
Enabling Auditing

THE BOTTOM LINE

Security can be divided into three areas. Authentication is used to prove the identity of a user. Authorization gives access to the user that was authenticated. To complete the security picture, you need to enable auditing so that you can have a record of the users who have logged in and what the user accessed or tried to access.

CERTIFICATION READY 2.4: What are the steps in enabling auditing for an NTFS folder?

c06FileandPrintServices.indd Page 177 12/14/10 3:59:14 PM user-s146


178 | Lesson 6

Figure 6-12

Audit events in the local security policy

• Who has used a certain printer

• Who restarted a system

• Who has made some system changes

Auditing is not enabled by default. To enable it, you specify which categories of system events to audit, and whether to record successful attempts, failed attempts, or both, using Group Policy for domain members or the local security policy (Security Settings\Local Policies\Audit Policy) on a stand-alone server.

See Figure 6-12. Table 6-6 lists the nine basic audit categories available in Windows Server 2003 and 2008. Windows Server 2008 subdivides each category into subcategories (set with the auditpol.exe command-line tool) for more granular control, so you can, for example, audit file system access without also auditing every registry access. After you enable auditing, open the Security log in Event Viewer to view the recorded events.

Table 6-6 Audit events

EVENT: EXPLANATION

Account logon: Determines whether the OS audits each time the computer validates an account's credentials. For a domain account these events are recorded on the domain controller that validated the credentials; for a local account, on the computer that holds the account.

Account management: Determines whether to audit each account management event on a computer, including changing passwords and creating or deleting user accounts.

Directory service access: Determines whether the OS audits user attempts to access Active Directory objects. As with files, an event is recorded only for objects that carry an audit entry (SACL).

Logon: Determines whether the OS audits each instance of a user logging on to or off the computer. These events are recorded on the computer where the logon session is created, which for a domain user is the workstation or server being logged on to, not the domain controller.

Object access: Determines whether the OS audits user attempts to access non-Active Directory objects, including NTFS files and folders, registry keys, and printers. Enabling this category only makes object auditing possible; each object must also carry audit entries naming the users and accesses to record.

Policy change: Determines whether the OS audits each instance of an attempt to change user rights assignments, auditing policy, account policy, or trust policy.


File and Print Services | 179

Auditing NTFS files, NTFS folders, and printers is a two-step process. First, enable the Object Access category (success, failure, or both) using Group Policy or the local security policy. Then add audit entries to the specific objects you want to audit, naming which users or groups and which accesses to record. Either step alone records nothing.

AUDIT FILES AND FOLDERS

GET READY. To audit files and folders, perform these steps:

1. Open Windows Explorer.

2. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.

3. Click Advanced.

4. In the Advanced Security Settings for <object> dialog box, click the Auditing tab.

5. Click the Edit button.

6. Do one of the following:

To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want, and then click OK. See Figure 6-13.

WARNING

Enabling auditing of successful events can affect server performance, in particular for busy folders.

Table 6-6 (continued)

EVENT: EXPLANATION

Privilege use: Determines whether to audit each instance of a user exercising a user right.

Process tracking: Determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access. This is usually used for troubleshooting.

System: Determines whether the OS audits if the system time is changed, if the system is started or shut down, if there is an attempt to load extensible authentication components, if there is a loss of auditing events due to auditing system failure, and if the security log is exceeding a configurable warning threshold level.

Figure 6-13

Auditing an NTFS folder


To remove auditing for an existing group or user, click the group or username, click Remove, click OK, and then skip the rest of this procedure.

To view or change auditing for an existing group or user, click its name, and then click Edit.

7. In the Apply onto box, click the location where you want auditing to take place.

8. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:

To audit successful events, select the Successful check box.

To stop auditing successful events, clear the Successful check box.

To audit unsuccessful events, select the Failed check box.

To stop auditing unsuccessful events, clear the Failed check box.

To stop auditing all events, click Clear All.

9. If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.

10. Click OK to close the Advanced Security Settings dialog box.

11. Click OK to close the Properties dialog box.

AUDIT PRINTING

GET READY. To audit printing in Windows Server 2008, perform these steps:

1. Right-click the printer (in the Printers folder of Control Panel on Windows Server 2008, or in Devices and Printers on Windows Server 2008 R2), and select Printer Properties.

2. Select the Security tab, and click the Advanced button.

3. Select the Auditing tab.

4. Click the Edit button, and then do one of the following:

To set up auditing for a new user or group, click Add. In Enter the object name to select, type the name of the user or group that you want, and then click OK.

To remove auditing for an existing group or user, click the group or username, click Remove, click OK, and then skip the rest of this procedure.

To view or change auditing for an existing group or user, click its name, and then click Edit.

5. Click OK to close the Advanced Security Settings dialog box.

6. Click OK to close the Properties dialog box.

The security log has a fixed maximum size. When it fills, older events are overwritten (or, if you configured the log not to overwrite events, new events are lost), so audit only the objects you need and size the log for the volume of events you expect. The maximum size of the security log is set in Event Viewer by right-clicking the Security log and selecting Properties.
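The same two-step setup described above for files and folders, plus the log-size check, can be scripted instead of clicked through. The following is an added example, not part of the lesson; it assumes an elevated PowerShell prompt on Windows Server 2008 or later with PowerShell 2.0, that the folder C:\Shares\Finance and the group CONTOSO\Finance exist (both hypothetical), and that the account running it holds the "Manage auditing and security log" user right, which is required to read or write audit entries. Printer audit entries are not shown; set them through the Auditing tab as in the AUDIT PRINTING procedure.

```powershell
# Added example (not from the lesson): enable Object Access auditing for the file
# system, add an audit entry (SACL rule) to a folder, and read the resulting events.
# Assumptions: C:\Shares\Finance and CONTOSO\Finance exist (hypothetical names); the
# session is elevated and holds "Manage auditing and security log" (SeSecurityPrivilege).

$Folder   = 'C:\Shares\Finance'
$Identity = 'CONTOSO\Finance'

# Step 1: enable the Object Access category. On a domain member do this through Group
# Policy; locally, auditpol.exe sets the File System subcategory that NTFS audit entries
# depend on. Success and failure are both enabled here; remember the performance warning.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"

# Step 2: add an audit entry to the folder. This is what the Auditing tab of Advanced
# Security Settings writes; step 1 alone records nothing for this folder.
# Audit the accesses that change data or permissions, not reads, to limit event volume.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',   # "This folder, subfolders and files"
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit      # -Audit reads the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Confirm the entry the GUI would now show on the Auditing tab.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Check the Security log's maximum size and retention before the events start arriving
# (maxSize is in bytes; it is the same value set in Event Viewer > Security > Properties).
wevtutil.exe gl Security

# Read what auditing produced. Event 4663 is "An attempt was made to access an object";
# 4656 is the handle request and is the event that records a denied (failed) access.
# Properties[1] is the subject user name and Properties[6] the object name in both
# event templates, which is why the same indices work for both IDs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -like "$Folder*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Run the auditpol line first and the Get-Acl/Set-Acl lines second, in that order: the audit entry on the folder is stored regardless of policy, but no event is written until the File System subcategory (or the whole Object Access category in Group Policy) is enabled. If Get-Acl -Audit fails with a privilege error, the session lacks the "Manage auditing and security log" right even if it is an administrator's.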

SKILL SUMMARY

IN THIS LESSON YOU LEARNED:

• NTFS permissions allow you to control which users and groups can gain access to files and folders on an NTFS volume.

• Each of the standard permissions consists of a logical group of special permissions.

• Explicit permissions are permissions granted directly to the file or folder.
