Windows NT Server 4.0 Administration Notes


Module 9: Auditing Resources and Events

Introduction to Auditing
  • The audit entry shows the following:
    • The action performed
    • The user who performed the action
    • The date and time of the action
  • You can set up one audit policy for a domain to:
    • track the success and failure of events
      • Examples:
        • when users logon
        • attempts by a specific user to open a specific file
        • changes to users and groups
        • changes to security policy
    • eliminate or minimize the risk of unauthorized use of resources
  • You use Event Viewer to view audited events that have been recorded in the security log
  • You can archive log files to track trends over time
  • You use the audit policy to select the types of security events that will be recorded for a domain. The events will then appear in the security log of the domain controllers.
  • On a computer running Windows NT Workstation or Server that is not a domain controller, the audit policy affects only the security log of that computer.
Planning an Audit Policy
  • When planning an audit policy, consider the following:
    • Determine events to audit.
    • Determine whether to audit success and/or failure of events.
  • In medium and high security networks you should track:
    • Success and failure of users logging in.
    • Use of resources.
  • Determine if you need to track trends. If so, you have to plan on archiving event logs.

Note: Too much auditing can create excessive overhead on the system. If your server is heavily used, you may need to keep auditing to a minimum.

Implementing an Audit Policy

  • An audit policy is set on a computer-by-computer basis ==> audit policies are only set locally
    • Example: to audit User logon and changes made to user accounts on the PDC, you must set audit policy on PDC.
  • Events are recorded in the local computer's security log, but can be viewed from any computer by a user with administrative privileges on the computer where the events occurred.
  • They can be viewed remotely with administrator privileges.

Auditing Requirements

    • Only administrators can set up auditing of files, directories and printers on Domain Controllers
    • On computers that aren't domain controllers, you must be a member of the administrators group ON THAT COMPUTER - Remember, audit policies are set up locally.
    • Members of the Administrators and Server Operators groups can view and archive security logs. By default, the user right "Manage Auditing and Security Log" is only granted to the Administrators group.
    • You can only audit files and directories on NTFS volumes
Defining an Audit Policy
  • In User Manager for Domains, select Audit, then Audit These Events. For each event there are two choices: Success or Failure. The events are:
  1. Logon and Logoff  --> user logged on or off.
  2. File and Object Access --> user accessed directory, file or printer.
  3. Use of User Rights --> user exercised a right.
  4. User and Group Management --> user account or group was created, changed or deleted. This includes password changes
  5. Security Policy Changes  --> change was made to the user rights, audit or trust relationship policies
  6. Restart, Shutdown and System --> user restarted or shut down the computer or an event has occurred that affects system security or the security log. (e.g. the audit log fills up and entries are discarded)
  7. Process Tracking --> detailed tracking information for various events, such as program activation.

Auditing files and directories

  • Select folder or file in Windows NT Explorer and then click Properties in the File menu.
  • Select Security tab and then Auditing button.
  • For directory auditing, by default, auditing changes apply only to the directory and its files, not to subfolders. Make the following selections as needed:
    • Replace Auditing on Subdirectories - to have auditing on subdirectories too.
    • Replace Auditing on Existing Files - if you want to apply auditing changes to the directory only.

    After this you can add users or groups and select in the Events to Audit box (know these, baby):

    1. Read
    2. Write
    3. Execute
    4. Delete
    5. Change Permission
    6. Take Ownership

Auditing a Printer

    Events to audit (success or failure):

    1. Print --> printer usage. Useful for billing individual departments.
    2. Full Control --> changes to job settings, pausing restarting, moving or deleting documents, sharing a printer or changing printer properties. Useful in high security environments.
    3. Delete --> deleted print jobs. Useful in high security environments.
    4. Change Permissions --> changes to printer permissions. Useful in medium and high security environments.
    5. Take Ownership --> changes to printer ownership. Useful in medium and high security environments.

Using Event Viewer

  • Event Viewer provides info about errors, warnings, and the success or failure of a task.
  • Info is stored in three types of logs:
    • System --> contains errors, warnings or information generated by Windows NT. Selection of events is preset by Windows NT.
    • Security --> contains info about success and failure of audited events. Events are recorded as result of your audit policy.
    • Application --> contains error, warnings, or info generated by programs. Selection of events is preset by program developer.

Viewing Security Logs

  • Successful events have the key icon
  • Unsuccessful events have the lock icon

To view a log on a remote computer in another domain

  • The appropriate trust relationship must exist
  • Your Domain Admins group must be a member of the local Administrators group of the domain OR computer whose log you want to view.

Locating Events

    In Event Viewer, on the View menu, click Filter Events or Find. In the Filter or Find dialog box, select the criteria:

    1. View From/View Through --> Filter only; for specifying the date range.
    2. Types --> select the type of events.
    3. Source --> specify software or component driver that logged the event.
    4. Category --> select the classification of the event as defined by the Source.
    5. User --> specify a user account
    6. Computer --> specify a computer
    7. Event ID --> specify the event number that identifies the event
    8. Description --> Find only; specify the text that would appear in the description of the event.
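The Filter and Find criteria above can be applied offline to a log that was exported with Log, Save As (comma-delimited text). The following is an added example, not part of these notes: a small Python parser and filter over constructed records. It assumes the export column order Date,Time,Source,Type,Category,Event,User,Computer,Description and a US-style date format; the sample rows are made up, using the NT 4.0 security event IDs for logon success (528), logon failure (529), account creation (624), object open (560) and audit log cleared (517).

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample of a security log saved from Event Viewer as
# comma-delimited text. Assumed column order:
# Date,Time,Source,Type,Category,Event,User,Computer,Description
SAMPLE_EXPORT = """\
3/8/99,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,JSMITH,PDC1,Successful Logon: User Name: JSMITH Domain: CORP Logon Type: 2
3/8/99,8:05:40 AM,Security,Failure Audit,Logon/Logoff,529,RBROWN,PDC1,Logon Failure: Reason: Unknown user name or bad password User Name: RBROWN
3/8/99,8:05:52 AM,Security,Failure Audit,Logon/Logoff,529,RBROWN,PDC1,Logon Failure: Reason: Unknown user name or bad password User Name: RBROWN
3/8/99,8:06:03 AM,Security,Failure Audit,Logon/Logoff,529,RBROWN,PDC1,Logon Failure: Reason: Unknown user name or bad password User Name: RBROWN
3/9/99,9:15:00 AM,Security,Success Audit,Account Management,624,ADMINISTRATOR,PDC1,User Account Created: New Account Name: TEMP01
3/9/99,9:20:30 AM,Security,Success Audit,Object Access,560,JSMITH,FS1,Object Open: Object Name: D:\\Payroll\\salaries.xls Accesses: READ_CONTROL
3/10/99,1:00:00 AM,Security,Success Audit,System Event,517,SYSTEM,PDC1,The audit log was cleared
"""

FIELDS = ["date", "time", "source", "type", "category",
          "event", "user", "computer", "description"]


def parse_when(date_text, time_text):
    """Combine the Date and Time columns into a datetime (US locale assumed)."""
    return datetime.strptime(date_text + " " + time_text, "%m/%d/%y %I:%M:%S %p")


def parse_export(text):
    """Turn the exported text into a list of dicts, one per event."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):      # skip blank or malformed lines
            continue
        rec = dict(zip(FIELDS, row))
        rec["when"] = parse_when(rec["date"], rec["time"])
        rec["event"] = int(rec["event"])
        records.append(rec)
    return records


def filter_events(records, view_from=None, view_through=None, types=None,
                  source=None, category=None, user=None, computer=None,
                  event_id=None):
    """Mirror the Filter Events dialog: every criterion given must match."""
    out = []
    for r in records:
        if view_from is not None and r["when"] < view_from:
            continue
        if view_through is not None and r["when"] > view_through:
            continue
        if types is not None and r["type"] not in types:
            continue
        if source is not None and r["source"] != source:
            continue
        if category is not None and r["category"] != category:
            continue
        if user is not None and r["user"].upper() != user.upper():
            continue
        if computer is not None and r["computer"].upper() != computer.upper():
            continue
        if event_id is not None and r["event"] != event_id:
            continue
        out.append(r)
    return out


def find_events(records, text):
    """Mirror Find: case-insensitive match on the Description column."""
    needle = text.lower()
    return [r for r in records if needle in r["description"].lower()]


def failed_logons_by_user(records):
    """Count Failure Audit Logon/Logoff entries per account, the check a
    medium/high security network would run over an archived log."""
    failures = filter_events(records, types={"Failure Audit"},
                             category="Logon/Logoff")
    return Counter(r["user"] for r in failures)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("failed logons per user:", dict(failed_logons_by_user(recs)))
    for r in find_events(recs, "cleared"):
        print("log cleared on", r["computer"], "at", r["when"])
```

Rows whose Description contains commas are quoted by Event Viewer, which the csv module handles; the Computer and User comparisons are case-insensitive because NT names are.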

Archiving the Security Log

  • This is useful for tracking trends.
  • This helps you determine resource use and plan for growth.
  • In the Event Log Settings dialog box, you can control:
    • Size of the logs to archive (64 K to 4,194,240 K; default 512 K).
    • How are events recorded:
      1. Overwrite Events as Needed
      2. Overwrite Events Older than x Days
      3. Do Not Overwrite Events (This requires that you clear the log manually)

    In the Log menu you can also select Save As, Clear All Events, and Open.

Best Practices
Audit the Everyone Group instead of the Users Group - this means anyone who can connect to the network is audited.

 


E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada