Configuring Windows 2000 and Windows Server 2003 Auditing Policies

Windows 2000 and Windows 2003 Servers use the Active Directory to store objects, such as user and computer accounts, as well as security information for the domain. When you promote a Windows 2000/2003 server to be a domain controller in the domain, you can use the Domain Security Policy MMC Snap-in to set up auditing for the domain. With few exceptions, this Snap-in works the same for both Windows 2000 and Windows 2003 servers.

This utility is the first step toward setting up events to audit. You use the Domain Security Policy tool to select the categories of events to audit. You can then select the individual objects (such as files, folders, or printers) that will be audited. After you have selected the kinds of events you want to audit, you need to configure auditing on the resources that you consider important, just as you did in Windows NT 4.0.

Use Start, Programs, Administrative Tools (or Start, Administrative Tools for Windows 2003), Domain Security Policy (Domain Controller Security Settings for Windows 2003) to start this tool. In Figure 43.5, you can see the MMC that is displayed, with the Security Settings object in the left pane of the console expanded to show the various objects that can be used to configure and monitor security for the domain.

Figure 43.5. Use the Domain Security Policy tool to enable auditing.

Note

The remainder of this section uses examples from Windows 2000 Advanced Server. Windows 2003 Server operating systems can be configured using pretty much the same procedures discussed in this chapter. You will find, however, that there are additional items in the Default Domain Controller Security Settings window. These are specific to the Windows 2003 operating system. However, when you finish reading this chapter, you will find that using Windows 2003 will be easy to learn, because the differences are basically due to the new features that Windows 2003 offers.

In the right pane, double-click Local Policies and then Audit Policy. In Figure 43.6, you can see the events you can set up for auditing for the domain.

Figure 43.6. Use the Audit Policy object in the left pane to configure auditing.

To enable auditing, first select the kinds of events you want to audit. For example, to enable logging for successful or failed logon attempts, use the category Audit Logon Events. If you double-click this item, you can then select to audit successful or unsuccessful logon attempts (Success, Failure), as shown in Figure 43.7.

Figure 43.7. When you enable auditing for a category, you can enable both successful access and failed access attempts.

You can choose to audit other categories in this utility, such as changes made to user accounts (Audit account management), and file or printer access (object access). To audit object access on the domain controller, use Audit Directory Service Access. To audit object access on a member server in the domain, select Audit Object Access.

For each category, just double-click the entry in the MMC and select the Define These Policy Settings check box. You can then select either Success or Failure, to decide which kinds of access to audit.

In some environments, it might be desirable to log successful logons so that you can track when users are active on the network. Enabling failed logons can also be useful when you're trying to determine whether someone is attempting to break into your system, or whether a user is having a problem with his account, such as a forgotten password.

Enabling Auditing for Files and Folders

Keeping track of when users log on to the domain or when failed logon attempts occur enables you to track user account usage in the domain. It's also a good idea to keep track of access to important files and folders that reside on your servers. Although the NTFS allows you to grant or deny access with a large degree of precision, it can sometimes be difficult to determine the right combination of user rights and access permissions to use to set up the required access.

For example, the description for the Backup Operators Builtin group you'll find in the Active Directory Users and Computers administrative tool is "Backup Operators can override security restrictions for the sole purpose of backing up or restoring files." Does this mean they can read your files when not using a backup program? No, but to be sure, you can always set up event logging for important files or directories, and then use the Event Viewer to determine when these files or directories were successfully (or unsuccessfully) accessed.

After you've used the Domain Security Policy administrative tool to enable auditing for objects, you can configure specific objects for auditing.

The simplest way to set up auditing for a file or folder is to bring up the Windows Explorer accessory and use the properties page for a folder or a file:

1.	Choose Start, Programs, Accessories, Windows Explorer.
2.	Locate the folder or file you want to enable for auditing.

3.	Right-click the file or folder and select Properties from the menu that appears. For Windows 2003 Servers, you can also select Sharing and Security from this same menu.
4.	Select the Security tab and click the Advanced button that appears at the bottom of the display. This brings up the Access Control Settings properties page for the folder. Click the Auditing tab (see Figure 43.8). Figure 43.8. The Access Control Settings properties page allows you to control access and auditing for the folder.

5.	Click the Add button to bring up the standard Select User Computer or Group dialog box. You can use this dialog box to select the user(s) or group(s) that will generate audit records when access is attempted for the folder. Use the scrollbar to find the user, or enter the name of the user (or group) if you already know it, into the Name field. Click the OK button and the Auditing Entry dialog box appears (see Figure 43.9). Figure 43.9. After you've selected the user or group whose access will be audited, you can select the event(s) that will generate an audit record.

6.	This dialog box allows you to select the events to be audited in great detail. Use the Apply Onto drop-down list to choose whether the auditing entry is created for just this folder, the folder and files in the folder, subfolders, and combinations thereof. Use the Access pane to select the action that will be audited by clicking either the Successful or Failed (or both) check boxes. Tip Note the Apply These Auditing Entries to Objects and/or Containers Within This Container Only check box at the bottom of the dialog box. Because child objects in the Active Directory inherit attributes from parent objects, you should enable this check box if you want to restrict the auditing entry to just the users or groups you've selected in this particular container (that is, domain, or organizational unit). Note In Figure 43.9, the types of access are complicated because on a secure Windows 2000 computer, NTFS is used as the file system. In addition to the traditional access types such as read, write, and delete, you'll see a lot of other things that can be manipulated in the file system, such as changing the permissions or reading and writing extended attributes for the file or folder. Before you begin to select events for auditing, make sure you understand them. You should be well versed in how the NTFS operates before you begin auditing access types that you are unfamiliar with, or you might end up generating literally thousands of entries in the event log. See Chapter 39 for more information on this topic.
7.	When you've finished selecting the events to be audited, click OK.
8.	When the Access Control Settings properties sheet reappears, note the check boxes at the bottom of this dialog box. By default, the Allow Inheritable Auditing Entries from Parent to Propagate to This Object check box is selected. Remember that unless the parent object has blocked inheritance for auditing entries, this is the default in the Active Directory. The second check box resets the auditing entries for all objects that fall under the user or group in the Active Directory.
9.	Click OK to dismiss the Access Control Settings properties sheet, and then do the same for the initial properties page for the folder.

After you've set up auditing, you can check the event log periodically to determine which users have successfully accessed the folder or file, and also those that have failed to gain access, depending on which check boxes you have selected.

If all this seems complicated, it is! The Active Directory allows you to finely tune the access permissions, user rights, and auditing for objects that exist in the directory. Obviously, you should structure your file system and user groups with careful planning so that you don't end up with a large number of variables to contend with. If you try to set up auditing for every folder on a user-by-user basis, for example, you'll spend a lot of time setting up auditing every time you add a new user or create a new directory.

Notice also that inheritance can be blocked from above as well as propagated to objects that are beneath the object you are auditing. For example, if you have multiple organizational units in your domain, you can set up auditing based on the domain, and let these auditing records filter down the tree to apply also to the organizational units that fall underneath it. Or you can elect to set up auditing differently for each organizational unit.

Note

The Active Directory can be only as complex as you make it. For many small organizations, a single domain and the builtin containers (that is, Users and Computers) are sufficient for managing a small number of users. For a small home network, you should probably be using a less expensive operating system, such as Windows XP configured in a workgroup instead of using the domain-based Active Directory service.

For more information about container objects in the directory, as well as how the directory is organized, see Chapter 30, "Using the Active Directory," or Appendix D, "The Lightweight Directory Access Protocol."

Enabling Auditing for Printers

The method used for selecting users and groups and the access that will be audited is just about the same for printers as it is for files and folders. You use the same dialog box to select users and groups, and a similar dialog box to select the type of access to be audited. To set up a printer for auditing, use the following steps:

1.	For Windows 2000, choose Start, Settings, Printers. For Windows 2003 Server, choose Start, Printers and Faxes. When the Printers window appears, right-click the printer you want to set up auditing for and select Properties from the menu that appears. Select the Sharing or Security tab.
2.	Click the Advanced button at the bottom of this properties sheet. The Access Control Settings properties sheet appears. Click the Auditing tab.
3.	Click the Add button and the standard Select User, Computer or Group dialog box appears, just as it did when you were setting up auditing for folders in the preceding section. Select the user or group that will be audited and click Add.

4.	The Auditing Entry dialog box for printers appears looking a little different from the one used for files and folders (see Figure 43.10). Figure 43.10. Select the type of access to be audited for the user or groups you have chosen.
5.	Here the access types are much simpler than they were for file and folder objects. Select one of the first two if you want to track what users print and to keep track of users who manage printers. Note that if you select the Print option, the Read Permissions event is also selected because users must be able to read the permissions you've applied to the printer to determine whether they can print to it. Likewise, if you select Manage Printers, all other events are automatically selected with the exception of Manage Documents, because these other events occur while managing a printer.
6.	When you've finished selecting successful and failed events to audit, click OK to dismiss the properties sheet, and then click OK to dismiss the preceding properties sheets.

Logging Shutdown and Startup Events with Windows 2003 Server

Windows 2003 prompts the administrator to give a text message to indicate why the server is being shut down or restarted. This text shows up in the Event Viewer just like any other audited event. Additionally, should the system crash, a similar text message window will pop up after the system boots, allowing you to enter a text message regarding the crash. In this manner, your audit trail can be used to determine what events led up to a crash. If you archive these events to a separate file using the Event Viewer, you can save them for future reference when similar problems occur.

In Figure 43.11 you can see an example of the Shut Down event dialog box for Windows 2003.

Figure 43.11. You can record an event when shutting down the system.

Using the Event Viewer

The Event Viewer is another tool you'll find in the Administrative Tools folder. It functions much the same as it did in Windows NT 4.0, although now the MMC is used as the interface, and some additional functionality has been added. In Figure 43.12 you can see the Event Viewer for Windows 2003 with the Security object selected.

Figure 43.12. The Event Viewers for Windows 2000 Server and Windows 2003 Server now use MMC. This view is from Windows 2003 Server.

In addition to the Application, Security, and System log files, other log files might show up, depending on the services you've installed on the server. For example, in Figure 43.12, the Directory Service, DNS Server, and File Replication Service log files are also listed because they are installed on the domain controller. On member servers that are not domain controllers, your view might be different.

In the right pane of the Event Viewer, you will see a line item for each event in the file. Double-click any event to bring up a properties sheet that contains the detailed information about the event that was logged. In Figure 43.13, for example, you can see an example of a failed logon attempt by the user Administrator on the system.

Figure 43.13. Yes, even the administrator can forget his password once in a while.

Notice also in Figure 43.13 that you can use the up- and down-arrow buttons to move through line items so that you don't have to double-click each one to view the details. This can make scanning a set of events easier. Directly under these arrows is a button that looks like two sheets of paper. Clicking this button copies the details of the logged event to the Clipboard. You can then use a word processor or another utility that has a paste function to save or print the details of the event.

Using the Event Viewer Action Menu

You can use a central MMC to manage the event logs from the local computer that you are logged onto. You can also add other computers in your network to the console tree in the left pane so that you can manage their log files from the same place.

Choose Action, Connect to Another Computer. Figure 43.14 shows the dialog box that pops up. Enter the name or IP address of another computer here, and, if you have access to that computer, click the OK button and it will be added to the tree.

Figure 43.14. You can connect to multiple computers to manage event log files from a central location.

The Action menu also allows you to manage the properties of each log file. You can set the maximum size the log file can grow to, or set whether events should be overwritten when the file becomes full (see Figure 43.15).

Figure 43.15. Choose Action, Properties to manage a log file.

The Filter tab allows you to specify information that will be used to narrow down the records you want to look at. You can select the date range, event type, source, category, event ID, and user, among other things. To return the display to show all records in the file, select View, All Records.

Finally, you can use the Action menu to save a log file to another file, export the information in a log file to a text file, rename the log file, create a new log file, or clear all events from the log file.