Auditing resources on Windows 2000 Professional, part 3

This last installment of our three-part Daily Feature series on auditing with Windows 2000 Pro covers auditing best practices and how to view and analyze your results. Tom Shinder explains how to get usable data out of the Security log.

In part one of my series on auditing with Windows 2000 Professional, I showed you how to set the audit policy. Part two focused on enabling and configuring the audit of files, folders, and printers on your computer. This final lesson will deal with auditing best practices to ensure you get the desired results from your audit policy.

Auditing best practices
Consider your motivations for enabling auditing before implementing it. Do not enable auditing just because you can. Every audited event costs processor cycles and a write to the Security log, and a broad policy (for example, auditing successful Object Access on a busy folder) can fill the log quickly and have a negative impact on overall system performance.

Consider auditing sensitive files and folders that contain material users may need to answer for in the future. Such files may include personnel files or payroll records. All companies have a rich store of sensitive memos and reports that contain proprietary information. You might want to audit all users that have permission to access these files so that you have a chronological account of when they were accessed and by whom.

Printer auditing is done more for accounting purposes than for security reasons. While you might find yourself in a situation where you wish to audit print jobs for users suspected of mass printings of their resumes or protected material, auditing is typically done to charge departments based on usage. Some printers have a very high per-page printing cost. The audit log provides a method to charge the department based on usage.

Table A includes some examples of security considerations and audit events you might want to implement for them.

Table A: Suggested audit schemes for different security scenarios

Security consideration                      Type of event to audit
Possible virus infection                    Object Access: Success/Failure on Program Files (.exe and .dll files); Process Tracking: Success/Failure
Illegitimate access to confidential files   Object Access: Success/Failure on the sensitive files; Object Access: Success/Failure on printers that suspicious users may use to print sensitive material
Dictionary password attack                  Logon/Logoff: Failure
Casual snooping or stolen passwords         Logon/Logoff: Success/Failure

Using the Security log
To view the results of auditing, you must use the Security log in the Event Viewer. To view the Security log entries, perform the following steps:
  1. From the Start menu, open the Administrative Tools menu and click on Event Viewer.
  2. In the Event Viewer window, click on the Security Log node in the left pane (see Figure A).

Figure A
The Security log seen in the Event Viewer

Note in Figure A that there are a number of Success Audit entries. These entries indicate that an audited event was performed successfully. In the Category column, you can see that the success event was generated by an Object Access audit policy.

Double-click on one of these entries; you will see something like the dialog box that appears in Figure B.

Figure B
Viewing the details of an audited event

The Event Properties dialog box makes it easy to see some characteristics of the audited event. However, you must scroll through the Description section to see the full details. The Copy button (the button just under the down arrow) will copy the contents of the Description section to the clipboard. The full description for this event looks like this:

Full description of event
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/27/2001
Time: 4:42:17 PM
User: TACTEAM\tshinder
Computer: EXETER
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Documents and Settings\tshinder\Desktop\Audit Me\~$dit Me.doc
New Handle ID: 808
Operation ID: {0,839900}
Process ID: 476
Primary User Name: tshinder
Primary Domain: TACTEAM
Primary Logon ID: (0x0,0x11764)
Client User Name: -
Client Domain: -
Client Logon ID: -
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges -
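The event body above is plain text, so it can be pulled apart programmatically rather than read by scrolling through the Event Properties dialog box. The following parser is an added example and is not code from the original article. It takes the Description shown above (embedded here as a constructed copy), splits the "Field: value" lines into a dictionary, collects the access-right lines that follow them (on a live Windows 2000 system these lines follow an "Accesses" label, which the copy above omits; the parser accepts either form), and flags a handle that was opened with a right that can change the file. The WRITE_RIGHTS set is an illustrative subset chosen for this example, not a complete list of NTFS rights.

```python
"""Parse the Description of a Windows 2000 Security event 560 ("Object Open")."""
import re

# Constructed copy of the event body shown in the article (not captured from a live system).
EVENT_560_DESCRIPTION = r"""Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Documents and Settings\tshinder\Desktop\Audit Me\~$dit Me.doc
New Handle ID: 808
Operation ID: {0,839900}
Process ID: 476
Primary User Name: tshinder
Primary Domain: TACTEAM
Primary Logon ID: (0x0,0x11764)
Client User Name: -
Client Domain: -
Client Logon ID: -
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges -
"""

# An access right appears as a bare line, optionally followed by its alias in parentheses.
ACCESS_LINE = re.compile(r"^(?P<right>\w+)(?:\s+\(or [^)]*\))?$")

# Illustrative subset (an assumption for this example, not a complete list) of rights
# that allow the object to be altered.
WRITE_RIGHTS = {"WriteData", "AppendData", "DELETE", "WriteDAC", "WriteOwner"}


def parse_object_open(description: str) -> dict:
    """Return the 'Field: value' pairs plus an 'Accesses' list and a 'Privileges' entry.

    A value of '-' (meaning "none", e.g. the Client fields when no impersonation
    was involved) is returned as None.
    """
    fields = {}
    accesses = []
    for raw in description.splitlines():
        line = raw.strip()
        if not line or line.endswith(":") or line == "Accesses":
            # blank line, the "Object Open:" header, or the bare "Accesses" label
            continue
        if line.startswith("Privileges"):
            value = line[len("Privileges"):].strip()
            fields["Privileges"] = None if value in ("", "-") else value
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = None if value.strip() == "-" else value.strip()
            continue
        match = ACCESS_LINE.match(line)
        if match:
            accesses.append(match.group("right"))
    fields["Accesses"] = accesses
    return fields


def is_modification(event: dict) -> bool:
    """True when the handle was opened with a right that can change the object."""
    return bool(WRITE_RIGHTS & set(event.get("Accesses", [])))


if __name__ == "__main__":
    event = parse_object_open(EVENT_560_DESCRIPTION)
    who = f"{event['Primary Domain']}\\{event['Primary User Name']}"
    print(who, "opened", event["Object Name"], "with", ", ".join(event["Accesses"]))
    print("modification possible:", is_modification(event))
```

Keep in mind what event 560 records: the access rights requested when the handle was opened, not whether each right was actually exercised. A 560 entry listing WriteData means the file was opened for writing, which is the best indicator Windows 2000 gives; it does not prove that bytes were written.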

Saving Security log data for further analysis
You will amass a large amount of data in the Security log over time. The Event Viewer offers only basic filtering and searching, so it is a poor tool for collecting and analyzing the data gathered by your audit policies. You can get around this limitation by saving the Security log as a delimited text file, either comma delimited or tab delimited. Once saved in that form, the data is easy to import into a database or spreadsheet program, where sorting, filtering, and summarizing make patterns and trends (such as a burst of failed logons against one account) much easier to see.

Perform the following steps to save the Security log data as a delimited text file:
  1. Right-click on the Security Log node in the left pane of the Event Viewer and click on the Save Log File As command.
  2. In the Save Security Log As dialog box, click the down arrow in the Save As Type drop-down list box. Select either the Text (Tab Delimited) (*.txt) or CSV (Comma Delimited) (*.csv) option. Type in a file name and then click Save.

Importing log files into Excel
If you plan to use Microsoft Excel to analyze your data, save the log as Text (Tab Delimited). When you open the .txt file, Excel's Text Import Wizard places each event on a single row with one column per field. Opening the .csv export instead spreads a single event's multi-line Description across several rows, which makes analysis with Excel's sorting, filtering, and PivotTable tools difficult.
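A spreadsheet is one option; the exported text can also be fed straight to a script. The example below is added here and is not code from the original article. It reads a Security log saved as Text (Tab Delimited) and applies two of the schemes from Table A: it counts Logon/Logoff failures per account and flags accounts with a burst of failures (the dictionary password attack case), and it lists successful Object Access events on files under a sensitive path (the confidential files case). Assumptions, all labeled in the code: the export has no header row and lists the columns in Event Viewer order (Date, Time, Source, Type, Category, Event, User, Computer, Description) with the Description flattened onto one line; the sample rows are constructed for this example, with invented accounts, paths and times; and the five-failures-in-one-minute threshold is illustrative. Event 529 is the Windows 2000 logon failure for an unknown user name or bad password.

```python
"""Analyze a Security log saved from Event Viewer as a tab-delimited text file."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed layout of the "Text (Tab Delimited)" export: no header row, one event per line,
# columns in Event Viewer order, and the multi-line Description flattened onto one line.
COLUMNS = ["date", "time", "source", "type", "category", "event_id", "user", "computer", "description"]


def _logon_failure(time, account):
    """Constructed 529 (bad user name or password) row. Note the User column is SYSTEM."""
    desc = ("Logon Failure: Reason: Unknown user name or bad password "
            f"User Name: {account} Domain: TACTEAM Logon Type: 2 Logon Process: User32 "
            "Authentication Package: Negotiate Workstation Name: EXETER")
    return "\t".join(["4/27/2001", time, "Security", "Failure Audit", "Logon/Logoff", "529",
                      "NT AUTHORITY\\SYSTEM", "EXETER", desc])


def _object_open(time, account, path):
    """Constructed 560 (Object Open) row for a successful file open."""
    desc = (f"Object Open: Object Server: Security Object Type: File Object Name: {path} "
            f"New Handle ID: 808 Operation ID: {{0,839900}} Process ID: 476 "
            f"Primary User Name: {account} Primary Domain: TACTEAM Primary Logon ID: (0x0,0x11764) "
            "Client User Name: - Client Domain: - Client Logon ID: - ReadData (or ListDirectory) Privileges -")
    return "\t".join(["4/27/2001", time, "Security", "Success Audit", "Object Access", "560",
                      f"TACTEAM\\{account}", "EXETER", desc])


# Constructed sample export: accounts, paths and times are invented for this example.
SAMPLE_EXPORT = "\n".join([
    _logon_failure("4:40:01 PM", "jdoe"),
    _logon_failure("4:40:03 PM", "jdoe"),
    _logon_failure("4:40:04 PM", "jdoe"),
    _logon_failure("4:40:06 PM", "jdoe"),
    _logon_failure("4:40:08 PM", "jdoe"),
    _logon_failure("4:41:30 PM", "tshinder"),  # one mistyped password, not an attack
    _object_open("4:42:17 PM", "tshinder", r"C:\Documents and Settings\tshinder\Desktop\Audit Me\~$dit Me.doc"),
    _object_open("4:43:02 PM", "jdoe", r"D:\HR\Payroll\2001-Q1.xls"),
])

USER_NAME = re.compile(r"User Name:\s+(\S+)")
OBJECT_NAME = re.compile(r"Object Name:\s+(.*?)\s+New Handle ID:")


def parse_export(text):
    """One dict per row; 'when' is a datetime built from the Date and Time columns."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(COLUMNS) - 1)
        parts += [""] * (len(COLUMNS) - len(parts))  # tolerate a short row
        event = dict(zip(COLUMNS, parts))
        event["when"] = datetime.strptime(f"{event['date']} {event['time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(event)
    return events


def failed_logon_accounts(events):
    """Failures per account. The account is only in the Description; the User column is SYSTEM."""
    counts = Counter()
    for event in events:
        if event["event_id"] == "529":
            match = USER_NAME.search(event["description"])
            if match:
                counts[match.group(1)] += 1
    return counts


def dictionary_attack_suspects(events, threshold=5, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` 529 failures inside any `window` (illustrative values)."""
    times = defaultdict(list)
    for event in events:
        if event["event_id"] == "529":
            match = USER_NAME.search(event["description"])
            if match:
                times[match.group(1)].append(event["when"])
    suspects = []
    for account, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                suspects.append(account)
                break
    return sorted(suspects)


def sensitive_file_opens(events, prefix):
    """(user, path) for each successful 560 whose Object Name starts with `prefix`."""
    hits = []
    for event in events:
        if event["event_id"] == "560" and event["type"] == "Success Audit":
            match = OBJECT_NAME.search(event["description"])
            if match and match.group(1).lower().startswith(prefix.lower()):
                hits.append((event["user"], match.group(1)))
    return hits


if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    print("failed logons:", dict(failed_logon_accounts(log)))
    print("dictionary attack suspects:", dictionary_attack_suspects(log))
    print("payroll opens:", sensitive_file_opens(log, r"D:\HR\Payroll"))
```

One detail worth noticing: for a failed logon the User column reads NT AUTHORITY\SYSTEM, because no user was logged on when the event was written. The account under attack appears only inside the Description, so grouping a spreadsheet by the User column would hide a dictionary attack entirely; the script extracts the User Name field from the Description instead.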

In this Daily Feature series, you've learned about the auditing features included with Windows 2000 Professional. You learned how to audit resources on Windows 2000 Professional computers by creating local audit policies. Some audit policies, such as Logon/Logoff, begin producing events as soon as they are enabled, without any other configuration. Object auditing also requires that you configure auditing on the particular file, folder, or printer object itself. After you have configured your audit policies and object settings, you can view the results in the Security log in the Event Viewer. Large Security logs are difficult to analyze there, so to simplify the job, save the Security log as a delimited text file and import the file into a database or spreadsheet program.
