
Auditing of Active Directory Services

Auditing enables you to track actions performed by users across the domain such as logging on and off or accessing files and folders. When you create and apply an auditing policy, auditable events are recorded in the Security log of the computer at which they happen. You can then use Event Viewer to view any computer's Security log by connecting to the required computer.

New Audit Functionality

Windows Server 2012 introduced expression-based audit policies, which continue in Windows Server 2012 R2. Dynamic Access Control in Windows Server 2012/R2 lets you build audit policies from expressions based on the user, the computer, or the resource being requested. Expression-based audit policies are helpful when you need to keep audit logs small but still capture the data you need. You can apply expression policies centrally through Group Policy using Global Object Access Auditing, which enables administrators to define computer-wide system access control lists (SACLs) per object type for the file system or the registry. The SACL is then applied to every object of that type.

Active Directory Auditing

Windows Server 2008 introduced the command-line tool auditpol.exe as well as subcategories in the Audit Directory Service Access category. In addition, Windows Server 2008 R2 introduced an Advanced Audit Policy subnode in the Group Policy Management Editor. In previous versions of Windows Server, a single Directory Service Access category controlled the auditing of all directory service events. Windows Server 2012 expanded on this. Windows Server 2012 R2 continues to leverage four subcategories for auditing directory service access:

  • Directory Service Access:
    Tracks all attempts at accessing AD DS objects whose SACLs have been configured for auditing. This includes deletion of objects.

  • Directory Service Changes:
    Tracks modifications to AD DS objects whose SACLs have been configured for auditing. The following actions are included:

    • When an attribute of an object has been modified, the old and new values of the attribute are recorded in the Security log.
    • When a new object is created, the values of its attributes at creation time are recorded in the Security log. This includes objects moved into the domain from another domain.
    • When objects are moved from one container to another, the distinguished names of the old and new locations are recorded in the Security log.
    • When objects are undeleted, the location in which they are placed is recorded in the Security log. Any added, modified, or deleted attributes are also recorded.

  • Directory Service Replication:
    Tracks the beginning and end of the synchronization of a replica of an Active Directory naming context.

  • Detailed Directory Service Replication:
    Tracks additional AD DS replication events, including the establishment, removal, or modification of an Active Directory replica source naming context; replication of attributes for an AD DS object; or removal of a lingering object from a replica.

Using GPOs to Configure Auditing

Group Policy enables you to configure success or failure for several types of actions. In other words, you can choose to record successful actions, failed attempts at performing these actions, or both. For example, if you are concerned about intruders that might be attempting to access your network, you can log failed logon events. You can also track successful logon events, which is useful in case the intruders succeed in accessing your network.

You can use Group Policy to enable auditing on domain controllers, member servers, and client computers. Be aware that auditing takes place only on the local computer where the events occur, and that these events are recorded in that computer's Security log. To enable auditing on all domain controllers, configure the auditing settings in the Default Domain Controllers Policy GPO; to enable auditing on other domain computers, configure the auditing settings in the Default Domain Policy GPO or in another GPO as required.

Available Auditing Categories

Windows Server 2012 R2 enables you to audit the following types of events:

  • Account logon:
    Logon or logoff by a domain user account at a domain controller. You should track both success and failure.

  • Account management:
    Creation, modification, or deletion of computer, user, or group accounts. Also included are enabling and disabling of accounts and changing or resetting passwords. You should track both success and failure.

  • Directory service access:
    Access to an AD DS object as specified by the object's SACL. This category includes the four subcategories mentioned earlier in this section; enabling directory service access from the Group Policy Management Editor enables all four subcategories. Enable this category for failures (if you record success, a large number of events will be logged).

  • Logon events:
    Logon or logoff by a user at a member server or client computer. You should track both success and failure (success logging can record an unauthorized access that succeeded).

  • Object access:
    Access by a user to an object such as a file, folder, or printer. You need to configure auditing in each object's SACL to track access to that object. Track success and failure to access important resources on your network.

  • Policy change:
    Modification of policies, including user rights assignment, trust, and audit policies. This category is not normally needed unless unusual events are occurring.

  • Privilege use:
    Use of a user right, such as changing the system time. Track failure events for this category.

  • Process tracking:
    Actions performed by an application. This category is primarily for application developers and does not need to be enabled in most cases.

  • System events:
    Events taking place on a computer such as an improper shutdown or a disk with very little free space remaining. Track success and failure events.

Note:
Note the difference between Logon and Account Logon events. Logon events refer to authentication of a local user at a workstation or member server, while Account Logon events refer to the authentication of a domain user account at a domain controller.

Tip:
Know which types of actions to audit for different scenarios. For example, the exam might present a drag-and-drop interface in which you must select success and failure actions to achieve a given objective.

Configuring Basic Auditing Policies

Use the following procedure to specify basic audit policy settings:

  1. Access the Group Policy Management Editor snap-in for the appropriate GPO linked to a site, a domain, or an organizational unit (OU).
  2. Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node.
  3. Click this node to display the available policies in the details pane.
  4. Right-click the appropriate policy and select Properties.
  5. In the Properties dialog box for the policy, select Define these policy settings; then select Success, Failure, or both, as desired. Then click OK. Refer to the Explain tab of each policy's Properties dialog box for more information on what the setting does.

To track object access or directory service access, you must configure the SACL for each required object. Perform the following procedure:

  1. In File Explorer, right-click the required file, folder, or printer and select Properties.
  2. Select the Security tab of the object's Properties dialog box.
  3. Click Advanced to open the Advanced Security Settings dialog box, and then select the Auditing tab.
  4. To add users or groups, click Add.
  5. In the Auditing Entry dialog box, click the Select a principal link. Type the required user or group in the Select User, Computer, Service Account or Group dialog box; then click OK.
  6. On the Auditing Entry dialog box for the Principal, select the types of actions you want to track. As an optional task under Windows Server 2012 R2, you might choose to add a condition to limit the scope of the auditing entry. Click OK when complete.
  7. The completed auditing entries appear in the Auditing tab of the Advanced Security Settings dialog box. Click OK twice to close these dialog boxes. To modify any existing audit entries, select the entry and click the Edit button.

After you have configured object access auditing, attempts to access audited objects appear in the Security log, which you can view from Event Viewer, either from Server Manager or from its own snap-in in the Administrative Tools folder. For more information on any audited event, right-click the event and select Event Properties.

Tip:
Ensure that the security log has adequate space to audit the events you configure for auditing because the log can fill rapidly. The recommended size is at least 128 MB. You should also periodically save the existing log to a file and clear all past events. If the log becomes full, the default behavior is that the oldest events will be overwritten (and therefore lost). You can also configure the log to archive when full and not to overwrite events, but new events will not be recorded. Loss of recorded events could be serious in the case of high-security installations.
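
The following PowerShell script is an added example, not code from the original page, that checks the Security log against the tip above: it reports the current maximum size, current size and what happens when the log fills, raises the limit to 128 MB with archive-when-full behaviour if the log is smaller, and performs the recommended save-and-clear into a timestamped .evtx file. It uses wevtutil.exe, which ships with Windows; the archive folder C:\SecurityLogArchive is an assumption, and the script must run from an elevated prompt.

```powershell
# Added example (not part of the original page): audit and correct the
# Security log's size and retention settings, then archive and clear it.
# The archive folder is an assumption; run from an elevated prompt.

$minBytes = 128MB
$log = Get-WinEvent -ListLog Security

# Current state. LogMode values: Circular = overwrite oldest events
# (the default), AutoBackup = archive when full, Retain = stop recording
# when full (events are not lost, but new ones are not written).
[pscustomobject]@{
    MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentSizeMB = [math]::Round($log.FileSize / 1MB)
    Records       = $log.RecordCount
    LogMode       = $log.LogMode
}

if ($log.MaximumSizeInBytes -lt $minBytes) {
    # Raise the maximum size and archive full logs instead of overwriting:
    # /rt:true keeps events, /ab:true writes the full log out as a backup.
    wevtutil sl Security /ms:$minBytes /rt:true /ab:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed ($LASTEXITCODE)" }
}

# Periodic save-and-clear: back the live log up to a timestamped .evtx
# file (readable later in Event Viewer) and then clear it.
$archive = "C:\SecurityLogArchive\Security-$(Get-Date -Format yyyyMMdd-HHmmss).evtx"
New-Item -ItemType Directory -Path (Split-Path $archive) -Force | Out-Null
wevtutil cl Security /bu:$archive
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed ($LASTEXITCODE)" }
```

Scheduling the last step (for example as a daily task) is what keeps a high-security installation from ever reaching the point where events are overwritten or, with archive-when-full, where recording stops.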

Configuring Advanced Audit Policies

The Advanced Audit Policy Configuration node in Windows Server 2012 R2 enables you to configure granular auditing policies for the 10 subcategories shown. Using these policies, you can even determine which access control entry (ACE) in an object's ACL allowed access to an audited object. This capability can assist you in modifying an object's ACL to ensure that only the appropriate access is permitted. These policies enable an administrator to manage object access centrally. This concept is also known as Global Object Access under Windows Server 2012 R2. To access Advanced Audit Policies, open the Group Policy Management Editor snap-in for the appropriate GPO and navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies node.

To configure any of these policies, simply right-click the desired policy and select Properties. You can define auditing for success and/or failure of each policy setting. Consult the Explain tab of each policy setting's Properties dialog box for further information.

For more information on the available advanced policy settings, refer to "Advanced Security Audit Policy Settings" and references cited therein at http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx.

Tip:
You should ensure that advanced audit policy settings are not overwritten by basic audit policy settings. To do so, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options node and enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting.

Note:
For additional information on configuring audit policies, including a comprehensive guide for setting up a series of policies on a test network, refer to "Advanced Security Audit Policy Step-by-Step Guide" at http://technet.microsoft.com/en-us/library/dd408940(WS.10).aspx.

Using Auditpol.exe to Configure Auditing

The Auditpol.exe tool performs audit policy configuration actions from the command line. This is the only tool you can use to configure auditing on a Server Core computer or to configure directory service auditing subcategories.

To use this tool, type the following in a command line:

Auditpol command [sub-command options]

Table-1 describes the available commands, and Table-2 describes several of the more important subcommands and options you should be aware of.

Table-1 Auditpol Commands

Command    Meaning
/get       Displays the current auditing policy.
/set       Sets the audit policy.
/list      Displays audit policy categories and subcategories, or lists users for whom a per-user audit policy is defined.
/backup    Saves the audit policy to a specified file.
/restore   Retrieves the audit policy from a specified file.
/clear     Clears the audit policy.
/remove    Removes per-user audit policy settings and disables system audit policy settings.

Table-2 Auditpol Subcommands and Options

Option                Meaning
/user:<username>      Specifies the security principal for a per-user audit, by name or by security identifier (SID). Requires either the /category or the /subcategory option when used with the /set command.
/category:<name>      Specifies one or more auditing categories, separated by |, by name or by globally unique identifier (GUID).
/subcategory:<name>   Specifies one or more auditing subcategories, separated by |, by name or by GUID.
/success:enable       Enables success auditing when using the /set command.
/success:disable      Disables success auditing when using the /set command.
/failure:enable       Enables failure auditing when using the /set command.
/failure:disable      Disables failure auditing when using the /set command.
/file                 Specifies the file to which an audit policy is to be backed up, or from which an audit policy is to be restored.

For example, to configure auditing for directory service changes, you would type the following:

Auditpol /set /subcategory:"directory service changes" /success:enable

Additional subcommands and options are available with most of the auditpol commands discussed here. For information on the subcommands and options available for a specific command, type auditpol /command /? (for example, auditpol /set /?).
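
The following PowerShell script is an added example, not code from the original page, that strings the auditpol commands from Tables 1 and 2 together the way an administrator would on a domain controller: back up the current policy with /backup, apply the four directory service subcategories with /set, verify the result with /get (the /r option returns CSV, so the output can be checked as objects), and confirm that basic audit policy cannot overwrite the subcategory settings, the Tip given earlier under Configuring Advanced Audit Policies. The backup path is an assumption, the category name "DS Access" and the registry value SCENoApplyLegacyAuditPolicy are the names Windows uses for these items, and the script must run from an elevated prompt.

```powershell
# Added example (not part of the original page): configure the DS Access
# subcategories with auditpol.exe and verify the result. The backup path is
# an assumption; run from an elevated prompt on the domain controller.

$backup = "C:\AuditPolicy-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
auditpol /backup /file:$backup
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed ($LASTEXITCODE)" }

# Access and Changes get success and failure so refused attempts show up too;
# the replication subcategories are noisy, so only the summary one is kept.
$settings = @(
    @{ Name = 'Directory Service Access';               Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'Directory Service Changes';              Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'Directory Service Replication';          Success = 'enable';  Failure = 'disable' },
    @{ Name = 'Detailed Directory Service Replication'; Success = 'disable'; Failure = 'disable' }
)

foreach ($s in $settings) {
    auditpol /set /subcategory:"$($s.Name)" /success:$($s.Success) /failure:$($s.Failure)
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($s.Name)'" }
}

# Verify: /get /r emits CSV, so the effective policy can be compared field
# by field instead of read off the console.
$state = auditpol /get /category:"DS Access" /r | ConvertFrom-Csv
$state | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

foreach ($s in $settings) {
    $row = $state | Where-Object Subcategory -eq $s.Name
    if (-not $row) { Write-Warning "No policy row returned for '$($s.Name)'" }
}

# Subcategory settings only hold if the basic categories cannot overwrite
# them (the "Force audit policy subcategory settings" option; the registry
# value it sets is SCENoApplyLegacyAuditPolicy = 1).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not forced; basic audit policy may replace these settings at the next policy refresh.'
}
```

Keeping the /backup file lets you return to the previous state with auditpol /restore /file:<path> if the new settings turn out to generate more events than the Security log can absorb.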


Configuring User Account Control

User Account Control (UAC) is a feature that was designed to protect your computer from unauthorized changes. It is designed to enable all users, even administrators, to run with a standard access token. When a user requires administrative privileges for a task that can affect system properties, such as installing a program, modifying data under %ProgramFiles% or %Windir%, or starting up an application, the user might receive a prompt requesting administrative credentials.

By default, UAC is enabled under Windows Server 2012 R2. Because many applications are considered trusted in your organization, there might come a time when you decide to disable UAC (not recommended), or modify notification settings. You can modify UAC via the Control Panel, Local Security Policy, or Group Policy.

Using Control Panel to Configure UAC

You can configure UAC from the Control Panel on a local server or workstation using the following process:

  1. From the settings tile, open Control Panel and click User Accounts.
  2. When the User Accounts panel opens, click User Accounts to change user account settings.
  3. Click Change User Account Control settings to open the User Account Control Settings dialog box shown. You can also access this link via System and Security → Action Center under Control Panel.
  4. Use the slider to change how Windows Server notifies you for any changes. Select the setting that best meets your needs, and click OK to commit the changes.

Configuring UAC via Policy

You can configure User Account Control using the Local Security Policy snap-in for MMC. You can manage UAC settings under Security Settings\Local Policies\Security Options. For larger networks, it might be more appropriate to configure UAC through Group Policy. To configure UAC using Group Policy, perform the following steps:

  1. Open Group Policy Management, and either create a new GPO or modify an existing one.
  2. Under Computer Configuration, expand Policies\Windows Settings\Security Settings\Local Policies\Security Options.
  3. Scroll to the bottom of the Policy setting list to view all the available settings for User Account Control. Enable the appropriate settings to suit your needs. Save the policy and link it accordingly.
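
The User Account Control policy settings under Security Options are stored as registry values, so the effective state of UAC on a server can be read back and checked. The following PowerShell script is an added example, not code from the original page, that reports whether UAC is enabled, how administrators are prompted, and whether prompts use the secure desktop, and warns about the weakened states (UAC disabled, silent elevation, prompts off the secure desktop). The value names EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, and the meanings of the ConsentPromptBehaviorAdmin values, are the ones Windows documents for these policy settings; the function name Get-UacValue is the author's choice.

```powershell
# Added example (not part of the original page): read the effective UAC
# settings from the policy registry key and flag weakened configurations.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# A value that has never been set is absent from the key, which means the
# Windows default applies, so each lookup carries its default.
function Get-UacValue([string]$Name, [int]$Default) {
    $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

# Meanings of ConsentPromptBehaviorAdmin as documented for the policy
# "User Account Control: Behavior of the elevation prompt for administrators".
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

$enableLua     = Get-UacValue 'EnableLUA' 1
$adminBehavior = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
$secureDesktop = Get-UacValue 'PromptOnSecureDesktop' 1

$report = [pscustomobject]@{
    UacEnabled          = ($enableLua -eq 1)
    AdminPromptBehavior = $adminPrompt[$adminBehavior]
    SecureDesktop       = ($secureDesktop -eq 1)
}
$report

if (-not $report.UacEnabled) {
    Write-Warning 'UAC is disabled: administrators run every process with a full token, not a standard access token.'
}
if ($adminBehavior -eq 0) {
    Write-Warning 'Administrators elevate silently; no prompt is ever shown for changes to system properties.'
}
if (-not $report.SecureDesktop) {
    Write-Warning 'Elevation prompts are not isolated on the secure desktop.'
}
```

Run this on a machine after a policy refresh (gpupdate /force) to confirm that the GPO linked in the steps above has produced the state you intended, rather than trusting the slider in Control Panel, which only reflects a subset of these values.
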

Note:
For more information on UAC, refer to "What is User Account Control?" at http://windows.microsoft.com/en-us/windows7/what-is-user-account-control.