Auditing Active Directory and Reviewing Audit Logs
Auditing is a vital component of network security. You should edit a number of Active Directory events--and be sure to read the audit logs on a daily basis.
So far in this series, I've worked through the basics of auditing. However, I haven't yet covered two main areas: auditing the Active Directory and reviewing the audit logs. In this article, I'll discuss these topics.
Auditing the Active Directory
- Go into Active Directory Users and Computers and right-click on your domain name. Select Properties from the resulting context menu.
- In the domain's properties sheet, select the Group Policy tab. Select the group policy to which you want to apply auditing, and click Edit. Windows 2000 will open the Group Policy console.
- Navigate through the Group Policy Console's tree to Domain Controller Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy. When you select the Audit Policy object, various types of auditing will be displayed in the column to the right.
- Double-click on Active Directory Service Access. The Security Policy Setting dialog box will open, as shown in Figure 1. Select the Define These Policy Settings check box, followed by the Success and/or Failure check boxes, and click OK.
Figure 1: Select the Define These Policy Settings check box followed by the Success and/or Failure check boxes.
- Windows will return you to the Group Policy console. You'll see that Directory Service Access auditing has been enabled, as shown in Figure 2.
Once you've enabled directory service auditing, you're free to close the Active Directory Users and Computers console and all of the consoles and windows you've opened through it. It's now time to begin the audit process. To do so, follow these steps:
- Open any Active Directory-related console (except Active Directory Users and Computers). For the purposes of my examples, I'll be using the Active Directory Sites and Services console.
- Right-click on an object you want to audit, and select Properties from the resulting context menu.
- In the object's properties sheet, select the Security tab and click the Advanced button. The object's Access Control Settings properties sheet will open.
- Select the Auditing tab. You can use the Add and Remove buttons to determine which groups or users should be audited. You can also select a user or group and click the View/Edit button to see an Auditing Entry dialog box similar to the one shown in Figure 3; this dialog box lets you determine exactly which aspects of the object should be audited for the selected user or group.
Figure 3: The Auditing Entry dialog box lets you decide what should be audited on a per-user basis