Windows Logging Configuration: Audit Policy Configuration

Academic year: 2021
Windows Auditing

Windows audit policy requires computer level and in some cases object level configuration. At the computer level, Windows has 9 audit policies that can be enabled for success and/or failure.

• Audit account logon events

• Audit account management

• Audit directory service access

• Audit logon events

• Audit object access

• Audit policy change

• Audit privilege use

• Audit process tracking

• Audit system events

Of these 9 audit policies, 2 require object level configuration as well.

• Object Access

Normally we recommend disabling this policy except on specific computers where you need to audit access to files. Then enable auditing only on the specific files or folders where necessary, and only for the specific groups and types of access necessary. For core functionality, you may leave this policy disabled.

• Directory Service

This policy must be enabled on domain controllers in order for events related to changes on organizational units and group policy objects to be logged. This is important to core filter functionality. In addition to enabling this audit policy at the computer level, you must also enable specific object level audit policies on OUs and GPOs in Active Directory Users and Computers, which is described under Active Directory Object Level Auditing below.


Computer Level Audit Policy

For core functionality enable:

Audit policy                      Success   Failure
Audit account logon events        X         X
Audit account management          X
Audit directory service access    X
Audit logon events                X         X
Audit object access
Audit policy change               X
Audit privilege use
Audit process tracking            X
Audit system events               X

There are 2 ways to configure this audit policy.

1. Local Policy

This is not the preferred method for computers that are members of an Active Directory domain since group policy can and should be used to centrally administer consistent policy configuration. Moreover, for any computer that is a member of a domain, the local policy configurations described in this section will be overridden by audit policies defined in any group policy objects applied to this computer. Therefore this method should only be used on standalone computers – that is – computers that do not belong to an Active Directory domain.

You can configure the local policy either interactively or you can script it using a security template and the secedit command described below.

• Interactive

Open Local Security Policy in Administrative Tools and drill down to the Security Settings\Local Policies\Audit Policy folder and enable the audit policies as defined above. Note: if any of the policies are read-only this indicates the computer is a member of a domain and receiving audit policy via a group policy object in Active Directory. You cannot override group policies with the local policy. You must change the group policy object. To determine which group policy object is impacting the computer’s audit policy run “gpresult /v”.

• Command prompt (script)

Export this embedded security template to a folder on the server. Open a command prompt and change directory to that folder. Run “secedit /configure /DB audipolicy /cfg auditpolicy.inf /log auditpolicy.log”. This command configures the local computer with the policies defined in the template. This command can be scripted in a batch file (*.cmd) which is attached below. Just make sure the template file, auditpolicy.inf, is in the same folder as where the batch file is started.
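The scripted method above, as an added PowerShell example rather than the document's attached batch file or template: it writes a security template with the [Event Audit] section that secedit reads, filled in from the core functionality chart (single marks in the chart are read as Success, an assumption), applies it, and then lists the resulting policy. The file names auditpolicy.inf, auditpolicy.sdb and auditpolicy.log are assumptions; run it from an elevated prompt on a standalone computer, since group policy overrides the result on domain members.

```powershell
# Added example (not the document's attached batch file): build the security
# template from the "core functionality" chart and apply it with secedit.
# Assumptions: file names chosen here; single marks in the chart read as Success.

# secedit [Event Audit] values: 0 = none, 1 = Success, 2 = Failure, 3 = Success and Failure
$AuditBaseline = [ordered]@{
    AuditAccountLogon    = 3   # Audit account logon events: Success and Failure
    AuditAccountManage   = 1   # Audit account management: Success
    AuditDSAccess        = 1   # Audit directory service access: Success
    AuditLogonEvents     = 3   # Audit logon events: Success and Failure
    AuditObjectAccess    = 0   # Audit object access: disabled (enable per object only where needed)
    AuditPolicyChange    = 1   # Audit policy change: Success
    AuditPrivilegeUse    = 0   # Audit privilege use: disabled
    AuditProcessTracking = 1   # Audit process tracking: Success
    AuditSystemEvents    = 1   # Audit system events: Success
}

function New-AuditTemplate {
    # Write a minimal secedit template containing only the [Event Audit] section
    param([string]$Path, [System.Collections.Specialized.OrderedDictionary]$Baseline)
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Event Audit]'
    )
    foreach ($key in $Baseline.Keys) { $lines += "$key = $($Baseline[$key])" }
    # Unicode=yes means secedit expects a UTF-16 LE file
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

function Invoke-AuditTemplate {
    # Apply the template to the local computer; same command as the document, with the
    # area restricted to SECURITYPOLICY so nothing outside the audit settings is touched
    param([string]$TemplatePath, [string]$Database = 'auditpolicy.sdb', [string]$Log = 'auditpolicy.log')
    & secedit.exe /configure /db $Database /cfg $TemplatePath /log $Log /areas SECURITYPOLICY
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE; see $Log" }
}

$template = Join-Path $PWD 'auditpolicy.inf'   # template lives in the folder the script is started from
New-AuditTemplate -Path $template -Baseline $AuditBaseline
Invoke-AuditTemplate -TemplatePath $template
# Show the policy now in effect (auditpol is available on Windows Vista / Server 2008 and later)
auditpol.exe /get /category:*
```

Keeping the template generated from one hashtable means the chart, the file on disk and the applied policy cannot drift apart; if the computer turns out to be a domain member, the final auditpol listing will show the group policy values rather than the template values, which is the symptom the interactive section describes as read-only settings.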


2. Group Policy

This is the preferred method for all computers that are members of an Active Directory domain. This must be performed for each domain in the forest; there is no way to configure a forest-wide audit policy. Create a group policy object that is applied to all member servers (non domain controllers) being monitored. For instance, if all your servers are in an organizational unit named Servers, create and link a GPO to the Servers OU. Edit the GPO, navigate to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy folder and configure the policies according to the chart above. Follow up by logging onto one of the member servers and confirming the GPO is in effect:

a) Run “gpupdate” to force an immediate refresh of group policy

b) Run “gpresult /v” to obtain a report of the group policy configurations in effect.

c) Examine the audit policy section of gpresult’s output and confirm the audit policy matches what you expect

Note that the above steps do not result in domain controllers being configured. This is because all domain controller computer accounts necessarily reside in the Domain Controllers OU. Therefore, edit the Default Domain Controllers Policy GPO linked to that OU and configure the same audit policy. Log on to one of the domain controllers and perform the same confirmation process described above to make sure domain controllers have the appropriate audit policy.
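The confirmation steps a) to c), as an added PowerShell example that is not part of the document: instead of reading the audit policy section of gpresult by eye, it refreshes group policy, exports the policy actually in effect with secedit, and compares its [Event Audit] section against an expected template. It assumes an auditpolicy.inf in the current folder whose [Event Audit] section encodes the chart (the same format secedit uses) and an export file name of current.inf; run it from an elevated prompt on a member server or domain controller.

```powershell
# Added example (not from the document): report drift between the effective audit
# policy and an expected secedit template after a group policy refresh.
# Assumptions: auditpolicy.inf holds the expected [Event Audit] values; current.inf
# is the export file name chosen here.

function Read-EventAuditSection {
    # Parse the "Key = Value" lines of the [Event Audit] section of a secedit template or export
    param([string]$Path)
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $settings[$Matches[1]] = [int]$Matches[2] }
    }
    return $settings
}

function Test-AuditPolicy {
    # Export what is in effect on this computer and return one object per mismatching policy
    param([string]$ExpectedTemplate, [string]$ExportPath = (Join-Path $PWD 'current.inf'))
    & secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $expected = Read-EventAuditSection -Path $ExpectedTemplate
    $actual   = Read-EventAuditSection -Path $ExportPath
    $names    = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }
    $drift = foreach ($key in $expected.Keys) {
        # a policy missing from the export is treated as "No auditing"
        $have = if ($actual.ContainsKey($key)) { $actual[$key] } else { 0 }
        if ($have -ne $expected[$key]) {
            [pscustomobject]@{ Policy = $key; Expected = $names[$expected[$key]]; Actual = $names[$have] }
        }
    }
    return $drift
}

gpupdate.exe /force | Out-Null                                   # a) force an immediate refresh
$drift = Test-AuditPolicy -ExpectedTemplate (Join-Path $PWD 'auditpolicy.inf')   # b) obtain effective settings
if ($drift) {                                                    # c) compare with what you expect
    $drift | Format-Table -AutoSize
    Write-Warning 'Effective audit policy does not match the expected baseline'
} else {
    'Effective audit policy matches the expected baseline'
}
```

Because the export reflects the policy after group policy has been applied, the same check works unchanged for member servers under the Servers OU GPO and for domain controllers under the Default Domain Controllers Policy; a non-empty drift table on a freshly joined server usually means the GPO link or the refresh has not taken effect yet.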

Active Directory Object Level Auditing

This enables auditing of:

• Permission changes on organizational units

• Modification of group policy related properties on OUs

• Modification of group policy objects

• Permission changes on group policy objects

1. Open Active Directory Users and Computers

2. Select View\Advanced Features

3. Right click on the root of the domain and select Properties

4. Select the Security tab

5. Click Advanced

6. Select the Auditing tab

7. Add the following audit entries

Who        Object type            Object permissions    Property permissions    Success/Failure
Everyone   organizationalUnit     Change Permissions                            Success
Everyone   organizationalUnit                           Write gpOptions         Success
Everyone   groupPolicyContainer                         Write All Properties    Success
Everyone   groupPolicyContainer   Change Permissions                            Success

For a demonstration watch this video.
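The four audit entries from the table above, added to the domain root with the ActiveDirectory PowerShell module instead of the ADUC dialogs. This is an added example, not the document's own procedure: it resolves the organizationalUnit, groupPolicyContainer and gpOptions GUIDs from the schema at run time, builds one ActiveDirectoryAuditRule per table row (Change Permissions as WriteDacl, Write gpOptions and Write All Properties as WriteProperty, applied to descendant objects of the named class), and writes them into the SACL. It assumes the Everyone SID S-1-1-0 and a domain admin session on a domain controller or an RSAT host.

```powershell
# Added example (not from the document): add the table's audit entries to the domain
# root. Assumptions: GUIDs resolved from the schema; Everyone is S-1-1-0; the session
# has rights to modify the SACL of the domain root.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve the schemaIDGUID of a class or attribute by its LDAP display name
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID   # schemaIDGUID is stored as a byte array
}

$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$ouGuid    = Get-SchemaGuid 'organizationalUnit'
$gpcGuid   = Get-SchemaGuid 'groupPolicyContainer'
$gpOptions = Get-SchemaGuid 'gpOptions'
$success   = [System.Security.AccessControl.AuditFlags]::Success
$descend   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# One rule per table row: (who, rights, audit flags, object type, inheritance, inherited object type).
# An empty object type means "all properties"; the inherited object type limits the entry
# to descendant objects of that class, matching "Applies to" in the ADUC auditing dialog.
$rules = @(
    # Everyone / organizationalUnit / Change Permissions / Success
    New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $writeDacl, $success, [guid]::Empty, $descend, $ouGuid)
    # Everyone / organizationalUnit / Write gpOptions / Success
    New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $writeProp, $success, $gpOptions, $descend, $ouGuid)
    # Everyone / groupPolicyContainer / Write All Properties / Success
    New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $writeProp, $success, [guid]::Empty, $descend, $gpcGuid)
    # Everyone / groupPolicyContainer / Change Permissions / Success
    New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $writeDacl, $success, [guid]::Empty, $descend, $gpcGuid)
)

$domainPath = "AD:\$((Get-ADDomain).DistinguishedName)"
$acl = Get-Acl -Path $domainPath -Audit        # -Audit reads the SACL, not only the DACL
foreach ($rule in $rules) { $acl.AddAuditRule($rule) }
Set-Acl -Path $domainPath -AclObject $acl

# Show the audit entries now present on the domain root for review
(Get-Acl -Path $domainPath -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AuditFlags
```

The entries only produce events once the Audit directory service access policy from the chart is enabled on the domain controllers, which is why the document requires both the computer level and the object level configuration; the final listing is worth keeping as the record of what the SACL should contain when the domain root is checked again later.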
