Using Auditing in Windows Server 2003

In this section I cover how to enable auditing, monitor certain events, and analyze the log files using tools from Microsoft. I briefly mention third-party tools that you might also consider. Even though I'm mostly talking about Windows Server 2003, the logging mechanism is substantially similar for Windows 2000 Server, so most of this material still applies there.

What's in the Log Entry?

Every entry in a log file has a predetermined layout. The first field is the Type. This can be Information, Warning, Error, Success Audit, or Failure Audit. The next two fields are the Date and Time. The fourth field is the source of the event. Next comes the Category, which can range from Logon or Logoff to Privilege Use. The next three fields are the event ID, the user under whose account the event occurred, and the computer that recorded the event. The Description field is the important one, because it's where most of the interesting detail about the event is recorded: which account was used, what access was requested, and so on.

Controlling What Gets Audited

To change audit settings for a machine running Windows Server 2003, open the Local Security Policy snap-in from the Administrative Tools folder. Then open Local Security Settings, Local Policies, and Audit Policy. You can see the local security settings in Figure 18-1.

Figure 18-1: You can view local security settings.
Note  

You will probably be better off if you set your auditing policies on the domain; you do this using the Group Policy snap-in and targeting it at the domain, site, or organizational unit (OU) for which you want to set policies.

The local security settings you can audit correspond to the entries in Table 18-1. To enable auditing on the event types, right-click the policy and select Security from the shortcut menu. This opens the Local Security Policy Setting dialog box, shown in Figure 18-2, that allows you to select which type of attempt you wish to audit: success or failure. For this example, I've selected both Success and Failure. (A run of failure audits followed by a success audit for the same account is worth a closer look: it could mean that an intruder has guessed a password and successfully infiltrated your network, or it could simply mean a user has a bad memory.)

Figure 18-2: Change the audit policy using the Local Security Policy Setting dialog box.
Note  

As shown in Figure 18-2, if a domain-level policy setting is defined, it will override the local policy setting you change here.

Auditing access to Active Directory objects is a crucial step in maintaining the security of your server. Enabling auditing for Active Directory events is similar to the method just described. Launch Active Directory Users And Computers from the Administrative Tools folder. Right-click the domain or OU whose policy you want to edit and select Properties from the shortcut menu. A Properties dialog box similar to the one depicted in Figure 18-3 appears. Click the Group Policy tab. Ensure the group policy you wish to alter is selected in the list, and then click Edit.

Figure 18-3: Edit a domain's group policy in the policy's Properties dialog box.

The Group Policy dialog box appears. Navigate to the audit policy (open, in order, Computer Configuration, Windows Settings, Security Settings, Local Policies, and finally Audit Policy), as shown in Figure 18-4.

Figure 18-4: Change audit options for a domain in the Group Policy dialog box.

As before, choose the event you wish to watch by right-clicking on the entry in the list and then selecting Security from the shortcut menu. You can alter settings in the dialog box pictured in Figure 18-5, and henceforth those events are quietly logged for your viewing pleasure. I've chosen to audit object access because I want to monitor a folder in my file system; this is useful for monitoring the base configuration of your Windows Server 2003 servers. Note that turning on the Audit Object Access policy by itself logs nothing for files and folders: it only makes Windows honor the audit entries you attach to individual objects, which is the next step.

Figure 18-5: Change the security policy setting using the Security Policy Setting dialog box.

Auditing an Object's Access

Now that auditing object access is enabled, you can monitor access to a folder. In itself, this is not particularly useful for Microsoft Exchange, but it is useful if you want to ensure that no one modifies the Exchange binaries or other items that are stored in folders. You cannot, however, use this auditing method to audit access to Exchange folders within a mailbox database: to the file system the database is a single file, and the folders inside it are not NTFS objects.

Right-click the folder, choose Properties, click the Security tab, and then click Advanced to open the Access Control Settings dialog box for the folder, as shown in Figure 18-6. On the Auditing tab, click Add to add a new audit entry, pick the user or group whose access you want to record, and then select the accesses and outcomes to log in the Auditing Entry dialog box shown in Figure 18-7. If you want to log an entry when a member of the Guests group reads the folder's contents or executes a file, for example, select the Success check boxes for List Folder / Read Data and Traverse Folder / Execute File. By default an audit entry applies to the folder, its subfolders, and its files, so one entry on the Exchange installation folder covers the binaries beneath it.

Figure 18-6: Set access control settings in the Access Control Settings dialog box.

Figure 18-7: Set entries to log in the Auditing Entry dialog box.

If you monitor all these logon successes and failures and the many other possible events, management and proper analysis of the data can be difficult because the log files can grow very quickly. To properly manage the task, you should use analysis tools. Event Viewer lets you scan the log files and perform some rudimentary filtering, and EventCombMT and some third-party tools allow a greater depth of analysis.

Note  

Just because you see failure audit events, don t assume that you re under attack! These are perfectly normal in a range of circumstances. There are many code paths in Windows that attempt to open items with more permissions than they need, then gracefully fall back to a more limited set of permissions; this is an easy way to figure out what permissions the calling code has, but it can cause failure audits to be generated.

Automated Analysis Tools

Looking at event logs manually is fun for about 90 seconds; then it descends into tedium, and it gets worse from there. The alternative is to use automatic tools that can scan and filter events for you.

Using EventCombMT

EventCombMT is an application distributed from the Microsoft Web site; among other sources, you can get it from the Security Operations Guide for Windows 2000, available from http://www.microsoft.com/downloads/release.asp?releaseid=37123. It's a powerful analysis tool that allows you to collect log data from multiple servers, filtered based on your criteria and combined into a file for your perusal. To use the tool, of course, you must download and install EventCombMT, which is (as of this writing) bundled in the SecOps.exe compressed self-extracting archive on the Security Operations Guide for Windows 2000 Web site. Figure 18-8 shows EventCombMT on initial startup. You see that a domain, Example.net, is already set and the default output directory for the generated text files is c:\Temp.

Figure 18-8: The EventCombMT application is shown at startup.
EventCombMT Interface

From the File menu, you can start the Event Viewer by selecting (logically) Launch Event Viewer. Open Log Directory opens the folder that holds the processed query results. Set Output Directory allows you to change the default output log directory. Open Saved Event Logs allows you to perform the same analysis on saved log files instead of the system logs.

The Options menu allows you to cache security identifiers (SIDs), skip servers that aren't responding, and cache dynamic-link library (DLL) information to optimize EventCombMT's memory usage. Resolve Hostname From 675 Records looks up the client address recorded in event ID 675 (Kerberos pre-authentication failed) entries; this can be slow and error prone, especially if you use Dynamic Host Configuration Protocol (DHCP), because the IP address might have been reassigned since the log entry was made, so it is disabled by default. The Only Get One Matching Event option allows you to do exactly that. It allows simple querying that might be required, for instance, in the event of a catastrophic error. (That could well be the last event logged anyway.)

Throttling the CPU slows the performance of EventCombMT, and that can minimize network traffic. Because the application is multithreaded, you can saturate your network easily if you have many servers. If you select Popup Warnings For Full Event Logs, then once they are full, EventCombMT displays a warning for you. Notify If Criteria Found pops up an informational dialog box if the search criteria are matched in a log file. If you choose Capture Event ID Statistics, you can track how many times an ID occurs in your log files. If you are going to use analysis tools that operate best on comma-separated files, select Save Files As CSV Files. This results in the output being named *.csv and being easily imported into applications like spreadsheets or databases that enjoy a diet of comma-delimited text files.

If you need to log on under a different user name, select Use Alternate Credentials. This is particularly useful if you log on to many different servers to collate records. Note that this option does not currently work with remote procedure call (RPC) and File Replication Service (FRS) log searches. Another consideration is that the encryption method for the password is not particularly strong, so use an account created for this purpose, grant it only the Manage Auditing And Security Log user right (which is what reading the Security log requires) on the target servers, and don't reuse its password anywhere else.

When a query returns no records, the corresponding file is deleted from the default output directory. Choosing the Create Files For Failed/Empty Searches option creates a file and fills it with a message stating that no records were returned; if a file already exists, its contents are truncated and the file is not deleted. The final Option menu item is the Data submenu, which allows you to save space in your text files by printing data as words and bytes. For some values, this might be practically indecipherable, but it is useful if disk space is at a premium.

The Searches menu allows you to save and replay past searches and access built-in searches. If you find yourself repeating searches, be sure to save them so you can easily reload them later. Explore the built-in searches; they might save you a lot of time. Many might be immediately useful to you, and some are quite sophisticated.

The EventCombMT dialog box looks a little complicated at first glance, but it really is quite simple to use. The most important features are the Server list box, in which you right-click to add servers, Log File and Event Type check boxes, and the Event IDs list. I'll use these three parts in the next section.

Putting EventCombMT to Work

Home.example.net is the sole domain controller in my domain, so I added HOME as a server by right-clicking in the Server list box (just below the Domain text box) and choosing Get DCs In Domain from the shortcut menu. Your method for adding servers might vary depending on your network architecture and search requirements.

In this example, I want to search the security log for event ID 560, which represents an object access event. I select only the Security log file check box, and then select both success and failure audit event types. I type 560 in the Event IDs text box and then click Search. This returns 9 records, as indicated in Figure 18-9. A file named HOME-Security_LOG.txt is created in the output directory and is automatically opened. One of the nine lines from the file (slightly edited to make it more readable) is shown here:

 560, AUDIT SUCCESS, Security, 
Thu Nov 14 12:39:44 2002, EXAMPLE\a_user, Object Open:
Object Server: Security
Object Type: File
Object Name: D:\MyFolder
New Handle ID: 648
Operation ID: {0,5070557}
Process ID: 8
Primary User Name: HOME$
Primary Domain: EXAMPLE
Primary Logon ID: (0x0,0x3E7)
Client User Name: a_user
Client Domain: EXAMPLE
Client Logon ID: (0x0,0x4C7C95)
Accesses ReadAttributes Privileges
Figure 18-9: The EventCombMT application is shown for the preceding example.
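As an added example (my code, not part of the chapter and not part of EventCombMT), the following Python script parses EventCombMT-style text output, one record per line in the field order of the 560 entry shown above, and then applies the check suggested earlier in this section: a run of failure audits for the same client account and object that ends in a success audit. It also applies the caveat from the note on failure audits, treating a single failure followed within a couple of seconds by a success from the same process as the open-then-fall-back pattern rather than a break-in. The six records are constructed to follow the layout of the entry above, the one-line record layout and the two-second window are my assumptions, and the verdict labels are mine.

```python
"""Parse EventCombMT-style Security log records and flag failure-then-success runs.

Added example, not code from the chapter or from EventCombMT.  Assumes each
record occupies one line: id,type,log,timestamp,user,description, with the
description holding the event 560 "Key: value" fields shown in the chapter."""
import re
from collections import defaultdict
from datetime import datetime

# Description fields of event ID 560 (Object Open), in the order the text shows them.
DESC_KEYS = ["Object Server", "Object Type", "Object Name", "New Handle ID",
             "Operation ID", "Process ID", "Primary User Name", "Primary Domain",
             "Primary Logon ID", "Client User Name", "Client Domain",
             "Client Logon ID", "Accesses", "Privileges"]
_KEYS = "|".join(DESC_KEYS)
# "Key: value" pairs; a value runs until the next known key or the end of the line.
_FIELD_RE = re.compile(rf"({_KEYS}):\s*(.*?)(?=\s+(?:{_KEYS}):|$)")


def parse_record(line):
    """Split 'id,type,log,timestamp,user,description' into a dict of fields."""
    event_id, kind, log, stamp, user, desc = line.strip().split(",", 5)
    ev = {"id": int(event_id), "type": kind, "log": log, "user": user,
          "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")}
    ev.update(dict(_FIELD_RE.findall(desc)))
    return ev


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def find_failure_runs(events, fallback_window=2.0):
    """For each (client user, object), report every run of 560 failure audits
    that is followed by a 560 success audit.  A single failure followed within
    fallback_window seconds by a success from the same process is the
    open-then-fall-back pattern ("probable fallback"); anything else is
    reported as "suspicious" for a human to look at."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["id"] == 560:
            by_key[(ev.get("Client User Name"), ev.get("Object Name"))].append(ev)
    findings = []
    for (who, what), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        failures = []
        for ev in evs:
            if ev["type"] == "AUDIT FAILURE":
                failures.append(ev)
                continue
            if ev["type"] == "AUDIT SUCCESS" and failures:
                last = failures[-1]
                gap = (ev["time"] - last["time"]).total_seconds()
                fallback = (len(failures) == 1
                            and ev["Process ID"] == last["Process ID"]
                            and gap <= fallback_window)
                findings.append({
                    "user": who, "object": what, "failures": len(failures),
                    "denied": sorted({f["Accesses"] for f in failures}),
                    "gap_seconds": gap,
                    "verdict": "probable fallback" if fallback else "suspicious"})
            failures = []
    return findings


def _rec(kind, stamp, user, obj, handle, pid, access):
    """Build one constructed record in the assumed one-line layout."""
    desc = (f"Object Open: Object Server: Security Object Type: File "
            f"Object Name: {obj} New Handle ID: {handle} Operation ID: {{0,5070557}} "
            f"Process ID: {pid} Primary User Name: HOME$ Primary Domain: EXAMPLE "
            f"Primary Logon ID: (0x0,0x3E7) Client User Name: {user} "
            f"Client Domain: EXAMPLE Client Logon ID: (0x0,0x4C7C95) "
            f"Accesses: {access} Privileges: -")
    return f"560,{kind},Security,{stamp},EXAMPLE\\{user},{desc}"


# Constructed sample data (not real log output).
SAMPLE_RECORDS = "\n".join([
    # a_user's process asks for WriteData, is refused, and re-opens read-only one
    # second later: the benign fallback pattern.
    _rec("AUDIT FAILURE", "Thu Nov 14 12:39:43 2002", "a_user", r"D:\MyFolder", "-", 8, "WriteData"),
    _rec("AUDIT SUCCESS", "Thu Nov 14 12:39:44 2002", "a_user", r"D:\MyFolder", 648, 8, "ReadAttributes"),
    # b_user is refused write and delete access to the Exchange binaries three
    # times, then succeeds minutes later from a different process.
    _rec("AUDIT FAILURE", "Thu Nov 14 12:41:00 2002", "b_user", r"D:\Exchsrvr\bin", "-", 1204, "WriteData"),
    _rec("AUDIT FAILURE", "Thu Nov 14 12:41:10 2002", "b_user", r"D:\Exchsrvr\bin", "-", 1204, "WriteData"),
    _rec("AUDIT FAILURE", "Thu Nov 14 12:41:20 2002", "b_user", r"D:\Exchsrvr\bin", "-", 1204, "DELETE"),
    _rec("AUDIT SUCCESS", "Thu Nov 14 12:45:00 2002", "b_user", r"D:\Exchsrvr\bin", 712, 1500, "WriteData"),
])


if __name__ == "__main__":
    for f in find_failure_runs(parse_records(SAMPLE_RECORDS)):
        print(f"{f['verdict']:17} {f['user']:8} {f['object']:18} "
              f"{f['failures']} failure(s) denied {','.join(f['denied'])}, "
              f"then success after {f['gap_seconds']:.0f}s")
```

To use it on real output, replace SAMPLE_RECORDS with the contents of the HOME-Security_LOG.txt file EventCombMT writes (or of a DumpEl export massaged into the same field order), and tune the window to what your own servers show for the fallback pattern. Grouping on the Client fields rather than the Primary fields matters: for access over the network the Primary account is the server's own machine account (HOME$ above), and it is the Client account that tells you who actually asked.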

Other Tools

There are a variety of useful tools that allow you to manipulate the event log in interesting ways.

DumpEvt

DumpEvt, from SomarSoft ( http://www.somarsoft.com ), is a free utility that allows you to export Windows Server 2003 event logs into a form that applications like databases can easily import. There is a DLL version of the application that allows applications written in languages like Visual Basic to perform the same export operations with more user-specific functionality.

DumpEl

DumpEl.exe is included with the Windows 2000 Resource Kit (it s also available from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp ). It allows you to dump the contents of a specified server s application, security, or system logs to a text file from the command line.

Perl

Perl is a scripting language that, given its powerful regular expressions capabilities, is perfectly suited for parsing and analyzing exported audit log files. As you level out at the top of the steep learning curve, you'll realize that Perl is a powerful solution to many data processing needs, and learning to harness its power is something you should do if you haven't already. ActivePerl, a popular implementation of the Perl interpreter, is available from http://www.activestate.com/Products/ActivePerl/.

EventQuery.vbs

Microsoft ships a VBScript tool named EventQuery with Windows XP and Windows Server 2003. You can use it to query the application, system, or security logs for events from a particular source, during a specified time range, generated by a specified user or computer, or matching a particular ID, pretty much exactly what you need to quickly scan the logs on a single machine. The command syntax is completely documented in the Windows online help, so I won't repeat it here. However, with a little tweaking, you can easily use this script as the core of an automated scanning and reporting regime that will make it easy for you to stay on top of the contents of your audit log.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189