Secrets of Event Viewer for Active Directory Security Auditing
Windows Event Viewer doesn't need any introduction to IT administrators. Some of its less-known capabilities, especially those related to Active Directory security, do. At first sight Event Viewer looks like a cluttered place where a great many events, sometimes several for a single action, are displayed; an IT auditor still knows how to pull the meaningful events out of that pool. In this article we unmask some of these simple, often overlooked, Event Viewer techniques for AD security.

Enabling the Security Auditing of Active Directory

Security auditing requires a change to the audit policy, which by default lives in the Default Domain Policy created with the domain. The settings involved are under Advanced Audit Policy Configuration. Follow these steps to enable security auditing of Active Directory on Windows Server 2008 R2:

1. Go to Start > Administrative Tools > Group Policy Management.
2. In the console tree on the left, expand Forest > Domains > <domain name>.
3. Right-click Default Domain Policy and click Edit. The Group Policy Management Editor opens.
4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. This lists all available audit policies.
5. Enable the following subcategories for the following purposes:

Table 1: Required auditing values

  Type of auditing          Category        Subcategories to enable
  Domain logon/logoff       Logon/Logoff    Audit Logon, Audit Logoff
  File system auditing      Object Access   Audit Detailed File Share, Audit File Share, Audit File System
  Handle manipulation       Object Access   Audit Handle Manipulation

6. Double-click any of the subcategories in Table 1 to open its properties. Check Configure the following audit events, then tick Success and/or Failure as required. Click Apply and then OK.

Three things the editor will not tell you. First, Audit Logon produces events 4624 (success) and 4625 (failure) and Audit Logoff produces 4634 and 4647, so those are the IDs to look for afterwards. Second, Audit File System and Audit Handle Manipulation only record access to objects that carry a system access control list (SACL); the policy switches auditing on, but until you add auditing entries to the folders (or AD objects) you care about, nothing is logged for them. Third, once any advanced (subcategory) setting is applied it takes precedence over the legacy nine categories under Local Policies > Audit Policy; set Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to Enabled so the two can never conflict. The same steps work in a dedicated GPO linked to the Domain Controllers OU, which confines the change to the DCs and is easier to unlink than a modified Default Domain Policy if the new events flood the log.

Similarly, you can configure the advanced audit policies for the other available subcategories.
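As an added example (not part of the original article), the same six subcategories from Table 1 set from the command line with auditpol.exe and then read back. The second half is also the quickest way to confirm what a GPO actually applied after gpupdate /force: on a domain member, whatever the GPO says overrides these local settings at the next policy refresh. Subcategory names are the auditpol display names.

```powershell
# Added example, not code from the original article.
# Run in an elevated PowerShell prompt. On a domain member the GPO settings
# win over anything set here at the next policy refresh; the verification
# part at the bottom is still the right way to check the effective policy.

$subcategories = @(
    'Logon',
    'Logoff',
    'Detailed File Share',
    'File Share',
    'File System',
    'Handle Manipulation'
)

foreach ($sc in $subcategories) {
    # auditpol takes the subcategory display name; enable success and failure
    & auditpol.exe /set /subcategory:"$sc" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sc'" }
}

# Advanced (subcategory) settings should override the legacy category settings;
# this is the registry value behind the "Audit: Force audit policy subcategory
# settings ... to override audit policy category settings" security option.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Verify: /r prints the effective policy as CSV, which ConvertFrom-Csv parses
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective |
    Where-Object { $subcategories -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# Anything that does not show "Success and Failure" here was not applied,
# most often because a GPO with a different setting refreshed in between.
```

Keep the verification lines in a scheduled health check: audit policy that silently reverts to "No Auditing" on a domain controller is a far more common gap than a policy that was never set.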
Custom Views to Keep a Check

Once security auditing of Active Directory is enabled, the events arrive in the Security log under Windows Logs. You can create a custom view so that only the entries you need to check are shown. Follow these steps:

1. Right-click Security. A context menu appears.
Figure 1: Option to create custom view
2. Select Create Custom View. The following dialog box appears.
3. Under Event level, select the levels to include, and keep Security selected under Event logs. One caveat: every Security log event is written at the Information level and is distinguished only by its Audit Success or Audit Failure keyword, so a view that selects Critical and Error shows nothing from this log. For the Security log, filter on Keywords > Audit Failure and/or on a list of Event IDs (for example 4625 for failed logons and 4740 for account lockouts); Critical and Error are the right choice for the System and Application logs.
4. Alternatively, choose By source instead of By log to filter on the event source (a particular service or application) regardless of which log it writes to.
5. Click OK. A box appears asking you to save the view.
Figure 2: Dialog box to save the filter
6. Give the view a name and, optionally, a description.
7. It is saved under the Custom Views node. You can also create a folder for it by clicking New Folder.
8. The newly created custom view is shown below.
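As an added example (not part of the original article), the filter a Security-log custom view actually needs, written as the event-log XML query that the Create Custom View dialog accepts on its XML tab and that Get-WinEvent runs directly. The keyword values, the 24-hour window and the choice of logon type 10 (RDP) are my assumptions for the example; 4624 and 4625 are the standard logon success and failure event IDs.

```powershell
# Added example, not code from the original article.
# Security events are always Level=Information; the Audit Success / Audit
# Failure distinction lives in the Keywords bitmask, so filter on that.
$auditFailure = 0x10000000000000   # Keywords bit for Audit Failure
$auditSuccess = 0x20000000000000   # Keywords bit for Audit Success

# The same XML can be pasted into the XML tab of Create Custom View.
# $auditFailure / $auditSuccess expand to their decimal values here.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <!-- every audit failure in the last 24 hours (timediff is in milliseconds) -->
    <Select Path="Security">
      *[System[band(Keywords,$auditFailure) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <!-- plus successful RDP logons (4624, LogonType 10): not failures, but worth a look -->
    <Select Path="Security">
      *[System[(EventID=4624) and band(Keywords,$auditSuccess)]]
       and *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
"@

# Run the view from PowerShell; needs rights to read the Security log.
$events = Get-WinEvent -FilterXml $queryXml -MaxEvents 500 -ErrorAction SilentlyContinue

# Per-event detail with the keyword decoded
$events |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.Keywords -band $auditFailure) { 'Failure' } else { 'Success' } } },
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# The number an auditor wants first: how many of each event ID in the window
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventID'; e = { $_.Name } } | Format-Table -AutoSize
```

Save the XML and you have the view in a form you can put in version control and copy to every domain controller, which the GUI's Export Custom View also gives you, but only after the fact.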
Figure 3: New Custom View

The Actions pane on the right lists what you can do with the view:
1. Import Custom View: imports a view that was exported earlier (Export Custom View writes it to an XML file).
2. Filter Current Custom View: changes the filter using the same dialog box you used to create it.
3. Properties: changes the name and description of the view.
4. Find: searches within the current view.
Other basic options let you rename, delete, or refresh the view.

Event Notification by Email

An e-mail notification for critical events and errors alerts you instantly about a critical change or error in the IT infrastructure, which is more than helpful when tackling an emergency. You can configure Event Viewer to send a notification when a particular event is logged. Two caveats apply to the built-in Send an e-mail action. It sends through plain SMTP with no authentication, so the SMTP server you name (an Exchange hub transport or any other relay) must accept unauthenticated mail from the server where the task runs. And Microsoft deprecated the action in Windows 8 and Windows Server 2012: the wizard still offers it there, but the task fails when it fires, so on those versions choose Start a program and send the mail from a script instead. The task runs under the account you choose when creating it, and that account needs the right to read the Security log.
Follow these steps:
1. In Event Viewer, select the event for which you want to receive a notification.
2. Click Attach Task To This Event in the Actions pane. The Create Basic Task wizard opens.
Figure 4: Wizard to create a task
3. Provide a name and description.
4. Click Next. The When an Event Is Logged page appears, pre-filled with the log, source and event ID of the selected event.
Figure 5: When an event is logged
5. Click Next. The Action page lets you choose what should be done when this event is recorded.
Figure 6: Select action to be performed
6. Select Send an e-mail. (Display a message shows a message box on the desktop of the computer where the task runs, which only helps if someone is logged on there.)
7. Click Next. The following page appears.
Figure 7: Send email
8. Provide the following details:
   a. The sender's e-mail address (From)
   b. The SMTP server through which the mail is sent
   c. The recipient's e-mail address (To)
   d. The subject of the e-mail
   e. The text of the e-mail and, optionally, an attachment
   Separate multiple recipients with a semicolon (;). The task is created to run under the account you are logged on with (you can change this later in the task's properties); that account needs to read the Security log, and the From address must be one the SMTP server accepts.
9. Enter the details.
Figure 8: Filling the details
10. Click Next. The wizard shows a summary of the task.
Figure 9: Summary
11. Select Open the Properties dialog box for this task when I click Finish.
12. Click Finish. The wizard closes and the task's properties dialog box opens.
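As an added example (not part of the original article), the same event-triggered alert built without the deprecated Send an e-mail action, so it works on Windows Server 2008 R2 and on later versions alike. A scheduled task fires on Security event 4625 (failed logon); the script it runs reads the event that triggered it and mails a summary through an SMTP relay with Send-MailMessage. The relay name, mailbox addresses and C:\Scripts path are assumptions for the example.

```powershell
# Added example, not code from the original article.
# Run once, elevated, on the server that should send the alerts.
$scriptPath = 'C:\Scripts\Send-EventAlert.ps1'   # assumed; keep it free of spaces
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

# The alert script. A single-quoted here-string, so nothing expands now;
# the $ variables below expand when the task runs the file.
@'
param(
    [int]$EventId = 4625,
    [string]$LogName = 'Security'
)
$smtp = 'smtp.example.com'          # assumed relay that accepts mail from this host
$from = 'dc01-alerts@example.com'   # assumed sender address the relay permits
$to   = 'soc@example.com'           # assumed recipient

# The newest matching event is the one that just fired the trigger
$evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1
$xml = [xml]$evt.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

$subject = "[$env:COMPUTERNAME] Event $EventId in $LogName at $($evt.TimeCreated)"
$body = @"
Computer     : $env:COMPUTERNAME
Time         : $($evt.TimeCreated)
Event ID     : $EventId
Target user  : $($data['TargetDomainName'])\$($data['TargetUserName'])
Logon type   : $($data['LogonType'])
Source IP    : $($data['IpAddress'])
Failure code : $($data['Status']) / $($data['SubStatus'])

$($evt.Message)
"@
Send-MailMessage -SmtpServer $smtp -From $from -To $to -Subject $subject -Body $body
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# Register the trigger with schtasks.exe, which exists on 2008 R2 (the
# ScheduledTasks PowerShell module does not). /EC is the channel, /MO the
# XPath query an event must match; it is the same query language as a custom view.
$query  = '*[System[(EventID=4625)]]'
$action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $scriptPath"
schtasks.exe /Create /F /TN 'Alert-FailedLogon' /SC ONEVENT /EC Security `
             /MO $query /TR $action /RU SYSTEM /RL HIGHEST

# End-to-end test: a bad password for a non-existent account produces a 4625
# on this machine, which should arrive in the mailbox within seconds.
#   runas /user:nosuchuser cmd      (type any password when prompted)
```

Running as SYSTEM removes the dependency on a named user's credentials and gives the script the right to read the Security log; the relay still has to permit anonymous mail from this server's address, which on Exchange is a receive connector setting rather than anything on the task. Narrow the XPath (for example by adding a LogonType or a TargetUserName condition) before pointing this at a domain controller, or one password-spraying run will turn it into a mail flood.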
Figure 10: Task Properties

If you don't want to make any changes, click OK. It is worth a glance at the Conditions and Settings tabs first: a basic task is created to start only when the computer is on AC power, and not to start a new instance while one is already running, which means a burst of failed logons produces one e-mail rather than one per event.

Conclusion

You can enable security auditing of Active Directory and create a custom view to keep a check on the critical events as they arrive. In addition, you can run a program, display a message, or send an instant e-mail notification to the intended recipients when a suspicious event is detected. Alternatively, LepideAuditor Suite can simplify your auditing needs.