Lesson Configuring Auditing

What Is Auditing?

What Is Audit Policy?

Types of Events to Audit

Guidelines for Planning an Audit Policy

How to Enable an Audit Policy

How to Enable Auditing for Files and Folders

How to Enable Auditing for Active Directory Objects

Best Practices for Configuring Auditing

Introduction No security strategy is complete without a comprehensive auditing strategy.

More often than not, organizations learn this only after they experience a security incident. Without an audit trail of actions, it is almost impossible to successfully investigate a security incident. You must determine as part of your overall security strategy what events you need to audit, the level of auditing appropriate for your environment, how the audited events are collected, and how they are reviewed.

Lesson objectives After completing this lesson, you will be able to:

■ Describe auditing.

■ Describe what an audit policy is.

■ Describe types of events to audit.

■ Identify the guidelines for planning an audit policy.

■ Enable an audit policy.

■ Enable auditing for files and folders.

■ Enable auditing for an organizational unit.

■ Apply best practices while configuring auditing.

What Is Auditing?

Auditing tracks user and operating system activities and records selected events in security logs

What occurred? Who did it? When? What was the result?

Enable auditing to:

Create a baseline

Determine damages

Detect threats and attacks

Prevent further damage

Audit access to objects, management of accounts, and users logging on and logging off

Definition Auditing is the process that tracks user and operating system activities by recording selected types of events in the security log of a server or a workstation. Security logs contain various audit entries, which contain the following information:

■ The action that was performed

■ The user who performed the action

■ The success or failure of the event and when the event occurred

■ Additional information, such as the computer where the event occurred

Why perform auditing? Enable auditing and monitor audit logs to:

■ Create a baseline of normal network and computer operations.

■ Detect attempts to penetrate the network or computer.

■ Determine what systems and data have been compromised during or after a security incident.

■ Prevent further damage to networks or computers after an attacker has penetrated the network.

The security needs of an organization help determine the amount of auditing used. For example, a minimum-security network may choose to audit failed logon attempts to monitor against potential brute force attacks. A high-security network may choose to audit both successful and failed logon attempts to track any unauthorized users who successfully gain access to the network.

Although auditing may provide valuable information, excessive auditing fills the audit log with unnecessary information. This can potentially affect the performance of your system and make it extremely difficult to find relevant information.

Types of events to audit The most common types of events to audit are when:

■ Objects, such as files and folders, are accessed

■ User accounts and group accounts are managed

■ Users log on to and log off from the system

Additional reading For more information about auditing, see the TechNet article "Auditing overview" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/sag_SEconceptsAudit.asp.

What Is Audit Policy?

An audit policy determines the security events that will be reported to the network administrator

Set up an audit policy to:

Track success or failure of events

Minimize unauthorized use of resources

Maintain a record of activity

Security events are stored in security logs

Introduction Establishing an audit policy is an important part of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

Definition An audit policy defines the types of security events that Windows Server 2003 records in the security log on each computer. Windows Server 2003 writes events to the security log on the specific computer where the event occurs.

Why set up an audit policy? Set up an audit policy for a computer to:

■ Track the success and failure of events, such as attempts to log on, attempts by a particular user to read a specific file, changes to a user account or group membership, and changes to security settings.

■ Minimize the risk of unauthorized use of resources.

■ Maintain a record of user and administrator activity.

Use Event Viewer to view events that Windows Server 2003 records in the security log. You can also archive log files to track trends over time. This is useful to determine trends in the use of printers, access to files, and attempts at unauthorized use of resources.

How can you implement an audit policy? You can set up an audit policy on any single computer, either directly by using the Local Policy snap-in or indirectly by using Group Policy, which is more commonly used in large organizations. After an audit policy is designed and implemented, information begins to appear in the security logs. Each computer in the organization has a separate security log that records local events.

When you implement an audit policy:

■ Specify the categories of events that you want to audit. Examples of event categories are user logon, user logoff, and account management. The event categories that you specify constitute your audit policy. There is no default audit policy.

■ Set the size and behavior of the security log. You can view the security log with Event Viewer.

■ Determine which objects you want to monitor access of and what type of access you want to monitor, if you want to audit directory service access or object access. For example, if you want to audit attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that successful and failed attempts to read a file are recorded.

Default audit policies The default auditing settings for servers are configured by administrative templates. The following security templates configure default auditing settings:

■ Setup security.inf

To view the policy settings that each security template configures, in the Security Templates snap-in, navigate to Local Policies\Audit Policy for each administrative template.

Additional reading For more information about audit policies, see the TechNet article "Auditing policy" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/APtopnode.asp.

Types of Events to Audit

Account Logon

Account Management

Directory Service Access

Logon

Object Access

Policy Change

Privilege Use

Process Tracking

System

Introduction

The first step in creating a strategy for auditing the operating system is to determine what types of actions or operations you need to record.

Determining what events to audit What operating system events should you audit? You do not want to audit every event, because auditing all operating system events requires enormous system resources and may negatively affect system performance. You should work with other security specialists to determine what operating system events to audit. Only audit events that you believe will be useful for later reference.

An effective way to begin determining what events to audit is to gather the relevant group of people and discuss:

■ What actions or operations you want to track.

■ On what systems you want to track these events.

For example, you may decide to track:

■ All domain and local logon events on all computers.

■ The use of all files in the Payroll folder on the HR server.

In Windows Server 2003, audit events can be split into two categories:

■ Success events

A success event indicates that the operating system has successfully completed the action or operation. Success events are indicated by a key icon.

■ Failure events

A failure event indicates that an action or operation was attempted, but did not succeed. Failure events are indicated by a padlock icon.

The success and failure events

Failure events are very useful for tracking attempted attacks on your environment, but success events are much more difficult to interpret. The vast majority of success events are indications of normal activity, and an attacker who accesses a system also generates a success event.

Often, a pattern of events is as important as the events themselves. For example, a series of failures followed by a success may indicate an attempted attack that was eventually successful.

Similarly, the deviation from a pattern may also indicate suspicious activity. For example, suppose the security logs show that a user at your organization logs on every workday between 8 A.M. and 10 A.M., but suddenly the user is logging on to the network at 3 A.M. Although this behavior may be innocent, it should be investigated.
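The two patterns just described (a run of failures followed by a success, and a logon at an hour a user has never logged on before) can be checked mechanically once the security log is exported. The following is an added example, not part of the course material: the records are constructed, the event IDs 528 (successful logon) and 529 (logon failure) are those of the Windows Server 2003 security log, and the record fields, the three-failure threshold and the ten-minute window are assumptions chosen for the example.

```python
"""Detect two audit-log patterns from the lesson: a burst of failed logons
followed by a success, and a successful logon outside a user's usual hours.
Sample records are constructed; event IDs follow the Windows Server 2003
security log (528 = successful logon, 529 = logon failure)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_SUCCESS = 528
LOGON_FAILURE = 529

# Constructed sample of exported security-log records (not a real log).
SAMPLE_LOGONS = [
    # Baseline: alice logs on on workdays between 8 and 10 A.M.
    {"time": "2004-03-01 08:12", "id": 528, "user": "alice", "computer": "LONDON"},
    {"time": "2004-03-02 09:05", "id": 528, "user": "alice", "computer": "LONDON"},
    {"time": "2004-03-03 08:47", "id": 528, "user": "alice", "computer": "LONDON"},
    # Three failures against bob, then a success: a password may have been guessed.
    {"time": "2004-03-04 22:01", "id": 529, "user": "bob", "computer": "LONDON"},
    {"time": "2004-03-04 22:02", "id": 529, "user": "bob", "computer": "LONDON"},
    {"time": "2004-03-04 22:02", "id": 529, "user": "bob", "computer": "LONDON"},
    {"time": "2004-03-04 22:04", "id": 528, "user": "bob", "computer": "LONDON"},
    # alice suddenly logs on at 3 A.M.
    {"time": "2004-03-05 03:10", "id": 528, "user": "alice", "computer": "LONDON"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (user, failure_count, success_time) for every successful logon
    that follows at least min_failures failed logons for the same account
    within the window. The failure list is reset after each success."""
    hits = []
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_time(ev["time"])
        if ev["id"] == LOGON_FAILURE:
            recent[ev["user"]].append(t)
        elif ev["id"] == LOGON_SUCCESS:
            fails = [f for f in recent[ev["user"]] if t - f <= window]
            if len(fails) >= min_failures:
                hits.append((ev["user"], len(fails), ev["time"]))
            recent[ev["user"]] = []
    return hits


def learn_logon_hours(events, before):
    """Baseline: the set of hours at which each user logged on successfully
    before the given cutoff time."""
    cutoff = parse_time(before)
    hours = defaultdict(set)
    for ev in events:
        t = parse_time(ev["time"])
        if ev["id"] == LOGON_SUCCESS and t < cutoff:
            hours[ev["user"]].add(t.hour)
    return hours


def off_hours_logons(events, baseline, since):
    """Successful logons at or after `since` at an hour the baseline never saw
    for that user. A user with no baseline at all is reported as well."""
    cutoff = parse_time(since)
    flagged = []
    for ev in events:
        t = parse_time(ev["time"])
        if ev["id"] == LOGON_SUCCESS and t >= cutoff:
            if t.hour not in baseline.get(ev["user"], set()):
                flagged.append((ev["user"], ev["time"]))
    return flagged
```

Both checks are only as good as the baseline period: a deviation report over a single week of history flags every new account, which is why the example reports users with no baseline separately rather than ignoring them.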

Events that Windows Server 2003 can audit The first step in implementing an audit policy is to select the types of events that you want Windows Server 2003 to audit. The following table describes the events that Windows Server 2003 can audit.

Event: Example

■ Account Logon: An account is authenticated by a security database. When a user logs on to the local computer, the computer records the Account Logon event. When a user logs on to a domain, the authenticating domain controller records the Account Logon event.

■ Account Management: An administrator creates, changes, or deletes a user account or group; a user account is renamed, disabled, or enabled; or a password is set or changed.

■ Directory Service Access: A user accesses an Active Directory object. To log this type of access, you must configure specific Active Directory objects for auditing.

■ Logon: A user logs on to or off of a local computer, or a user makes or cancels a network connection to the computer. The event is recorded on the computer that the user accesses, regardless of whether a local account or a domain account is used.

■ Object Access: A user accesses a file, folder, or printer. The administrator must configure specific files, folders, or printers for auditing.

■ Policy Change: A change is made to the user security options (for example, password options or account logon settings), user rights, or audit policies.

■ Privilege Use: A user exercises a user right, such as changing the system time (this does not include rights that are related to logging on and logging off) or taking ownership of a file.

■ Process Tracking: An application performs an action. This information is generally only useful for programmers who want to track details about application execution.

■ System: A user restarts or shuts down the computer, or an event occurs that affects Windows Server 2003 security or the security log.

Events audited by default

The Setup security.inf template includes default settings that enable auditing of successful account logon events and successful logon events. No other events are audited by default.

Guidelines for Planning an Audit Policy

Determine the computers to set up auditing on

Determine which events to audit

Determine whether to audit success or failure events

Determine whether you need to track trends

Review security logs frequently

Introduction Auditing too many types of events may create excess overhead, which may result in diminished system performance.

Guidelines Use the following guidelines when planning an audit policy:

■ Determine the computers to set up auditing on. Plan what to audit for each computer, because Windows Server 2003 audits events on each computer separately. For example, you may frequently audit computers used to store sensitive or critical data, but you may infrequently audit client computers that are used solely for running productivity applications.

■ Determine the types of events to audit, such as the following:

• Access to files and folders

• Users logging on and off

• Shutting down and restarting a computer running Windows Server 2003

• Changes to user accounts and groups

■ Determine whether to audit success or failure events, or both. Tracking success events can tell you how often Windows Server 2003 or users access specific files or printers. You can use this information for resource planning. Tracking failure events can alert you to possible security breaches.

■ Determine whether you need to track trends of system usage. If so, plan to archive event logs. Some organizations are required to maintain a record of resource and data access.

■ Review security logs frequently and regularly according to a schedule. Configuring auditing alone does not alert you to security breaches.

How to Enable an Audit Policy

Your instructor will demonstrate how to:

Configure an audit policy on a local computer

Configure an audit policy on a domain or organizational unit

Introduction There are two procedures for enabling an audit policy, depending on whether the computer is in a workgroup or a domain.

Procedure for an audit policy on a local computer To enable an audit policy on a local computer:

1. From the Administrative Tools menu, click Local Security Policy.

2. In the console tree, expand Local Policies, and then double-click Audit Policy.

3. In the details pane, double-click the policy that you want to enable or disable.

4. Do one or both of the following, and then click OK:

• To audit success events, select the Success check box.

• To audit failure events, select the Failure check box.

For example, suppose you select the Success and Failure check boxes for logon and logoff events. If a user successfully logs on to the system, it is logged as a success audit event. If a user tries to access a network drive and fails, the attempt is logged as a failure audit event.

Note If you are a member of a domain, and a domain-level policy is defined, domain-level settings override the local policy settings.

Procedure for an audit policy on a domain or organizational unit To enable an audit policy on a domain or an organizational unit:

1. In Group Policy Management, create or browse to a GPO linked to an organizational unit, and then edit it.

2. In the console tree, navigate to Computer Configuration/Windows Settings/ Security Settings/Local Policies/Audit Policy.

3. In the details pane, double-click the policy that you want to enable or disable.

4. Do one or both of the following, and then click OK:

• To audit success events, select the Success check box.

• To audit failure events, select the Failure check box.

How to Enable Auditing for Files and Folders

Your instructor will demonstrate how to enable auditing for files and folders

Introduction You enable auditing to detect and record security-related events, such as when a user attempts to access a confidential file or folder. When you audit an object, an entry is written to the security log whenever the object is accessed in a certain way.

After you enable auditing, you can keep track of users who access certain objects and analyze security breaches. The audit trail shows who performed the actions and who tried to perform actions that are not permitted.

Procedure To enable auditing for files and folders:

1. In Windows Explorer, locate the file or folder that you want to audit.

2. Right-click the file or folder, and then click Properties.

3. In the Properties dialog box, on the Security tab, click Advanced.

4. In the Advanced Security Settings dialog box, on the Auditing tab, do one of the following:

• To enable auditing for a new user or group, click Add. In the Enter the object name to select box, type the name of the user or group, and then click OK.

• To view or change auditing for an existing group or user, click the name, and then click Edit.

• To disable auditing for an existing group or user, click the name, and then click Remove.

5. Under Access, click Successful, Failed, or both Successful and Failed, depending on the type of access that you want to audit.

6. If you want to prevent child objects from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.

Practice: Enabling Auditing for Files and Folders

In this practice, you will enable auditing for files and folders. Before you begin this practice:

■ Log on to the domain by using the ComputerNameUser account.

■ Open CustomMMC with the Run as command, using the user account Nwtraders\ComputerNameAdmin (Example: LondonAdmin).

■ Ensure that the D:\HR Reports folder is created and shared from a previous practice or lab.

■ Review the procedures in this lesson that describe how to perform this task.

Scenario You get a call from the Human Resources manager, who tells you that files are being deleted. The Sales manager wants to know which user is deleting files. You must enable auditing on your server for the HR-Reports folder.

Practice Create a GPO that enables an audit policy

■ Tool: Group Policy Management

■ GPO name: ComputerName Audit Policy

■ GPO link to the following location: Locations/ComputerName/Computers

■ Enable auditing of the success and failure of the following security policy: Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access

► Verify the location of the computer account

1. Ensure your computer is in the Locations/ComputerName/Computers organizational unit.

If your computer is not in this organizational unit, search for it and move it.

2. From a command prompt, type gpupdate /force

3. If prompted to log off, type N and press ENTER.

► Audit the HR-Reports folder

■ Enable auditing for the folder D:\HR Reports by using the following criteria:

• Audit the group G NWTraders HR Personnel.

• Audit Successful - Delete of Subfolders and Files.

• Audit This folder, subfolders and files.

• Prevent child objects from inheriting these audit entries.
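Once the practice above is in place, the question the scenario asks (which user is deleting files) still has to be answered from the log. The following is an added example, not part of the course: in the Windows Server 2003 security log a deletion appears as event 560 (Object Open, which names the user, the object and the handle and lists DELETE among the accesses) followed by event 564 (Object Deleted, which carries only the handle), so the two records are joined on the handle ID. The records below are a constructed, simplified rendering of exported events, and their field names are assumptions.

```python
"""Attribute deletions under an audited folder to the user who performed them
by joining event 560 (Object Open) with event 564 (Object Deleted) on the
handle ID. Records are constructed for the example; only the event numbers
and the fact that 564 carries just the handle follow Windows Server 2003."""

OBJECT_OPEN = 560
OBJECT_DELETED = 564

# Constructed sample records (not real log output), in chronological order.
SAMPLE_OBJECT_EVENTS = [
    {"id": 560, "time": "2004-03-08 10:15", "user": "NWTRADERS\\Judy", "handle": "0x3a4",
     "object": "D:\\HR Reports\\Q1 Payroll.xls", "accesses": ["DELETE"]},
    {"id": 564, "time": "2004-03-08 10:15", "handle": "0x3a4"},
    {"id": 560, "time": "2004-03-08 10:20", "user": "NWTRADERS\\Don", "handle": "0x3b0",
     "object": "D:\\HR Reports\\Benefits.doc", "accesses": ["ReadData"]},
    # Opened with DELETE access but never deleted: no 564 follows this handle.
    {"id": 560, "time": "2004-03-08 11:02", "user": "NWTRADERS\\Judy", "handle": "0x3c1",
     "object": "D:\\HR Reports\\Q1 Payroll.xls", "accesses": ["DELETE"]},
    # A deletion outside the audited folder, to show the folder filter.
    {"id": 560, "time": "2004-03-08 11:30", "user": "NWTRADERS\\Don", "handle": "0x3d2",
     "object": "D:\\Sales\\Forecast.xls", "accesses": ["DELETE"]},
    {"id": 564, "time": "2004-03-08 11:30", "handle": "0x3d2"},
]


def attribute_deletions(events, folder):
    """Return (time, user, object) for each object under `folder` that was
    opened with DELETE access and then reported deleted on the same handle.
    Handle IDs are reused by the operating system, so the most recent open
    of a handle is the one that a later 564 refers to."""
    open_handles = {}
    deletions = []
    for ev in events:
        if ev["id"] == OBJECT_OPEN:
            open_handles[ev["handle"]] = ev
        elif ev["id"] == OBJECT_DELETED:
            opened = open_handles.pop(ev["handle"], None)
            if opened is None or "DELETE" not in opened["accesses"]:
                continue  # no matching open, or opened without delete rights
            if opened["object"].lower().startswith(folder.lower()):
                deletions.append((ev["time"], opened["user"], opened["object"]))
    return deletions
```

An open with DELETE access alone (the second Judy record) is not evidence of a deletion; only the paired 564 confirms that the file was removed.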

How to Enable Auditing for Active Directory Objects

Your instructor will demonstrate how to:

Delegate an account for auditing

Enable auditing for an organizational unit

Introduction When you enable auditing for an organizational unit, you audit the event generated when a user accesses an Active Directory object that has permissions. By default, auditing is set to Success in the Default Domain Controller GPO, and it remains undefined for workstations and servers where it does not apply.

Note By default, only members of the Administrators group have privileges to configure auditing. You can delegate the task of configuring auditing for server events to another user account by assigning the Manage auditing and security log user right in Group Policy.

Procedure for delegating an account to enable auditing To enable nonadministrators to manage and view audit logs on a member server, you must first delegate the authority to a user or group. To do this:

1. In Group Policy Object Editor, in the console tree, navigate to the following:

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment

2. Click Manage auditing and security log.

3. On the Action menu, click Properties.

4. In the Manage auditing and security log dialog box, select the Define these policy settings check box, and then click Add User or Group.

5. Type the name of the appropriate user or user group from the list, and then click OK.

Procedure for enabling auditing for an organizational unit To enable auditing for an organizational unit:

1. In Active Directory Users and Computers, right-click the organizational unit that you want to audit, and then click Properties.

2. In the Properties dialog box, on the Security tab, click Advanced.

Note To view the security properties, you must click Advanced Features on the View menu of Active Directory Users and Computers.

3. In the Advanced Security Settings dialog box, on the Auditing tab, do one of the following:

• To enable auditing for a new user or group, click Add. In the Enter the object name to select box, type the name of the user or group, and then click OK.

• To remove auditing for an existing group or user, click the group or user name, click Remove, and click OK. Skip the rest of this procedure.

• To view or change auditing for an existing group or user, click the group or user name, and then click Edit.

4. In the Apply onto box, click the location where you want auditing to take place.

5. Under Access, indicate what actions you want to audit by selecting the appropriate check boxes:

• To audit success events, select the Successful check box.

• To stop auditing success events, clear the Successful check box.

• To audit failure events, select the Failed check box.

• To stop auditing failure events, clear the Failed check box.

• To stop auditing all events, click Clear All.

6. If you want to prevent child objects from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.

Practice: Enabling Auditing for an Organizational Unit

After completing this practice, you will be able to configure an audit policy that audits the creation and deletion of objects in an organizational unit.

Before you begin this practice:

■ Log on to the domain by using the ComputerNameUser account.

■ Open CustomMMC with the Run as command using Nwtraders\ComputerNameAdmin (Example: LondonAdmin).

■ Review the procedures in this lesson that describe how to perform this task.

Scenario You are concerned that someone is adding and removing user, computer, and group objects in your ComputerName organizational unit. You want to configure an audit policy that audits the successful and unsuccessful creation and deletion of those objects in your ComputerName organizational unit.

Practice

► Enable auditing for the organizational unit ComputerName

■ Enable auditing by using the following criteria:

• Audit the Everyone group.

• Audit the ComputerName organizational unit and all child objects.

• Audit the following access properties for success and failure events:

  • Create Account Objects

  • Delete Account Objects

  • Create Computer Objects

  • Delete Computer Objects

  • Create Group Objects

  • Delete Group Objects

Best Practices for Configuring Auditing

How to Develop Audit Objectives

Best practices Apply the following best practices while performing auditing:

■ Audit success events in the directory service access category.

By auditing success events in the directory service access category, you can find out who accessed an object in Active Directory and what operations were performed.

■ Audit success events in the object access category.

By auditing success events in the object access category, you can ensure that users are not misusing their access to secured objects.

■ Audit success and failure events in the system category.

By auditing success and failure events in the system category, you can detect unusual activity that indicates that an attacker is attempting to gain access to your computer or network.

■ Audit success and failure events in the policy change category on domain controllers.

If an event is logged in the policy change category, someone has changed the Local Security Authority (LSA) security policy configuration. If you use Group Policy to edit your audit policy settings, you do not need to audit events in the policy change category on member servers.

■ Audit success and failure events in the account management category.

By auditing success events in the account management category, you can verify changes that are made to account properties and group properties. By auditing failure events in the account management category, you can see if unauthorized users or attackers are trying to change account properties or group properties.

■ Audit success events in the logon category.

By auditing success events in the logon category, you have a record of when each user logs on to or logs off from a computer. If an unauthorized person steals a user's password and logs on, you can find out when the security breach occurred.

■ Audit success events in the account logon category on domain controllers.

By auditing success events in the account logon category, you can see when users log on to or log off from the domain. You do not need to audit events in the account logon category on member servers.

■ Set an appropriate size for the security log.

It is important to configure the size of the security log appropriately, based on the number of events that your audit policy settings generate.

Additional reading For more information about audit policy best practices, see the TechNet article "Best practices" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/sag_SEconceptsImpAudBP.asp.

For more information about managing audit logs, see:

■ TechNet article "Microsoft Operations Manager 2000" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/mom/evaluate/mom2k.asp.

■ Article 325898, "HOW TO: Set Up and Manage Operation-Based Auditing for Windows Server 2003, Enterprise Edition" in the Microsoft Knowledge Base at http://support.microsoft.com/?kbid=325898.
