Windows 2000 and Windows 2003 Servers use the Active Directory to store objects, such as user and computer accounts, as well as security information for the domain. When you promote a Windows 2000/2003 server to be a domain controller in the domain, you can use the Domain Security Policy MMC Snap-in to set up auditing for the domain. With few exceptions, this Snap-in works the same for both Windows 2000 and Windows 2003 servers. This utility is the first step toward setting up events to audit. You use the Domain Security Policy tool to select the categories of events to audit. You can then select the individual objects (such as files, folders, or printers) that will be audited. After you have selected the kinds of events you want to audit, you need to configure auditing on the resources that you consider important, just as you did in Windows NT 4.0. Use Start, Programs, Administrative Tools (or Start, Administrative Tools for Windows 2003), Domain Security Policy (Domain Controller Security Settings for Windows 2003) to start this tool. In Figure 43.5, you can see the MMC that is displayed, with the Security Settings object in the left pane of the console expanded to show the various objects that can be used to configure and monitor security for the domain. Figure 43.5. Use the Domain Security Policy tool to enable auditing.Note The remainder of this section uses examples from Windows 2000 Advanced Server. Windows 2003 Server operating systems can be configured using pretty much the same procedures discussed in this chapter. You will find, however, that there are additional items in the Default Domain Controller Security Settings window. These are specific to the Windows 2003 operating system. However, when you finish reading this chapter, you will find that using Windows 2003 will be easy to learn, because the differences are basically due to the new features that Windows 2003 offers. In the right pane, double-click Local Policies and then Audit Policy. In Figure 43.6, you can see the events you can set up for auditing for the domain. Figure 43.6. Use the Audit Policy object in the left pane to configure auditing.To enable auditing, first select the kinds of events you want to audit. For example, to enable logging for successful or failed logon attempts, use the category Audit Logon Events. If you double-click this item, you can then select to audit successful or unsuccessful logon attempts (Success, Failure), as shown in Figure 43.7. Figure 43.7. When you enable auditing for a category, you can enable both successful access and failed access attempts.
You can choose to audit other categories in this utility, such as changes made to user accounts (Audit account management), and file or printer access (object access). To audit object access on the domain controller, use Audit Directory Service Access. To audit object access on a member server in the domain, select Audit Object Access. For each category, just double-click the entry in the MMC and select the Define These Policy Settings check box. You can then select either Success or Failure, to decide which kinds of access to audit. In some environments, it might be desirable to log successful logons so that you can track when users are active on the network. Enabling failed logons can also be useful when you're trying to determine whether someone is attempting to break into your system, or whether a user is having a problem with his account, such as a forgotten password. Enabling Auditing for Files and FoldersKeeping track of when users log on to the domain or when failed logon attempts occur enables you to track user account usage in the domain. It's also a good idea to keep track of access to important files and folders that reside on your servers. Although the NTFS allows you to grant or deny access with a large degree of precision, it can sometimes be difficult to determine the right combination of user rights and access permissions to use to set up the required access. For example, the description for the Backup Operators Builtin group you'll find in the Active Directory Users and Computers administrative tool is "Backup Operators can override security restrictions for the sole purpose of backing up or restoring files." Does this mean they can read your files when not using a backup program? No, but to be sure, you can always set up event logging for important files or directories, and then use the Event Viewer to determine when these files or directories were successfully (or unsuccessfully) accessed. After you've used the Domain Security Policy administrative tool to enable auditing for objects, you can configure specific objects for auditing. The simplest way to set up auditing for a file or folder is to bring up the Windows Explorer accessory and use the properties page for a folder or a file:
After you've set up auditing, you can check the event log periodically to determine which users have successfully accessed the folder or file, and also those that have failed to gain access, depending on which check boxes you have selected. If all this seems complicated, it is! The Active Directory allows you to finely tune the access permissions, user rights, and auditing for objects that exist in the directory. Obviously, you should structure your file system and user groups with careful planning so that you don't end up with a large number of variables to contend with. If you try to set up auditing for every folder on a user-by-user basis, for example, you'll spend a lot of time setting up auditing every time you add a new user or create a new directory. Notice also that inheritance can be blocked from above as well as propagated to objects that are beneath the object you are auditing. For example, if you have multiple organizational units in your domain, you can set up auditing based on the domain, and let these auditing records filter down the tree to apply also to the organizational units that fall underneath it. Or you can elect to set up auditing differently for each organizational unit. Note The Active Directory can be only as complex as you make it. For many small organizations, a single domain and the builtin containers (that is, Users and Computers) are sufficient for managing a small number of users. For a small home network, you should probably be using a less expensive operating system, such as Windows XP configured in a workgroup instead of using the domain-based Active Directory service. For more information about container objects in the directory, as well as how the directory is organized, see Chapter 30, "Using the Active Directory," or Appendix D, "The Lightweight Directory Access Protocol." Enabling Auditing for PrintersThe method used for selecting users and groups and the access that will be audited is just about the same for printers as it is for files and folders. You use the same dialog box to select users and groups, and a similar dialog box to select the type of access to be audited. To set up a printer for auditing, use the following steps:
Logging Shutdown and Startup Events with Windows 2003 ServerWindows 2003 prompts the administrator to give a text message to indicate why the server is being shut down or restarted. This text shows up in the Event Viewer just like any other audited event. Additionally, should the system crash, a similar text message window will pop up after the system boots, allowing you to enter a text message regarding the crash. In this manner, your audit trail can be used to determine what events led up to a crash. If you archive these events to a separate file using the Event Viewer, you can save them for future reference when similar problems occur. In Figure 43.11 you can see an example of the Shut Down event dialog box for Windows 2003. Figure 43.11. You can record an event when shutting down the system.
Using the Event ViewerThe Event Viewer is another tool you'll find in the Administrative Tools folder. It functions much the same as it did in Windows NT 4.0, although now the MMC is used as the interface, and some additional functionality has been added. In Figure 43.12 you can see the Event Viewer for Windows 2003 with the Security object selected. Figure 43.12. The Event Viewers for Windows 2000 Server and Windows 2003 Server now use MMC. This view is from Windows 2003 Server.In addition to the Application, Security, and System log files, other log files might show up, depending on the services you've installed on the server. For example, in Figure 43.12, the Directory Service, DNS Server, and File Replication Service log files are also listed because they are installed on the domain controller. On member servers that are not domain controllers, your view might be different. In the right pane of the Event Viewer, you will see a line item for each event in the file. Double-click any event to bring up a properties sheet that contains the detailed information about the event that was logged. In Figure 43.13, for example, you can see an example of a failed logon attempt by the user Administrator on the system. Figure 43.13. Yes, even the administrator can forget his password once in a while.
Notice also in Figure 43.13 that you can use the up- and down-arrow buttons to move through line items so that you don't have to double-click each one to view the details. This can make scanning a set of events easier. Directly under these arrows is a button that looks like two sheets of paper. Clicking this button copies the details of the logged event to the Clipboard. You can then use a word processor or another utility that has a paste function to save or print the details of the event. Using the Event Viewer Action MenuYou can use a central MMC to manage the event logs from the local computer that you are logged onto. You can also add other computers in your network to the console tree in the left pane so that you can manage their log files from the same place. Choose Action, Connect to Another Computer. Figure 43.14 shows the dialog box that pops up. Enter the name or IP address of another computer here, and, if you have access to that computer, click the OK button and it will be added to the tree. Figure 43.14. You can connect to multiple computers to manage event log files from a central location.
The Action menu also allows you to manage the properties of each log file. You can set the maximum size the log file can grow to, or set whether events should be overwritten when the file becomes full (see Figure 43.15). Figure 43.15. Choose Action, Properties to manage a log file.
The Filter tab allows you to specify information that will be used to narrow down the records you want to look at. You can select the date range, event type, source, category, event ID, and user, among other things. To return the display to show all records in the file, select View, All Records. Finally, you can use the Action menu to save a log file to another file, export the information in a log file to a text file, rename the log file, create a new log file, or clear all events from the log file. |