Auditing and Analyzing Access Control

Previous page
Table of content
Next page

On many computers, the state of the operating system changes frequently. If you, other administrators, or users periodically make changes to computer configurations, auditing and regular analysis will enable you to validate the security configuration on each computer and to verify that security has not been breached. For example, you might want to track who or what is attempting to perform certain tasks, or you might want to obtain information about why certain events are taking place or not taking place.

Windows XP Professional provides a number of auditing and analysis features including audit policies, Event Viewer, and the Security Configuration and Analysis snap-in that can aid you in effectively validating the security configurations on the computers in your organization.

Enabling Auditing Policies

You can monitor many different types of events on a Windows XP Professional based system, including user actions such as logging on and logging off, and the success and failure of key application events. Administrators need to monitor these events to track security, system performance, and application errors.

You can set up audit policies to track authorized and unauthorized access to resources. By default, auditing is not enabled. Before you enable auditing, it will be important for you to define exactly what needs to be audited and why you want it to be audited. Auditing can slow down system performance, and it will also require effort on your part to evaluate audit logs; therefore, advanced planning is recommended to ensure that you track appropriate system events without creating excess administrative overhead.

For example, if you decide to audit account logon sessions, you need to consider what the information will be used for. Your security administrators group might be interested in logging failed logon events because this can indicate that someone is trying to log on with an account for which he or she does not have the correct password. Alternatively, you might want to log successful logon attempts to determine whether users are accessing workstations in areas of the network that they are not permitted to use.

To enable auditing, use the Microsoft Management Console with the Group Policy snap-in focused on the local computer. To see the different types of objects for which auditing can be configured, navigate to the following folder: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

There you will find a number of configuration audit policies, which can be used to audit events that fall into the following categories:

  • Account logon events. Logs an event each time a user attempts to log on. For example, specific events logged include: logon failures for unknown user accounts; time restriction violations; user account has expired; user does not have the right to log on locally; account password has expired; account is locked out. Successful logons also can be tracked through events.

  • Account management. Logs an event each time an account is managed. This is a useful function if you are concerned about changes being made to user accounts in your environment.

  • Logon events. Logs an event for logon events that are occurring over the network or generated by service startup (such as an interactive logon events or service starting events).

  • Object access. Logs an event each time a user attempts to access a resource such as a printer or shared folder.

  • Policy changes. Logs an event each time a policy is successfully or unsuccessfully changed in your environment.

  • Use of privileges. Logs an event each time a user attempts, successfully or unsuccessfully, to use special privileges, such as changing system time.

  • Process tracking. Logs an event for each program or process that a user launches while accessing a system. Administrators can use this information to track the details of a user s activities while he or she is accessing a system.

  • System events. Logs designated system events, such as when a user restarts or shuts down a computer.

For each of these categories, determine whether you want to log Success, Failure, or both Success and Failure for the events they represent. Then configure the object that you want to monitor so that the policy and the object are linked.

For example, to audit file and folder access, first mark the activities (Success, Failure, or both) that you want to track under Object Access. Then, for each of the files and folders that you want audited, configure the SACLs that enable auditing.

To enable auditing

  1. Right-click the file or folder, and then click Properties.

  2. On the Security tab, click the Advanced button.

  3. On the Advanced Security Settings for Shared Documents page, click the Auditing tab.

    The Auditing tab is shown in Figure 16-9.

    click to expand
    Figure 16-9: Auditing tab

  4. Click the Add button, and then select the users, or groups whose activity you want to monitor.

  5. For each entry, determine whether you want to track successes or failures or both.

  6. Determine whether auditing must be configured on this object only or other child objects. For example, if the object is a folder and you want to audit activity on files and subfolders, select Apply these auditing entries to objects and/or containers within this container only.

  7. Configure settings for the Users, Computers, and Groups whose activities you want to track, complete the process by clicking OK.

  8. In the Group Policy snap-in, navigate to:

    Local Computer Policy\Computer Configuration\Windows Settings \Security Settings\Local Policies\Audit Policy

  9. Double-click Audit object access.

  10. Select the appropriate check boxes for logging Success, Failure, or both.

  11. Click OK.

The list of configurable entries is almost identical to the list of Access Control Entries for files and folders. For more information about ACEs for files and folders, see Access Control Entries earlier in this chapter.

Auditing the Use of Privileges

Windows XP Professional provides the option to audit the use of privileges. Although this setting can be either enabled or disabled, it cannot be applied selectively to individual rights.

Warning 

Auditing the use of user privileges generates a very large number of audits, and in most cases the value of the information this provides does not outweigh the associated management costs. Therefore, do not audit the use of user privileges unless it is strictly necessary for your environment. If you must audit the use of user privileges, it might be worthwhile to obtain or write an event-analysis tool that can gather information about only the user rights that are of interest to you.

Enabling the Use of Privileges category in the system s Audit policy does not enable the audit of all user rights. The following user rights are never audited:

  • Bypass Traverse Checking (SeChangeNotifyPrivilege)

  • Generate Security Audits (SeAuditPrivilege)

  • Create A Token Object (SeCreateTokenPrivilege)

  • Debug Programs (SeDebugPrivilege)

  • Replace A Process Level Token (SeAssignPrimaryTokenPrivilege)

The following user rights are audited only if a specific registry entry is present:

  • Backup Files and Directories (SeBackupPrivilege)

  • Restore Files and Directories (SeRestorePrivilege)

You can enable auditing of these privileges by using the security policy user interface in Windows XP Professional.

Auditing Account Management

Account Management audit policy is very detailed in Windows 2000 and Windows XP Professional and in later service packs of Windows NT 4.0. Enabling auditing for this event category allows you to record the success or failure of the domain and local events that are listed with their event numbers in the Appendix Security Event Messages in this book.

Using the Event Viewer

The Event Viewer is an MMC snap-in that enables you to view three different logs that are stored by Windows XP Professional:

When you select the log type in the left pane of the Event Viewer, the corresponding log data displays in the right pane.

The data in the right pane can be filtered and resorted. In addition, you can select which columns of data to display by selecting Choose Columns from the View menu.

The Event Viewer tracks five types of events:

In addition, the Event Viewer records the following:

Using the Security Configuration and Analysis Snap-in

You can use the Security Configuration and Analysis snap-in at any time to analyze current system settings against a baseline template. Performing this analysis allows you to do the following:

For example, if you have created a custom security template, the Security Configuration and Analysis tools will allow you to compare your system s current settings against the settings that are defined by the security template that you created. If the custom security template defines a more secure configuration than the current settings provide, the analysis will identify the security holes that exist in the current system configuration, as well as the changes that will take place if the custom template is used to configure the system.

To load the Security Configuration and Analysis MMC snap-in

  1. In the Run dialog box, type:

    mmc /s

  2. On the File menu, click Add\Remove Snap-in, and then click Add.

  3. In Available Standalone Snap-ins, select Security Configuration and Analysis.

  4. Click Add, click Close, and then click OK.

Creating and Analyzing a Security Configuration Database

All configurations and analyses are database-driven. The security configuration and analysis database, which is also referred to as the local computer policy database, is a computer-specific data store that is generated when one or more configurations are imported to a particular computer. A security configuration and analysis database is the starting point for all configurations and analyses done on a system.

An initial database is created during a clean installation of Windows 2000 or Windows XP Professional. Initially, it contains the default security configurations that are provided with the system. You can export and save this database to a security configuration file immediately after the installation for use in the event that you want to restore the initial security configuration at some point.

This database defines the security policy that is in force for that system. The system runs with the configuration defined in security policy. However, security policy might not define the entire configuration. For example, security might not be defined for every file or folder path. This means that security configuration attributes that are not enforced by policy can take any value for file and folder security either a default value or a value defined by another mechanism. Attributes that are not enforced by policy might also be configured manually using personal databases. However, any custom configurations that conflict with the policy are overridden by the definitions in the policy. Personal database configurations are useful in areas such as the registry and the file system, where multiple users on the system can secure their own registry portions and home directory subtrees.

You can use the Security Configuration and Analysis snap-in to compare the current system configuration against the stored configuration in the database. Performing this analysis provides you with information about where a particular system deviates from the stored configuration. This information is useful for troubleshooting problems, tuning the security policy, and, most importantly, detecting any security flaws that might open up in the system over time.

The database is initially created from the computer-independent configuration file described above. New configurations can be added to the database incrementally without overwriting the entire configuration.

To generate a security configuration database

  1. In the left pane, right-click Security Configuration and Analysis.

  2. Click Open Database (see Figure 16-10).

    click to expand
    Figure 16-10: Opening a Security Configuration and Analysis database

  3. In the Name dialog box, type a name for your new database.

  4. Click Open.

  5. Select an existing security template to import into the database.

  6. Click Open.

    The name of the database appears in the result pane. Several more options are available when you right-click Security Configuration and Analysis.

To analyze the security configuration database

  1. Right-click Security Configuration and Analysis, and then click Analyze Computer Now.

  2. In the Error log file path dialog box, specify a log file for the analysis results, such as the following:

    %windir%\security\logs\Mysecurews.log

  3. Click Open, and then click OK. A progress indicator displays as the analysis proceeds (see Figure 16-11).

    click to expand
    Figure 16-11: Progress dialog for Security Configuration and Analysis

Reviewing the Results of a Database Analysis

After a database analysis is complete, you can view the security information under the Security Configuration and Analysis node.

To view the results of a database analysis

  1. In Security Configuration and Analysis, click View, and then click Customize.

  2. Select the Description Bar to expose the database you are currently working with.

  3. In the left pane, click Security Configuration and Analysis.

You can double-click any setting in the result pane to investigate discrepancies and modify database settings if desired.

Configuration results are displayed for the following areas:

Note 

For each object tree, defined configuration files allow you to configure (and analyze) settings for security descriptors, including object ownership, the access control list (ACL), and auditing information.

In the right pane, both database and actual system settings are displayed for each object. Discrepancies are highlighted with a red flag. Consistencies are highlighted with a green check mark. If neither a flag nor a check mark appears, the security setting is not specified in the database (that is, the security setting was not configured in the template that was imported).

Modifying Baseline Analysis Settings

After you review the results of the analysis, you might change your mind about the relevance of the security specification that was originally defined for an object. If so, you can update the baseline database used to perform the analysis.

If you consider an object to be relevant to security, check the Define this policy in the database check box when viewing the detailed analysis results. If this box is clear, the object is removed from the configuration and receives its inheritance from its parent object.

If you want to base future configurations or analyses on a different security specification, you can click the Edit Security Settings control to modify the security definition currently stored in the database.

Configuring and Analyzing Operations by Using Secedit.exe

The configuration and analysis operations available from the Security Configuration and Analysis snap-in can also be performed by using the Secedit.exe command-line tool. Using the command-line tool allows you to perform security configuration and analysis in conjunction with using other administrative tools, such as Microsoft Systems Management Server or the Task Scheduler built into Windows XP Professional. Secedit.exe also provides some capabilities that are not available in the graphical user interface, such as performing a batch analysis.

The Secedit.exe command-line tool allows the following high-level operations:

Note 

For information about command-line syntax for Secedit.exe, see Security Configuration Manager tools in Windows XP Professional Help and Support Center.

All Secedit.exe configurations and analyses are database-driven. Therefore, Secedit.exe supports switches for specifying a database (/db) as well as a configuration file (/cfg) to be imported into the database before performing the configuration.

By default, the configuration file is appended to the database. To overwrite existing configuration information in the database, use the /overwrite switch. As with the Security Configuration and Analysis snap-in, you can specify a log file (/log).

Note 

While the Security Configuration and Analysis snap-in always configures all security areas, Secedit.exe allows you to specify areas (/areas) to be configured. Security areas not specified with the /areas switch are ignored even if the database contains security settings for those areas.



Previous page
Table of content
Next page
Microsoft Windows XP Professional Resource Kit 2003
Microsoft Windows XP Professional Resource Kit 2003
ISBN: N/A
EAN: N/A
Year: 2005
Pages: 338
BUY ON AMAZON
MySQL Stored Procedure Programming
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
Snort Cookbook
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
Managing Enterprise Systems with the Windows Script Host
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy