Lesson 5: Microsoft Windows 2000 Auditing

In this lesson, you learn about Windows 2000 auditing, which is a tool for maintaining network security. Auditing allows you to track user activities and system-wide events. In addition, you learn about audit policies and what you need to consider before you set up a policy. You also learn how to set up auditing on resources and how to maintain security logs.


After this lesson, you will be able to

  • Plan an audit strategy and determine which events to audit
  • Set up auditing on Active Directory service objects and on files, folders, and printers
  • Use Event Viewer to view a log and locate events

Estimated lesson time: 75 minutes


Overview of Windows 2000 Auditing

Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 activities, called events, on a computer. Through auditing, you can specify that Windows 2000 writes a record of an event to the security log. The security log maintains a record of valid and invalid logon attempts and events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:

  • The action that was performed
  • The user who performed the action
  • The success or failure of the event and when the event occurred

Using an Audit Policy

An audit policy defines the types of security events that Windows 2000 records in the security log on each computer. The security log allows you to track the events that you specify.

Windows 2000 writes events to the security log on the computer on which the event occurs. For example, you can configure auditing so that any time someone tries to log on to the domain by using a domain user account and the logon attempt fails, Windows 2000 writes an event to the security log on the domain controller. The event is recorded on the domain controller rather than on the computer at which the logon attempt was made, because it is the domain controller that attempted to and could not authenticate the logon attempt.

You can set up an audit policy for a computer to do the following:

  • Track the success and failure of events, such as logon attempts by users, an attempt by a particular user to read a specific file, changes to a user account or to group memberships, and changes to your security settings
  • Eliminate or minimize the risk of unauthorized use of resources

You can use Event Viewer to view events that Windows 2000 has recorded in the security log. You can also archive log files to track trends over time—for example, to determine the use of printers or files or to verify attempts at unauthorized use of resources.

Planning an Audit Policy

When you plan an audit policy, you must determine the computers on which to set up auditing. Auditing is turned off by default. As you are determining which computers to audit, you must also plan what to audit on each computer. Windows 2000 records audited events on each computer separately.

The types of events that you can audit include the following:

  • Access to files and folders
  • Users logging on and off
  • Shutting down and restarting a computer running Windows 2000 Server
  • Changes to user accounts and groups
  • Attempts to make changes to Active Directory objects

After you have determined the types of events to audit, you must determine whether to audit the success and/or failure of events. Tracking successful events can tell you how often Windows 2000 users or services gain access to specific files, printers, or other objects. You can use this information for resource planning. Tracking failed events can alert you to possible security breaches. For example, if you notice a lot of failed logon attempts by a certain user account, especially if these attempts are occurring outside normal business hours, an unauthorized person might be attempting to break into your system.

Consider the following guidelines in determining your audit policy:

  • Determine if you need to track trends of system usage. If so, plan to archive event logs. Archiving these logs allows you to view how usage changes over time and allows you to plan to increase system resources before they become a problem.
  • Review security logs frequently. You should set a schedule and regularly review security logs because configuring auditing alone does not alert you to security breaches.
  • Define an audit policy that is useful and manageable. Always audit sensitive and confidential data. Audit only those events that provide you with meaningful information about your network environment. This minimizes usage of server resources and makes essential information easier to locate. Auditing too many types of events can create excess overhead for Windows 2000.
  • Audit resource access by the Everyone group instead of the Users group. This ensures that you audit anyone who can connect to the network, not just the users for whom you create user accounts in the domain.
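The failed-logon pattern described above (repeated failures by one account, especially outside business hours) as an added Python example, not code from the training kit: it runs over constructed Security log entries shaped like Event Viewer's summary columns. The business-hours window, the failure threshold and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample entries (added example, not log data from the training kit):
# (type, date and time, category, user, computer), as in Event Viewer's summary columns.
SAMPLE_LOG = [
    ("Failure Audit", "2000-03-06 02:11:05", "Logon/Logoff", "jsmith", "DC1"),
    ("Failure Audit", "2000-03-06 02:11:40", "Logon/Logoff", "jsmith", "DC1"),
    ("Failure Audit", "2000-03-06 02:12:17", "Logon/Logoff", "jsmith", "DC1"),
    ("Failure Audit", "2000-03-06 02:13:02", "Logon/Logoff", "jsmith", "DC1"),
    ("Success Audit", "2000-03-06 08:55:10", "Logon/Logoff", "jsmith", "DC1"),
    ("Failure Audit", "2000-03-06 09:02:33", "Logon/Logoff", "mlee", "DC1"),
    ("Success Audit", "2000-03-06 09:03:01", "Logon/Logoff", "mlee", "DC1"),
    ("Failure Audit", "2000-03-06 13:20:00", "Object Access", "mlee", "FS1"),
    ("Success Audit", "2000-03-06 17:45:12", "Account Management", "Administrator", "DC1"),
]

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed business hours

def parse_entry(entry):
    """Turn one summary tuple into a dict with a real datetime and a failure flag."""
    kind, when, category, user, computer = entry
    return {
        "failed": kind == "Failure Audit",
        "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
        "category": category,
        "user": user,
        "computer": computer,
    }

def off_hours(when):
    """True on weekends or outside the assumed business window."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)

def failed_logon_report(entries, threshold=3):
    """Return {user: (failed logons, failed logons outside business hours)}
    for every account whose failed logon count reaches the threshold."""
    counts = defaultdict(lambda: [0, 0])
    for e in map(parse_entry, entries):
        if e["failed"] and e["category"] == "Logon/Logoff":
            counts[e["user"]][0] += 1
            counts[e["user"]][1] += int(off_hours(e["when"]))
    return {u: tuple(c) for u, c in counts.items() if c[0] >= threshold}

if __name__ == "__main__":
    for user, (total, late) in failed_logon_report(SAMPLE_LOG).items():
        print(f"{user}: {total} failed logons, {late} outside business hours")
```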

Implementing an Audit Policy

Auditing is a powerful tool for tracking events that occur on computers in your organization. To implement auditing, you must consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, printers, and Active Directory objects.

Configuring Auditing

You can implement an audit policy based on the role of the computer in the Windows 2000 network. Auditing is configured differently for the following types of computers running Windows 2000:

  • For member or standalone servers or computers running Windows 2000 Professional, an audit policy is set for each individual computer. For example, to audit user access to a file on a member server, you set the audit policy on that computer.
  • For domain controllers, an audit policy is set for all domain controllers in the domain. To audit events that occur on domain controllers, such as changes to Active Directory objects, you configure a group policy for the domain, which applies to all domain controllers.

NOTE

The types of events that you can audit on a domain controller are identical to those you can audit on a computer that is not a domain controller. The procedure is similar as well, but you use a group policy for the domain to control auditing for domain controllers.

Auditing Requirements

The requirements to set up and administer auditing are as follows:

  • You must have the Manage Auditing And Security Log user right on the computer where you want to configure an audit policy or review an audit log. Windows 2000 grants this right to the Administrators group by default.
  • The files and folders to be audited must be on NTFS volumes.

Setting Up Auditing

Setting up auditing is a two-part process:

  1. Setting the audit policy. The audit policy enables auditing of objects but does not activate auditing of specific objects.
  2. Enabling auditing of specific resources. You identify the specific events to audit for files, folders, printers, and Active Directory objects. Windows 2000 then tracks and logs the specified events.

Setting an Audit Policy

The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You can set audit policies by using the Group Policy snap-in.

Table 27.3 describes the types of events that Windows 2000 can audit.

Table 27.3 Events that can be Audited by Windows 2000

  • Account logon events: A domain controller received a request to validate a user account.
  • Account management: An administrator created, changed, or deleted a user account or group; or a user account was renamed, disabled, or enabled; or a password was set or changed.
  • Directory service access: A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event.
  • Logon events: A user logged on or logged off, or a user made or canceled a network connection to the computer.
  • Object access: A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing. Note the distinction: directory service access audits a user's access to specific Active Directory objects, whereas object access audits a user's access to files, folders, and printers.
  • Policy change: A change was made to the user security options, user rights, or audit policies.
  • Privilege use: A user exercised a right, such as changing the system time. (This does not include rights that are related to logging on and logging off.)
  • Process tracking: A program performed an action. This information is generally useful only for programmers who want to track details of program execution.
  • System: A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 discards entries.)

To set an audit policy on a computer that is not a domain controller, create a custom MMC and add the Group Policy snap-in. In the console tree, select Audit Policy from the Computer Configuration node, as shown in Figure 27.18. The console displays the current audit policy settings in the details pane.

Figure 27.18 Group Policy snap-in with the Audit Policy folder selected

Changes that you make to your computer's audit policy take effect when one of the following events occurs:

  • Policy propagation is initiated by typing secedit /refreshpolicy machine_policy at the command prompt and then pressing Enter.
  • Your computer is restarted. Windows 2000 applies changes that you made to your audit policy the next time your computer is restarted.
  • Policy propagation occurs. Policy propagation is a process that applies policy settings, including audit policy settings, to your computer. Automatic policy propagation occurs at regular, configurable intervals. By default, policy propagation occurs every 8 hours.
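The nine Table 27.3 settings can also be read back from a security template: secedit /export /cfg writes them to an [Event Audit] section, encoded 0 (no auditing), 1 (success), 2 (failure) or 3 (both). The following Python is an added example, not code from the training kit; the baseline it checks against and the sample export are assumptions.

```python
import configparser

# Template keys (as written by secedit /export) paired with the Table 27.3 names.
# Added example, not code from the training kit.
EVENT_KEYS = {
    "AuditAccountLogon": "Account logon events",
    "AuditAccountManage": "Account management",
    "AuditDSAccess": "Directory service access",
    "AuditLogonEvents": "Logon events",
    "AuditObjectAccess": "Object access",
    "AuditPolicyChange": "Policy change",
    "AuditPrivilegeUse": "Privilege use",
    "AuditProcessTracking": "Process tracking",
    "AuditSystemEvents": "System",
}
SUCCESS, FAILURE = 1, 2  # template encoding: 0 none, 1 success, 2 failure, 3 both

# Hypothetical baseline (an assumption, not from the lesson).
BASELINE = {
    "AuditAccountLogon": FAILURE,
    "AuditLogonEvents": FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
}

# Constructed sample of the relevant section (real exports are UTF-16; open them with encoding="utf-16").
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 0
"""

def parse_event_audit(text):
    """Return {template key: int value} from the [Event Audit] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(text)
    return {k: int(v) for k, v in cp["Event Audit"].items()}

def describe(value):
    """Render a numeric setting the way Group Policy displays it."""
    words = [w for bit, w in ((SUCCESS, "Success"), (FAILURE, "Failure")) if value & bit]
    return ", ".join(words) or "No auditing"

def check_baseline(policy, baseline=BASELINE):
    """List (event name, configured, required) for every setting below the baseline."""
    return [(EVENT_KEYS[k], describe(policy.get(k, 0)), describe(need))
            for k, need in baseline.items() if (policy.get(k, 0) & need) != need]
```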

Auditing Access to Files and Folders

If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first enable the Audit object access policy, which includes files and folders.

Once you have set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit. To enable auditing for a specific file or folder, open the Properties dialog box for that file or folder, select the Security tab, and then click Advanced. Select the Auditing tab and configure auditing for the selected file or folder.

Auditing Access to Active Directory Objects

To audit Active Directory object access, you must configure an audit policy and then set auditing for specific objects, such as users, computers, OUs, or groups by specifying which types of access and access by which users to audit.

To enable auditing of access to Active Directory objects, enable the Audit directory service access policy in the Group Policy snap-in.

To enable auditing for specific Active Directory objects, open the Active Directory Users And Computers snap-in and select Advanced Features from the View menu. Open the Properties dialog box for the object that you want to audit. On the Security tab, click Advanced. Select the Auditing tab and configure auditing for that object.

Auditing Access to Printers

You can audit access to printers in order to track access to sensitive printers. To audit access to printers, enable the Audit object access policy, which includes printers. Then enable auditing for specific printers, and specify which types of access and access by which users to audit. After you select the printer, you use the same steps that you use to set up auditing on files and folders.

To set up auditing on a printer, open the Properties dialog box for the printer that you want to audit. On the Security tab, click Advanced. Select the Auditing tab and configure auditing for the printer.

Using Event Viewer

You can use Event Viewer to perform a variety of tasks, including viewing the audit logs that are generated as a result of setting audit policies and auditing events. You can also use Event Viewer to view the contents of security log files and find specific events within log files.

Windows 2000 Logs

You can use Event Viewer to view information contained in Windows 2000 logs. By default there are three logs available to view in Event Viewer. These logs are described in Table 27.4.

Table 27.4 Logs Viewable with Event Viewer

  • Application log: Contains errors, warnings, or information generated by programs, such as a database program or an e-mail program. The program developer presets which events to record.
  • Security log: Contains information about the success or failure of audited events. The events that Windows 2000 records are a result of your audit policy.
  • System log: Contains errors, warnings, and information generated by Windows 2000. Windows 2000 presets which events to record.

NOTE

If additional services are installed, they might add their own event log. For example, the DNS service logs DNS events in the DNS Server log.

Viewing the Security Log

The Security log contains information about events that are monitored by an audit policy, such as failed and successful logon attempts. You can view the Security log in the Event Viewer snap-in, as shown in Figure 27.19.

Figure 27.19 Event Viewer snap-in with the Security Log selected

In the details pane, Event Viewer displays a list of log entries and summary information for each item.

Successful events appear with a key icon, and unsuccessful events appear with a lock icon. Other important information includes the date and time that the event occurred, the category of the event, and the user who generated the event. The category indicates the type of event, such as object access, account management, directory service access, or logon events.

Windows 2000 records events in the Security log on the computer at which the event occurred. You can view these events from any computer as long as you have administrative privileges for the computer where the events occurred. To view the Security log on a remote computer, point Event Viewer to a remote computer when you add this snap-in to a console.

Locating Events

When you first start Event Viewer, it automatically displays all events that are recorded in the selected log. To change what appears in the log, you can locate selected events by using the Filter command. You can also search for specific events by using the Find command. To filter or find events, start Event Viewer and then click Filter or click Find on the View menu.

Managing Audit Logs

You can track trends in Windows 2000 by archiving event logs and comparing logs from different periods. Viewing trends helps you determine resource use and plan for growth. If unauthorized use of resources is a concern, you can also use logs to determine patterns of usage. Windows 2000 allows you to control the size of the logs and to specify the action that Windows 2000 takes when a log becomes full.

You can configure the properties of each individual audit log. To configure the settings for logs, select the log in Event Viewer, and then display the Properties dialog box for the log.

Use the Properties dialog box for each type of audit log to control the size of each log, which can be from 64 KB to 4,194,240 KB (4 GB). The default size is 512 KB. You can also use the log properties to control the action that Windows 2000 takes when the log fills up.

TIP

Use the Security Configuration And Analysis snap-in to configure settings for Event Viewer.

Archiving Logs

Archiving security logs allows you to maintain a history of security-related events. Many companies have policies on keeping archive logs for a specified period to track security-related information over time. If you want to save the log file, clear all events, or open a log file, select the log from the Event Viewer console tree, and then select the appropriate option from the Action menu.

Lesson Summary

Auditing in Windows 2000 is the process of tracking both user activities and Windows 2000 activities, called events, on a computer. Through auditing, you can specify that Windows 2000 writes a record of an event to the Security log. An audit policy defines the types of security events that Windows 2000 records in the Security log on each computer. The Security log allows you to track the events that you specify. When you plan an audit policy you must determine on which computers to set up auditing. As you are determining which computers to audit, you must also plan what to audit on each computer. To implement auditing, you need to consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, printers, and Active Directory objects. You can use Event Viewer to view the audit logs that are generated as a result of setting the audit policy and auditing events. You can also use Event Viewer to view the contents of Security log files and find specific events within log files.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244