CHAPTER 16

                               AUDITING RESOURCES AND EVENTS

 

 

Lesson 1:  Understanding Auditing 

 

Auditing allows you to track both user activities and Windows 2000 activities, which are

called events, on a computer.  The security log maintains a record of valid and invalid logon

attempts and events related to creating, opening, or deleting files or other objects.  An audit

entry in the security log contains the following information:

 

• The Action that was performed
• The user who performed the action
• The success or failure of the event and when the even occurred.

 

 

Using an Audit Policy

 

An audit policy defines the types of security events that Windows 2000 records in the security

log on each computer.  The security log allows you to track the events that you specify.

 

Windows 2000 writes events to the security log on the computer where the event occurs.    You

can set up a log to do the following:

 

Track the success and failures of events, such as logon attempts, changes to user account or group

membership, and changes to your security settings.

Eliminate or minimize the risk of unauthorized use of resources.

 

 

Using Event Viewer to View Security Logs

 

You use Event Viewer to view events that Windows 2000 has recorded in the security log.  You

can also archive log files to track trends over time, for example to determine the user of printers or

files or to verify attempts at unauthorized use of resources.

 

 

Lesson Summary:

 

•   You learned about Windows 2000 auditing, which helps you ensure that your network is secure

by tracking user activities and system wide events.  Auditing allows you to have Windows 2000

write a record of these events to the security log. 

•   To specify which events to record, you set up an audit policy.
•   Use Event Viewer to view the security log.

 

 

 

=====================================================================

 

winpro16.html                                                 PAGE 2                                                    2001/12/18

 

 

 

•   Each audit entry in the security log contains the action that was performed, the user who

performed the action, and the success or failure of the action.

•   You can also archive log files to track trends over time.

 

 

Lesson 2:  Planning an Audit Policy

 

When you plan an audit policy, you must determine the computers on which to set up auditing. 

Auditing is turned off by default.

 

•   Accessing file and folders
•   Logging off and on.
•   Shutting down and restarting computer running Windows 2000
•   Changing user accounts and groups.
•   Attempting to make changes to objects in directory services based on Active Directory,

only if your Windows 2000 computer is not part of a domain.

•   You must put time aside to read the log, or assign it to another person to do, I if you

do not have the time to read it.

 

After you have determined the types of events to audit, you must also determine whether to

audit the success or failures or both.  Tracking successful events can tell you how often Windows

2000 users gain access to specific files, printer or other objects.

 

Tracking Failed events can alert you to possible security breaches.

 

 

 

Other guidelines in determining your audit policy include the following:

 

•   Determine whether you need to track trends of system use.  If so, archive event logs.
•   Review security log frequently.  Define an audit policy that is useful and manageable. 
•   Don’t forget the computer will be slowed down a little when auditing is in effect.  Audit

resource access by using the Everyone group instead of the Users group.  This will

audit all users on the network.  Restrict Logon hour, and record failures.  This will track

people who are trying to hack into the system.

•   Why use successful logons.  This will prevent hackers to log on successfully  for the first time.
•    For example, if John is on holidays, and you see someone logging on as his name, you

 know that someone is accessing his account. 

•   Use this audit with a lot of caution, it will create a lot of entries in the Event Viewer.

 

 

=====================================================================

 

winpro16.html                                                 PAGE 3                                                    2001/12/18

 

 

 

Lesson Summary:

 

•   The types of events that you can audit include the following: accessing files and folders, logging on

and off, shutting down and restarting a computer running Windows 2000 Professional, and

changing user accounts and groups.

•   You can audit the failure or success of events or both.
•   You can use the information for resource planning.
•   You can tracked failed events to look for possible security breaches.

 

 

 

Lesson 3:  Implementing an Audit Policy

 

For computers running Windows 2000 Professional, you set up an audit policy for each individual

computer.  You need to follow the following requirements:

 

You must have Manage Auditing and Security Log user right for the computer where you want to

configure an audit policy or review an audit log.  By default, Windows 2000 grants these rights

to the Administrators group.

 

The files and folders to be audited must be on Microsoft Windows 2000 File system (NTFS) volume,

but not FAT.

 

 

Setting Up Auditing

 

1.  Set the audit policy. It will audit objects, but not specific objects.
2.  Enable auditing of specific resources.  You specify the specific events to audit for files, folders,

printers, and Active Directory objects.  Windows 2000 then tracks and logs the specified events.

 

 

 

Setting an Audit Policy

 

You must determine if you are tracking successes or failures for each event you track.  You

set audit policies in the Local Security Settings window, which you open by selecting Local

Security Policy on the Administrative Tools menu.  NOTE:  You need to enable Success and

Failures switch to make this work.

 

 

 

=====================================================================

 

winpro16.html                                                 PAGE 4                                                    2001/12/18

 

 

 

Types of Events Audited by Windows 2000

 

======================================================================

Event                                      Description

======================================================================

 

Account Logon Events           A domain controller received a request to validate a user

                                                Account.

 

Account Management           An administrator created, changed or deleted a user

                                                Account or group

 

Directory Service Access      A user gained access to an Active Directory object.

 

Logon Events                         Users logon and logoff,

 

Object Access                        A user gained access to a file, folder or printer.

 

Policy Change                        Change made to security options, user rights, or

                                                Audit policies.

 

Privilege Use                          A user exercised a right, such as changing the

                                                System time.

 

Process Tracking                   A program performed an action.

 

System Events                       A user restarted or shut down the computer, or an

                                                Event occurred that affects Windows 2000 security

                                                 Or the security log.

 

 

====================================================================

 

 

If you want to force the Policy into effect:

 

You can go into command prompt and type secedit^refreshpolicy^machine_policy (enter)

 

Try and log on and make an error in your password, it should be reflected in the event

viewer when you see it.  To audit a specific file, you need to select object access file/folder/printer.

 

 

 

 

=====================================================================

 

winpro16.html                                                 PAGE 5                                                    2001/12/18

 

 

 

HOW TO:

 

• Enable audit object access/local policies/audit policies.
• Properties of the file or folder of solitary.exe (sol.exe) C:\WINNT\System32
• Security tab/Advanced/Auditing Tab/Add/Users.

 

 

Effective Policy Setting

 

• Indicates whether or not auditing is turned on.
• No auditing indicates it is not auditing this event.
• Failure indicates it is auditing failed attempts.
• Success indicates it is auditing successful attempts.
• Success, failure indicates it is auditing all attempts.

 

 

Local Policy Settings

 

•   A check mark in the Success check box indicates that auditing is in effect for

successful attempts.  A check mark in the Failure check box indicates that auditing is in

effect for failed attempts.

 

•   Once you have set the audit policy, remember that the changes that you make to your

computer’s audit policy don’t take effect until you restart your computer.

 

 

Auditing Access to Files and folders

 

If security breaches are an issue for your organization, you can set up auditing for files and

folders on NTFS Partitions.

 

Once you have set your audit policy to audit object access, you enable auditing for specific

files and folders and specify which types of access, by which users or groups, to audit. 

You can enable auditing for specific files and folders as follows:

 

1.   On the Security tab/ Properties/ Advanced.
2.   Auditing tab/ Add, then chose the users you want to audit.
3.   Choose Success or failure.  By default, any auditing changes that you make to a parent folder

also apply to all child folders and all files in the parent and child folders.

 

4.   To prevent changes that are made to a parent folder from applying to the currently selected

file or folder, clear the Allow Inheritable Auditing Entries From Parent to Propagate To This

5.   Object check box.  Click OK.

 

 

=====================================================================

 

winpro16.html                                                 PAGE 6                                                    2001/12/18

 

 

 

Auditing Access to Printer

 

Audit access to printers to track access to sensitive printers.  To audit access to printer, set

your audit policy to audit object access, which includes printer.  Then enable auditing for

specific printers and specify which types of access to audit and which users will have access.

 

• Properties/Security tab/Advanced.
• Auditing tab/ Add/ select the groups/ OK
• Apply
• Access/ select successful or failed
• Click OK

 

 

Lesson Summary:

 

•   You can select the events to audit for files and folders, and you can select the events you want

to audit for printers.

•   You use the Local Security Settings window to set audit policies, and then you restart your

computer to enable auditing.

•   You can set up auditing on NTFS partitions.
•   Once you have set your audit policy to audit object access, you enable auditing for specific

files, folders and printers and specify which type of access, by which users or groups to audit.

 

 

 

Lesson 4:  Using Event Viewer

 

You use Event Viewer to perform a variety of tasks, including viewing the audit logs that are generated

as a result of setting the audit policy and auditing events.

 

=====================================================================

Logs maintained by Windows 2000

=====================================================================

Application Log                      Contains errors, warnings or information that programs,

                                                such as a database program or e-mail program generates.

 

Security Log                           Contains information about the success or failure of

                                                Audited events.  The events that Windows 2000

                                                Records are a result of your audit policy.

 

System log                              Errors, warnings and information that Win2000 generates.

 

 

=====================================================================

 

winpro16.html                                                 PAGE 7                                                    2001/12/18

 

 

 

Viewing Security Logs

 

•   Start/Programs/Administrative Tools/Event Viewer
•   Console Tree/Security Log.
•   Details pane, Event Viewer. Successful events appear as a key icon.  Unsuccessful events appear

with a lock icon.  Other important information includes the date and time that the event occurred, the

category of the event, and the user who generated the event.

•   Select the event, then click Properties on the Action menu.

 

 

Windows 2000 records events in the security log on the computer at which the even occurred.  You

can view these events from any  computer as long as you have administrative privileges for the computer

where the events occurred.

 

To view the security log on a remote computer, start the MMC and create a custom console; point

Event Viewer to a remote computer when you add this snap-in to a console.

 

 

Locating Events

 

You can user the Filter command to search for specific events by using the Find command also.  To

filter or find events, start Event Viewer, and then click Filter or find on the View menu.

 

 

Managing Audit Logs

 

You can track trends in Windows 2000 by archiving event logs and comparing logs form different

 periods.

 

You can configure the properties of each individual audit log.  To configure the settings for logs,

select the log in Event Viewer, and then display the Properties for the log.

 

Archiving Logs

 

You can archive security logs which allows you to maintain a history.  If you want to archive, clear,

or view an archived log, select the log you want to configure in Event Viewer, click the Action menu,

and then click one of the options.

 

• Archive the Log
• Clear the Log
• View an archived log

 

 

 

 

=====================================================================

 

winpro16.html                                                 PAGE 8                                                    2001/12/18

 

 

Lesson Summary:

 

1)         Windows 2000 P has the following three logs by default:  The Application log, the Security

log and the System log.

2)         You can use Event Viewer to view the contents of the Windows 2000 logs.

3)         You can use the Filter or Find command in Event Viewer to easily locate specific events

or types of events.

4)         You can manage Windows 2000 by archiving logs .evt files can only be viewed in Event

Viewer comma delimited, between fields tab delimited leaves spaces between fields.

.txt view the file in Wordpad.