NT 110
Chapter 9
Auditing Resources and Events
In
this lesson we'll take a look at how we can audit various events on an NT
computer. We'll see how to implement a
Domain Audit Policy and how to view the audited events in the Event Log.
Introduction to Auditing
By
enabling auditing, we can assess the state of our network security. We can track users activities and system
wide events. We can also create reports
of these events. Examples of the things
we can audit:
1.
Actions
performed on the computer
2.
The
users that performed the actions
3.
And
the date and time when the actions were performed.
By
setting an audit policy, we select the types of events we want to keep track
of. After setting the audit policy we
can view the results in the Event Log.
When
we set an audit policy on a Domain Controller, we actually set the audit policy
for all the domain controllers (that includes PDC and all the BDCs).
When
we set an audit policy on a Workstation or Member Server, we are setting the
audit policy for only the individual workstation or member server.
Various
events we can audit include:
Ø
success
and failure of events
Ø
when
users have logged on
Ø
who
and when someone has accessed a file
Ø
any
changes that might have been made to permissions to a file or folder
Ø
any
changes that might have been made to the security policy
Ø
any
network connections that may have been established.
In
order to enable auditing on files and folders, those objects must be on NTFS
formatted partitions.
You
must be a member of the Administrators group or have the user right to Manage auditing and security log in
order to change or set auditing policies.
NOTE: Server Operators are not able
to create an audit policy, but they can view and archive security logs
Planning and Implementing the
Audit Policy
Consider
what level of security your organization requires. Based on your assessment of how high a level of security your
require, you then set up auditing policies.
|
To Track |
Consider Auditing |
|
Unauthorized
logon attempts |
Log
on and log off |
|
Unauthorized
attempts to use resources |
Use
of folder and files |
|
System
tasks performed by user |
Use
of user rights |
|
Changes
made to user/group accts |
User
and Group Management |
|
Changes
made to user rights/audit policy |
Security
policy changes |
|
Tampering
with a server |
Restart
and shut down of system |
|
Which
program users are using |
Process
tracking |
ü
Determine whether to audit success, failure or both.
By auditing success of events, you can assess how often a certain resource is
being used. Use the information for capcity planning (planning if you need to
make more space available on a server, or change from 10Mps ethernet to 100Mps
Ethernet. If you monitor the failure of
events will alert you to possible security breeches.
In minimum
security networks consider auditing:
1.
Successful
use of resources only if you need this information for planning purposes.
2.
Successful
use of sensitive and confidential data, such as payroll files. This will let you know the names of the
users who are actually using these files.
In medium
security networks, consider auditing:
1.
Successful
use of key resources. Again, this is
done for planning purposes.
2.
Successful
and unsuccessful administrative and security policy changes. This is to keep
tabs on users and Administrators. We
can keep track of when and who has changed to the security policies.
3.
Successful
use of sensitive and confidential data, such as payroll files.
In high
security networks, consider auditing:
1.
Successful
and unsuccessful user logons. This will
help to see if someone is try to hack a logon attempt
2.
Successful
and unsuccessful use of all resources
3.
Successful
and unsuccessful administrative and security policy changes.
WARNING: Auditing is a very processor
intensive task. This will slow down all
other processes on the machine which auditing has been implemented on. Only monitor as much, and as long as, you
have to. Then stop or reduce the
auditing.
Implementing the Audit Policy
You
can audit individual workstations, member servers, or domain controllers. You CANNOT audit the ENTIRE DOMAIN from a
central location.
Audited
events show up in the security log in the Event Viewer. Anyone with the adequate privileges can view
the security log on a local or remote computer.
Setting
up an auditing policy takes part in two phases:
1.
In
user manager (or user manager for domains) you select the events you wish to
audit
2.
After
specifying the types of events you want to audit, you then select the
resources, such as files, folders and printers, that you want to audit usage
of.
Defining the Audit Policy
These
are the types of events you can audit:
|
This event: |
Is used to track when: |
|
Logon
and Logoff |
User
log on or off OR makes or breaks a network connection |
|
File
and Object Access |
User
accesses a folder, file or printer. Set this to audit file or printer access |
|
Use
of user rights |
User
exercises a user right. (except logging in and out) |
|
User
and Group Management |
User
account or group is created, modified, deleted, or when account restrictions,
such as logon hours are modified |
|
Security
Policy Changes |
Change
is made to user rights, audit or trust policies |
|
Restart,
Shutdown, and System |
User
restarts or shutsdown system |
|
Process
Tracking |
Events
that cause programs to start |
Auditing Folders and Files
After
defining the system audit policies you must next decide which objects to
audit. You right click on the object
you want to audit, click on properties, and then click on the security
tab. Next, click the audit button.
For
the individual file, folder, or printer you can track the following:
1.
Read
2.
Write
3.
Execute
4.
Delete
5.
Change
Permissions
6.
Take
Ownership
Review
the chart on pg. 341 for the exact details of these audit events.
Auditing
the Everyone Group
So
far, we haven't found the Everyone group much help, mostly just deleting this
group when dealing with Share or NTFS permissions. However, when we're talking about auditing, the Everyone group is
the best group to audit! When you click
the Add button in the Auditing dialog box, select the everyone group, and then
you'll get a record of any account that has accessed the resource. Cool.
Auditing a Printer
You
audit a printer the same way you choose to audit file or folder usage. Right click the printer you want to audit in
the printers folder.
The
following table explains the printer auditing options:
|
Audit this event: |
To Track: |
|
Print |
Who
is printing. Bill dept's with this info |
|
Full
Control |
Who
is changing job settings, pausing, starting, resuming, sharing, stop sharing,
or changing printing properties. |
|
Delete |
Who
is deleting print jobs |
|
Change
Permissions |
Changes
to printer permissions |
|
Take
Ownership |
Changes
to printer ownership |
Using the Event Viewer to
View the Security Log
After
you've set a system audit policy, and defined the objects who's usage you want
to audit, you'll want to see the results.
You can find the results of your auditing in the Event Viewer. There are three logs in the event view:
1.
System Log. Gives you error, warnings,
and information gathered by NT operating system and 3rd party
components.
2.
Security Log. Information regarding the
audited events as you've set them in the audit policy.
3.
Applications Log. Errors, warnings, information
generated by programs. The developer of
the individual programs determines the reported events in the Event Log.
Administrative Requirements
for Viewing the Security Log
The
Security Log lives on the computer that the policy was set up on. You must be:
1.
An
Administrator
2.
Server
Operator
To
view the security log.
You
can also view the security logs from computers on other domains if the right
trust relationship is set up.
If
you want to view the security log on a remote computer, just open the Event
Viewer, click the Log Menu, and then click on computer. You can then select a computer from the
list.
Filtering Events
When
you open the Event Viewing you see ALL the records. If you're interested in see just a few records of interest, you
can filter the records. Click the View
Menu, then click on Filter Events
Locating Events
Use
Find on the View Menu to search for specific events. Find does NOT allow a search for dates, however.
Archiving the Security Log
You
can save old security logs so that you can audit events that took place
months/years ago. You want to archive
security logs on a regular basis because the security log can get very large,
very fast. This also let's up on drive
space used as well.
In
the Event Log Settings dialog box you can define how large you would like the
event log to get. You also make the
choice whether you want to Overwrite old events in order to save space, or
overwrite events older than X days,
or Not to ever overwrite the event log.
WARNING: If you decide to audit logon's, you MUST make sure that the event log
doesn't get full. If the security log
becomes full users will not be able to log on.
This is a security measure; if the system cannot keep track of who has
logged on, it will not let anyone log on.
This is bad, don't let it happen.
The
log size can be anywhere from 512k to 4GIG!
Best Practices:
ü
Audit
only those events you really need to know about; this will minimize the load on
your CPU
ü
In
a minimum security environment:
track successful events to determine resource usage.
ü
In
a medium security environment:
track successful and unsuccessful access; this will allow you to assess for
possible security breeches.
ü
In
a high security environment
track all successful and unsuccessful events
ü
Be
sure to track the Everyone Group!
ü
Set
aside a time everyday to check the Event Viewer. Often the system will warm you of things that you'll be able to
fix in advance before problems get so bad that the computer won't even start
anymore. You also want to be able to
assess on a daily basis whether a hacker attack may be taking place.
ü
Archive
you old logs and keep them in a save place.
Someday an Attorney or Management will ask you for these; stay out of
jail and keep them in a safe place.