CHAPTER 9

                        AUDITING RESOURCES AND EVENTS

 

Lesson 1:  Introduction to Auditing ………………………………             331

Lesson 2:  Planning and Implementing the Audit Policy …………             334

Lesson 3:  Using Event Viewer to View the Security Log ……….             346

 

 

Lesson 1:  Introduction to Auditing

 

Auditing is useful to track system activity and maintain Network security.  You use a security log

to track entries that occur on the network.

 

 

The two kinds of Audit Policies:

 

•  Domain Controller – Determines which activity will be audited and the type of security logging on

that entire domain.

•  NT Workstation or Member Server – Logs security on the individual or member server only.

 

You can set up one Audit policy for a domain to:

 

•   Track the success and failure of events, such as when user attempt to log on, read file,

make changes to user and group permissions, change the security policy, and make a

 network connection.

•   Eliminate or minimize the risk of unauthorized use of resources. 
•   Track trends over time by maintaining an archive of security logs.  Tracking these

trends is useful in determining the use of printers or files.

 

Audit Requirements:

 

Auditing can be done on any computer running Windows NT.  However, to audit folders or

files they must be located on the NTFS Volume.  You must have the following requirements:

 

•   You must be a member of the Administrators group on the computer where the Audit

policy is being set.

•   If you are not a member of the Administrators group, you must have the user right

“Manage Auditing and security log.”  This user right is granted to the Administrator group

by default.

 

NOTE:  Members of the Server Operators group are unable to set up an Audit policy, but they can

administer security logs, perform tasks such as viewing and archiving them.

 

 

 

 

=====================================================================

 

wntadm9.html                                          PAGE 2                                              2001/11/01

 

 

 

Lesson Summary:

 

•   Auditing is function of Windows NT for maintaining network security that allows you to track user

activities and system-wide events on a network. 

•   The Audit policy allows you to select the types of

security events that will be recorded and will appear in the security log. 

•   On a domain controller, the Audit policy applies to all domain controllers in the domain. 
•   On a computer running Windows NT Workstation, or on a member server, the Audit

policy applies only to that specific computer. 

•   To audit folders and files, the folders and files must be located on an NTFS volume. 
•   To set up an Audit policy, you must have administrative privileges for the computer.

 

 

Lesson 2:  Planning and Implementing the Audit Policy

 

 

Here is a list of some events to audit for your network:

 

=====================================================================

To track                                                          Consider auditing

=====================================================================

Unauthorized logon attempts                             Users logging on and off

 

Unauthorized attempts to use resources Use of folder and file resources

 

System tasks performed by a user                     User of user rights

 

Changes made to user and group accounts        User and group management

 

Changes made to the user rights or                    Security policy changes

Audit policy                                                     

 

Tampering with a server                                    Restarting or shutting down the system

 

Which program users are using              Process tracking.

 

 

=====================================================================

 

 

•   Determine whether to audit the success or failure of an event or both.  A success

say successful access to the printer by users can help you plan resources.  Tracking

failures can help track security breaches.

•  Minimum-security, consider tracking successful use of resources, payroll or sensitive

data.

 

 

======================================================================

 

wntadm7.html                                 PAGE 3                                                  2001/11/01

 

 

•   Medium security networks, track successful use of key resources, sensitive and payroll

data, changes to security policies.

•   High security network, successful and unsuccessful logon attempts and use of all resources,

and administrative and security policy changes.

 

IMPORTANT  Auditing uses up a lot of Hard disk space, so only use if for useful information.

 

 

 

Implementing an Audit Policy

 

To audit events that occur primarily on the PDC you must audit only the PDC.  So in summary the

audit must be done on the hardware being audited.

 

Events are recorded in the local computer’s security log, be they can be viewed from any computer

who has administrative privileges on the computer on the computer where the vents occurred.

 

There are two steps in setting up an Audit:

 

Defining the Audit Policy by selecting the events in audit in User Manager for domains

Specifying the files, folders and printers to audit and the users and groups that you want to track. 

You can use Windows NT Explorer to specify the folder and file events to audit.

 

Defining Domain Audit Policy

 

You must select the audit events you want in the User Manager for Domains. See the following list:

 

======================================================================

This event                                           Is used to track when

======================================================================

Logon and Logoff                               Logging on or off or breaks a network

                                                            Connection

 

File and Object Access                      Accessing a folder, file or printer that is set

                                                            For auditing.

 

Use of User Rights                            A user exercises a right.

 

User and Group                                  A user account or group is created, modified

Management                                      deleted or when account restrictions, such as

                                                            logon hours and workstation restrictions,

                                                            are modified.

 

Security Policy                                   A change is made to the user rights,

Changes                                              audit or trust relationship policies.

 

Restart, shutdown and system          A user restarts or shuts down the computer

                                                            Causing an event to occur that affects system

                                                            Security.

 

Process Tracking                               Evens occur that cause programs to start for

                                                            Example, selecting a program on the Start

                                                            Menu, or clicking a link on a Web page that

                                                            Starts a Setup program.

 

 

 

========================================================================

 

wntadm7.html                                                 PAGE 4                                           2001/11/01

 

 

                       

NOTE:  If you set up an Audit policy on a computer running Windows NT Workstation or on a

member server, you use User Manager.  All Audit Policy dialog box options in User Manger are

identical to those in User Manager for Domains.                                   

 

Auditing Files or Folders

 

Once you define the Audit Policy, you must specify the folders or files to audit.  To gain access

to the Directory Auditing in Windows NT Explorer, right-click the folder and file, click Properties,

click the Security tab, and then click Auditing.  Look in the book Page 340, expands on the

selection.

 

Auditing the Everyone Group

 

•   Auditing the Everyone Group includes all local and remote users who have connected to

the computer, including those who connect as Guest.  Do the following to Audit a file:

Start Windows NT Explorer and expand the Labfiles\Public\Library folder.

•   Right-click Bronte-txt and then on the menu that appears, click Properites.  The

Bronte Properties dialog box appears.

•   Click the Security tab. Note:  you can only audit on the NTFS partitions.  If there is

no security tab, the selected file is not on an NTFS partition.

•   Click Auditing.   The File Auditing dialog box appears.
•   Click Add.  The Add Users and Groups appears.
•   Under Names, click Everyone, click Add.
•   Click OK.  The Everyone group appears under Name in the File Auditing dialog box.

 

NOTE:  You can easily remove a user or group from auditing by selecting its name and then

clicking Remove.

 

 

========================================================================

 

wntadm7.html                                                 PAGE 5                                           2001/11/01

 

 

•   Under Events to Audit, select the Success check box for the following events:
• Delete
• Change Permission
• Take Ownership
•   Click OK to apply your changes and return to the Bronte Properties dialog box.
•   Click OK to return to Windows NT Explorer.
•   Quit Windows NT Explorer.

 

 

Auditing a Printer:

 

Setting up auditing a printer is similar to files and folders.  First you define the Audit Policy and

then you specify the printer evens to audit, and the users and groups you want to track to the

printer.  To gain access to the Printer Auditing Printer, Properties and Security tab,

Auditing.

 

=====================================================================

Audit this event                      To Track

=====================================================================

Print                                        Printer usages. Great for billing certain departments

 

Full Control                            Changes to job settings, pausing, restarting, moving

                                                Or deleting documents,  This is useful in high speed

                                                Networks.

 

Delete                                     Delete Print jobs.  Great in high-security networks.

 

Change                                   Changes to printer permissions, Medium and high-

Permissions                            Security networks.

 

Take Ownership                     Changes to printer ownership. Medium and high-

                                                Security networks.

 

=====================================================================

 

Lesson Summary:

 

• When planning the Audit policy, determine what resources and actions are necessary
• to monitor.  The audit policy is set on a computer-by-computer basis.  If is set on the
• PDC, you can audit events that occur on all domain controllers.  If it is on member or
• NT workstation you can only audit on that particular computer.

 

 

 

 

========================================================================

 

wntadm7.html                                   PAGE 6                                                     2001/11/01

 

 

 

 

•   To set up auditing, first set up The Auditing Policy for the domain or the

computer, then specify the folder or file and printer events to audit, then

specify the users and groups whose use of the resources you want to track.

•   Audit the Everyone group to track use of a resource by all users that can connect to it, not

just its use by domain users.

 

 

 

Lesson 3:  Using Event Viewer to View the Security Log

 

Event Viewer provides information about errors, warnings and the successes or failures of tasks. 

There are three types of logs:

 

System log.  Contain errors, warnings, and information generated by Windows NT and third-party

components, such as a NIC driver.

Security log.  Success and failures of audited events.  The events that are recorded are the result of

your Audit policy.

Application Log.  Contains errors, warnings, or information generated by programs, such as a

database or e-mail program.  The selection of events that are recorded is present by the program

developer.

 

 

The Event Viewer is located off the main menu, Programs/Administrative Tools (common)/Event

Viewer.    The Event Viewer is saved in three different ways:

 

• *.evt.  You know this is an Event Viewer file from the extension
• *.txt.   You can look at it in Word or Notepad.
• Comma delim file,  stores the information in binary.

 

 

How to Audit:

 

• Turn on the Auditing for User Managers
• Look at the Event Viewer log, security.
• Look at the proper extension to view, see above on the formats.
• You should save the logs.

 

*****KNOW where all selections are in the Menu **** for tests.

 

 

Administrative requirements for Viewing the Security Log

 

To view a security log, you must be a member of the Administrators or Server Operators group

on the computer where the security log resides.  If the Audit policy was set on the PDC, you

 

 

 

 

========================================================================

 

wntadm7.html                                     PAGE 7                                                    2001/11/01

 

 

must have administrative privileges on the PDC.  Don’t forget if you want to view the

security log on a computer in a different domain, the appropriate trust relationship must

exit.

 

 

Security log—Successful events appear with a key icon, unsuccessful events appear with a lock icon.

 

 

 

Filtering Events:

 

By default, Event Viewer lists all events recorded in the selected log.  Click Filter Events/

View menu.

 

Filtering has no effect on the actual content of the log, it changes only the view.

 

Locating Events:

 

You have the access to find a file in the View Menu.  You can search for event based dates.

 

Archiving Security Log

 

You can track trends by archiving event logs.  Helps develop resource use and plan for growth.

 

 

Lesson Summary:

 

•   Event Viewer is the administrative tool that is used to view a security log on any computer

running Windows NT.

•   The security log is where Event Viewer records the success or failure (whichever of

these you are auditing) of each audited event.

•  To view a security log, you must be a member of the Administrator or Server Operators

group on the computer where the security log resides.  If the computer is in a different

•   Use the Filter Events menu command to set which events and characteristics appear in

the security log when you start Even Viewer.

•   Use the Find menu command to locate events in the security log.
•   Archive security logs to track trends.  This is useful in determining resource use and

in planning for growth.

 

 

 

BEST PRACTICES:

 

•   Define an Audit policy that is useful, but manageable.  Only audit the necessary events,

don’t forget it uses a lot of hard drive space.

•   In a minimum-security network, track successful events if you need to determine

resource use.  In high-security network track all successful events.

•   In medium-security network, track unsuccessful events to alert you to possible

security breaches.  In high-security track all unsuccessful events.

•   In all networks, audit sensitive and confidential data.
•   Audit the Everyone group instead of the Users group.  This ensures that
•   Anyone who can connect to the network is audited, not just the users that you create

accounts for in the domain.

•   Set up a schedule for viewing audit logs.  Make it a regular part of your network

administration tasks.

•   Archive audit logs regularly to track trends.  Doing so is useful for determining resource

use and for planning purposes.