Implementing Auditing
Auditing Overview
Auditing enables you to determine which activities are occurring on your system and allows you to track access to objects, files and folders; and modifications made to the objects, files and folders. Auditing also enables you to collect information associated with resource access and usage on your system by allowing you to audit system logon, file access, and object access. Security auditing events are written to the Security log of the system and can be accessed from the Event Viewer tool. Because event logs grow over time and typically consume valuable disk space, you have to regularly delete event log entries contained in the Security log.
The types of events which you should audit are listed below:
-
Computer logons and computer logoffs
-
Access to objects, and files and folders
-
System events.
-
Performance of user and computer account management activities.
To prevent auditing from consuming valuable system resources, you should only audit events which are necessary, and audit access to confidential data. This is mainly due to the following characteristics of auditing:
-
When auditing is enabled, auditing uses memory resources and processor resources.
-
The audit log utilizes hard disk space.
-
Sorting through huge amounts of logged audited entries can be a cumbersome and time-consuming task.
As mentioned previously, events that are audited are written to the Security log. You can use the Event Viewer tool to view information on these events.
An audit entry in Event Viewer contains the following information
-
Event Type: Error, Warning, or Information, and Success Audit or Failure Audit
-
Date and time when the event occurred.
-
Software or program which logged the event.
-
User which carried out the activity which caused the event being logged.
-
Computer on which the activity was done
-
Event ID
-
Event Description
Event Viewer allows you to perform the following actions on the Security log entries which it stores:
-
View events
-
Sort events by type and time.
-
Filter events
-
View and analyze advanced event log information.
-
Connect to the Event Viewer tool of a remote computer.
-
Export the file to a .TXT, .CSV, or .EVT file
The activities which you need to perform to implement auditing are listed here:
-
You need to determine and enable the event categories that you want to audit. The different event categories that you can audit are listed here:
-
Account logon events
-
Account management
-
Directory service access
-
Logon events
-
Object access
-
Policy change
-
Privilege use
-
Process tracking
-
System events
-
-
You need to define the objects that should be audited.
-
You need to specify the actions which should be logged in the audit log. You can audit:
-
Successes only
-
Failure only
-
Successes and Failures
-
-
You need to configure the size for the audit log.
-
You need to determine whether auditing will be implemented for the following:
-
Local computer
-
Domain controller
-
Active Directory domain
-
Organization unit (OU)
-
How to enable auditing for the local computer
-
Click Start, Administrative Tools, and then click Local Security Policy.
-
In the left pane, in Security Settings, expand Local Polices.
-
Click Audit Policy.
-
In the details pane, right-click the particular event category which you want to audit and then select Properties from the shortcut menu.
-
The Properties dialog box of the event category opens.
-
Select one or both of the following options: Success, Failure.
-
Click OK.
How to enable auditing for a domain controller
-
Click Start, Administrative Tools, and then click Active Directory Users And Computers.
-
In the left console pane, right-click the Domain Controllers OU, and then select Properties from the shortcut menu.
-
Click the Group Policy tab.
-
You can add a new policy, or choose an existing policy. Click Edit.
-
In the Group Policy Object Editor console, in the left console tree, expand Computer Configuration, Windows Settings, Security Settings, Local Policies and then expand Audit Policy.
-
In the details pane, right-click the particular event category which you want to audit; and then select Properties from the shortcut menu.
-
When the Properties dialog box of the event category opens, select one or both of the following options: Success, Failure
-
Click OK.
How to enable auditing for an Active Directory domain or organizational unit
-
Click Start, Administrative Tools, and then click Active Directory Users And Computers.
-
Right-click the domain or OU for which you want to configure auditing and then select Properties from the shortcut menu.
-
Click the Group Policy tab, add a new policy, and click Edit
-
In the Group Policy Object Editor expand Computer Configuration, Windows Settings, Security Settings, Local Policies and then expand Audit Policy
-
Right-click the particular event category which you want to audit; and then select Properties from the shortcut menu.
-
Select one or both of the following options: Success, Failure
-
Click OK.
How to enable auditing for objects stored in Active Directory
Before you can implement auditing for Active Directory objects, you have to first enable the Audit Directory Service Access option
-
Click Start, Administrative Tools, and then click Active Directory Users And Computers.
-
Click the View menu item and verify that Advanced features are enabled.
-
Select the Active Directory object which you want to configure auditing for.
-
Click the Action menu and then select Properties.
-
Click the Security tab when the Properties dialog box of the object opens.
-
Click Advanced
-
The Advanced Security Settings dialog box for the Active Directory object opens.
-
Click the Auditing tab.
-
Click Add
-
Specify the users or groups for which you want to audit object access.
-
Click OK.
-
When the Auditing Entry For dialog box opens, select the event(s) that you want to audit by choosing either one of, or both of the following options: Successful, Failed; alongside the particular event(s).
-
Use the Apply Onto list box to specify where the auditing should occur.
-
Click OK.
How to enable auditing for files and folders
-
Open Windows Explorer.
-
Right-click the file or folder which you want to configure auditing for, and then select Properties from the shortcut menu.
-
Click the Security tab.
-
Click the Advanced button.
-
Click the Auditing tab on the Advanced Security Settings dialog box.
-
Click Add.
-
Specify the users or groups for which you want to audit file or folder access. Click OK.
-
Select the events that you want to audit by checking either the Successful option, Failed option, or both of these options alongside the particular event(s).
-
Click OK.
How to enable auditing for printers
-
Click Start, and then select Printers And Faxes.
-
When the Printers And Faxes system folder opens, right-click the printer which you want to configure auditing for, and then select Properties from the shortcut menu.
-
Click the Security tab
-
Click the Advanced button
-
Click the Auditing tab on the Advanced Security Settings dialog box of the printer.
-
Click Add.
-
Specify the users or groups for which you want to audit printer access. Click OK.
-
Select the events that you want to audit by checking either the Successful option, Failed option, or both of these options alongside the particular event(s).
-
Use the Apply Onto list box to specify the location where auditing should occur.
-
Click OK.
How to view Security log information in Event Viewer
-
Open Event Viewer.
-
In the left pane, click Security.
-
The details pane is populated with all events that exist in the Security log.
-
You can double-click on an event entry to view its properties.
How to configure the size of the Security log
-
Open Event Viewer.
-
In the left pane, right-click Security and then select Properties on the shortcut menu.
-
The Security Properties dialog box opens.
-
On the General tab, enter the maximum log file size in the Maximum Log Size field. You can specify a value from 64 KB to 4,194,240 KB for the maximum log file size.
-
In the When Maximum Log File Size Is Reached area, there are a number of options which you can choose.
-
Select the Overwrite Events As Needed option if you want the oldest events in the Security log replaced by newer events which are logged.
-
Select the Overwrite Events Older Than _ Days option if you want to specify the time duration after which events should be removed.
-
Select the Do Not Overwrite Events (Clear Log Manually) option if you want to manually clear events.
-
Click OK.
How to find specific audited events in the Security log
-
Open Event Viewer.
-
In the left pane, click Security.
-
Click the View menu, and then click the Find option.
-
The Find In dialog box for the Security log opens.
-
In the Event Types area of the Find In dialog box, specify the types of the event which you want to find.
-
In the Event Source list, select the source that logged the event(s) which you want to find.
-
In the Category list, select the event category.
-
In the Event ID box, provide the event identity number.
-
In the User box, provide the user name.
-
In the Computer box, provide the computer name.
-
In the Description box, provide an event description.
-
In the Search Direction section of the Find In dialog box, set how the security log should be searched. The search can be performed from bottom to top or from top to bottom.
-
Click the Find Next button
-
The security log is searched, based on the search criteria that were defined.
-
All events that are matched are highlighted.
-
You can click Find Next to continue searching the security log for events which match your search criteria.
-
Click the Close button to stop the search.
How to manually remove entries from the Security log
-
Open Event Viewer.
-
In the left pane, right-click Security and then select the Clear All Events command on the shortcut menu.
-
The Event Viewer message box opens.
-
Click Yes if you want to archive the existing entries in the Security log before it is deleted. You have to specify a name and a file format.
-
Click No to delete the existing entries in the log.
Comments - No Responses to “Implementing Auditing”
Sorry but comments are closed at this time.