Audit Policy Subcategories

Transcription

1 668 CHAPTER 20 Windows Server 2008 R2 Management and Maintenance Practices These recommended settings are sufficient for the majority of organizations. However, they can generate a heavy volume of events in a large organization. Or, there might be a subset of security events that an organization needs to track. In those cases, the next section discusses how to fine-tune the audit policy using audit policy subcategories. Audit Policy Subcategories Windows Server 2008 R2 allows more granularity in the setting of the audit policies. In previous versions of the Windows Server platform, the audit policies could only be set on the general categories. This usually resulted in a large number of security events, many of which are not of interest to the administrator. System management software was usually needed to help parse all the security events to find and report on the relevant entries. Windows Server 2008 R2 exposes additional subcategories under each of the general categories, which can each be set to No Auditing, Success, Failure, or Success and Failure. These subcategories allow administrators to fine-tune the audited events. Unfortunately, the audit categories do not quite match the audit policies. Table 20.5 shows how the categories match the policies. TABLE 20.5 Audit Policy Matching Audit Policies to Audit Categories Audit account logon events Audit account management Audit directory service access Audit logon events Audit object access Audit policy change Audit privilege use Audit process tracking Audit system events Account Logon Account Management DS Access Logon/Logoff Object Access Policy Change Privilege Use Detailed Tracking System There are over 50 different subcategories that can be individually set. These give the administrator and security professionals unprecedented control over the events that will generate security log entries. Table 20.6 lists the categories and the subcategories of audit policies.

2 Auditing the Environment 669 TABLE 20.6 Audit Subcategories Audit Subcategory System Logon/Logoff Object Access Privilege Use Security State Change Security System Extension System Integrity IPSec Driver Other System Events Logon Logoff Account Lockout IPSec Main Mode IPSec Quick Mode IPSec Extended Mode Special Logon Network Policy Server Other Logon/Logoff Events File System Registry Kernel Object SAM Certification Services Application Generated Handle Manipulation File Share Filtering Platform Packet Drop Detailed File Share Filtering Platform Connection Other Object Access Events Sensitive Privilege Use Non-Sensitive Privilege Use Other Privilege Use Events Detailed Tracking Process Creation Process Termination DPAPI Activity RPC Events 20

3 670 CHAPTER 20 Windows Server 2008 R2 Management and Maintenance Practices TABLE 20.6 Audit Subcategories Policy Change Account Management DS Access Account Logon Audit Subcategory Audit Policy Change Authentication Policy Change Authorization Policy Change MPSSVC Rule-Level Policy Change Filtering Platform Policy Change Other Policy Change Events User Account Management Computer Account Management Security Group Management Distribution Group Management Application Group Management Other Account Management Event Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication Kerberos Service Ticket Operations Credential Validation Kerberos Authentication Service Other Account Logon Events You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command: auditpol /get /category:* To enable auditing of the Distribution Group Management subcategory of the Account Management category for both success and failure events, the following command can be used: auditpol /set /subcategory: Distribution Group Management /success:enable /failure:enable This command would need to be run on each domain controller for the policy to have a uniform effect. To get all the options for the Audit Policy command, use the following command: auditpol /?

4 Auditing the Environment 671 Auditing Resource Access Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling Audit object access and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:. Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.. Audit object access success enables you to see usage patterns. This shows misuse of privilege. Enable the appropriate policy setting in the Group Policy Object. It is a best practice to apply the GPO as close to the monitored system as possible, so avoid enabling the auditing on too wide a set of systems. NOTE Monitoring both success and failure resource access can place additional strain on the system. Success events can generate a large volume of events. After enabling the object access policy, the administrator can make auditing changes through the property pages of a file, folder, or a Registry key. If the object access policy is enabled for both success and failure, the administrator will be able to audit both successes and failures for a file, folder, or Registry key. After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers. Auditing Files and Folders The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following: 1. In Windows Explorer, right-click the file or folder to audit and select Properties. 2. Select the Security tab and then click the Advanced button. 3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button. 4. Click the Add button to display the Select User or Group window. 5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name. 20

5 672 CHAPTER 20 Windows Server 2008 R2 Management and Maintenance Practices 6. Click OK to open the Auditing Entries window. 7. In the Auditing Entry window, shown in Figure 20.13, select which events to audit for successes or failures. FIGURE The Auditing Entry window. 8. Click OK four times to exit. NOTE This step assumes that the audit object access policy has been enabled. When the file or folder is accessed, an event is written to Event Viewer s security log. The category for the event is Object Access. An Object Access event is shown in the following security log message: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 9/28/2009 6:22:56 PM Event ID: 4663 Task Category: File System Level: Information Keywords: Audit Success User: N/A Computer: DC1.companyabc.com