Auditing on Windows 2000

By Drew Bird | Aug 17, 2000
http://www.enterprisenetworkingplanet.com/netsysm/article.php/623821/Auditing-on-Windows-2000.htm

It's not glamorous, and it can hardly be described as exciting, but auditing has an important part to play in the overall security strategy of networked systems. The good news is that not only does Windows 2000 include a complete auditing system, it's also easy to configure, use, and manage.

How Windows 2000 auditing differs from NT 4.0

The auditing capabilities of Windows 2000 are comparable with those of Windows NT 4.0--the basic events that can be reported are similar. The mechanisms that enable auditing are slightly different, however, and the Directory Services side of Windows 2000 brings with it new auditing capabilities.

In Windows NT 4.0, the auditing policy is set on the machine and applies only to that machine--or, in the case of domain controllers, to all controllers in the domain. Although this approach is still possible, in Windows 2000, audit policies set at the domain level can also filter down to servers and workstations within the domain. In this case, audit policy settings made at the domain level will override those set locally. Also new in Windows 2000 is the capability to audit a number of Active Directory-related events.

Why you should audit


A thoughtfully configured and diligently maintained auditing policy helps you keep a watchful eye on your Windows 2000 servers, potentially alerting you to security issues before they become a problem. Used like this, auditing becomes part of a proactive security policy rather than only a reaction to specific security problems. If an incident occurs and you need to figure out what happened and who was responsible, the audit trail can give you the information you need.

Setting up auditing is a simple process and does not take long. But before you reach for the mouse and keyboard, take a moment and plan carefully what objects and events you need to audit.

Setting up auditing

Before you decide what information you want to record, be aware of the number one rule of auditing: Don't over-audit. By default, none of the Windows 2000 auditing features are turned on. If you were to enable every possible aspect of auditing, you would end up with a server that does little else except auditing. This behavior would have a detrimental effect on the performance of your server, hogging valuable processor and disk time. Having said that, you must also make sure that you enable enough options that auditing gives you the information you need.

To set up auditing on Windows 2000, you will need to be an Administrator or a member of the Administrators group. If you want to set up the local audit policy on a Windows 2000 Server system, choose the Start|Programs|Administrative Tools|Local Security Policy|Audit Policies option. On a Windows 2000 Professional system, the audit policy is accessed from Start|Settings|Control Panel|Administrative Tools|Local Security Policy|Local Policies|Audit Policy.

As I mentioned earlier, the domain audit policy can override the local policy. When you look at the Local Security Policy screen, you will notice that in addition to the column showing which audit options are set locally, the Effective Policy Settings are shown as well, so you know whether you are receiving audit settings from the domain.

The main audit options are self-explanatory, each having a success or failure option. It's important to note that if you want to perform auditing on objects such as the Registry, printers, files, or folders, you must select the Object Access option. If you don't, then when you attempt to turn on auditing of these objects, you'll receive an error instructing you to make the necessary adjustments to the local audit policy--or, in the case of a domain environment, to the domain audit policy.

Managing the Security Log

As with all log files, the characteristics of the Security Log can be managed through the Properties option, found on the Action menu. By default, the size of the log file is set to 512 KB, and when this file size is reached, the oldest audit events are overwritten. If you intend to save your audit information, change this setting so that you clear the log manually. When you clear the log, you will have the option of saving it to a file.

This manual method does require that you develop a routine of clearing and saving the log file on a regular basis. The 512 KB log file size limit may be sufficient if you are only auditing a few actions or objects, but it will need to be increased in a high security environment where many audit actions are being recorded.
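The audit policy categories and the Security Log size and retention settings described above can also be written into a Windows 2000 security template and applied with secedit, which is how you would push the same settings to many servers consistently. The script below is an added example, not code from the article: it renders such a template from a readable policy description, encodes the per-category success/failure choice into the template's 0..3 value, checks that Object Access is enabled before you try to audit files or Registry keys, and flags the obvious over-audit mistakes. The [Event Audit] and [Security Log] key names and the retention codes are the security-template format as I know it; the 64 KB step check on the log size is my own assumption taken from the Event Viewer dialog, and the secedit command in the comment is the standard Windows 2000 syntax.

```python
"""Render a Windows 2000 security template (.inf) carrying an audit policy and
Security Log settings, so they can be applied with secedit instead of clicked
through in Local Security Policy.

Added example, not from the article.  Section and key names follow the
security-template format as I know it; the 64 KB granularity check is my own
assumption based on the Event Viewer UI."""

# [Event Audit] keys, one per audit category shown in Local Security Policy.
AUDIT_KEYS = {
    "System Events": "AuditSystemEvents",
    "Logon Events": "AuditLogonEvents",
    "Object Access": "AuditObjectAccess",
    "Privilege Use": "AuditPrivilegeUse",
    "Policy Change": "AuditPolicyChange",
    "Account Management": "AuditAccountManage",
    "Process Tracking": "AuditProcessTracking",
    "Directory Service Access": "AuditDSAccess",
    "Account Logon Events": "AuditAccountLogon",
}

# AuditLogRetentionPeriod codes: overwrite as needed, overwrite by days, clear manually.
RETENTION = {"overwrite_as_needed": 0, "overwrite_by_days": 1, "manual": 2}

NOT_AUDITED = (False, False)


def audit_value(success, failure):
    """Template encoding: bit 0 = audit successes, bit 1 = audit failures (0..3)."""
    return (1 if success else 0) | (2 if failure else 0)


def object_auditing_possible(policy):
    """Per-object auditing (files, Registry, printers) only works once Object Access is on."""
    return policy.get("Object Access", NOT_AUDITED) != NOT_AUDITED


def over_audit_warnings(policy):
    """Simple checks for the 'don't over-audit' rule."""
    warnings = []
    if policy.get("Process Tracking", NOT_AUDITED) != NOT_AUDITED:
        warnings.append("Process Tracking logs every process start/stop; rarely worth it on a server")
    if all(policy.get(c, NOT_AUDITED) == (True, True) for c in AUDIT_KEYS):
        warnings.append("every category audited for success and failure: the server will do little but audit")
    return warnings


def build_template(policy, max_log_kb=10240, retention="manual", retention_days=None):
    """Return the .inf text.  policy maps category name -> (audit_success, audit_failure)."""
    unknown = set(policy) - set(AUDIT_KEYS)
    if unknown:
        raise ValueError(f"unknown audit categories: {sorted(unknown)}")
    if max_log_kb % 64:
        raise ValueError("log size is set in 64 KB steps")  # assumption, see docstring
    if retention == "overwrite_by_days" and not retention_days:
        raise ValueError("overwrite_by_days needs retention_days")
    lines = ["[Unicode]", "Unicode=yes",
             "[Version]", 'signature="$CHICAGO$"', "Revision=1",
             "[Event Audit]"]
    for category, key in AUDIT_KEYS.items():
        success, failure = policy.get(category, NOT_AUDITED)
        lines.append(f"{key} = {audit_value(success, failure)}")
    lines += ["[Security Log]",
              f"MaximumLogSize = {max_log_kb}",  # in KB
              f"AuditLogRetentionPeriod = {RETENTION[retention]}"]
    if retention == "overwrite_by_days":
        lines.append(f"RetentionDays = {retention_days}")
    return "\n".join(lines) + "\n"


# The out-of-the-box state the article describes: nothing audited, 512 KB log, oldest events overwritten.
DEFAULT_SETTINGS = dict(policy={}, max_log_kb=512, retention="overwrite_as_needed")

# A modest server policy: logons, account/policy changes and object access, but no process tracking.
SERVER_POLICY = {
    "Logon Events": (True, True),
    "Account Logon Events": (True, True),
    "Account Management": (True, True),
    "Policy Change": (True, True),
    "Privilege Use": (False, True),
    "Object Access": (True, True),
    "System Events": (True, True),
}

if __name__ == "__main__":
    print(build_template(SERVER_POLICY))
    # Apply on the target machine from a cmd prompt run as an Administrator:
    #   secedit /configure /db audit.sdb /cfg audit.inf /areas SECURITYPOLICY /log audit.log
```

Save the printed text as audit.inf and apply it with the secedit line shown in the comment; on a domain member remember that a domain-level audit policy will still override whatever the template sets locally.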

Resources you can audit

Windows 2000 object auditing can be applied in a variety of areas. The following list briefly runs through which objects can be audited and how you access the auditing features of each.

  • Files and folders - Auditing on files and folders can only be done on NTFS partitions. To configure auditing, navigate to the file or folder you want to audit, right-click, and choose Properties|Security|Advanced|Auditing. From here you can select which users will be audited along with which actions you want to audit.

  • Printers - Printer auditing can be enabled by highlighting the printer from within the Printers folder, right-clicking the printer, and then choosing Properties|Security|Advanced|Auditing. In many environments, printing is an open permission and a low risk activity, so consider which options you choose carefully. Is knowing when a print job was successfully printed an important piece of information?

  • Registry - Auditing in the Registry can be particularly onerous to the system, so be sure that you are not auditing keys you don't need to. To configure auditing on a specific key, in the Registry Editor, highlight the key and then choose Security|Permissions|Advanced|Auditing. As before, you can select which users you would like to be audited along with what actions you would like recorded.

  • Directory Access - New in Windows 2000, you can choose to have Directory Services access audited. Auditing for the directory is implemented as part of the Group Policy and is only available on domain controllers. It can be accessed by going to Start|Programs|Administrative Tools|Active Directory Users and Computers. Once in the utility, click View|Advanced Features; then, on the Domain Controllers folder, choose Properties|Group Policy. Right-click on the Default Domain Controller Policy folder and choose Edit. Choose Computer Configuration|Windows Settings|Security Settings|Local Policies|Audit Policy. Finally, click on Audit Directory Services Access and make your audit selections. A wide range of directory service events can be audited, including successful and failed logon attempts, object creation, and resource access.

Viewing your audit information

Of course, doing the auditing is only part of the process. For auditing to be a useful tool, you need to review the audit logs periodically to check what events have occurred. These periodic reviews will be in addition to the reactive checks that you perform when you are investigating a specific problem.

The events generated by the audit process are written to the Security Log of the Event Viewer, which you can access by going to Start|Programs|Administrative Tools|Event Viewer and then highlighting Security Log. Events are listed either as an Audit Success, designated by a key icon, or as an Audit Failure, designated by a padlock icon. To view the details of an event, double-click the entry in the log. All audit events with the exception of Directory Access events can be accessed from here. Directory Access audit information appears in the Directory Service event log, which only appears in the Event Viewer on Windows 2000 domain controllers.
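Event Viewer can save the Security Log as comma-delimited text, and once it is in that form the periodic review described above can be scripted rather than done by scrolling through key and padlock icons. The script below is an added example, not code from the article: it parses such an export, flags accounts with a burst of failed logons (event 529) inside a short window, and lists the events that touch the audit trail itself (517, the audit log was cleared; 612, the audit policy was changed), which are the entries most worth reading on every review. The column order (Date, Time, Source, Type, Category, Event, User, Computer, Description) and the sample rows are my construction; to keep the example short the constructed 529 rows carry the target account in the User column, whereas a real record carries it inside the description text.

```python
"""Scan a Security Log that was saved from Event Viewer as comma-delimited text
and pull out two things a periodic review looks for: bursts of failed logons
and events that alter or erase the audit trail.

Added example, not from the article.  Column order and sample rows are
constructed; real 529 records name the target account in the description."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security Log event IDs used below.
LOGON_FAILURE = 529         # unknown user name or bad password
AUDIT_LOG_CLEARED = 517
AUDIT_POLICY_CHANGED = 612

# Constructed sample export (not a real log); assumed column order:
# Date,Time,Source,Type,Category,Event,User,Computer,Description
SAMPLE_EXPORT = r"""8/17/2000,9:01:12 AM,Security,Success Audit,Logon/Logoff,528,CORP\alice,FS1,Successful Logon
8/17/2000,9:03:40 AM,Security,Failure Audit,Logon/Logoff,529,CORP\bob,FS1,Logon Failure: bad password
8/17/2000,9:04:05 AM,Security,Failure Audit,Logon/Logoff,529,CORP\bob,FS1,Logon Failure: bad password
8/17/2000,9:04:31 AM,Security,Failure Audit,Logon/Logoff,529,CORP\bob,FS1,Logon Failure: bad password
8/17/2000,9:10:00 AM,Security,Success Audit,Object Access,560,CORP\alice,FS1,Object Open: D:\Payroll\q3.xls
8/17/2000,9:30:00 AM,Security,Failure Audit,Logon/Logoff,529,CORP\carol,FS1,Logon Failure: bad password
8/17/2000,9:45:00 AM,Security,Success Audit,System Event,517,CORP\mallory,FS1,The audit log was cleared
8/17/2000,10:02:00 AM,Security,Success Audit,Policy Change,612,CORP\alice,FS1,Audit Policy Change
"""


def parse_export(text):
    """Turn the export into a list of event dicts sorted by time."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8:
            continue  # blank or truncated row
        date, time_, source, etype, category, event_id, user, computer = row[:8]
        events.append({
            "time": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p"),
            "type": etype,                  # "Success Audit" or "Failure Audit"
            "category": category,
            "event_id": int(event_id),
            "user": user,
            "computer": computer,
            "description": ",".join(row[8:]),
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with >= threshold failed logons inside one window; value is the largest burst."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "Failure Audit" and e["event_id"] == LOGON_FAILURE:
            per_user[e["user"]].append(e["time"])
    bursts = {}
    for user, times in per_user.items():   # times are already chronological
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                  # slide the window forward
            if end - start + 1 >= threshold:
                bursts[user] = max(bursts.get(user, 0), end - start + 1)
    return bursts


def audit_system_events(events):
    """Events that change or erase the audit trail itself; always worth reading."""
    return [(e["time"], e["event_id"], e["user"]) for e in events
            if e["event_id"] in (AUDIT_LOG_CLEARED, AUDIT_POLICY_CHANGED)]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    print(f"{len(evts)} events read")
    for user, n in failed_logon_bursts(evts).items():
        print(f"failed-logon burst: {user} ({n} failures)")
    for when, eid, user in audit_system_events(evts):
        print(f"{when:%Y-%m-%d %H:%M} event {eid} recorded for {user}")
```

On the sample the burst check names only bob (three failures in under a minute, while carol's single failure stays below the threshold), and the audit-system check surfaces the log-cleared and policy-change entries. Because event 517 is itself written into the fresh log after a clear, the periodic review should treat any 517 that you did not schedule as an incident in its own right.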

Best practices

How long you keep the audit logs will depend on the kind of environment you are working in. In a low security setting, you may elect to keep the logs only for, say, the last six months. In a high security environment, you may decide to keep them permanently. Though it is tempting to make a paper record of your audit logs, it is probably more practical to keep them electronically, and then to make sure that you have backups of the logs. Keeping the log files electronically not only saves paper and space, but also makes it considerably easier for you to search them if you are looking for a specific event.

Enabling auditing on Windows 2000 is a simple process and one that allows you to keep a watchful eye on the goings-on of your systems. It also forms an important part of your overall security strategy.

Drew Bird (MCT, MCNI) is a freelance instructor and technical writer. He has been working in the IT industry for 12 years and currently lives in Kelowna, Canada.