In this lesson, you learn about Windows 2000 auditing, which is a tool for maintaining network security. Auditing allows you to track user activities and system-wide events. In addition, you learn about audit policies and what you need to consider before you set up a policy. You also learn how to set up auditing on resources and how to maintain security logs.
After this lesson, you will be able to
Estimated lesson time: 75 minutes
Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 activities, called events, on a computer. Through auditing, you can specify that Windows 2000 writes a record of an event to the security log. The security log maintains a record of valid and invalid logon attempts and events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:
An audit policy defines the types of security events that Windows 2000 records in the security log on each computer. The security log allows you to track the events that you specify.
Windows 2000 writes events to the security log on the computer on which the event occurs. For example, you can configure auditing so that any time someone tries to log on to the domain by using a domain user account and the logon attempt fails, Windows 2000 writes an event to the security log on the domain controller. The event is recorded on the domain controller rather than on the computer at which the logon attempt was made, because it is the domain controller that attempted to and could not authenticate the logon attempt.
You can set up an audit policy for a computer to do the following:
You can use Event Viewer to view events that Windows 2000 has recorded in the security log. You can also archive log files to track trends over time—for example, to determine the use of printers or files or to verify attempts at unauthorized use of resources.
When you plan an audit policy, you must determine the computers on which to set up auditing. Auditing is turned off by default. As you are determining which computers to audit, you must also plan what to audit on each computer. Windows 2000 records audited events on each computer separately.
The types of events that you can audit include the following:
After you have determined the types of events to audit, you must determine whether to audit the success and/or failure of events. Tracking successful events can tell you how often Windows 2000 users or services gain access to specific files, printers, or other objects. You can use this information for resource planning. Tracking failed events can alert you to possible security breaches. For example, if you notice a lot of failed logon attempts by a certain user account, especially if these attempts are occurring outside normal business hours, an unauthorized person might be attempting to break into your system.
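The failed-logon pattern just described can be checked mechanically once the Security log has been exported. The following Python is an added example, not part of the lesson: it parses a constructed tab-separated export of Security log records (the date, time, type, category, event ID, user layout is assumed to match Event Viewer's Save As text export; event IDs 528 and 529 are the Windows 2000-era successful-logon and failed-logon identifiers) and reports, for each account, how many logon failures occurred and how many of them fell outside an assumed 08:00 to 18:00 business day. The `threshold` value and the business hours are assumptions to tune for your environment.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample of Security log records in a tab-separated layout:
# date, time, type, category, event ID, user. Event IDs 528 (successful
# logon) and 529 (logon failure: unknown user name or bad password) are the
# Windows 2000-era identifiers. Every row here is made up for the example.
SAMPLE_EXPORT = """\
3/14/2001\t08:02:11\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\alice
3/14/2001\t09:15:40\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\bob
3/14/2001\t09:16:02\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\bob
3/14/2001\t23:41:05\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\svc_backup
3/14/2001\t23:41:09\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\svc_backup
3/14/2001\t23:41:14\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\svc_backup
3/14/2001\t23:41:20\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\svc_backup
3/14/2001\t23:41:27\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\svc_backup
3/15/2001\t02:10:33\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\carol
"""


def parse_export(text):
    """Turn the exported text into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, category, event_id, user = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S"),
            "type": kind,
            "category": category,
            "event_id": int(event_id),
            "user": user,
        })
    return events


def summarize_failed_logons(events, threshold=3,
                            business_start=time(8, 0), business_end=time(18, 0)):
    """Count failed logons (event 529) per account and how many of them fell
    outside business hours. An account is flagged for review once its failure
    count reaches `threshold`; the after-hours count is reported alongside so
    the reviewer can weight it, as the lesson suggests."""
    failures = Counter()
    after_hours = Counter()
    for ev in events:
        if ev["event_id"] != 529:
            continue
        failures[ev["user"]] += 1
        clock = ev["when"].time()
        if not (business_start <= clock < business_end):
            after_hours[ev["user"]] += 1
    return {
        user: {
            "failures": count,
            "after_hours": after_hours[user],
            "flagged": count >= threshold,
        }
        for user, count in failures.items()
    }


if __name__ == "__main__":
    report = summarize_failed_logons(parse_export(SAMPLE_EXPORT))
    for user, info in sorted(report.items()):
        verdict = "REVIEW" if info["flagged"] else "ok"
        print(f"{user:22} failures={info['failures']} "
              f"after_hours={info['after_hours']} {verdict}")
```

Run against the sample, the service account with five after-hours failures is flagged while the single daytime mistype by a normal user is not; the single 02:10 failure is reported but left below the threshold, which is the kind of judgement call the analyst still has to make.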
Consider the following guidelines in determining your audit policy:
Auditing is a powerful tool for tracking events that occur on computers in your organization. To implement auditing, you must consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, printers, and Active Directory objects.
You can implement an audit policy based on the role of the computer in the Windows 2000 network. Auditing is configured differently for the following types of computers running Windows 2000:
The types of events that you can audit on a domain controller are identical to those you can audit on a computer that is not a domain controller. The procedure is similar as well, but you use a group policy for the domain to control auditing for domain controllers.
The requirements to set up and administer auditing are as follows:
Setting Up Auditing
Setting up auditing is a two-part process:
The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You can set audit policies by using the Group Policy snap-in.
Table 27.3 describes the types of events that Windows 2000 can audit.
Table 27.3 Events that can be Audited by Windows 2000
| Event | Description |
|---|---|
| Account logon events | A domain controller received a request to validate a user account. |
| Account management | An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed. |
| Directory service access | A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. |
| Logon events | A user logged on or logged off, or a user made or canceled a network connection to the computer. |
| Object access | A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing. Directory service access is auditing a user's access to specific Active Directory objects; object access is auditing a user's access to files, folders, and printers. |
| Policy change | A change was made to the user security options, user rights, or audit policies. |
| Privilege use | A user exercised a right, such as changing the system time. (This does not include rights that are related to logging on and logging off.) |
| Process tracking | A program performed an action. This information is generally useful only for programmers who want to track details of program execution. |
| System | A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 discards entries.) |
To set an audit policy on a computer that is not a domain controller, create a custom MMC and add the Group Policy snap-in. In the console tree, select Audit Policy from the Computer Configuration node, as shown in Figure 27.18. The console displays the current audit policy settings in the details pane.
Figure 27.18 Group Policy snap-in with the Audit Policy folder selected
Changes that you make to your computer's audit policy take effect when one of the following events occurs:
If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first enable the Audit object access policy, which includes files and folders.
Once you have set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit. To enable auditing for a specific file or folder, open the Properties dialog box for that file or folder, select the Security tab, and then click Advanced. Select the Auditing tab and configure auditing for the selected file or folder.
To audit Active Directory object access, you must configure an audit policy and then set auditing for specific objects, such as users, computers, OUs, or groups, by specifying which types of access, and access by which users, to audit.
To enable auditing of access to Active Directory objects, enable the Audit directory services access policy in the Group Policy snap-in.
To enable auditing for specific Active Directory objects, open the Active Directory Users And Computers snap-in and select Advanced Features from the View menu. Open the Properties dialog box for the object that you want to audit. On the Security tab, click Advanced. Select the Auditing tab and configure auditing for that object.
You can audit access to printers in order to track access to sensitive printers. To audit access to printers, enable the Audit Object Access policy, which includes printers. Then enable auditing for specific printers, and specify which types of access and access by which users to audit. After you select the printer, you use the same steps that you use to set up auditing on files and folders.
To set up auditing on a printer, open the Properties dialog box for the printer that you want to audit. On the Security tab, click Advanced. Select the Auditing tab and configure auditing for the printer.
You can use Event Viewer to perform a variety of tasks, including viewing the audit logs that are generated as a result of setting audit policies and auditing events. You can also use Event Viewer to view the contents of security log files and find specific events within log files.
You can use Event Viewer to view information contained in Windows 2000 logs. By default there are three logs available to view in Event Viewer. These logs are described in Table 27.4.
Table 27.4 Logs Viewable with Event Viewer
| Log | Description |
|---|---|
| Application log | Contains errors, warnings, or information generated by programs, such as a database program or an e-mail program. The program developer presets which events to record. |
| Security log | Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy. |
| System log | Contains errors, warnings, and information generated by Windows 2000. Windows 2000 presets which events to record. |
If additional services are installed, they might add their own event log. For example, the DNS service logs DNS events in the DNS Server log.
The Security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. You can view the Security log in the Event Viewer snap-in, as shown in Figure 27.19.
Figure 27.19 Event Viewer snap-in with the Security Log selected
In the details pane, Event Viewer displays a list of log entries and summary information for each item.
Successful events appear with a key icon, and unsuccessful events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event. The category indicates the type of event, such as object access, account management, directory service access, or logon events.
Windows 2000 records events in the Security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred. To view the Security log on a remote computer, point Event Viewer to a remote computer when you add this snap-in to a console.
When you first start Event Viewer, it automatically displays all events that are recorded in the selected log. To change what appears in the log, you can locate selected events by using the Filter command. You can also search for specific events by using the Find command. To filter or find events, start Event Viewer and then click Filter or click Find on the View menu.
You can track trends in Windows 2000 by archiving event logs and comparing logs from different periods. Viewing trends helps you determine resource use and plan for growth. If unauthorized use of resources is a concern, you can also use logs to determine patterns of usage. Windows 2000 allows you to control the size of the logs and to specify the action that Windows 2000 takes when a log becomes full.
You can configure the properties of each individual audit log. To configure the settings for logs, select the log in Event Viewer, and then display the Properties dialog box for the log.
Use the Properties dialog box for each type of audit log to control the size of each log, which can be from 64 KB to 4,194,240 KB (4 GB). The default size is 512 KB. You can also use the log properties to control the action that Windows 2000 takes when the log fills up.
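The size limits above matter because a log that fills too quickly either discards events or stops recording, depending on the action you choose. The following Python is an added planning helper, not part of the lesson: it uses the 64 KB to 4,194,240 KB range and the 512 KB default stated above, assumes that sizes are kept on 64 KB boundaries and rounds a requested size up to the next boundary (this helper's own choice, so the configured log is never smaller than asked for), and estimates how long a log lasts at a given event rate and average record size. The event rate and record size used in the demonstration are constructed values.

```python
import math

# Limits stated in the lesson for a Windows 2000 event log's maximum size.
MIN_LOG_KB = 64
MAX_LOG_KB = 4_194_240      # 4 GB
DEFAULT_LOG_KB = 512
STEP_KB = 64                # assumption: sizes are kept on 64 KB boundaries


def normalize_log_size_kb(requested_kb):
    """Return the size that would actually be configured: rounded up to the
    next 64 KB boundary and clamped into the 64 KB .. 4,194,240 KB range.
    Rounding up rather than to nearest is this helper's own choice."""
    if requested_kb <= 0:
        raise ValueError("log size must be positive")
    rounded = math.ceil(requested_kb / STEP_KB) * STEP_KB
    return min(max(rounded, MIN_LOG_KB), MAX_LOG_KB)


def days_until_full(size_kb, events_per_day, avg_event_bytes):
    """Days a log of size_kb holds before it fills at a steady event rate."""
    bytes_per_day = events_per_day * avg_event_bytes
    if bytes_per_day <= 0:
        raise ValueError("event rate and record size must be positive")
    return size_kb * 1024 / bytes_per_day


def size_for_retention_kb(days, events_per_day, avg_event_bytes):
    """Smallest configurable log size that keeps `days` worth of events,
    or ValueError when that exceeds the 4 GB ceiling (archive sooner)."""
    needed_kb = days * events_per_day * avg_event_bytes / 1024
    size_kb = normalize_log_size_kb(needed_kb)
    if size_kb < needed_kb:   # only happens when the ceiling clamped it
        raise ValueError(
            f"{days} days needs {needed_kb:,.0f} KB, above the {MAX_LOG_KB:,} KB ceiling")
    return size_kb


if __name__ == "__main__":
    # Constructed planning inputs: 20,000 audited events a day, ~400 bytes each.
    rate, rec_bytes = 20_000, 400
    hours = days_until_full(DEFAULT_LOG_KB, rate, rec_bytes) * 24
    print(f"default {DEFAULT_LOG_KB} KB log fills in about {hours:.1f} hours")
    print(f"7 days of retention needs {size_for_retention_kb(7, rate, rec_bytes):,} KB")
```

At the constructed rate the 512 KB default is exhausted in well under two hours, which is why the lesson pairs the size setting with a decision about what happens when the log fills and with a regular archiving routine.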
Use the Security Configuration And Analysis snap-in to configure settings for Event Viewer.
Archiving security logs allows you to maintain a history of security-related events. Many companies have policies on keeping archive logs for a specified period to track security-related information over time. If you want to save the log file, clear all events, or open a log file, select the log from the Event Viewer console tree, and then select the appropriate option from the Action menu.
Auditing in Windows 2000 is the process of tracking both user activities and Windows 2000 activities, called events, on a computer. Through auditing, you can specify that Windows 2000 writes a record of an event to the Security log. An audit policy defines the types of security events that Windows 2000 records in the Security log on each computer. The Security log allows you to track the events that you specify. When you plan an audit policy, you must determine on which computers to set up auditing. As you are determining which computers to audit, you must also plan what to audit on each computer. To implement auditing, you need to consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, printers, and Active Directory objects. You can use Event Viewer to view the audit logs that are generated as a result of setting the audit policy and auditing events. You can also use Event Viewer to view the contents of Security log files and find specific events within log files.