Module 9: Auditing Resources and Events
- The audit entry shows the following:
- The action performed
- The user who performed the action
- The date and time of the action
- You can set up one audit policy for a domain to:
- track the success and failure of events
- Examples:
- when users log on
- attempts by a specific user to open a specific file
- changes to users and groups
- changes to security policy
- eliminate or minimize the risk of unauthorized use of resources
- You use Event Viewer to view audited events that have been recorded in the security log
- You can archive log files to track trends over time
- You use the audit policy to select the types of security events that will be recorded for a domain. The events will then appear in the security log of the domain controllers.
- On a computer running Windows NT Workstation or Server that is not a domain controller, the audit policy affects only the security log of that computer.
- When planning an audit policy, consider the following:
- Determine events to audit.
- Determine whether to audit success and/or failure of events.
- In medium and high security networks you should track:
- Success and failure of users logging on.
- Use of resources.
- Determine if you need to track trends. If so, you have to plan on archiving event logs.
Note: Too much auditing can create excessive overhead on the system. If your server is heavily used, you may need to keep auditing to a minimum.
Implementing an Audit Policy
- An audit policy is set on a computer-by-computer basis ==> audit policies are only set locally
- Example: to audit user logon and changes made to user accounts on the PDC, you must set the audit policy on the PDC.
- Events are recorded in the local computer's security log, but can be viewed from any computer by a user with administrative privileges on the computer where the events occurred.
- They can be viewed remotely with administrator privileges.
- Only administrators can set up auditing of files, directories and printers on domain controllers.
- On computers that aren't domain controllers, you must be a member of the Administrators group ON THAT COMPUTER - remember, audit policies are set up locally.
- Members of the Administrators and Server Operators groups can view and archive security logs. By default, the user right "Manage Auditing and Security Log" is only granted to the Administrators group.
- You can only audit files and directories on NTFS volumes.
- Select Policies, Audit in User Manager for Domains, then Audit These Events. There are two choices for each event: Success or Failure. The events are:
- Logon and Logoff --> user logged on or off.
- File and Object Access --> user accessed a directory, file or printer.
- Use of User Rights --> user exercised a right.
- User and Group Management --> user account or group was created, changed or deleted. This includes password changes.
- Security Policy Changes --> a change was made to the user rights, audit or trust relationship policies.
- Restart, Shutdown and System --> user restarted or shut down the computer, or an event has occurred that affects system security or the security log (e.g. the audit log fills up and entries are discarded).
- Process Tracking --> detailed tracking information for various events, such as program activation.
Auditing files and directories
- Event Viewer provides info about errors, warnings, and the success or failure of a task.
- Info is stored in three types of logs:
- System --> contains errors, warnings or information generated by Windows NT. Selection of events is preset by Windows NT.
- Security --> contains info about the success and failure of audited events. Events are recorded as a result of your audit policy.
- Application --> contains errors, warnings, or info generated by programs. Selection of events is preset by the program developer.
- Successful events have the key icon
- Unsuccessful events have the lock icon
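The following is an added example (not code from the course notes or from Windows NT itself) that models how a locally set audit policy decides which events land in the Security log, using the seven audit categories and the Success/Failure choice described above, and then summarizes that log the way you would when reading it in Event Viewer: failed logons per user, and system events that affect the security log itself. All event records, the policy, user names and timestamps are constructed for the example.

```python
"""Audit policy model and Security log summary (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven categories offered under Policies -> Audit in User Manager for Domains.
CATEGORIES = (
    "Logon and Logoff",
    "File and Object Access",
    "Use of User Rights",
    "User and Group Management",
    "Security Policy Changes",
    "Restart, Shutdown and System",
    "Process Tracking",
)


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # date and time of the action
    user: str        # the user who performed the action
    category: str    # one of CATEGORIES
    action: str      # the action performed
    success: bool    # True shows the key icon in Event Viewer, False the lock icon


# Audit policy: category -> (audit successes?, audit failures?)
AuditPolicy = Dict[str, Tuple[bool, bool]]

# A medium/high-security policy as the notes recommend: success and failure of
# logons and of resource use, plus account and policy changes. Process Tracking
# is left off because it is the costliest category on a busy server. (Constructed.)
MEDIUM_SECURITY_POLICY: AuditPolicy = {
    "Logon and Logoff": (True, True),
    "File and Object Access": (True, True),
    "User and Group Management": (True, True),
    "Security Policy Changes": (True, True),
    "Restart, Shutdown and System": (True, True),
    "Use of User Rights": (False, True),
    "Process Tracking": (False, False),
}


def is_recorded(policy: AuditPolicy, event: AuditEvent) -> bool:
    """True if the local audit policy writes this event to the Security log."""
    audit_success, audit_failure = policy.get(event.category, (False, False))
    return audit_success if event.success else audit_failure


def apply_policy(policy: AuditPolicy, events: List[AuditEvent]) -> List[AuditEvent]:
    """The Security log that results from running `events` through `policy`."""
    return [e for e in events if is_recorded(policy, e)]


def icon(event: AuditEvent) -> str:
    """Icon Event Viewer would show for the entry."""
    return "key" if event.success else "lock"


def failed_logons_by_user(security_log: List[AuditEvent]) -> Dict[str, int]:
    """Count lock-icon Logon and Logoff entries per user."""
    return dict(Counter(e.user for e in security_log
                        if e.category == "Logon and Logoff" and not e.success))


def log_full_events(security_log: List[AuditEvent]) -> List[AuditEvent]:
    """System-category entries that affect the security log itself, such as the
    audit log filling up and discarding entries."""
    return [e for e in security_log
            if e.category == "Restart, Shutdown and System"
            and "audit log" in e.action.lower()]


# Constructed sample events from one PDC, in time order.
SAMPLE_EVENTS = [
    AuditEvent("1997-03-02 08:01", "jsmith", "Logon and Logoff", "logon", True),
    AuditEvent("1997-03-02 08:03", "guest", "Logon and Logoff", "logon", False),
    AuditEvent("1997-03-02 08:04", "guest", "Logon and Logoff", "logon", False),
    AuditEvent("1997-03-02 08:10", "jsmith", "File and Object Access", "open payroll.xls", False),
    AuditEvent("1997-03-02 09:00", "admin", "User and Group Management", "password change for jsmith", True),
    AuditEvent("1997-03-02 09:30", "admin", "Security Policy Changes", "audit policy changed", True),
    AuditEvent("1997-03-02 10:00", "svc", "Process Tracking", "program activation: backup.exe", True),
    AuditEvent("1997-03-02 10:30", "jsmith", "Use of User Rights", "exercised backup right", True),
    AuditEvent("1997-03-02 11:00", "SYSTEM", "Restart, Shutdown and System", "audit log full; entries discarded", True),
]


if __name__ == "__main__":
    log = apply_policy(MEDIUM_SECURITY_POLICY, SAMPLE_EVENTS)
    for e in log:
        print(f"[{icon(e):4}] {e.timestamp}  {e.user:7} {e.category}: {e.action}")
    print("failed logons:", failed_logons_by_user(log))
    print("log-affecting events:", len(log_full_events(log)))
```

Running the script records 7 of the 9 sample events (the Process Tracking success and the Use of User Rights success are dropped by the policy), reports two failed logons for guest, and surfaces the one entry saying the audit log filled up, which is the condition that makes archiving and log sizing part of the plan.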
To view a log on a remote computer in another domain
- The appropriate trust relationship must exist
- Your Domain Admins group must exist in the local Administrators group of the domain OR computer for which you want to view the log.
Archiving the Security Log
Best Practices
- Audit the Everyone group instead of the Users group - this means anyone who can connect to the network is audited.
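The notes say to archive the security log if you need to track trends over time. The following added example (not from the course notes and not Windows NT's own archive format) shows that workflow end to end: each period's Security log is saved to an archive file before the live log is cleared, the archives are read back, and the failed-logon count per period is compared so that a sharp rise stands out. The weekly log entries, the period labels and the doubling threshold are constructed assumptions.

```python
"""Archive Security log entries per period and compute a failed-logon trend."""
import csv
import os
import tempfile
from typing import Dict, List


def ev(timestamp: str, user: str, category: str, action: str, success: bool) -> dict:
    """Build one log entry with the fields an audit entry shows."""
    return {"timestamp": timestamp, "user": user, "category": category,
            "action": action, "success": success}


def archive_security_log(entries: List[dict], archive_dir: str, label: str) -> str:
    """Save the current Security log as archive_dir/security-<label>.csv and
    return the path. This is the step done in Event Viewer with Log -> Save As
    before the log is cleared; CSV is just the archive format chosen here."""
    path = os.path.join(archive_dir, f"security-{label}.csv")
    with open(path, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["timestamp", "user", "category", "action", "success"])
        for e in entries:
            writer.writerow([e["timestamp"], e["user"], e["category"],
                             e["action"], int(e["success"])])
    return path


def load_archive(path: str) -> List[dict]:
    """Read an archived log back into entries, restoring the boolean."""
    with open(path, newline="") as f:
        return [dict(row, success=row["success"] == "1") for row in csv.DictReader(f)]


def failed_logon_trend(archive_dir: str) -> Dict[str, int]:
    """Failed logons per archived period, in label order."""
    trend: Dict[str, int] = {}
    for name in sorted(os.listdir(archive_dir)):
        if not (name.startswith("security-") and name.endswith(".csv")):
            continue
        label = name[len("security-"):-len(".csv")]
        entries = load_archive(os.path.join(archive_dir, name))
        trend[label] = sum(1 for e in entries
                           if e["category"] == "Logon and Logoff" and not e["success"])
    return trend


def rising_periods(trend: Dict[str, int], factor: float = 2.0) -> List[str]:
    """Periods whose failed-logon count is at least `factor` times the previous one."""
    labels = list(trend)
    return [cur for prev, cur in zip(labels, labels[1:])
            if trend[prev] > 0 and trend[cur] >= factor * trend[prev]]


# Constructed Security logs for three consecutive weeks on one server.
WEEKLY_LOGS = {
    "1997-w09": [
        ev("1997-02-24 08:00", "jsmith", "Logon and Logoff", "logon", True),
        ev("1997-02-25 08:02", "jsmith", "Logon and Logoff", "logon", False),
    ],
    "1997-w10": [
        ev("1997-03-03 08:00", "jsmith", "Logon and Logoff", "logon", True),
        ev("1997-03-04 17:45", "guest", "Logon and Logoff", "logon", False),
        ev("1997-03-05 09:00", "admin", "User and Group Management", "group changed", True),
    ],
    "1997-w11": [
        ev("1997-03-10 02:11", "guest", "Logon and Logoff", "logon", False),
        ev("1997-03-10 02:12", "guest", "Logon and Logoff", "logon", False),
        ev("1997-03-10 02:13", "guest", "Logon and Logoff", "logon", False),
        ev("1997-03-11 08:00", "jsmith", "Logon and Logoff", "logon", True),
        ev("1997-03-12 02:20", "admin", "Logon and Logoff", "logon", False),
    ],
}


def run_demo(archive_dir: str = None):
    """Archive each week's log, then return (trend, rising periods)."""
    archive_dir = archive_dir or tempfile.mkdtemp(prefix="seclog-archive-")
    for label, entries in WEEKLY_LOGS.items():
        archive_security_log(entries, archive_dir, label)
    trend = failed_logon_trend(archive_dir)
    return trend, rising_periods(trend)


if __name__ == "__main__":
    trend, rising = run_demo()
    for label, count in trend.items():
        print(f"{label}: {count} failed logons")
    print("periods with a sharp rise:", rising)
```

With the constructed data the trend is 1, 1 and 4 failed logons for the three weeks, so only week 11 is flagged; the same comparison would not be possible once the live log is cleared unless each period was archived first.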