Auditing can provide important data about activity on your network. You can use it to track files, help ensure expensive printing supplies aren't wasted, keep tabs on changes to registry keys, and check on access to your Active Directory. To accomplish these tasks, there are various types of auditing you can perform on your system, and within each type, there are different settings and steps to implement based on the type of information you need from the audit.
Before implementing any form of auditing, you should decide which security objects your organization needs to focus on. You will also need to decide how long you’re going to keep audit logs and where you’re going to store the audit log archives.
Auditing at the file level
File level auditing is performed on NTFS partitions. For example, you could monitor changes to files within a specific directory. Generally, this type of auditing is only used if the contents of a particular directory are extremely sensitive or if you suspect a security breach, i.e., someone tampering with the files.
You can implement auditing on the entire partition if necessary, but doing so is usually overkill and results in extremely large audit logs. You can also audit an individual file as opposed to an entire folder if your needs tend to be more specific. However, auditing on a folder-by-folder basis is the generally accepted method of file level auditing. As I demonstrate the process of auditing a folder, keep in mind that the process is pretty much the same for auditing an entire partition or a single file. The biggest difference is that you’re selecting a folder instead of a file or a drive letter.
To implement file level auditing, go to an NTFS partition and select the folder to audit. You can audit a folder by right-clicking the folder and selecting the Properties command from the context menu to view the folder’s properties sheet. Then, select the Security tab and click Advanced. At that point, you’ll see the Access Control Settings For properties sheet. Select the Auditing tab.
By default, the Auditing tab is empty. However, you can add entries to the Auditing tab by clicking the Add button. When you do, Windows searches the domain and displays a list of all users, computers, and security groups. Then, select the objects you want to audit and click OK. It’s best to audit on a group basis unless you’re trying to track the actions of a specific user or computer. I should also point out that you aren’t limited to auditing the default domain. You can also select objects to audit from other domains or from Active Directory (AD) as a whole. Once you’ve chosen which objects you want to audit, click OK.
Next, you’ll see the Auditing Entry For folder name dialog box, where folder name represents the name of the folder you’re auditing. As you can see in Figure A, you can control several settings from this dialog box.
Figure A: The Auditing Entry For folder name dialog box controls the behavior of the audit.
At the top of this dialog box, you’ll see a list of the objects you’ve chosen to audit. Directly beneath that, you’ll see the Apply Onto drop-down list. This list controls which folders are affected by the audit. For example, by default, the audit applies to the folder, subfolders, and the files within the audited folders. However, there are many other settings you can use to customize this behavior. For example, you could audit this folder only, files only, this folder and files only, this folder and subfolders only, etc.
At the bottom of the dialog box, there's a check box labeled Apply These Auditing Entries To Objects And/Or Containers Within This Container Only. This check box basically acts as a shortcut to selecting items from the Apply Onto drop-down list.
The heart and soul of the dialog box is the Access pane, which lists all of the different events you can audit. Auditing works by building a log based on the success or on the failure of various events. Therefore, the Access pane lists all of the various events available for you to audit with Successful and Failed check boxes.
For example, if you wanted to know whether or not someone deleted a file from a folder, you’d select the Successful check box next to Delete. However, if you wanted to know if someone tried to delete a file from the folder, you’d select the Failed check box next to Delete. Of course, you could always use both check boxes.
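The folder audit entry described above, configured from PowerShell on a current Windows host rather than through the Auditing tab, as an added example that is not part of the original article. The folder path and group name are assumptions chosen for illustration; the block also checks the one prerequisite the dialog does not show you, that the object-access audit policy is enabled, since a SACL entry logs nothing without it.

```powershell
# Added example, not from the article: the folder audit entry the article builds on the
# Auditing tab, configured from PowerShell on a current Windows host. The folder path and
# group name are assumptions chosen for illustration.
$Folder    = 'D:\Payroll'          # assumed: sensitive folder on an NTFS volume
$Principal = 'CONTOSO\Finance'     # assumed: group whose access is audited

# A SACL entry only produces events when the object-access audit policy is enabled
# (the "File System" subcategory on current Windows); check that before anything else.
$policy = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'File System auditing is off; the SACL entry below will log nothing.'
}

# The dialog's "Delete" row, both Successful and Failed, applied onto "This folder,
# subfolders and files" (the default in the Apply Onto list).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit reads the SACL as well as the DACL; writing it back requires the
# "Manage auditing and security log" right (SeSecurityPrivilege).
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# What the Auditing tab would now list for this folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Reviewing the result: event 4663 records each audited access attempt; DELETE is bit
# 0x10000 of AccessMask. Reading the XML payload by field name avoids guessing at the
# layout of the rendered Message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like "$Folder*" -and ([int]$d.AccessMask -band 0x10000)) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object = $d.ObjectName
                Proc   = $d.ProcessName
            }
        }
    }
```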
Auditing printers
Just as you can audit entire partitions, you can audit the activity of a printer. To do so, right-click the printer’s icon and select the Properties command from the context menu to view the properties sheet. Select the Security tab and then click the Advanced button. You’ll now see the Access Control Settings For properties sheet. Click the Auditing tab to audit printers.
Click the Add button, and you’ll see a list of all of the users and groups that you can audit. Select which users and groups you'd like to audit and click OK. When you do, you’ll see a screen similar to the one shown in Figure B.
Figure B: You can audit printers as well as files and folders.
From there, you can perform a success or a failure audit on events such as printing, managing documents, managing printers, changing permissions, or taking ownership. Keep in mind that if you’re planning to audit a printer directly connected to a computer, you should implement the audit policy at that computer, not from a machine that simply maps to the printer from across the network.
You may be wondering why anyone would ever want to audit a printer. One reason is that some color laser or thermal printers require very expensive ink and paper. Therefore, some companies audit printer use to make sure no one wastes expensive office supplies on non-business-related printing projects.
More importantly, many companies print checks in-house. If you’re printing checks, or if you have other forms loaded into the printer, you’ll definitely want to audit the printer’s use.
Auditing the registry
You’d probably only want to audit the registry if you knew that a particular virus that had been floating around modified a registry key, or if you wanted to find out whether or not users had been installing software. Of course, you could also audit the registry to track changes that a hacker might make. In any of these instances, you need to know exactly which registry key to audit.
There are two different registry editors included with Windows 2000; however, you may only implement auditing through the REGEDT32 registry editor. To audit a registry key, enter the REGEDT32 command at the Run prompt to launch the Registry Editor.
When the Registry Editor loads, select the registry key you want to audit. Next, select the Permissions command from the Security menu. When you do, you’ll see the Permissions For properties sheet. Click the Advanced button to view the Access Control Settings For properties sheet. Select the Auditing tab and click the Add button to view the list of users and groups you can audit. Make your selection and click OK. When you do, you’ll see the screen shown in Figure C.
Figure C: You can enable auditing on individual registry keys.
From this screen, you can audit events such as Query Value, Set Value, Delete, and many others.
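The registry-key audit entry the article sets through REGEDT32, applied from PowerShell on a current Windows host, as an added example that is not part of the original article. It shows how the dialog's Query Value, Set Value and Delete rows map onto RegistryRights names, and how to read back the value-change events, which record the old and new data. The key chosen is the per-machine Run key, since it is written when software installs itself to start at logon, matching the article's "users installing software" use case; the principal is an assumption for illustration.

```powershell
# Added example, not from the article: the registry-key audit entry the article sets
# through REGEDT32, applied from PowerShell on a current Windows host. The principal is
# an assumption chosen for illustration.
$Key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Principal = 'Everyone'

# Registry SACLs only log when the "Registry" object-access subcategory is enabled.
$policy = auditpol /get /subcategory:"Registry" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'Registry auditing is off; the entry below will log nothing.'
}

# The dialog's Query Value, Set Value and Delete rows correspond to these RegistryRights.
# ContainerInherit carries the entry down to subkeys, as the dialog does by default.
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $Principal,
    [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Key -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Key -AclObject $acl

# Successful Set Value operations are recorded as event 4657, which, unlike the generic
# object-access event, carries the old and new data of the value that changed. The
# ObjectName in the event uses the kernel form \REGISTRY\MACHINE\..., hence the wildcard.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 100 |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like '*\CurrentVersion\Run') {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                User  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Value = $d.ObjectValueName
                Old   = $d.OldValue
                New   = $d.NewValue
                Proc  = $d.ProcessName
            }
        }
    }
```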
Auditing Active Directory
AD is the heart and soul of Windows 2000, because it contains vast quantities of information about users, groups, computers, and a variety of security settings. By tampering with AD, a hacker could do just about anything to your network. Therefore, it’s important to audit AD so you will be alerted when any changes are made.
Auditing of AD is performed through a group policy. To audit AD, open the group policy for your domain. To do so, enter the MMC command at the Run prompt. When the Microsoft Management Console loads, select the Add/Remove Snap-In command from the Console menu to view the Add/Remove Snap-In properties sheet. Click the Standalone tab’s Add button to display a list of all available snap-ins. Select the Group Policy snap-in from the list and click Add. When you do, Windows will display a dialog box asking which group policy object you want to load. Unless you have some other group policy you’d prefer to audit, click the Browse button and then select the Default Domain Policy from the list of available group policy objects. Then, click OK, Finish, Close, and OK. Doing so will display the Group Policy snap-in.
Now, select the top level of the Default Domain Policy, right-click it, and select the Properties command to view the Default Domain Policy properties sheet. Select the Security tab and click the Advanced button to reveal the Access Control Settings For Default Domain Policy properties sheet. This operation may take a few minutes to complete.
When you see the properties sheet, select the Auditing tab. On that tab, you’ll see that some level of auditing has already been established to monitor the Everyone group. You can add additional auditing by clicking the Add button, or you can view or modify the existing auditing parameters by selecting the existing auditing entry and clicking the View/Edit button. You’ll see a properties sheet much like the one shown in Figure D.
Figure D: You can audit Active Directory access.
As you can see in the figure, auditing AD is like performing other types of audits in that you track the success or failure of various system events. What makes this auditing different is that the properties sheet consists of two tabs, the Object tab and the Properties tab. Both tabs contain auditing options. The difference between the two tabs is that the Object tab contains standard events such as reading, writing, or deleting. The Properties tab contains more specific events that pertain to an individual attribute of an object rather than to an entire object or an entire tree of objects.
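The Object-tab versus Properties-tab distinction above, expressed as auditing entries on a directory container from PowerShell with the ActiveDirectory module on a current domain controller, as an added example that is not part of the original article. A whole-object entry has no object-type GUID; an attribute-level entry is keyed by the attribute's schemaIDGUID, which is what the Properties tab hides from you. The OU, principal and attribute are assumptions chosen for illustration.

```powershell
# Added example, not from the article: auditing entries on a directory container, set from
# PowerShell with the ActiveDirectory module on a current domain controller. The OU,
# principal and attribute are assumptions chosen for illustration.
Import-Module ActiveDirectory
$Path      = 'AD:\OU=Finance,DC=contoso,DC=com'      # assumed container to audit
$Principal = [System.Security.Principal.NTAccount]'Everyone'
$schemaNc  = (Get-ADRootDSE).schemaNamingContext

# Directory objects have their own audit policy subcategory, separate from object access.
$policy = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'Directory Service Changes auditing is off; the entries below will log nothing.'
}

# Object tab: whole-object events (writes, deletes) on this OU and everything below it.
$objectRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $Principal,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteChild',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Properties tab: one attribute of one object class. The entry is keyed by the attribute's
# schemaIDGUID (here "member" of "group"), looked up from the schema rather than typed in.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$propertyRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $Principal,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    (Get-SchemaGuid 'member'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    (Get-SchemaGuid 'group'))

$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($objectRule)
$acl.AddAuditRule($propertyRule)
Set-Acl -Path $Path -AclObject $acl

# Audited changes land in the domain controller's Security log as event 5136, one per
# attribute value, naming the attribute and the value that was written or removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 100 |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName; Object = $d.ObjectDN
                           Attribute = $d.AttributeLDAPDisplayName; Value = $d.AttributeValue; Op = $d.OperationType }
    }
```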
Security is a major concern with network administrators. You can’t keep up with everything that’s going on simultaneously on your network. However, you can configure audit policies to help you track a variety of activities and keep your network safe.