Auditing Server and Network Security


Objective:

Implement secure network administration procedures.

  • Implement security baseline settings and audit security settings by using security templates.

Implementing a baseline security solution is only the first step in implementing security on servers and a network. After you've implemented security templates, you need to audit the servers and network to determine what is happening.

Auditing in Windows Server 2003 can be a one- or two-part process, depending on what you are auditing. If you want to audit only system events such as user logons and privilege use, you need only configure the appropriate auditing categories. If you also want to audit object access, you need to first enable that category and then configure auditing specifically on each object. The following sections examine both types of auditing.

Before we get into configuring auditing, however, it is important that you understand that auditing can be configured at more than one level. That is, you can configure auditing at the same levels to which you can apply Group Policy. These levels include a local computer, a domain, and a specific OU. You should keep this point in mind when you're implementing an organization's auditing plan.

Configuring Auditing

To start auditing, you need to begin by enabling it in Group Policy. You can do this by configuring the applicable GPO directly or by making your changes in a security template. For the purposes of this chapter, you make the changes in a security template and then import that template into specific GPOs to implement the auditing solution. After auditing is configured, audit events are written to the Security log, which you view in Event Viewer. In this section, you will learn about some of the events that you are likely to encounter.

Windows Server 2003 provides the following areas in which you can enable auditing:

  • Audit Account Logon Events: This option configures auditing to occur for user logons and logoffs. A success audit generates an audit entry when a user successfully logs on, and a failure audit generates an entry when a user unsuccessfully attempts to log on.

  • Audit Account Management: This option configures auditing to occur for each event of account management on a computer. Typical account management events include creating a user, creating a group, renaming a user, disabling a user account, and setting or changing a password. A success audit generates an audit entry when any account management event is successful, and a failure audit generates an entry when any account management event fails.

  • Audit Directory Service Access: This option configures auditing to occur when a user accesses an Active Directory object that has its own system access control list (SACL). This setting is only for Active Directory objects, such as GPOs, not for file system and registry objects. A success audit generates an audit entry when a user successfully accesses an Active Directory object that has an SACL specified, and a failure audit generates an entry when an unsuccessful access attempt occurs.

  • Audit Logon Events: This option configures auditing to occur upon each instance of a user logging on or off a computer. The audit events are generated on DCs for domain account activity and on local computers for local account activity. When both the Audit Logon Events and the Audit Account Logon Events options are configured, logons and logoffs that use a domain account generate logon or logoff audit events on the local computer as well as the DC. A success audit generates an audit entry when a logon attempt succeeds, and a failure audit generates an audit entry when a logon attempt fails.

  • Audit Object Access: This option configures auditing to occur upon each user access of an object, such as a file, folder, printer, or registry key, that has its own SACL configured. To configure auditing for object access, you also need to configure auditing on each object for which you want to perform auditing. A success audit generates an audit entry when a user successfully accesses an object, and a failure audit generates an audit entry when a user unsuccessfully attempts to access an object.

  • Audit Policy Change: This option configures auditing to occur upon every occurrence of changing user rights assignment policies, audit policies, or trust policies. A success audit generates an audit entry when a change to one of these policies is successful, and a failure audit generates an audit entry when a change to one of these policies fails.

  • Audit Privilege Use: This option configures auditing to occur upon every occurrence of a user exercising a user right. A success audit generates an audit entry when the exercise of a user right succeeds, and a failure audit generates an audit entry when the exercise of a user right fails.

  • Audit Process Tracking: This option configures auditing to occur for events such as program activation, process exit, handle duplication, and indirect object access. A success audit generates an audit entry when the process being tracked succeeds, and a failure audit generates an audit entry when the process being tracked fails.

  • Audit System Events: This option configures auditing to occur when certain system events, such as computer restarts and shutdowns, occur. A success audit generates an audit entry when a system event is executed successfully, and a failure audit generates an audit entry when a system event is executed unsuccessfully.

For the purposes of auditing, you might want to create a new security template. However, if you want to make the configuration in an existing security template, you can do that as well. Step by Step 5.4 outlines the process of configuring and implementing auditing settings.

Step by Step 5.4. Configuring and Implementing Auditing

1. Open the custom security console you created in Step by Step 5.1.

2. Create a new security template by right-clicking the storage location node and selecting New Template.

3. Enter the template name and description as shown in Figure 5.16.

Figure 5.16. Be sure to provide a helpful name and description in case you need to later figure out what the template does.

4. In the new template, navigate to the Audit Policy node, as shown in Figure 5.17.

Figure 5.17. After the template has been created, you need to locate the auditing settings.

5. Double-click the items for which you want to configure auditing. For example, to configure the Audit Account Logon Events option, open its properties and select the Define These Policy Settings in the Template option and the Success and Failure options, as shown in Figure 5.18. Click OK to accept your configuration.

Figure 5.18. You can configure Success, Failure, or both for auditing.

6. Configure Success and Failure auditing for the Audit Object Access option.

7. After you configure your desired auditing options, save the template by right-clicking it in the left pane and selecting Save from the context menu.

8. Open the Active Directory Users and Computers console.

9. Open the Group Policy Editor for the Sales OU by creating a new GPO or editing an existing GPO.

10. Import the security template that contains your auditing settings, as discussed in Step by Step 5.3.

11. Configure auditing options for the objects (files, folders, printers, and so on) for which you want to audit access. For example, to configure some auditing options for a Word document named July Executive Schedule.doc, right-click the document and select Properties from the context menu.

12. Switch to the Security tab and click the Advanced button to open the Advanced Security Settings dialog box. Switch to the Auditing tab, which is shown in Figure 5.19.

Figure 5.19. You need to select the Auditing tab of the Advanced Security Settings dialog box.

13. Click the Add button to open the Select User or Group dialog box, as shown in Figure 5.20. From here you need to select the users or groups to which the auditing entries will be applied. Keep in mind that if you are going to audit multiple users or groups, it is most efficient (in terms of system usage) to have them in as few auditing entries as possible. Also, if you need to audit the actions of all users, you should use the Everyone group. If you do not know the names of the users or groups that you want to add to this auditing entry, click Advanced, Find Now to open a list from which you can choose. After you have configured the desired users and groups, click OK to continue. The Auditing Entry dialog box appears.

Figure 5.20. You need to select the users and groups for which you want to configure auditing before you can select what is to be audited.

14. In the Auditing Entry dialog box, which is shown in Figure 5.21, you can select which success or failure events you want to audit for the selected object. Make your selections and then click OK to confirm them.

Figure 5.21. You have several items that you can select for object auditing.

15. Close the remaining dialog boxes; you are done configuring auditing.

With auditing configured, you might want to test it and see how it works. Recall that audit entries are written into the security log, so you need to go there to examine them. You can find the event logs by selecting Start, Programs, Administrative Tools, Event Viewer. If you open the security log, you can see the audit entries. A closed lock next to an item indicates a failure audit, and a key next to an item indicates a success audit, as seen in Figure 5.22.

Figure 5.22. The security log can quickly fill up if you are auditing many items.
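Once entries are accumulating in the Security log, reading them one at a time in Event Viewer does not scale. The following Python script is an added example, not part of the book: it summarizes a Security log that has been exported from Event Viewer in CSV form (Save Log File As) by audit category and type, flags accounts with repeated failure audits, and lists successful logons outside working hours, which the recommendations later in this section single out as worth tracking. The CSV rows are constructed sample data; the column layout, the failure threshold, the working-hours window, and the date format (which follows the exporting machine's locale) are assumptions.

```python
"""Summarize a Security log exported from Event Viewer as CSV.

Added example, not from the book. The rows below are constructed sample
data in the column layout assumed for an Event Viewer CSV export; the event
IDs (528 successful logon, 529 bad user name or password, 540 network logon,
560 object open, 612 audit policy change, 624 user account created) and the
category names are those Windows Server 2003 uses.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Real failure audits carry the attempted account
# name in the event description rather than the User column; the sample
# places it in User for brevity (assumption).
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,7/15/2006,8:02:11 AM,Security,Logon/Logoff,528,CORP\\alice,FS1
Success Audit,7/15/2006,8:05:40 AM,Security,Object Access,560,CORP\\alice,FS1
Failure Audit,7/15/2006,8:10:03 AM,Security,Logon/Logoff,529,CORP\\bob,FS1
Failure Audit,7/15/2006,8:10:09 AM,Security,Logon/Logoff,529,CORP\\bob,FS1
Failure Audit,7/15/2006,8:10:15 AM,Security,Logon/Logoff,529,CORP\\bob,FS1
Failure Audit,7/15/2006,8:10:21 AM,Security,Logon/Logoff,529,CORP\\bob,FS1
Success Audit,7/15/2006,11:48:30 PM,Security,Logon/Logoff,528,CORP\\carol,FS1
Success Audit,7/16/2006,9:15:00 AM,Security,Policy Change,612,CORP\\admin,FS1
Success Audit,7/16/2006,9:16:12 AM,Security,Account Management,624,CORP\\admin,FS1
"""

# Event IDs that represent a successful logon on Windows Server 2003.
LOGON_EVENTS = {528, 540}


def parse_export(text):
    """Parse the export into a list of dicts with a datetime under 'When'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Date/time format assumed to be US-style, as on an en-US server.
        row["When"] = datetime.strptime(
            f'{row["Date"]} {row["Time"]}', "%m/%d/%Y %I:%M:%S %p")
        row["Event"] = int(row["Event"])
        events.append(row)
    return events


def count_by_category(events):
    """Count entries per (Category, Type) to see what is filling the log."""
    return Counter((e["Category"], e["Type"]) for e in events)


def repeated_failures(events, threshold=3):
    """Accounts with at least `threshold` failure audits (threshold assumed)."""
    per_user = Counter(e["User"] for e in events if e["Type"] == "Failure Audit")
    return {user: n for user, n in per_user.items() if n >= threshold}


def after_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside the assumed 07:00-19:00 working day."""
    hits = []
    for e in events:
        if e["Type"] == "Success Audit" and e["Event"] in LOGON_EVENTS:
            if not start_hour <= e["When"].hour < end_hour:
                hits.append((e["User"], e["When"].isoformat()))
    return hits


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for (category, kind), n in sorted(count_by_category(events).items()):
        print(f"{category:25} {kind:15} {n}")
    print("repeated failures:", repeated_failures(events))
    print("after-hours logons:", after_hours_logons(events))
```

The per-category counts are the quickest way to see which categories are filling the log, which is what the recommendations about limiting failure auditing and object access auditing are driving at; the two detection functions are deliberately simple and are meant to be tuned (threshold, hours, which event IDs count as a logon) for the environment being reviewed.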


Of course, there is more to successful auditing than just configuring it and checking the security log from time to time. The following are some of Microsoft's recommended practices for successfully implementing and maintaining a security auditing solution:

  • Create an audit plan before you implement auditing: You need to determine what you are auditing. Are you trying to audit for user access to unauthorized resources, or are you trying to audit for attempts to access the network illicitly? Perhaps you have in mind another entirely different reason for auditing. Like everything else you do related to managing a network, proper prior planning ensures the success of your solution.

  • Collect and archive logs across the entire organization: Visiting each computer and examining its local security log is not a viable solution for any but the smallest of organizations. To make the log collection process easier and more accurate, you should consider using a Microsoft product such as DumpEL, EventCombMT, or Log Parser. You can find the links to these tools in the "Suggested Reading and Resources" section at the end of this chapter.

  • Audit system events for success and failure events: By auditing system events, you can monitor unusual activity that could indicate when an attacker is trying to gain access or compromise systems.

  • Audit policy change events for success events: Auditing of successful policy change events can indicate that someone is changing items to which he or she should not have access.

  • Audit account management events for success events: Auditing of successful account management events can help you verify that changes are successful. You might be tempted to audit failure events, but that can lead to an overwhelming number of entries that can degrade system performance over time. Failure auditing should be done only for short periods, and it should look for specific activity only.

  • Audit account logon events for success events on DCs: Auditing of successful account logon events enables you to determine when users are logging on and off the network. This can be useful for tracking down activity occurring outside normal working hours.

  • Configure specific object access auditing: You should configure only the object auditing that you need. In other words, if all you want to audit is users attempting to read a document, you don't need to configure auditing for full control. By limiting the object access auditing you configure, you can cut down on extraneous log entries through which you would otherwise have to sift.
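The nine audit categories listed earlier in this section map one-to-one onto keys in the [Event Audit] section of a security template (.inf) file, and the recommendations just given amount to a minimum baseline that a template can be checked against, which is the "audit security settings by using security templates" part of the objective. The following Python script is an added example, not from the book: it decodes the [Event Audit] section of a constructed sample template (the value encoding 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure is the one secedit and the Security Templates snap-in write) and reports every category that audits less than the recommended baseline. The sample template contents and the exact baseline dictionary are assumptions for illustration; the checker itself works on any template saved from the snap-in.

```python
"""Decode the [Event Audit] section of a Windows security template (.inf)
and compare it with the recommended auditing baseline.

Added example, not from the book. The template text is constructed for
illustration; the baseline encodes the recommendations in the text and is an
assumption for the categories the text does not mention.
"""
import configparser

# Value encoding used by security templates and secedit:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Template key -> audit category name shown in the Group Policy editor.
CATEGORIES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}

# Minimum settings from the recommendations above (bitmask: 1 = success,
# 2 = failure). A template is compliant when it audits at least these.
RECOMMENDED = {
    "AuditSystemEvents": 3,   # success and failure
    "AuditPolicyChange": 1,   # success
    "AuditAccountManage": 1,  # success
    "AuditAccountLogon": 1,   # success (on domain controllers)
}

# Constructed sample template, in the layout the Security Templates snap-in
# saves; note that system events lack failure auditing and account
# management audits only failures.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 2
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""


def parse_event_audit(template_text):
    """Return {template_key: int} for the [Event Audit] section (empty if absent)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the CamelCase key names as written
    parser.read_string(template_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in parser.items("Event Audit")
            if key in CATEGORIES}


def describe(settings):
    """Human-readable view: category name -> audited outcomes."""
    return {CATEGORIES[key]: FLAGS[value] for key, value in settings.items()}


def check_baseline(settings, baseline=RECOMMENDED):
    """List (category, missing outcomes) where the template falls short.

    A category falls short when a required bit is not set; auditing more
    than the baseline requires is never reported.
    """
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key, 0)  # an absent key means not configured
        missing = required & ~actual
        if missing:
            findings.append((CATEGORIES[key], FLAGS[missing]))
    return findings


if __name__ == "__main__":
    parsed = parse_event_audit(SAMPLE_TEMPLATE)
    for name, value in describe(parsed).items():
        print(f"{name:35} {value}")
    for name, missing in check_baseline(parsed):
        print(f"SHORT: {name} is not auditing {missing}")
```

Run against the sample, the checker reports that system events are missing failure auditing and account management is missing success auditing, which are exactly the two deviations from the recommendations built into the sample. Because the same key names and encoding appear in templates applied with secedit, the script can be pointed at an exported template to review a deployed policy without opening the snap-in.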

Challenge

You are the systems administrator for Kelly's Jelly, Inc. You have been tasked by the IS manager with developing and implementing a customized security solution for the company's new network. The network will consist of Windows Server 2003 server computers and Windows XP Professional workstations.

Kelly's business structure consists of the following major departments:

  • Accounting

  • Administration

  • Design

  • Engineering

  • Maintenance

  • Production

  • Stock control

The user and computer accounts for each department are to be placed in an OU bearing the same name as the department. The member servers are to be placed in OUs by function: File and Print, Exchange, SQL, and RRAS. In addition, all Domain Controllers will remain in their default container.

Your task is to create the required OU structure and security policies to implement custom security policies for the company.

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

Answers

Because each department is to have its own OU for users and computers, you will need to first create those seven organizational units. Additionally, you have four different types of member servers that will each require an OU to be created to house them. The default Domain Controllers OU will be used to hold all Domain Controllers in the company.

Once you have created the 11 new OUs, you can then go about the task of creating and implementing security policies for the company. Typically you will apply the most general policies at the domain level. These policies should be common to all OUs under the domain root. Beyond that, you can create and implement the security policies for each of the organizational units as required. It's likely that the department OUs will get the same security policy via a linked group policy object, thus making your organizational units more organizational than they appeared at first.


MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
Year: 2006
Pages: 196
Authors: Will Schmied