
Auditing the Environment

Auditing is a way to record and keep track of activity on the network, on individual devices, and across entire systems. By default, Windows 2008 enables some auditing, whereas many other auditing functions must be turned on manually. This lets the administrator choose which activities the system should monitor.

Auditing is typically used for identifying security breaches or suspicious activity. However, auditing is also important for gaining insight into how the network, network devices, and systems are accessed. On Windows 2008, auditing can record both successful and unsuccessful events on the system, but the relevant audit policies must be enabled before any activity is recorded.

Audit Policies

Audit policies are the basis for auditing events on a Windows 2008 system. Depending on the policies set, auditing can consume a substantial amount of server resources on top of those needed for the server's own workload, which can slow server performance. Also, collecting lots of information is only as good as the evaluation of the audit logs: if a lot of information is captured and a significant amount of effort is required to evaluate it, auditing loses much of its purpose. As a result, it's important to take the time to plan how the system will be audited. This lets the administrator determine what needs to be audited, and why, without creating an abundance of overhead.

Audit policies track successful or unsuccessful event activity in a Windows 2008 environment; each policy can be set to audit successes, failures, or both. The policies that can be configured are the following:

  • Audit system events: The system events policy logs specific system events such as a computer restart or shutdown.
  • Audit logon events: Logons over the network or by services are logged.
  • Audit object access: The object access policy logs an event when a user attempts to access a resource (for example, a printer or shared folder).
  • Audit privilege use: Privilege use covers a user exercising a user right, such as changing the system time. Successful or unsuccessful attempts can be logged.
  • Audit process tracking: An event can be logged for each program or process that a user launches while accessing a system. This information can be very detailed and take a significant amount of resources.
  • Audit policy change: Each time an attempt to change a policy (user rights, account audit policies, trust policies) is made, the event is recorded.
  • Audit account management: When an account is changed, an event can be logged and later examined.
  • Audit directory service access: Any time a user attempts to access an Active Directory object that has its own system access control list (SACL), the event is logged.
  • Audit account logon events: Each time a user attempts to log on, the successful or unsuccessful event can be recorded. Failed logon attempts can include logon failures for unknown user accounts, time restriction violations, expired user accounts, insufficient rights for the user to log on locally, expired account passwords, and locked-out accounts.

The audit policies can be enabled or disabled through the local system policy, domain controller security policy, or Group Policy Objects. Audit policies are located within the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy folder of the Group Policy Management Editor.

Audit Policy Subcategories

Windows 2008 allows more granularity in the setting of the audit policies. In previous versions of the Windows Server platform, the audit policies could only be set on the general categories. This usually resulted in a large number of security events, many of which were of no interest to the administrator, and system management software was usually needed to parse all the security events and report on the relevant entries.

Windows 2008 exposes additional subcategories under each of the general categories, which can each be set to No Auditing, Success, Failure, or Success and Failure. These subcategories allow administrators to fine-tune the audited events.

Unfortunately, the names of the audit categories do not quite match the names of the audit policies. Table-3 shows how the policies map to the categories, and Table-4 lists the subcategories under each category.

TABLE-3 Matching Audit Policies to Audit Categories

Audit Policy                      Audit Category
Audit system events               System
Audit logon events                Logon/Logoff
Audit object access               Object Access
Audit privilege use               Privilege Use
Audit process tracking            Detailed Tracking
Audit policy change               Policy Change
Audit account management          Account Management
Audit directory service access    DS Access
Audit account logon events        Account Logon

TABLE-4 Audit Subcategories

Audit Category        Audit Subcategory
System                Security State Change
                      Security System Extension
                      System Integrity
                      IPSec Driver
                      Other System Events

Logon/Logoff          Logon
                      Logoff
                      Account Lockout
                      IPSec Main Mode
                      IPSec Quick Mode
                      IPSec Extended Mode
                      Special Logon
                      Network Policy Server
                      Other Logon/Logoff Events

Object Access         File System
                      Registry
                      Kernel Object
                      SAM
                      Certification Services
                      Application Generated
                      Handle Manipulation
                      File Share
                      Filtering Platform Packet Drop
                      Filtering Platform Connection
                      Other Object Access Events

Privilege Use         Sensitive Privilege Use
                      Non Sensitive Privilege Use
                      Other Privilege Use Events

Detailed Tracking     Process Creation
                      Process Termination
                      DPAPI Activity
                      RPC Events

Policy Change         Audit Policy Change
                      Authentication Policy Change
                      Authorization Policy Change
                      MPSSVC Rule-Level Policy Change
                      Filtering Platform Policy Change
                      Other Policy Change Events

Account Management    User Account Management
                      Computer Account Management
                      Security Group Management
                      Distribution Group Management
                      Application Group Management
                      Other Account Management Events

DS Access             Directory Service Access
                      Directory Service Changes
                      Directory Service Replication
                      Detailed Directory Service Replication

Account Logon         Kerberos Service Ticket Operations
                      Credential Validation
                      Kerberos Authentication Service
                      Other Account Logon Events

You can use the auditpol command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command:

auditpol /get /category:*

To enable auditing of the Distribution Group Management subcategory of the Account Management category for both success and failure events, the following command can be used:

auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable

This command would need to be run on each domain controller for the policy to have a uniform effect. To see all the options for the auditpol command, use the following command:

auditpol /?
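Because auditpol only reports and sets one machine at a time, it helps to wrap it in a script that compares the current subcategory settings (Table-4) against a desired baseline and reports any drift. The following PowerShell script is an added example for this page and the subcategory discussion above; it is not from the original text or from Microsoft. It assumes PowerShell 3.0 or later and an elevated prompt, and the baseline values in $Baseline are a constructed sample, not a recommendation from the page. It parses the CSV report that auditpol /get /category:* /r produces and, when run with -Remediate, applies the baseline with auditpol /set.

```powershell
# Added example (not from the original page): compare a system's audit
# subcategory settings against a desired baseline and optionally apply it.
# Assumptions: PowerShell 3.0+, elevated prompt, auditpol.exe present
# (it ships with Windows Vista / Server 2008 and later).
param([switch]$Remediate)

# Desired "Inclusion Setting" per subcategory. Names are the subcategory
# names exactly as auditpol reports them. These values are a constructed
# sample baseline, not a recommendation from the page.
$Baseline = @{
    'Credential Validation'         = 'Success and Failure'
    'Logon'                         = 'Success and Failure'
    'Account Lockout'               = 'Success and Failure'
    'Process Creation'              = 'Success'
    'Distribution Group Management' = 'Success and Failure'
    'Audit Policy Change'           = 'Success and Failure'
}

function Get-AuditSubcategoryState {
    # "auditpol /get /category:* /r" prints the whole policy as CSV with the
    # columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Drop blank lines, then parse.
    $csv = & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }
    $csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory.Trim()
            Setting     = $_.'Inclusion Setting'.Trim()
        }
    }
}

function Compare-AuditBaseline {
    # Returns one row per baseline entry with the desired and actual setting.
    param([hashtable]$Desired)
    $current = @{}
    Get-AuditSubcategoryState | ForEach-Object { $current[$_.Subcategory] = $_.Setting }

    foreach ($name in $Desired.Keys) {
        $actual = $current[$name]
        if ($null -eq $actual) { $actual = '<subcategory not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Desired     = $Desired[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Desired[$name])
        }
    }
}

function Set-AuditSubcategory {
    # Translate the "Inclusion Setting" wording back into auditpol /set switches.
    param(
        [Parameter(Mandatory=$true)][string]$Subcategory,
        [ValidateSet('No Auditing', 'Success', 'Failure', 'Success and Failure')]
        [string]$Setting
    )
    $success = if (@('Success', 'Success and Failure') -contains $Setting) { 'enable' } else { 'disable' }
    $failure = if (@('Failure', 'Success and Failure') -contains $Setting) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Subcategory" /success:$success /failure:$failure
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Subcategory'" }
}

# Report drift; with -Remediate, push the baseline for every non-compliant row.
$drift = Compare-AuditBaseline -Desired $Baseline | Where-Object { -not $_.Compliant }
if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'All baseline subcategories are compliant.'
}

if ($Remediate) {
    foreach ($d in $drift) {
        Set-AuditSubcategory -Subcategory $d.Subcategory -Setting $d.Desired
    }
}
```

As the page notes, auditpol changes are local to the machine, so the script has to be run on each domain controller (or the same settings deployed through Group Policy) for a uniform effect. Running it without -Remediate is a safe way to confirm that a Group Policy deployment actually landed on every server before relying on the resulting events.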