An Overview of Auditing
Auditing enables you to determine which activities are occurring on your system. Through auditing, you can track access to objects, files and folders; as well as any modifications made to the objects, files and folders. Auditing therefore enables you to collect information associated with resource access and usage on your system by allowing you to audit system logon, file access, object access, as well as any configuration changes. An audit trail can be defined as a list of audit entries which portray the life span of an object, or file and folder. When an event or action takes place that's configured for auditing, the action or event is written to the security log. Security auditing events are thus written to the security log of the system, and can be accessed from Event Viewer.
Audit entries in the security log can be one of the following:
-
Success event
-
Failure event
The main types of events which you should audit are listed below:
-
Computer logons and computer logoffs
-
Access to objects, and files and folders
-
System events, such as when the following occurs:
-
Computer reboots and computer shutdowns.
-
System time is modified
-
Audit logs are cleared.
-
-
Performance of user and computer account management activities, such as:
-
Creating new accounts
-
Changing permissions
-
Modifying account statuses
-
One of the primary steps in implementing auditing is to create an audit plan which would define the objectives of implementing auditing on your system. The aspects which should be included in your audit plan are:
-
List the type of access and information which should be audited.
-
Determine whether success events, failure events, or both success and failure events should be audited.
-
Determine the resources which are available for auditing purposes. Resources in this case refers to disk space, and memory and processor usage
-
Plan the scope of auditing according to the resources which are available for auditing purposes. A wide auditing scope with auditing of both success and failure events can cause a large quantity of data to be collected. This in turn could prevent you from easily finding the information considered important.
-
Define the quantity of time which would be required to view and analyze audit logs.
Auditing of security event categories are disabled by default. In order to track access to objects, and files and folders, you have to define and configure an audit policy. You have to determine the types of events which you want to audit, and include the security requirements of the organization when you configure audit policies. Another step in defining audit policies is to determine the particular event categories which should be audited.
The event categories which you can audit are
-
Account logon events: This policy is typically enabled on domain controllers, to track users which are logging on to the computer.
-
Account management: This policy tracks account management tasks performed on the computer, including creating, changing, and deleting user objects; and changing account passwords.
-
Directory service access: For domain controllers, the policy tracks when users access Active Directory objects which have system access control lists (SACLs).
-
Logon events: This audit policy tracks when the user logons and logoffs.
-
Object access: Tracks when a user accesses operating system components such as files, folders or registry keys.
-
Policy change: This policy tacks when changes are made to the security configuration settings of the computer, and includes changes made to:
-
Audit policies
-
Trust policies
-
User rights
-
-
Privilege use: Tracks when a user effects a user right. The user rights excluded from auditing because of the volume of log entries which they generate are:
-
Back Up Files And Directories
-
Bypass Traverse Checking
-
Create A Token Object
-
Debug Programs
-
Generate Security Audits
-
Replace Process Level Token
-
Restore Files And Directories
-
-
Process tracking: This audit policy tracks when certain events take place on the computer, such as when a program starts, or a process ends.
-
System events: This policy tracks the following events:
-
The computer restarts, or shuts down.
-
Any events that impact the security log or the security of the system.
-
For each of the above mentioned event categories, you can choose between three values when you enable auditing. These values in turn determine the condition for which an audit entry would be created:
-
Successes only; an audit entry will be created when a particular event or action successfully finalizes.
-
Failure only; an audit entry will be created when a particular event or action fails.
-
Successes and Failures; an entry will be created when the particular event or action successfully finalizes or fails.
You can define audit polices for:
-
The local computer
-
A domain controller
-
A domain
-
An organization unit (OU)
Audit policies can be configured through Group Policy for the entire site, or a domain and OU. You can also configure audit policies for servers and workstations.
You can enable the Security Options policies to secure certain server components from a number of threats and accidents:
-
Accounts: Administrator Account Status; enables/disables the local Administrator account of the computer.
-
Accounts: Guest Account Status; enables/disables the local Guest account of the computer.
-
Accounts: Rename Administrator Account; defines the alternative name for the security identifier (SID) of the local Administrator account
-
Accounts: Rename Guest Account; defines the alternative name for the security identifier (SID) of the local Guest account
-
Audit: Audit The Use Of Backup And Restore Privilege; when the Audit Privilege Use policy is enabled, it configures the computer to audit user privileges.
-
Audit: Shut Down System Immediately If Unable To Log Security Audits; results in the computer shutting down when no further auditing entries can be written to the security log due to the log reaching its maximum size limit.
-
Devices: Allowed To Format And Eject Removable Media; defines those local groups which are allowed to format and eject removable NTFS file system media.
-
Devices: Restrict CD-ROM Access To Locally Logged-on User Only; stops users from accessing the CD-ROM drives of the computer.
-
Devices: Restrict Floppy Access To Locally Logged-on User Only; stops users from accessing the floppy disk drive of the computer.
-
Domain Member: Maximum Machine Account Password Age; sets the frequency at which the computer account password of the system is modified.
-
Interactive Logon: Do Not Require CTRL+ALT+DEL; specifies the Disable option so that users are secured from Trojan horse attacks.
-
Interactive Logon: Require Domain Controller Authentication To Unlock Workstation; stops the computer from being unlocked through cached credentials.
-
Microsoft Network Client: Digitally Sign Communications (Always); sets the computer to require packet signatures for Server Message Block client communications.
-
Microsoft Network Server: Digitally Sign Communications (Always); sets the computer to require packet signatures for Server Message Block server communications.
-
Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares; stops anonymous users from gathering information on the names of local user accounts and shares.
-
Network Access: Remotely Accessible Registry Paths And Sub-paths; defines the registry paths and sub-paths which certain users can access.
-
Network Access: Shares That Can Be Accessed Anonymously; defines the shares which can be accessed by anonymous users.
-
Network Security: Force Logoff When Logon Hours Expire; configures the computer to end any current local user connections that have used up their defined logon hours or time.
-
Shutdown: Allow System To Be Shut Down Without Having To Log On; enables the Shut Down button in the Log On To Windows dialog box.
The information recorded on an event in a security event log is listed below:
-
The type of event logged: Error, Warning, or Information, and Success Audit or Failure Audit
-
The date on which the event occurred
-
The software or program that logged or recorded the event.
-
The user that performed the action which resulted in an event being logged.
-
The computer name on which this action was performed
-
The event identity number
-
The event description
A few recommendations for auditing security events are summarized below:
-
Define an audit plan which details what you want to audit
-
Configure the security event log size so that it is suitable for the security requirements of the organization
-
Archive security logs on a regular basis.
-
Audit both success events and failure events in the System Events category
How to define an audit policy on the local computer
-
Click Start, Programs, Administrative Tools, and then click Local Security Policy.
-
Expand the Local Policies in the left pane.
-
Click Audit Policy.
-
The options which you can define audit policy for are listed in the right pane.
-
Proceed to select and double-click the desired option.
-
When the Properties dialog box for the policy which you have selected opens, enable success audit, failure audit, or both success and failure audits.
-
Click OK.
How to define an audit policy on the domain controller
-
Click Start, Programs, Administrative Tools, and then click Domain Controller Security Policy.
-
Expand the appropriate nodes in the left pane to move to Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy.
-
Click Audit Policy.
-
Proceed to select and double-click the desired option.
-
When the Properties dialog box for the policy which you have selected opens, enable success audit, or failure audit, or both success and failure audits.
-
Click OK.
How to define the event categories to audit for a site, domain, or OU
-
Click Start, Administrative Tools, and then click Active Directory Users And Computers
-
In the left console pane, right-click the site, domain, or OU; and then select Properties from the shortcut menu.
-
Click the Group Policy tab, add a new policy, and click Edit
-
In the Group Policy Object Editor console, in the left console tree, expand Computer Configuration, Windows Settings, Security Settings, Local Policies and then expand Audit Policy
-
In the details pane, right-click the particular event category which you want to audit; and then select Properties from the shortcut menu.
-
When the Properties dialog box of the event category opens, select one or both of the following options: Success, Failure
-
Click OK.
How to enable auditing for Active Directory objects.
-
Open the Active Directory Users And Computers console
-
Ensure that Advanced Features are enabled on the View menu
-
Select the Active Directory object which you want to configure auditing for, and then select Properties on Action menu.
-
When the Properties dialog box of the object opens, click the Security tab.
-
Click Advanced to move to the Advanced Security Settings For dialog box for the Active Directory object.
-
Click the Auditing tab.
-
Click Add, and then specify the users or groups for which you want to audit object access.
-
Click OK.
-
When the Auditing Entry For dialog box for the object appears, choose the event(s) that you want to audit by choosing either one of, or both of the following options: Successful, Failed; alongside the particular event(s).
-
Use the Apply Onto list box to set where the auditing should take place. The default setting is This Object And All Child Objects.
-
Click OK.
How to enable auditing for files and folders
-
Open Windows Explorer.
-
Right-click the file or folder which you want to configure auditing for, and then select Properties from the shortcut menu.
-
On the Security tab, click Advanced.
-
Click the Auditing tab on the Advanced Security Settings For dialog box of the file or folder.
-
Click Add, and then choose the users/groups for which you want to audit file or folder access. Click OK.
-
In the Auditing Entry For dialog box for the file/folder, select the events that you want to audit by checking either the Successful option, Failed option, or both of these options alongside the particular event(s). You can choose to audit the following events:
-
Full Control
-
Traverse Folder/Execute File
-
List Folder/Read Data
-
Read Attributes
-
Read Extended Attributes
-
Create Files/Write Data
-
Create Folders/Append Data
-
Write Attributes
-
Write Extended Attributes
-
Delete Subfolders and Files
-
Delete
-
Read Permissions
-
Change Permissions
-
Take Ownership
-
-
Use the Apply Onto list box to specify the location where auditing should occur. The default setting is This Folder, Subfolders And Files.
-
Click OK.
How to apply an audit policy to Active Directory users and OUs using Group Policy
-
Click Start, Run, enter mmc in the Run dialog box, and click OK.
-
Using the File menu, click Add Snap in, and then click Add.
-
Select the Group Policy Object Editor management tool and then click Add.
-
When the Select Group Policy Object dialog box opens, click Browse to choose the proper GPO for the specific domain or OU.
-
In the left pane, expand Computer Configuration, Windows Settings, Security Settings, and then expand File System to set a audit policy for the file system
-
Right-click the File System node to add audit settings for a file/folder.
-
Using the browse interface, locate the file/folder for which you want to configure auditing.
-
Click Edit Security to specify the auditing settings.
How to access Event Viewer to view security log information
-
Click Start, Programs, Administrative Tools, and then click Event Viewer
How to view information in the security log through Event Viewer
-
Open Event Viewer
-
In the console tree in the left pane, click Security
-
The details pane is populated with all events that exist in the security log, together with summary information such as Date, Time, Category, Event ID, and User; on each entry.
-
A key icon is displayed alongside successful audit events.
-
A lock icon is displayed alongside unsuccessful audit events.
-
-
You can double-click on an event entry to view its properties.
How to filter events in the security log
-
Open Event Viewer
-
In the console tree in the left pane, click Security
-
On the View menu, click the Filter option.
-
On the Filter tab, specify the filter criteria that you want to use to display a specific event(s) in the security log.
-
In the Event Types section of the dialog box, specify the types of events tht you want to display in the security log.
-
In the Event Source list, choose the source that logged the event(s) which you want to display.
-
In the Category list, choose the event category.
-
In the Event ID box, enter the event identity number
-
In the User box, enter the user name
-
In the Computer box, enter the computer name.
-
Use the From list boxes to enter the start parameters for the events which should be filtered.
-
Use To list boxes to enter the end parameters for the events which should be filtered.
-
Click OK to display the filtered events in the security log.
-
Clicking the Restore Defaults button on the Filter tab removes the security log filter.
How to configure the size of the security event log
-
Open Event Viewer
-
In the console tree in the left pane, right-click Security and then select Properties on the shortcut menu.
-
When the Security Properties dialog box opens, on the General tab, enter the maximum log file size. The default setting is 512 KB. You can set the maximum log file size to any size from 64 KB to 4,194,240 KB.
-
Choose one of the following options listed beneath the When Maximum Log File Size Is Reached section of the dialog box:
-
Overwrite Events As Needed: When selected, the oldest events in the security log are replaced when new events need to be logged.
-
Overwrite Events Older Than _ Days: Enter the number of days after which the system can overwrite an event.
-
Do Not Overwrite Events (Clear Log Manually): When selected, you have chosen to manually clear the security log. The system does not overwrite or replace any events in the security log when the maximum log file size is reached. If the security log is not manually cleared, all new events are dropped, and are therefore not recorded in the security log.
-
How to clear the security log
-
Open Event Viewer
-
In the console tree in the left pane, right-click Security and then select Clear All Events on the shortcut menu.
-
When the Event Viewer message box appears, click Yes to archive the existing entries in the security log prior to it being cleared; or click No to simply delete the existing entries in the log.
-
If you chose to archive the entries in the security log, enter a name and a file format for the log file.
-
Click Save.
How to archive a security log
-
Open Event Viewer.
-
In the console tree in the left pane, right-click Security and then select Save Log File on the shortcut menu.
-
Enter a name for the file and then enter a file format for the file.
-
Click Save.
Adam
Does anyone have any experience with any third-party change auditing tools? I need a tool that will automate change auditing of AD, file servers, Group Policy, Exchange and Windows Server. I’m currently looking at the NetWrix Change Reporter Suite, which I’ve heard really good things about, as well as ScriptLogic Active Administrator, ManageEngine ADAuditPlus and Quest ChangeAuditor. So far I’m learning toward the NetWrix tool because all of these audit modules are offered in one suite, but I’m wondering if anyone has a recommendation for the above.