On many computers, the state of the operating system changes frequently. If you, other administrators, or users periodically make changes to computer configurations, auditing and regular analysis will enable you to validate the security configuration on each computer and to verify that security has not been breached. For example, you might want to track who or what is attempting to perform certain tasks, or you might want to obtain information about why certain events are taking place or not taking place.
Windows XP Professional provides a number of auditing and analysis features including audit policies, Event Viewer, and the Security Configuration and Analysis snap-in that can aid you in effectively validating the security configurations on the computers in your organization.
You can monitor many different types of events on a Windows XP Professional based system, including user actions such as logging on and logging off, and the success and failure of key application events. Administrators need to monitor these events to track security, system performance, and application errors.
You can set up audit policies to track authorized and unauthorized access to resources. By default, auditing is not enabled. Before you enable auditing, it will be important for you to define exactly what needs to be audited and why you want it to be audited. Auditing can slow down system performance, and it will also require effort on your part to evaluate audit logs; therefore, advanced planning is recommended to ensure that you track appropriate system events without creating excess administrative overhead.
For example, if you decide to audit account logon sessions, you need to consider what the information will be used for. Your security administrators group might be interested in logging failed logon events because this can indicate that someone is trying to log on with an account for which he or she does not have the correct password. Alternatively, you might want to log successful logon attempts to determine whether users are accessing workstations in areas of the network that they are not permitted to use.
To enable auditing, use the Microsoft Management Console with the Group Policy snap-in focused on the local computer. To see the different types of objects for which auditing can be configured, navigate to the following folder: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
There you will find a number of configuration audit policies, which can be used to audit events that fall into the following categories:
Account logon events. Logs an event each time a user attempts to log on. For example, specific events logged include: logon failures for unknown user accounts; time restriction violations; user account has expired; user does not have the right to log on locally; account password has expired; account is locked out. Successful logons also can be tracked through events.
Account management. Logs an event each time an account is managed. This is a useful function if you are concerned about changes being made to user accounts in your environment.
Logon events. Logs an event for logon events that are occurring over the network or generated by service startup (such as an interactive logon events or service starting events).
Object access. Logs an event each time a user attempts to access a resource such as a printer or shared folder.
Policy changes. Logs an event each time a policy is successfully or unsuccessfully changed in your environment.
Use of privileges. Logs an event each time a user attempts, successfully or unsuccessfully, to use special privileges, such as changing system time.
Process tracking. Logs an event for each program or process that a user launches while accessing a system. Administrators can use this information to track the details of a user s activities while he or she is accessing a system.
System events. Logs designated system events, such as when a user restarts or shuts down a computer.
For each of these categories, determine whether you want to log Success, Failure, or both Success and Failure for the events they represent. Then configure the object that you want to monitor so that the policy and the object are linked.
For example, to audit file and folder access, first mark the activities (Success, Failure, or both) that you want to track under Object Access. Then, for each of the files and folders that you want audited, configure the SACLs that enable auditing.
To enable auditing
Right-click the file or folder, and then click Properties.
On the Security tab, click the Advanced button.
On the Advanced Security Settings for Shared Documents page, click the Auditing tab.
The Auditing tab is shown in Figure 16-9.
Figure 16-9: Auditing tab
Click the Add button, and then select the users, or groups whose activity you want to monitor.
For each entry, determine whether you want to track successes or failures or both.
Determine whether auditing must be configured on this object only or other child objects. For example, if the object is a folder and you want to audit activity on files and subfolders, select Apply these auditing entries to objects and/or containers within this container only.
Configure settings for the Users, Computers, and Groups whose activities you want to track, complete the process by clicking OK.
In the Group Policy snap-in, navigate to:
Local Computer Policy\Computer Configuration\Windows Settings \Security Settings\Local Policies\Audit Policy
Double-click Audit object access.
Select the appropriate check boxes for logging Success, Failure, or both.
Click OK.
The list of configurable entries is almost identical to the list of Access Control Entries for files and folders. For more information about ACEs for files and folders, see Access Control Entries earlier in this chapter.
Windows XP Professional provides the option to audit the use of privileges. Although this setting can be either enabled or disabled, it cannot be applied selectively to individual rights.
Warning | Auditing the use of user privileges generates a very large number of audits, and in most cases the value of the information this provides does not outweigh the associated management costs. Therefore, do not audit the use of user privileges unless it is strictly necessary for your environment. If you must audit the use of user privileges, it might be worthwhile to obtain or write an event-analysis tool that can gather information about only the user rights that are of interest to you. |
Enabling the Use of Privileges category in the system s Audit policy does not enable the audit of all user rights. The following user rights are never audited:
Bypass Traverse Checking (SeChangeNotifyPrivilege)
Generate Security Audits (SeAuditPrivilege)
Create A Token Object (SeCreateTokenPrivilege)
Debug Programs (SeDebugPrivilege)
Replace A Process Level Token (SeAssignPrimaryTokenPrivilege)
The following user rights are audited only if a specific registry entry is present:
Backup Files and Directories (SeBackupPrivilege)
Restore Files and Directories (SeRestorePrivilege)
You can enable auditing of these privileges by using the security policy user interface in Windows XP Professional.
Account Management audit policy is very detailed in Windows 2000 and Windows XP Professional and in later service packs of Windows NT 4.0. Enabling auditing for this event category allows you to record the success or failure of the domain and local events that are listed with their event numbers in the Appendix Security Event Messages in this book.
The Event Viewer is an MMC snap-in that enables you to view three different logs that are stored by Windows XP Professional:
System log. The System log contains events logged by the Windows XP Professional system components, such as drivers or other system components that failed to load during startup. Windows XP Professional predetermines the event types logged by the system components.
Application log. The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. The program developer decides which events to record. Many Windows XP Professional services (such as DHCP, DNS, and File Replication Services) use the application log.
Security log. The Security log, if configured to do so, records security events, such as valid and invalid logon attempts. Events that are related to resource use, such as creating, opening, or deleting files, can also be logged. An administrator can specify the events that are recorded in the security log policy.
When you select the log type in the left pane of the Event Viewer, the corresponding log data displays in the right pane.
The data in the right pane can be filtered and resorted. In addition, you can select which columns of data to display by selecting Choose Columns from the View menu.
The Event Viewer tracks five types of events:
Error. A significant problem, such as loss of data or loss of functionality.
Warning. An event that is not necessarily significant but might indicate a possible future problem.
Information. An event that describes the successful operation of an application, driver, or service.
Success Audit. An audited security event in which a user s attempt to access a resource succeeds.
Failed Audit. An audited security event in which a user s attempt to access a resource fails.
In addition, the Event Viewer records the following:
The date of the event.
The time at which the event occurred.
The source (such as a service or process) that reported the event to the Event Viewer.
The category of the event. In many cases, the category relates to the subsystem that reported the event.
The user account associated with the event.
The computer on which the event occurred.
The Event ID, which is a numeric code that can be used to obtain additional information regarding the event being logged.
A description of the event.
You can use the Security Configuration and Analysis snap-in at any time to analyze current system settings against a baseline template. Performing this analysis allows you to do the following:
Identify security holes that might exist in the current configuration.
Identify the changes that a potential security policy will transmit to a system before actually deploying the security policy.
Identify deviations from a policy that is currently imposed on a system.
For example, if you have created a custom security template, the Security Configuration and Analysis tools will allow you to compare your system s current settings against the settings that are defined by the security template that you created. If the custom security template defines a more secure configuration than the current settings provide, the analysis will identify the security holes that exist in the current system configuration, as well as the changes that will take place if the custom template is used to configure the system.
To load the Security Configuration and Analysis MMC snap-in
In the Run dialog box, type:
mmc /s
On the File menu, click Add\Remove Snap-in, and then click Add.
In Available Standalone Snap-ins, select Security Configuration and Analysis.
Click Add, click Close, and then click OK.
All configurations and analyses are database-driven. The security configuration and analysis database, which is also referred to as the local computer policy database, is a computer-specific data store that is generated when one or more configurations are imported to a particular computer. A security configuration and analysis database is the starting point for all configurations and analyses done on a system.
An initial database is created during a clean installation of Windows 2000 or Windows XP Professional. Initially, it contains the default security configurations that are provided with the system. You can export and save this database to a security configuration file immediately after the installation for use in the event that you want to restore the initial security configuration at some point.
This database defines the security policy that is in force for that system. The system runs with the configuration defined in security policy. However, security policy might not define the entire configuration. For example, security might not be defined for every file or folder path. This means that security configuration attributes that are not enforced by policy can take any value for file and folder security either a default value or a value defined by another mechanism. Attributes that are not enforced by policy might also be configured manually using personal databases. However, any custom configurations that conflict with the policy are overridden by the definitions in the policy. Personal database configurations are useful in areas such as the registry and the file system, where multiple users on the system can secure their own registry portions and home directory subtrees.
You can use the Security Configuration and Analysis snap-in to compare the current system configuration against the stored configuration in the database. Performing this analysis provides you with information about where a particular system deviates from the stored configuration. This information is useful for troubleshooting problems, tuning the security policy, and, most importantly, detecting any security flaws that might open up in the system over time.
The database is initially created from the computer-independent configuration file described above. New configurations can be added to the database incrementally without overwriting the entire configuration.
To generate a security configuration database
In the left pane, right-click Security Configuration and Analysis.
Click Open Database (see Figure 16-10).
Figure 16-10: Opening a Security Configuration and Analysis database
In the Name dialog box, type a name for your new database.
Click Open.
Select an existing security template to import into the database.
Click Open.
The name of the database appears in the result pane. Several more options are available when you right-click Security Configuration and Analysis.
To analyze the security configuration database
Right-click Security Configuration and Analysis, and then click Analyze Computer Now.
In the Error log file path dialog box, specify a log file for the analysis results, such as the following:
%windir%\security\logs\Mysecurews.log
Click Open, and then click OK. A progress indicator displays as the analysis proceeds (see Figure 16-11).
Figure 16-11: Progress dialog for Security Configuration and Analysis
After a database analysis is complete, you can view the security information under the Security Configuration and Analysis node.
To view the results of a database analysis
In Security Configuration and Analysis, click View, and then click Customize.
Select the Description Bar to expose the database you are currently working with.
In the left pane, click Security Configuration and Analysis.
You can double-click any setting in the result pane to investigate discrepancies and modify database settings if desired.
Configuration results are displayed for the following areas:
Account policies. This includes password, account lockout, and Kerberos authentication policies. Kerberos authentication policies are relevant only on Windows 2000 domain controllers.
Event log. This includes audit policies such as object access, password changes, and logon and logoff activities.
Local policies. This includes audit policy, user rights assignment, and computer security options.
Restricted groups. This includes group memberships for selected groups that you consider to be sensitive.
Object trees. This includes directory objects (in Windows 2000 domain controllers), registry subkeys and entries, and the local file system.
Note | For each object tree, defined configuration files allow you to configure (and analyze) settings for security descriptors, including object ownership, the access control list (ACL), and auditing information. |
In the right pane, both database and actual system settings are displayed for each object. Discrepancies are highlighted with a red flag. Consistencies are highlighted with a green check mark. If neither a flag nor a check mark appears, the security setting is not specified in the database (that is, the security setting was not configured in the template that was imported).
After you review the results of the analysis, you might change your mind about the relevance of the security specification that was originally defined for an object. If so, you can update the baseline database used to perform the analysis.
If you consider an object to be relevant to security, check the Define this policy in the database check box when viewing the detailed analysis results. If this box is clear, the object is removed from the configuration and receives its inheritance from its parent object.
If you want to base future configurations or analyses on a different security specification, you can click the Edit Security Settings control to modify the security definition currently stored in the database.
The configuration and analysis operations available from the Security Configuration and Analysis snap-in can also be performed by using the Secedit.exe command-line tool. Using the command-line tool allows you to perform security configuration and analysis in conjunction with using other administrative tools, such as Microsoft Systems Management Server or the Task Scheduler built into Windows XP Professional. Secedit.exe also provides some capabilities that are not available in the graphical user interface, such as performing a batch analysis.
The Secedit.exe command-line tool allows the following high-level operations:
Analyze. Also available from the Security Configuration and Analysis snap-in.
Configure. Also available from the Security Configuration and Analysis snap-in.
Export. Also available after opening a database from the shortcut menu of the Security Configuration and Analysis snap-in. This dumps database configuration information into a template (.inf) file.
Validate. This verifies the syntax of a template created by using the Security Templates snap-in.
Note | For information about command-line syntax for Secedit.exe, see Security Configuration Manager tools in Windows XP Professional Help and Support Center. |
All Secedit.exe configurations and analyses are database-driven. Therefore, Secedit.exe supports switches for specifying a database (/db) as well as a configuration file (/cfg) to be imported into the database before performing the configuration.
By default, the configuration file is appended to the database. To overwrite existing configuration information in the database, use the /overwrite switch. As with the Security Configuration and Analysis snap-in, you can specify a log file (/log).
Note | While the Security Configuration and Analysis snap-in always configures all security areas, Secedit.exe allows you to specify areas (/areas) to be configured. Security areas not specified with the /areas switch are ignored even if the database contains security settings for those areas. |