Auditing Windows 2000

CHAPTER 19
In This Chapter
✦ Auditing Overview
✦ Configuring Auditing
✦ Examining the Audit Reports
✦ Enabling Auditing—Some Case Studies

4667-8 ch19.f.qc 5/15/00 2:08 PM Page 709
Part V ✦ Availability Management

Auditing provides a means of tracking events in Windows 2000 so that you can monitor system access and help ensure system security.

Auditing Overview

In Windows 2000, auditing provides a means of tracking events and is an important facet of security for individual computers as well as for the enterprise. As described in other chapters (notably Chapter 6, which covers the Event Viewer), Microsoft defines an event as any significant occurrence in the operating system or an application that requires users (particularly administrators) to be notified. Events are recorded in event logs that you can manage with the Event Viewer console snap-in.

Auditing enables you to track specific events. More specifically, auditing enables you to track the success or failure of specific events. For example, you might audit logon attempts, tracking who succeeds in logging on (and when) and who fails. Or, you might audit object access on a given folder or file, tracking who uses it and what they do with it. You can track an overwhelming variety of events in Windows 2000, as you'll learn a little later in the chapter.

Windows 2000 provides several categories of events you can audit. The following list describes these event categories:

✦ Account Logon Events: Track the validation of an account's credentials. These events are recorded on the computer that validated the account, so for domain accounts they appear on the domain controller rather than on the workstation where the user typed the password.
✦ Account Management: Track when a user account or group is created, changed, or deleted; a user account is renamed, enabled, or disabled; or a password is set or changed.
✦ Directory Service Access: Track access to Active Directory objects.
✦ Logon Events: Track logon and logoff sessions on the local computer, including interactive logons, network connections to a shared resource, and a service logging on (for example, under the local System account).
✦ Object Access: Track when objects are accessed and the type of access performed, for example, use of a folder, file, or printer. Enabling this category alone records nothing; you also configure auditing of specific events through each object's properties (such as the Security tab for a folder or file).
✦ Policy Change: Track changes to user rights or audit policies.
✦ Privilege Use: Track when a user exercises a right other than those associated with logon and logoff.
✦ Process Tracking: Track events related to process execution, such as a program starting or exiting.
✦ System Events: Track system events such as restart, startup, and shutdown, or events that affect system security or the Security log.

Within each category, you'll find several different types of events, some common and some specific to the objects being audited. For example, when you audit registry access, the events are very specific to the registry. So rather than cover every possible event that can be audited, this chapter explains how to enable and configure auditing, and looks at specific cases and how auditing improves security and monitoring in those cases.

Configuring Auditing

Configuring auditing is either a one-step or a two-step process, depending on the category of events you're auditing. For every category except object access, enabling auditing simply requires that you define the audit policy for that category. Object access auditing has an additional step: configuring auditing on the specific objects. For example, enabling the Audit object access policy doesn't by itself cause any folder or file to be audited. Instead, you have to configure each folder or file individually for auditing.

Enabling Audit Policies

Before you begin auditing specific events, you need to enable auditing of that event's category. You configure auditing through the computer's local security policy, group policy, or both. If domain audit policies are defined, they override local audit policies.
This chapter assumes you're configuring auditing through the local security policy. If you need to configure auditing through group policies, use the Domain Security Policy console to enable auditing.

To configure auditing through the local security policy, open the Local Security Policy console snap-in by choosing Start➪Programs➪Administrative Tools➪Local Security Policy. Open the Security Settings/Local Policies/Audit Policy branch. As Figure 19-1 illustrates, each audit policy category appears with its local setting and effective setting. The effective setting reflects the application of group policies, if any, so when a domain policy defines the category, the effective setting is what actually applies, whatever the local setting says.

Figure 19-1: Use either the local security policy or domain policy to enable auditing.

Double-click a policy to display its settings (Figure 19-2). You can enable auditing of both success and failure of events in the selected category. Using the logon example given previously, you might audit successful logons to track who is using a given system and when, and audit unsuccessful logons to track attempts at unauthorized use of a system. Select Success, Failure, or both, as desired, and then click OK.

Figure 19-2: Select the types of events (success or failure) for which you want to enable auditing.

After you configure each category as desired, close the Local Security Policy console. See the next section if you're configuring auditing of object access. Otherwise, audit events will begin appearing in the Security log. Make sure you configure the Security log's size and overwrite behavior to accommodate the audit events: if the log fills and its settings don't allow older events to be overwritten, new audit events are discarded until the log is cleared, and if the security option to shut down the system when it is unable to log security audits is enabled, the computer halts instead.

Auditing Object Access

The second step in configuring object access auditing is to enable auditing on the individual objects you want to monitor, such as folders, files, registry keys, and so on.
You typically configure objects where you find them in the user interface: Explorer for folders and files, the Printers folder for printers, and Regedt32 for registry keys. The types of events you can audit for a given object depend on the object itself. Events for file access, for example, are different from events for registry key access. See Chapter 23 for more information on controlling and monitoring printer access.

To configure auditing for a folder or file, open Explorer and locate the object. Right-click the object and choose Properties to view its property sheet. Click Security➪Advanced to open the Access Control Settings dialog box. Click the Auditing tab to show the Auditing page, then click Add. Select a user, computer, or group that you want to audit, and click OK. Windows 2000 displays an object dialog box that lists the events you can audit for the selected object (Figure 19-3).

Figure 19-3: Select Successful or Failed as desired to configure auditing for each event type.

Select Successful for a given event if you want to record successful completion of the event. Select Failed to monitor failed attempts. The option "Apply these auditing entries to objects and/or containers within this container only" limits the entries to the immediate contents of the selected container (such as the files and subfolders directly inside the selected folder); unless this option is selected, the contents of subfolders are audited as well.

As you're defining the audit policy for a selected object, keep in mind that you could potentially generate a huge number of events in the Security log. Unless you have a specific reason to audit success on a given event, consider auditing only failure to reduce traffic to the log and load on the computer. Auditing failed access is typically most useful for tracking attempts at unauthorized access. After you're satisfied with the audit event selections, click OK.
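The two-step rule above (the Audit object access policy first, then the object's own auditing entries, scoped by the "within this container only" option and by the inheritance settings on the Access Control Settings dialog) is easy to get wrong when several folders carry entries. The following model lets you check concrete cases. It is an added example written for this page, not code from the book or from Windows: the folder tree, accounts, group names and access types are constructed, and the "domain overrides local" and inheritance behaviour are encoded as the chapter describes them, so the result says which attempts would produce a Security log entry, not what the entry would contain.

```python
"""Model of when a file or folder access produces a Security log entry.

Added example for this page, not code from the book or from Windows.  It
encodes the rules the chapter describes: the Audit object access policy
(domain setting overriding local) must allow the outcome, and an auditing
entry on the object or on an ancestor must match the principal, the access
type and the outcome, subject to the "this container only" option and to the
"allow inheritable auditing entries from parent" setting on each object.
All paths, accounts, groups and access names below are constructed.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set


@dataclass
class AuditEntry:
    principal: str                     # user or group named on the Auditing page
    accesses: Set[str]                 # event types ticked, e.g. {"Write", "Change Permissions"}
    successful: bool = False           # "Successful" column
    failed: bool = False               # "Failed" column
    this_container_only: bool = False  # "Apply ... within this container only"


@dataclass
class AuditedObject:
    entries: List[AuditEntry] = field(default_factory=list)
    inherit_from_parent: bool = True   # "Allow inheritable auditing entries from parent to propagate"


@dataclass
class AuditPolicy:
    local: Dict[str, Set[str]]                    # category -> subset of {"Success", "Failure"}
    domain: Optional[Dict[str, Set[str]]] = None  # group policy, if any

    def effective(self, category: str) -> Set[str]:
        """The Effective Setting column: a domain setting, when defined, overrides the local one."""
        if self.domain is not None and category in self.domain:
            return self.domain[category]
        return self.local.get(category, set())


def _inheritance_open(objects, chain, depth):
    """True unless some object between the target and its ancestor at `depth` blocks inheritance."""
    return all(objects.get(str(node), AuditedObject()).inherit_from_parent for node in chain[:depth])


def is_recorded(policy, objects, path, user, groups, access, succeeded):
    """Would this access attempt be written to the Security log?"""
    outcome = "Success" if succeeded else "Failure"
    if outcome not in policy.effective("Audit object access"):
        return False  # step 1 missing: per-object entries alone record nothing
    principals = {user, "Everyone"} | set(groups)
    target = PureWindowsPath(path)
    chain = [target] + list(target.parents)  # object, its parent, grandparent, ... drive root
    for depth, node in enumerate(chain):
        obj = objects.get(str(node))
        if obj is None:
            continue  # no explicit entries here; inheritance passes through by default
        if depth > 0 and not _inheritance_open(objects, chain, depth):
            break  # an object below this one refuses inherited entries, so nothing further up applies
        for entry in obj.entries:
            if entry.principal not in principals or access not in entry.accesses:
                continue
            if not (entry.successful if succeeded else entry.failed):
                continue
            if entry.this_container_only and depth > 1:
                continue  # the entry reaches only the container itself and its direct children
            return True
    return False


# Constructed configuration: the domain policy audits both outcomes for object
# access even though the local setting asks only for failures.
POLICY = AuditPolicy(
    local={"Audit object access": {"Failure"}},
    domain={"Audit object access": {"Success", "Failure"}},
)

OBJECTS = {
    # failed attempts by anyone to change or take over anything under D:\Finance
    r"D:\Finance": AuditedObject(entries=[
        AuditEntry("Everyone", {"Write", "Delete", "Change Permissions", "Take Ownership"}, failed=True),
    ]),
    # reads by the Payroll Clerks group, but only of objects directly inside Payroll
    r"D:\Finance\Payroll": AuditedObject(entries=[
        AuditEntry("Payroll Clerks", {"Read"}, successful=True, failed=True, this_container_only=True),
    ]),
    # a public folder that does not inherit the entries defined on D:\Finance
    r"D:\Finance\Public": AuditedObject(inherit_from_parent=False),
}


def demo():
    """Evaluate the constructed cases; each case is (path, user, groups, access, succeeded)."""
    cases = [
        (r"D:\Finance\Reports\q1.xls", "bob", [], "Change Permissions", False),     # inherited entry, failure -> logged
        (r"D:\Finance\Reports\q1.xls", "bob", [], "Change Permissions", True),      # entry audits failures only
        (r"D:\Finance\Payroll\march.xls", "alice", ["Payroll Clerks"], "Read", True),       # direct child -> logged
        (r"D:\Finance\Payroll\2000\march.xls", "alice", ["Payroll Clerks"], "Read", True),  # too deep for "this container only"
        (r"D:\Finance\Public\memo.txt", "bob", [], "Delete", False),                # inheritance blocked at Public
    ]
    return [(case, is_recorded(POLICY, OBJECTS, *case)) for case in cases]


if __name__ == "__main__":
    for case, logged in demo():
        print("LOGGED" if logged else "silent", case)
```

Run the file to see the five verdicts; the second and fourth cases are the ones that usually surprise people, because an entry that audits only failures stays silent on a successful change, and "within this container only" stops one level down even though the category policy is on.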
Repeat the process to add other users, groups, or computers to the list. On the Access Control Settings dialog box (Figure 19-4), you'll find two options that control how auditing entries are inherited from the parent object and propagated to child objects:

Figure 19-4: Use the Auditing page of the Access Control Settings dialog box to configure auditing for a selected object.

✦ Allow inheritable auditing entries from parent to propagate to this object. Select this option if you want the current object to inherit auditing entries from its parent object. Deselect this option to prevent audit entries from being inherited.
✦ Reset auditing entries on all child objects and enable propagation of inheritable auditing entries. Select this option to clear any auditing entries configured directly on child objects (such as subfolders) and to allow the audit entries for the current object to propagate to those child objects. Because this discards the entries already defined on the children, review them before you use it.

Close the object's property sheets when you've finished defining the audit policy for the object. Auditing will begin immediately.

Examining the Audit Reports

As explained previously, Windows 2000 records audited events to the Security log. You can use the Event Viewer console snap-in to view the event logs, save logs as log files for future viewing, and save the logs in either tab- or comma-delimited formats.

Using the Event Viewer

You can use the Event Viewer console snap-in to view and manage the event logs. In addition to the Security log, you can manage the Application and System logs, as well as any additional logs created by Windows 2000 services or applications. By default, the Event Viewer displays the logs dynamically, meaning new events are added to a log as you're viewing it. You also can save a log to disk to use as a benchmark or simply to archive a log before clearing it. Figure 19-5 shows the Security log in the Event Viewer.
Figure 19-5: You can browse the Security log (and others) using the Event Viewer.

Cross-Reference: For detailed information on the Event Viewer console snap-in, including how to save logs and configure log behavior, see Chapter 5.

Using Other Tools

The Event Viewer provides the means through which you configure the event logs as well as view them. Because you can save a log to a text file, however, you can use other applications to view a log. For example, you might save a log to a comma-delimited file so you can import it into Microsoft Access or another database application and organize the events by event ID, source, and so on. Or, you might export the data to a text file and import it into a word processor to create a report. Just make sure you pick an application that can import tab- or comma-delimited files, and export the log in the matching format. See also Chapter 20 for information on using the Alert services of the Performance Logs and Alerts console.

A handful of third-party tools exist for viewing a system's log files. One in particular worth considering is RippleTech's LogCaster. Providing a mechanism to manage the event logs is just a small part of what LogCaster does. It not only provides a unified interface for viewing the event logs, but also serves as a warning system for administrators. LogCaster provides real-time monitoring of the event logs, services, TCP/IP devices, performance counters, and ASCII logs. It provides automatic delivery of alerts through a variety of mechanisms including paging, e-mail, ODBC, SNMP, and others. When a given event occurs, you can have LogCaster notify you regardless of where you are. Whether you're tracking system performance, want to be notified of audit events, or want to be warned of a possible system intrusion, you'll find LogCaster a useful resource.
You can locate RippleTech on the Internet at www.rippletech.com.

Enabling Auditing

Although you could audit every event, doing so wouldn't be practical because you'd place an undue load on the system and either end up with an enormous log file or spend all your time archiving the logs. The following sections examine some specific situations and how you might employ auditing.

Leaving Auditing Off

The first option is to leave auditing off altogether, and this is not a bad option in some situations. If you're not concerned with security, there's no real reason to enable or perform auditing. Turning off auditing reduces system overhead and helps simplify log management. However, most organizations will or should be concerned with security at least to some degree, so this option might not fit your needs.

Turning All Auditing On

At the other end of the auditing spectrum is complete auditing. If you're very concerned about security or shooting for C2 security certification, this might be an option. However, bear in mind that your system will probably generate a huge number of events requiring very active management of the Security log. As an alternative to full logging, consider logging only failure events and not success events.

Auditing Problem Users

Certain users, for one reason or another, can become an administrator's worst nightmare. In some cases, it's through no fault of the user, but is instead due to problems with the user's profile, account, and so on. In other cases, the user can be at fault: frequently using the wrong password, incorrectly typing the account name, trying to log on during periods when they are not allowed to, or even trying to access resources for which they have no permissions (or need).
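A comma-delimited export of the Security log, of the kind described under Using Other Tools, is enough to pick out the repeated bad passwords just described without a database. The script below is an added example for this page, not code from the book or from any tool it mentions. The export it reads is constructed; its column layout (Date, Time, Source, Type, Category, Event, User, Computer, Description) and the wording of the descriptions are assumptions. The event IDs are the real Windows 2000 values (528 successful logon, 529 logon failure with unknown user name or bad password, 560 object open, 612 audit policy change), and the one detail worth remembering is that for a 529 event the User column holds the System account, so the account that actually failed has to be taken from the description.

```python
"""Spot repeated failed logons in a comma-delimited Security log export.

Added example for this page, not code from the book.  The export below is
constructed; its column layout and the wording of the descriptions are
assumed.  The event IDs are the Windows 2000 values: 528 successful logon,
529 logon failure (unknown user name or bad password), 560 object open,
612 audit policy change.
"""
import csv
import re
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

LOGON_FAILURE = "529"
_USER_NAME = re.compile(r"User Name:\s*(\S+)")

# Constructed sample export (assumed column layout).
SAMPLE_EXPORT = r"""Date,Time,Source,Type,Category,Event,User,Computer,Description
1/17/2000,8:20:15 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 2"
1/17/2000,8:20:40 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 2"
1/17/2000,8:21:05 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP Logon Type: 2"
1/17/2000,8:25:00 AM,Security,Success Audit,Logon/Logoff,528,CORP\jsmith,WS01,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2"
1/17/2000,9:02:11 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS01,"Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: CORP Logon Type: 2"
1/17/2000,9:40:00 AM,Security,Failure Audit,Object Access,560,CORP\tnguyen,WS01,"Object Open: Object Type: File Object Name: D:\Finance\Payroll\march.xls Accesses: ReadData"
1/17/2000,2:15:30 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,WS01,"Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: CORP Logon Type: 2"
1/17/2000,2:16:00 PM,Security,Success Audit,Policy Change,612,CORP\Administrator,WS01,"Audit Policy Change: New Policy: Success Failure Logon/Logoff"
"""


def parse_export(text):
    """Read an Event Viewer CSV export into dicts, adding a combined 'When' datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["When"] = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        rows.append(row)
    return rows


def count_by(rows, column):
    """Tally events by any exported column: Event (ID), Source, Type, Category, User ..."""
    return Counter(row[column] for row in rows)


def failed_logon_user(row):
    """Account named in a logon-failure description; falls back to the User column."""
    match = _USER_NAME.search(row["Description"])
    return match.group(1) if match else row["User"]


def failed_logon_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons inside any `window`, with the peak count."""
    times = {}
    for row in rows:
        if row["Event"] == LOGON_FAILURE:
            times.setdefault(failed_logon_user(row), []).append(row["When"])
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        # for each failure, count the failures that follow it within the window
        peak = max(sum(1 for t in stamps[i:] if t - stamps[i] <= window) for i in range(len(stamps)))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print("by event ID:", dict(count_by(events, "Event")))
    print("by type:    ", dict(count_by(events, "Type")))
    print("bursts:     ", failed_logon_bursts(events))
```

On the sample, jsmith's three failures within fifty seconds are flagged while admin's two failures five hours apart are not; raise the window or lower the threshold to change that. To use it on a real export, replace SAMPLE_EXPORT with the file contents and check that the header line matches the assumed columns.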
In these situations, you'll want to monitor events associated with the given user and might even need to retain the information for counseling or termination purposes. Which types of events you audit for a given user or group depends on the problem area. For example, audit account logon events (and, on the user's workstation, logon events) if the user has trouble logging on or attempts to log on during unauthorized hours. Track object access to determine when a user or group is attempting to access a given resource such as a folder or file. Tailor other auditing to specific tasks and events generated by the user or group.

Auditing Administrators

Auditing administrators is a good idea, not only to keep track of what administrators are doing, but also to detect unauthorized use of administrative privileges. Keep in mind, however, that auditing impacts system performance. In particular, you should consider auditing account logon events, account management, policy change, and privilege use for an administrator only if you suspect an individual. Rather, control administrators by delegating authority through the wise use of groups and organizational units.

Auditing Critical Files and Folders

One very common use for auditing is to track access to important folders and files. In addition to tracking simple access, you probably will want to track when users make or attempt to make specific types of changes to the object, such as Change Permissions and Take Ownership. This helps you monitor changes to a folder or file that could affect security.

Summary

Auditing enables you to monitor events associated with specific users, groups, services, and so on. These events are recorded in the Security log. The ability to monitor these events is not only useful for troubleshooting, but is also an important tool for monitoring and managing security.
You can keep tabs on the actions of specific users or groups and monitor attempts at unauthorized access to the system or its resources. Configuring auditing for most types of events is a one-step process: you configure the policy for Success, Failure, or both in the local or group security policy under Security Settings\Local Policies\Audit Policy. Configuring auditing of object access, such as monitoring access to folders/files, printers, or the registry, requires the additional step of configuring auditing on each object to be monitored.

✦✦✦

Posted: 17/01/2014, 08:20
