Ecora Enterprise Auditor Instructional Whitepaper: Who Made Change




Ecora Enterprise Auditor Who Made Change Instructional Whitepaper

Introduction ... 3
Purpose ... 3
Step 1 - Enabling audit in Windows ... 4
    Event Types ... 5
        Audit account logon events ... 5
        Audit account management ... 5
        Audit directory service access ... 5
        Audit logon events ... 5
        Audit object access ... 5
        Audit policy change ... 6
        Audit privilege use ... 6
        Audit process tracking ... 6
        Audit system events ... 6
Step 2 - Tuning security event log (optional) ... 15
Step 3 - Select WMI browser data collection options in Ecora Auditor ... 16
Step 4 - Fact-Finding Reports for Who Made Change ... 19
Appendix A: Common Auditing Event Codes ... 32

Ecora Software Corp. 2004 Proprietary Information

Introduction

Today's regulatory and business requirements are placing increasing pressure on organizations around the world to provide detailed information about their IT infrastructure. Ecora has received numerous requests asking how to identify who made a specific change, a.k.a. "who made change" reports. This is important when preparing for a detailed audit such as those dictated by Sarbanes-Oxley or similar regulatory laws. Companies are looking closely at who has access, how access is controlled, and the who, what, when, and where of unauthorized access. In many cases, tracking behavior is driven by CEOs and CFOs right into the laps of IT Management.

Fortunately, Ecora's Enterprise Auditor places a powerful tool at your disposal to meet these demands. Auditor comes with hundreds of predefined reports that provide documentation about all aspects of your infrastructure: operating systems, databases, applications, and network devices. In addition, you can easily create custom reports for specific areas of interest. One strength of Ecora's product is configuration and change management, identifying and managing change at multiple levels within your enterprise. This paper will help you identify the what and where of changes in your environment.

Purpose

This whitepaper defines the process of collecting and reporting who made change for both Active Directory and Windows objects. Object changes are recorded in the Windows security event log when auditing is enabled. Active Directory changes can be collected from domain controllers in a 2000/2003 Active Directory domain, and all other changes can be collected from the local computer being audited.

Tracking who made change with Ecora Enterprise Auditor is a four-step process.

In Windows:
1. Enable auditing for security events.
2. Tune the Windows security event log (optional).

In Ecora Auditor software:
3. Select WMI browser data collection options.
4. Run standard FFR security reports or customize report definitions based on your criteria.

Step 1 - Enabling auditing in Windows

This step is essential to collect the proper information to determine who made change. This information is collected in the Windows security event logs and is easily accessible to Ecora's Enterprise Auditor for Windows. The first step is to turn on auditing. If you want domain-level auditing, perform the following steps on a Domain Controller. If you want local auditing of a member server, perform the following steps on the member server.

To enable auditing:
1. Go to Administrative Tools and open Local Security Policy Settings.
2. Expand Local Policies and select Audit Policy.

Event Types

Different types of events can be audited for change, and the type of auditing you enable depends on the information you want to track. The different types of events include:

Audit account logon events
Used for each instance of a user logging on or logging off a computer when this computer is used to validate the account. If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain. Note that "account logon events" are generated where the account lives.

Audit account management
Used for account management on a computer, such as when a user or group is created, changed, or deleted; a user is renamed, disabled, or enabled; or a password is set or changed.

Audit directory service access
Used when a user accesses an Active Directory object that has its own system access control list (SACL). The audit directory service access policy does not apply to workstations and member servers, where it has no meaning. Note that you can set a SACL on an Active Directory object using the Security tab in that object's Properties dialog box. This policy is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.

Audit logon events
Used for each instance of a user logging on, logging off, or making a network connection to this computer. Note that "logon events" are generated where the logon attempt occurs.

Audit object access
Used when users access objects such as a file, folder, registry key, printer, etc. The object must have its own system access control list (SACL) specified (the users/groups to audit need to be specified for the object you want to track). Note that you can set a SACL on an object using the Security tab in that object's Properties dialog box.

Audit policy change
Used for any incidence of a change to user rights assignment policies, audit policies, or trust policies.

Audit privilege use
Used for each instance of a user exercising a user right.

Audit process tracking
Used to provide detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

Audit system events
Used when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log, such as clearing the log.

3. Once you have decided the type of information you want to track, double-click on the appropriate item(s) and select Success and/or Failure.
4. Once you have made all your choices, click OK and close the Local Security Policy screen.

Auditing Windows and Active Directory objects

As mentioned above, Windows objects (such as files, folders, registry keys, etc.) and Active Directory objects (such as domains, organizational units, sites, etc.) can be tracked for changes only if the object has its system access control list (SACL) specified for the particular users/groups that you want to track. The SACL can be modified using the Security tab in that object's Properties dialog box.

Auditing Windows Directories

For example, to track changes for a directory, you would:
1. Using Windows Explorer, right-click on a folder (in this example C:\WINNT) and select Properties...
   NOTE: Screen shots are for example only. There are slight differences between 2000, 2003, and XP.
2. Click on the Security tab.
3. Click on the Advanced button.
4. Click on the Auditing tab.
5. You can now add, view, or modify the users and groups that you want tracked for this object. Once users and/or groups have been selected, you can specify what to track by enabling the Successful and/or Failed checkboxes.
6. Click OK to return to Access Control Settings.
7. Verify that the proper users, groups, and access rights have been selected.
8. Click on Apply, then OK, and close all properties screens.

Auditing Windows Registry

To track changes for any registry key, you would:
1. Click Start > Run.
2. Type regedt32 and press Enter.
3. Expand the registry until you locate the key you want to audit.
4. Highlight the registry key you want audited.
5. On the Registry Editor menu, click Security, then Permissions...
6. Click on the Advanced button.
7. Click on the Auditing tab.
8. You can now add, view, or modify the users and groups that you want tracked for this object. Once users and/or groups have been selected, you can specify what to track by enabling the Successful and/or Failed checkboxes.
9. Click OK to return to Access Control Settings.
10. Verify that the proper users, groups, and access rights have been selected.
11. Click on Apply, then OK, and close all dialog boxes.
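The two SACL procedures above (folder and registry key) can also be done from PowerShell, which is useful when many objects need the same audit entries. The following is an added example, not code from the Ecora whitepaper or product; the folder path, registry key and the 'Everyone' identity are placeholders, and the rights lists are an assumption about what is worth tracking for change (writes, deletes and permission changes, not reads). It uses the .NET FileSystemAuditRule and RegistryAuditRule classes and needs an elevated session, since writing a SACL requires the "Manage auditing and security log" privilege.

```powershell
# Added example (not part of the Ecora whitepaper): set a SACL entry on a folder
# and on a registry key from PowerShell instead of the Properties > Security >
# Advanced > Auditing dialog. Requires an elevated session (SeSecurityPrivilege).
# Paths and identities below are placeholders; replace them with the objects and
# principals you actually want tracked.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',   # whose actions are recorded (placeholder)
        # Change-oriented rights only; auditing reads as well floods the log.
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags] $Audit = 'Success, Failure'
    )
    # -Audit is required: without it Get-Acl omits the SACL and Set-Acl leaves it untouched.
    $acl = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Audit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAuditRule {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # e.g. 'HKLM:\SOFTWARE\Contoso\App' (placeholder)
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.RegistryRights] $Rights = 'SetValue, CreateSubKey, Delete, ChangePermissions',
        [System.Security.AccessControl.AuditFlags] $Audit = 'Success, Failure'
    )
    $acl = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Audit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-AuditRules {
    # List the SACL entries currently on a folder or key (what the Auditing tab shows),
    # so the result of the two functions above can be verified.
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -Path $Path -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AuditFlags, IsInherited,
            @{ Name = 'Rights'; Expression = {
                if ($_.PSObject.Properties['FileSystemRights']) { $_.FileSystemRights } else { $_.RegistryRights } } }
}

# Usage (placeholders). 'Audit object access' (Step 1) must be enabled or the SACL
# entries are never evaluated.
# Add-FolderAuditRule   -Path 'C:\Audited\Finance'
# Add-RegistryAuditRule -KeyPath 'HKLM:\SOFTWARE\Contoso\App'
# Get-AuditRules -Path 'C:\Audited\Finance'
```

A SACL entry only produces events once the matching audit category is on, and an entry for 'Everyone' with Success auditing on a busy folder generates one event per write, so scope the identity and rights to what the report will actually filter on.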

Step 2 - Tuning security event log (optional)

The Windows security event log can be used to capture and document events that could have security implications, such as unauthorized changes, object access, and attempted logons. Depending upon your individual requirements, such as disk space or time interval, you may want to tune the security event log parameters to meet your needs. Set the properties of the security event log to match the items you are trying to track, such as time intervals, as well as physical limitations, such as hard disk space.

1. From the desktop, click on Start > Programs > Administrative Tools > Event Viewer.
2. Right-click Security Log and click on Properties.
3. Allocate long enough time intervals and maximum log sizes to collect accurate data.
4. Verify the settings. Click Apply, then OK, and close all dialog boxes.
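Steps 1 and 2 together, as a command-line equivalent of the two dialogs. This is an added example, not from the Ecora whitepaper: auditpol.exe is assumed to be available (it ships with Windows Vista/Server 2008 and later, not with the 2000/2003 hosts the paper targets, which use the Local Security Policy dialog), and Limit-EventLog/Get-EventLog are Windows PowerShell 5.1 cmdlets. The choice of categories and the size/retention defaults are assumptions to be adjusted to your environment.

```powershell
# Added example, not from the Ecora whitepaper: the command-line equivalent of
# Steps 1 and 2. auditpol.exe exists on Windows Vista / Server 2008 and later;
# Limit-EventLog and Get-EventLog are Windows PowerShell 5.1 cmdlets.
# Run in an elevated session.

# The legacy audit categories from the "Event Types" list, as auditpol names them.
# Privilege Use and Detailed (process) Tracking are left out on purpose: they are
# very noisy and rarely needed for who-made-change reporting. Add them if required.
$AuditCategories = @(
    'Account Logon',
    'Account Management',
    'DS Access',
    'Logon/Logoff',
    'Object Access',
    'Policy Change',
    'System'
)

function Enable-SecurityAuditing {
    # Turn on Success and Failure auditing, as ticking both boxes in the dialog would.
    param([string[]] $Categories = $AuditCategories)
    foreach ($category in $Categories) {
        & auditpol.exe /set "/category:$category" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol could not set category '$category'" }
    }
}

function Get-SecurityAuditing {
    # Show the effective policy, one line per subcategory, to verify the change.
    & auditpol.exe /get /category:*
}

function Set-SecurityLogRetention {
    # Step 2: size the Security log so it spans the collection window (7 days by
    # default in Step 3) with margin, and keep events for a minimum number of days
    # instead of letting the log wrap as soon as it fills.
    param(
        [int] $MaximumSizeMB = 512,   # assumption; must be a multiple of 64 KB
        [int] $RetentionDays = 30     # "overwrite events older than" threshold
    )
    Limit-EventLog -LogName Security -MaximumSize ($MaximumSizeMB * 1MB) `
        -OverflowAction OverwriteOlder -RetentionDays $RetentionDays
    # Return the resulting settings so the caller can verify them.
    Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
        Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays
}

# Usage:
# Enable-SecurityAuditing
# Get-SecurityAuditing
# Set-SecurityLogRetention -MaximumSizeMB 1024 -RetentionDays 60
```

With OverwriteOlder, a log that is full of events younger than the retention period stops recording rather than overwriting them, so a generous maximum size matters more than the retention figure; and a log that is cleared to make room shows up as event 517 in the reports in Step 4, which is exactly what you want to notice.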

Step 3 - Select WMI browser data collection options in Ecora Auditor

Prior to reporting any change information, you need to specifically collect the information from the Windows security event logs. Specify the collection parameters using the data collection screens in Ecora Enterprise Auditor for Windows.

1. Start the Windows data collection process; you will see the Data collection options dialog box.
2. Click on the WMI Browser tab.
3. In the Device name box, type in the name of a computer with WMI enabled and click Connect next to the Device name box.
4. Make sure that Namespace contains root\cimv2 and click Connect next to the Namespace box.
5. In the Class name list, scroll down and double-click Win32_NTLogEvent. Double-clicking will display all property names (in the Property name pane).
6. At the bottom of the Category column, click on the Filter button.
7. Make sure Collect events from security log is checked and the correct number of days is selected (the default is 7 days). The other settings pertain to different collection options and can be checked or unchecked based on your requirements.
8. Click OK. You will be returned to the Data collection options dialog box.
9. Click Next and select an auto-discovery method for finding systems. Select the appropriate systems and the data will be collected.
10. Once the data has been collected, you are ready to report who made change.
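The WMI Browser is issuing a WQL query against Win32_NTLogEvent in root\cimv2; the same collection can be run directly from PowerShell, which is handy for checking that a target returns events before pointing the product at it. The following is an added example, not the Ecora product's code: it assumes WMI/DCOM reachability to the target and the right to read its Security log (Administrators, or the "Manage auditing and security log" right), and 'DC01' is a placeholder host name.

```powershell
# Added example (not the Ecora product's code): the WMI query the WMI Browser
# issues in Step 3, run directly with Get-WmiObject. Assumes WMI/DCOM access to
# the target and rights to read its Security log. 'DC01' below is a placeholder.

function Get-SecurityLogEvents {
    param(
        [string] $ComputerName = '.',   # '.' = local machine; use a DC for account/directory events
        [int]    $Days = 7,             # the WMI Browser filter's default window
        [int[]]  $EventCode = @()       # optional: restrict to specific codes (server-side)
    )
    # Win32_NTLogEvent.TimeGenerated is a CIM datetime string, so the lower bound
    # has to be converted to DMTF format before it can appear in the WQL filter.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
    $wql = "Logfile='Security' AND TimeGenerated >= '$since'"
    if ($EventCode.Count -gt 0) {
        # Filtering by code in WQL avoids pulling the whole log across the network.
        $codes = ($EventCode | ForEach-Object { "EventCode=$_" }) -join ' OR '
        $wql += " AND ($codes)"
    }
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2' -Class Win32_NTLogEvent -Filter $wql |
        ForEach-Object {
            # Project the attributes the paper's report definitions select, with a
            # real DateTime instead of the raw DMTF string.
            [pscustomobject]@{
                ComputerName   = $_.ComputerName
                EventCode      = $_.EventCode
                TimeGenerated  = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                CategoryString = $_.CategoryString
                User           = $_.User
                Message        = $_.Message
            }
        }
}

# Usage (placeholder host): last 7 days of group-membership, audit-policy and
# log-cleared events from a domain controller.
# Get-SecurityLogEvents -ComputerName 'DC01' -EventCode 636, 632, 612, 517 | Format-Table -AutoSize
```

Get-WmiObject is a Windows PowerShell cmdlet; on PowerShell 7 use Get-CimInstance with the same -ClassName, -Namespace and -Filter arguments. Either way the filter runs on the target, which is the difference between a query that returns in seconds and one that copies a multi-hundred-megabyte Security log over DCOM.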

Step 4 - Fact-Finding Reports for Who Made Change

Ecora Enterprise Auditor includes standard, out-of-the-box Fact-Finding Reports (FFRs) that contain event codes and filters for who made change. You can create new reports or customize any FFR to meet your specific needs.

Standard Fact-Finding Reports
1. Click on the Fact-Finding button in the Ecora Enterprise Auditor main interface.
2. Expand the database tree to locate Security Reports, and click on Event Log Analysis.
Several reports exist for overall security log events. These reports can be used as is, or they can be copied to create templates for customization.

Customized Fact-Finding Reports
There are two ways to customize reports. You can use any existing report as a template:
1. From Ecora Auditor's main interface, choose Edit > Fact-Finding Report Definitions.
2. Highlight the report to use as a template, then click Copy.
The second way is to create a report from scratch.

Sample Reports

Four sample reports are created below to show the flexibility of the type of information that can be tracked for changes. The four samples are:
    Add users to the Local (or Domain) Administrators Group
    Changed Audit Policies
    Clearing Audit Logs
    Security for an Active Directory Organizational Unit

Add Users to the Local Administrators Group
1. From Ecora Auditor's main interface, choose Edit > Fact-Finding Report Definitions.
2. Click New.
3. In the left pane, expand the tree to locate Servers > Custom WMI > OS > Event Log > Win32NTLogEvent.
4. Select (by either drag and drop or double-clicking) the following attributes from the Available Settings box, in this order: Domain Computer, EventCode, TimeGenerated, User, and Message.
5. Click Edit next to Default table in the lower section. This is where you can get very creative. You can sort and set criteria. For example, you can specify the report for only a single computer, a group of computers, or all computers. You can report on specific event codes and by specific users. You can even produce a report based on a particular text string in the Message column.
6. The report that shows which users were added and by whom involves Event Code 636 (Security Enabled Local Group Member Added), and the Message column criterion is set to look for the Administrators group. The report can easily be modified for the Domain Administrators group by changing the event code to 632 and the message text to Domain Administrators.
7. After saving the report definition and running the report, you will see results similar to the following sample data. This report shows that AJones was added to the Builtin\Administrators group by the user swlight at 8:42am on October 15th.

Changed Audit Policies
1. From Ecora Auditor's main interface, choose Edit > Fact-Finding Report Definitions.
2. Click New.
3. In the left pane, expand the tree to locate Servers > Custom WMI > OS > Event Log > Win32NTLogEvent.
4. Select (by either drag and drop or double-clicking) the following attributes from the Available Settings box, in this order: Domain Computer, EventCode, TimeGenerated, CategoryString, User, and Message.
5. Click Edit next to Default table in the lower section. This is where you can get very creative. You can sort and set criteria. For example, you can specify the report for only a single computer, a group of computers, or all computers. You can report on specific event codes and by specific users. You can even produce a report based on a particular text string in the Message column.
6. The report that shows Audit Policy changes involves Event Code 612 (Audit Policy Change). You can hide columns in a report by deleting the value in the Output Column. In this report, the Event Code column will be hidden (by deleting the 2); however, criteria can still be set for it.
7. After saving the report definition and running the report, you will see results similar to the following sample data. This report shows that both Success and Failure auditing for Account Management was turned off. Note that Account Management has (+ +) before it in the first box (auditing was enabled for both success and failure), but (- -) in the second box (auditing was disabled for both success and failure).

Clearing Audit Logs
1. From Ecora Auditor's main interface, choose Edit > Fact-Finding Report Definitions.
2. Click New.
3. In the left pane, expand the tree to locate Servers > Custom WMI > OS > Event Log > Win32NTLogEvent.
4. Select (by either drag and drop or double-clicking) the following attributes from the Available Settings box, in this order: Domain Computer, EventCode, TimeGenerated, CategoryString, User, and Message.
5. Click Edit next to Default table in the lower section. This is where you can get very creative. You can sort and set criteria. For example, you can specify the report for only a single computer, a group of computers, or all computers. You can report on specific event codes and by specific users. You can even produce a report based on a particular text string in the Message column.
6. The report that shows cleared Audit Logs involves Event Code 517 (Audit log was cleared). You can hide columns in a report by deleting the value in the Output Column. In this report, the Event Code column will be hidden (by deleting the 2); however, criteria can still be set for it.
7. After saving the report definition and running the report, you will see results similar to the following sample data. This report shows that the audit log was cleared by the user swlight at 5:08pm on October 14th.

Security for an Active Directory Organizational Unit
1. From Ecora Auditor's main interface, choose Edit > Fact-Finding Report Definitions.
2. Click New.
3. In the left pane, expand the tree to locate Servers > Custom WMI > OS > Event Log > Win32NTLogEvent.
4. Select (by either drag and drop or double-clicking) the following attributes from the Available Settings box, in this order: Domain Computer, EventCode, TimeGenerated, CategoryString, User, and Message.
5. Click Edit next to Default table in the lower section. This is where you can get very creative. You can sort and set criteria. For example, you can specify the report for only a single computer, a group of computers, or all computers. You can report on specific event codes and by specific users. You can even produce a report based on a particular text string in the Message column.
6. The report that shows access to Active Directory objects involves Event Code 565 (Directory Service Access - Object Open). You can hide columns in a report by deleting the value in the Output Column. In this report, the Event Code column will be hidden (by deleting the 2); however, criteria can still be set for it.
7. After saving the report definition and running the report, you will see results similar to the following sample data. Starting at the bottom of the report, it shows:
   a. The creation of an OU called OU-1A by the user swlight
   b. The creation of a user called Aroce Jones in OU-1A by the user swlight
   c. OU write permission given to Aroce Jones by the user swlight
   d. OU delete permission given to Aroce Jones by the user swlight
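The four sample report definitions above are each an event-code criterion plus, in some cases, a text match on the Message column. The block below is an added example, not part of the Ecora whitepaper or product, that expresses the same four reports as PowerShell filters over event records with the attributes the reports select. The sample records are constructed from the results the paper describes (AJones added to Administrators by swlight, the log cleared, and so on) so that the functions run offline; their message texts are approximations of 2000/2003 event wording rather than copies, and the (- -) parsing in the audit-policy report relies on the marker format the paper describes.

```powershell
# Added example, not part of the Ecora whitepaper: the four sample reports as
# filters over records shaped like the attributes the reports select
# (ComputerName, EventCode, TimeGenerated, CategoryString, User, Message).
# $SampleEvents is constructed from the paper's described results; the message
# texts are approximations, not real Windows event text.

$SampleEvents = @(
    [pscustomobject]@{ ComputerName = 'SRV01'; EventCode = 636; TimeGenerated = [datetime]'2004-10-15 08:42:00'
                       CategoryString = 'Account Management'; User = 'ECORA\swlight'
                       Message = 'Security Enabled Local Group Member Added: Member Name: AJones Target Account Name: Administrators Target Domain: Builtin' }
    [pscustomobject]@{ ComputerName = 'SRV01'; EventCode = 636; TimeGenerated = [datetime]'2004-10-15 09:10:00'
                       CategoryString = 'Account Management'; User = 'ECORA\swlight'
                       Message = 'Security Enabled Local Group Member Added: Member Name: BSmith Target Account Name: Backup Operators Target Domain: Builtin' }
    [pscustomobject]@{ ComputerName = 'SRV01'; EventCode = 612; TimeGenerated = [datetime]'2004-10-14 17:00:00'
                       CategoryString = 'Policy Change'; User = 'ECORA\swlight'
                       Message = 'Audit Policy Change: New Policy: Success Failure (- -) Account Management (+ +) Logon/Logoff' }
    [pscustomobject]@{ ComputerName = 'SRV01'; EventCode = 517; TimeGenerated = [datetime]'2004-10-14 17:08:00'
                       CategoryString = 'System Event'; User = 'ECORA\swlight'
                       Message = 'The audit log was cleared' }
    [pscustomobject]@{ ComputerName = 'DC01'; EventCode = 565; TimeGenerated = [datetime]'2004-10-16 10:05:00'
                       CategoryString = 'Directory Service Access'; User = 'ECORA\swlight'
                       Message = 'Object Open: Object Type: organizationalUnit Object Name: OU=OU-1A,DC=ecora,DC=local Accesses: Create Child' }
)

function Get-AdminGroupAdditions {
    # Report 1: members added to a privileged group. 636 = local group member added,
    # 632 = global group member added; the group is matched as text in the message,
    # exactly like the Message-column criterion in the report definition.
    param([object[]] $Events = $SampleEvents, [string] $GroupName = 'Administrators')
    $Events |
        Where-Object { ($_.EventCode -in @(636, 632)) -and ($_.Message -match [regex]::Escape($GroupName)) } |
        Select-Object ComputerName, TimeGenerated, User, EventCode, Message
}

function Get-AuditPolicyChanges {
    # Report 2: 612 events, calling out every category whose flags went to (- -),
    # i.e. where both Success and Failure auditing were switched off.
    param([object[]] $Events = $SampleEvents)
    $Events | Where-Object { $_.EventCode -eq 612 } | ForEach-Object {
        $disabled = [regex]::Matches($_.Message, '\(- -\)\s*([^()]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
        [pscustomobject]@{
            ComputerName       = $_.ComputerName
            TimeGenerated      = $_.TimeGenerated
            User               = $_.User
            DisabledCategories = @($disabled) -join ', '
        }
    }
}

function Get-AuditLogCleared {
    # Report 3: 517. A cleared Security log is itself the finding; the user field
    # names who cleared it.
    param([object[]] $Events = $SampleEvents)
    $Events | Where-Object { $_.EventCode -eq 517 } | Select-Object ComputerName, TimeGenerated, User
}

function Get-DirectoryObjectAccess {
    # Report 4: 565 Directory Service Access, optionally narrowed to one object's
    # name (an OU's distinguished name, say), oldest first as the paper reads it.
    param([object[]] $Events = $SampleEvents, [string] $ObjectName = '')
    $Events |
        Where-Object { $_.EventCode -eq 565 -and $_.Message -like "*$ObjectName*" } |
        Sort-Object TimeGenerated |
        Select-Object ComputerName, TimeGenerated, User, Message
}

# Usage on the sample data; pass -Events with records collected from
# Win32_NTLogEvent to run the reports against a real log.
Get-AdminGroupAdditions | Format-Table -AutoSize
Get-AuditPolicyChanges  | Format-Table -AutoSize
Get-AuditLogCleared     | Format-Table -AutoSize
Get-DirectoryObjectAccess -ObjectName 'OU-1A' | Format-Table -AutoSize
```

The text match on "Administrators" is the same coarse criterion the report definition uses, and it has the weakness the paper's Domain Administrators variant hints at: any group whose name contains the string matches. When you know the exact event text for your platform, anchor the criterion to the Target Account Name field instead of the whole message.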

Appendix A: Common 2000 and 2003 Auditing Event Codes

Category            Description                                        Event Code
Account Management  User Account Created                               624
Account Management  User Account Changed                               642
Account Management  User Account Deleted                               630
Account Management  User Account Disabled                              629
Account Management  Change Password                                    627
Account Management  User Account Password set                          628
Account Management  Security Enabled Local Group created               635
Account Management  Security Enabled Local Group deleted               638
Account Management  Security Enabled Local Group changed               639
Account Management  Security Enabled Local Group Member added          636
Account Management  Security Enabled Local Group Member removed        637
Account Management  Security Enabled Global Group Member added         632
Account Management  Security Enabled Global Group Member removed       633
Account Management  Security Enabled Universal Group Member added      660
Account Management  Security Enabled Universal Group Member removed    661
Account Management  User account locked out                            644
Account Management  Group Type changed                                 668
Logon Event         Successful logon                                   528
Logon Event         Logon failure - Unknown user or bad password       529
Logon Event         Logon failure - Logon time restriction violation   530
Logon Event         Logon failure - Account currently disabled         531
Logon Event         User account expired                               532
Logon Event         User not allowed to logon on this computer         533
Logon Event         Password Expired                                   535
Object Access       Object Access Attempt                              567
Object Access       Object Open                                        560
Object Access       Object Deleted                                     564
Object Access       Handle Closed                                      562
Policy Change       Policy Changed                                     612
Policy Change       Trusted Domain added                               610
Policy Change       Trusted Domain removed                             611
Policy Change       IPSEC Policy agent started                         613
Policy Change       IPSEC Policy agent disabled                        614
Policy Change       Kerberos Policy changed                            617
Policy Change       Encrypted Data recovery policy changed             618
System Events       Computer Shutdown/Restarted                        513
System Events       Previous shutdown was clean                        6006
System Events       Restart was unexpected                             6008
System Events       Restart due to blue screen                         1001
System Events       Audit log was cleared                              517

More information about Windows security event codes can be found in Microsoft's Knowledge Base articles 299475 and 301677. Please review:
http://support.microsoft.com/default.aspx?scid=kb;en-us;299475
http://support.microsoft.com/default.aspx?scid=kb;en-us;301677