | A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. |
Logon events | A user logged on or logged off, or a user made or canceled a network connection to the computer. |
Object access | A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing. (Directory service access covers a user's access to specific Active Directory objects; object access covers a user's access to files, folders, and printers.) |
Policy change | A change was made to the user security options, user rights, or audit policies. |
Privilege use | A user exercised a right, such as changing the system time (this does not include rights that are related to logging on and logging off). |
Process tracking | A program performed an action. This information is generally useful only for programmers who want to track details of program execution. |
System events | A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log (for example, the audit log is full and Windows 2000 discards entries). |
Follow these steps to set an audit policy for a domain controller:
The console displays the current audit policy settings in the details pane, as shown in Figure 21.2.
Figure 21.2 Custom console showing events that Windows 2000 can audit
Figure 21.3 The Template Security Policy Setting dialog box
Follow these steps to set an audit policy on a computer that does not participate in a domain:
The Effective Policy Setting box shows the security setting value currently enforced on the system. If an audit policy has already been set at the domain level or the OU level, it overrides the local audit policy.
Figure 21.4 The Local Security Policy Setting dialog box
Follow these steps to set an audit policy on a member server or workstation:
NOTE
Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain and enterprise administrators.
If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set the Audit Object Access event category, which includes files and folders, in the audit policy.
Once you have set Audit Object Access in your audit policy, you enable auditing for specific files and folders and specify which types of access to audit (by users or groups).
Follow these steps to set up auditing for specific files and folders:
Figure 21.5 The Auditing Entry For dialog box for the Command Prompt file
Table 21.2 describes the events that can be audited for files and folders and explains what action triggers the event to occur.
Table 21.2 User Events and What Triggers Them
Event | User Activity that Triggers the Event |
---|---|
Traverse Folder/Execute File | Moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders (folders only), or running program files (files only) |
List Folder/Read Data | Viewing filenames and subfolder names within a folder (folders only) or viewing data in files (files only) |
Read Attributes and Read Extended Attributes | Displaying the attributes of a file or folder |
Create Files/Write Data | Creating files within a folder (folders only) or changing the contents of a file (files only) |
Create Folders/Append Data | Creating folders within a folder (folders only) or making changes to the end of the file but not changing, deleting, or overwriting existing data (files only) |
Write Attributes and Write Extended Attributes | Changing attributes of a file or folder |
Delete Subfolders And Files | Deleting a file or subfolder in a folder |
Delete | Deleting a file or folder |
Read Permissions | Viewing permissions or the file owner for a file or folder |
Change Permissions | Changing permissions for a file or folder |
Take Ownership | Taking ownership of a file or folder |
Table 21.3 Results When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only Check Box Is Cleared

Apply Onto | Audits Current Folder | Audits Subfolders in the Current Folder | Audits Files in the Current Folder | Audits All Subsequent Subfolders | Audits Files in All Subsequent Subfolders |
---|---|---|---|---|---|
This folder only | X | | | | |
This folder, subfolders, and files | X | X | X | X | X |
This folder and subfolders | X | X | | X | |
This folder and files | X | | X | | X |
Subfolders and files only | | X | X | X | X |
Subfolders only | | X | | X | |
Files only | | | X | | X |
When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is selected, auditing is applied to the selection in the Apply Onto box and all applicable child objects within the tree.
If the check boxes under Access are shaded in the Auditing Entry For dialog box for the file or folder, or if the Remove button is unavailable in the Access Control Settings For dialog box for the file or folder, auditing has been inherited from the parent folder.
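The following is an added example, not code from the lesson: it adds a file or folder auditing entry from PowerShell instead of the Auditing Entry For dialog box, translating each Apply Onto choice of Table 21.3, and the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box, into the inheritance and propagation flags that the dialog box writes into the SACL. It also lists the inherited entries that the dialog box shows shaded. The path `C:\Data\Payroll` and its subfolder are placeholders; the script needs an elevated prompt holding the Manage Auditing And Security Log right, an NTFS path, and Audit Object Access enabled in the audit policy.

```powershell
# Added example (not the lesson's code). Assumes PowerShell 5 or later on a
# Windows version with Get-Acl -Audit; paths and group names are placeholders.

function Get-ApplyOntoFlags {
    # Returns the InheritanceFlags/PropagationFlags pair for an "Apply onto" choice.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('This folder only', 'This folder, subfolders, and files',
                     'This folder and subfolders', 'This folder and files',
                     'Subfolders and files only', 'Subfolders only', 'Files only')]
        [string]$ApplyOnto,
        [switch]$ThisContainerOnly    # the check box named in the title of Table 21.3
    )
    $None = [System.Security.AccessControl.InheritanceFlags]::None
    $CI   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit  # subfolders
    $OI   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit     # files
    $inherit = switch ($ApplyOnto) {
        'This folder only'                   { $None }
        'This folder, subfolders, and files' { $CI -bor $OI }
        'This folder and subfolders'         { $CI }
        'This folder and files'              { $OI }
        'Subfolders and files only'          { $CI -bor $OI }
        'Subfolders only'                    { $CI }
        'Files only'                         { $OI }
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    # The three "... only" rows of Table 21.3 leave the current folder itself unaudited.
    if ($ApplyOnto -in 'Subfolders and files only', 'Subfolders only', 'Files only') {
        $propagate = $propagate -bor [System.Security.AccessControl.PropagationFlags]::InheritOnly
    }
    # With the check box selected, the entry is inherited by the first level of
    # child objects only; NoPropagateInherit stops it from going further down.
    if ($ThisContainerOnly -and $inherit -ne $None) {
        $propagate = $propagate -bor [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    [pscustomobject]@{ Inheritance = $inherit; Propagation = $propagate }
}

function Add-FileAuditEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'Everyone' or 'CONTOSO\Payroll Admins'
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,  # the Table 21.2 events
        [Parameter(Mandatory)][System.Security.AccessControl.AuditFlags]$AuditFlags,    # Success, Failure, or both
        [string]$ApplyOnto = 'This folder, subfolders, and files',
        [switch]$ThisContainerOnly
    )
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # A file has no children, so its entries carry no inheritance flags.
        $ApplyOnto = 'This folder only'
    }
    $flags = Get-ApplyOntoFlags -ApplyOnto $ApplyOnto -ThisContainerOnly:$ThisContainerOnly
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights, $flags.Inheritance, $flags.Propagation, $AuditFlags)
    $acl = Get-Acl -LiteralPath $Path -Audit    # -Audit reads the SACL, not only the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-InheritedAuditEntries {
    # The entries whose check boxes are shaded in the dialog box: inherited from the parent.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object IsInherited
}

# Audit failed writes by Everyone on the folder and everything beneath it, then audit
# successful ownership and permission changes on the folder itself only.
Add-FileAuditEntry -Path 'C:\Data\Payroll' -Identity 'Everyone' -Rights 'Write' -AuditFlags 'Failure'
Add-FileAuditEntry -Path 'C:\Data\Payroll' -Identity 'Everyone' -Rights 'TakeOwnership, ChangePermissions' `
    -AuditFlags 'Success' -ApplyOnto 'This folder only'
# The Write entry shows up as inherited (shaded in the dialog box) on a subfolder.
Get-InheritedAuditEntries -Path 'C:\Data\Payroll\2024' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
```

The `-Rights` parameter accepts the same names the Auditing Entry For dialog box lists in Table 21.2 (`Write`, `Delete`, `ReadPermissions`, `TakeOwnership`, and so on), combined with commas. Because the entry lands in the SACL, nothing is logged until the Audit Object Access category is enabled in the audit policy, exactly as the text above requires for the dialog box.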
As with auditing file and folder access, to audit Active Directory object access you must configure an audit policy and then set auditing for specific objects, such as users, computers, OUs, or groups, by specifying which types of access and access by which users to audit. You audit Active Directory objects to track access to Active Directory objects, such as changing the properties on a user account. To enable auditing of user access to Active Directory objects, set the Audit Directory Service Access event category in the audit policy.
Follow these steps to set up auditing for specific Active Directory objects:
Table 21.4 describes some of the audit events for Active Directory objects and explains what action triggers the event.
Table 21.4 Some Active Directory Object Events and What Triggers Them
Event | User Activity that Triggers the Event |
---|---|
Full Control | Performing any type of access to the audited object |
List Contents | Viewing the objects within the audited object |
Read All Properties | Viewing any attribute of the audited object |
Write All Properties | Changing any attribute of the audited object |
Create All Child Objects | Creating any object within the audited object |
Delete All Child Objects | Deleting any object within the audited object |
Read Permissions | Viewing the permissions for the audited object |
Modify Permissions | Changing the permissions for the audited object |
Modify Owner | Taking ownership of the audited object |
Figure 21.6 The Auditing Entry For dialog box for the Computers folder
If the check boxes under Access are shaded in the Auditing Entry For dialog box for the object, or if the Remove button is unavailable in the Access Control Settings For dialog box for the object, auditing has been inherited from the parent folder.
Audit access to printers to track access to sensitive printers. To audit access to printers, set the Audit Object Access event category in your audit policy, which includes printers. Then, enable auditing for specific printers and specify which types of access and access by which users to audit. After you select the printer, use the same steps that you use to set up auditing on files and folders.
Follow these steps to set up auditing on a printer:
Figure 21.7 The Auditing Entry For dialog box for a printer
Table 21.5 lists audit events for printers and explains what action triggers the event to occur.
Table 21.5 Printer Events and What Triggers Them
Event | User Activity that Triggers the Event |
---|---|
Print | Printing a file |
Manage Printers | Changing printer settings, pausing a printer, sharing a printer, or removing a printer |
Manage Documents | Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties |
Read Permissions | Viewing printer permissions |
Change Permissions | Changing printer permissions |
Take Ownership | Taking printer ownership |
Table 21.6 lists various events that you should audit as well as the specific security threat that the audit event monitors.
Table 21.6 Recommended Audit Events
Audit Event | Potential Threat |
---|---|
Failure audit for logon/logoff | Random password hack |
Success audit for logon/logoff | Stolen password break-in |
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges |
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files. | Improper access to sensitive files |
Success and failure audit for file-access printers and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers. | Improper access to printers |
Success and failure write access auditing for program files (.exe and .dll extensions). Success and failure auditing for process tracking. Run suspect programs; examine security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log. | Virus outbreak |
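The first two rows of Table 21.6, and the earlier guidance about failed logons outside normal business hours, describe a check that is easy to run over the security log. The script below is an added example, not part of the lesson: it counts failed logons per account, notes how many fell outside business hours, and separately lists successful logons outside business hours. It assumes the event IDs of the Security log on Windows Vista and later (4625 for a failed logon, 4624 for a successful one, with the account name in the `TargetUserName` field) rather than the Windows 2000 event numbers; the sample events are constructed so that the script runs offline, and a commented `Get-WinEvent` line shows where real data comes from. The threshold and business hours are assumptions to adjust.

```powershell
# Added example (not the lesson's code). Thresholds and hours are assumptions.
$BusinessHoursStart = 8    # 08:00
$BusinessHoursEnd   = 18   # 18:00
$FailureThreshold   = 5    # failed logons per account before an account is reported

function Test-OutsideBusinessHours {
    param([Parameter(Mandatory)][datetime]$Time)
    ($Time.DayOfWeek -in 'Saturday', 'Sunday') -or
        ($Time.Hour -lt $BusinessHoursStart) -or ($Time.Hour -ge $BusinessHoursEnd)
}

# Constructed sample events in the shape produced by the Get-WinEvent pipeline below.
# Real data (run against each domain controller, since failed domain logons are
# written to the domain controller's security log, not the workstation's):
#   Get-WinEvent -ComputerName DC1 -LogName Security -FilterXPath "*[System[EventID=4624 or EventID=4625]]" |
#     ForEach-Object { $x = [xml]$_.ToXml()
#       [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated
#         User   = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#         Source = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text' } }
$SampleEvents = @(
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:11:05'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:11:40'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:12:15'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:13:02'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:13:50'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 02:14:31'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-03-12 02:20:09'; User = 'jsmith';     Source = '10.0.0.23' }
    [pscustomobject]@{ Id = 4625; TimeCreated = [datetime]'2024-03-12 10:05:12'; User = 'mwong';      Source = '10.0.1.8'  }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-03-12 10:06:01'; User = 'mwong';      Source = '10.0.1.8'  }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-03-12 09:30:44'; User = 'admin';      Source = '10.0.1.2'  }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-03-16 03:00:00'; User = 'backup-svc'; Source = '10.0.1.9'  }
)

function Find-FailedLogonBursts {
    # Table 21.6, row 1: failure audit for logon -> random password guessing.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = $FailureThreshold)
    $Events | Where-Object Id -eq 4625 | Group-Object User | Where-Object Count -ge $Threshold |
        ForEach-Object {
            $e = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                User       = $_.Name
                Failures   = $_.Count
                AfterHours = @($e | Where-Object { Test-OutsideBusinessHours $_.TimeCreated }).Count
                First      = $e[0].TimeCreated
                Last       = $e[-1].TimeCreated
                Sources    = ($e.Source | Sort-Object -Unique) -join ','
            }
        }
}

function Find-AfterHoursSuccessfulLogons {
    # Table 21.6, row 2: success audit for logon -> a stolen password being used.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Id -eq 4624 -and (Test-OutsideBusinessHours $_.TimeCreated) } |
        Select-Object User, TimeCreated, Source
}

Find-FailedLogonBursts -Events $SampleEvents | Format-Table -AutoSize
Find-AfterHoursSuccessfulLogons -Events $SampleEvents | Format-Table -AutoSize
```

With the sample data, `jsmith` is reported with six failures, all after hours, followed by a successful logon from the same address at 02:20, which is the pattern the text describes; `mwong` stays under the threshold, and `backup-svc` appears in the after-hours list because it logged on during the weekend, a reminder that service accounts need their own expected-hours rule. Both functions need the Logon Events category (and, on a domain controller, Account Logon) enabled for the relevant success or failure setting, or the log simply contains nothing to find.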
In this practice you plan a domain audit policy. You then set up an audit policy for a domain controller by enabling auditing of certain events. You set up auditing of a file, a printer, and an Active Directory object.
In this exercise you plan an audit policy for your server. You need to determine the following:
Use the following criteria to make your decisions:
Record your decisions to audit successful events, failed events, or both for the actions listed in Table 21.7.
Table 21.7 Audit Policy Plan for Exercise 1
Action to Audit | Successful | Failed |
---|---|---|
Account logon events | ||
Account management | ||
Directory service access | ||
Logon events | ||
Object access | ||
Policy change | ||
Privilege use | ||
Process tracking | ||
System events | ||
In this exercise you enable auditing for selected event categories.
To set up an audit policy
Table 21.8 Audit Policy Settings for Exercise 2
Event Category | Success | Failure |
---|---|---|
Account logon events | ||
Account management | X | |
Directory service access | X | |
Logon events | X | |
Object access | X | X |
Policy change | X | |
Privilege use | X | |
Process tracking | ||
System events | X | X |
The policy changes take effect in a few moments.
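For readers who want the command-line equivalent of Table 21.8, the following is an added example, not part of the exercise. It applies the same success and failure settings with `auditpol.exe`, mapping the Windows 2000 category names of Table 21.1 to the names `auditpol` uses. It assumes the `auditpol` syntax of Windows Vista and later, which Windows 2000 does not have; the lesson itself sets these categories in the Group Policy snap-in, and on a domain-joined computer a domain or OU group policy overrides anything set locally this way, as noted above for the Effective Policy Setting box.

```powershell
# Added example (not the lesson's code). Assumes auditpol.exe of Windows Vista or
# later and an elevated prompt; a domain or OU GPO overrides these local settings.

# Windows 2000 category name (Table 21.1) -> auditpol category name
$CategoryNames = @{
    'Account logon events'     = 'Account Logon'
    'Account management'       = 'Account Management'
    'Directory service access' = 'DS Access'
    'Logon events'             = 'Logon/Logoff'
    'Object access'            = 'Object Access'
    'Policy change'            = 'Policy Change'
    'Privilege use'            = 'Privilege Use'
    'Process tracking'         = 'Detailed Tracking'
    'System events'            = 'System'
}

# Table 21.8: which categories audit success, failure, or both
$Plan = @(
    @{ Category = 'Account logon events';     Success = $false; Failure = $false }
    @{ Category = 'Account management';       Success = $true;  Failure = $false }
    @{ Category = 'Directory service access'; Success = $true;  Failure = $false }
    @{ Category = 'Logon events';             Success = $true;  Failure = $false }
    @{ Category = 'Object access';            Success = $true;  Failure = $true  }
    @{ Category = 'Policy change';            Success = $true;  Failure = $false }
    @{ Category = 'Privilege use';            Success = $true;  Failure = $false }
    @{ Category = 'Process tracking';         Success = $false; Failure = $false }
    @{ Category = 'System events';            Success = $true;  Failure = $true  }
)

function Set-AuditCategory {
    param(
        [Parameter(Mandatory)][string]$Category,   # Windows 2000 name from Table 21.1
        [bool]$Success,
        [bool]$Failure
    )
    $name = $CategoryNames[$Category]
    if (-not $name) { throw "Unknown audit category '$Category'" }
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set "/category:$name" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (exit code $LASTEXITCODE)" }
}

# Keep a copy of the current policy so the change can be reverted with auditpol /restore.
& auditpol.exe /backup "/file:$env:TEMP\auditpol-before.csv" | Out-Null

foreach ($entry in $Plan) {
    Set-AuditCategory -Category $entry.Category -Success $entry.Success -Failure $entry.Failure
}

# Show the resulting settings for every category, the command-line view of Figure 21.2.
& auditpol.exe /get /category:*
```

Setting a category with `/set /category:` enables or disables every subcategory beneath it, which matches the coarser Windows 2000 model of Table 21.1; on current systems a practitioner would normally narrow the noisier categories (Object Access, Logon/Logoff) to specific subcategories with `/subcategory:` before the security log fills.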
In this exercise you set up auditing for a file.
To set up auditing of files
Windows 2000 displays the Everyone group in the Access Control Settings For dialog box for the text file.
To change file permissions
The Security message box appears asking you to confirm that you want to clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
Any other permissions are removed.
In this exercise you set up auditing of a printer.
IMPORTANT
To complete this exercise, you need to have a local printer installed on your computer. However, you do not need a printing device connected to the computer. If you do not have a local printer installed, create one now. Remember that printing device refers to the physical machine that prints and that local printer refers to the software that Windows 2000 needs to send data to the printing device.
To set up auditing of a printer
Windows 2000 displays the Everyone group in the Access Control Settings For dialog box for the printer.
In this exercise you set up auditing of an Active Directory object.
To review auditing of an Active Directory object
The Auditing Entry For Users dialog box appears.
Review the default audit settings for object access by members of the Everyone group. How do the audited types of access differ from the types of access that are not audited?
On which computer or computers does Windows 2000 record log entries for Active Directory access? Will you be able to review them?
In this lesson you learned how to set up an audit policy. The first step in implementing an audit policy is selecting the event categories that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts.
For member or standalone servers, or computers running Windows 2000 Professional, an audit policy is set for each individual computer. To audit events that occur on a local computer, you configure a local group policy for that computer, which applies to that computer only.
For domain controllers, an audit policy is set for all domain controllers in the domain. To audit events that occur on domain controllers, you configure a nonlocal group policy for the domain, which applies to all domain controllers.
In the practice portion of this lesson you planned a domain audit policy; set up an audit policy for a domain controller; and set up auditing of a file, a printer, and an Active Directory object.