Auditing 101: What?s happening on your network?

Do you know what's happening on your network when you're not around? Fortunately, you can enable auditing to track many different network events. Eddie Tolle outlines auditing resources on your Windows NT network.

If you’re like most Windows NT administrators, security is always on your mind and you’re constantly working to improve the environment your users are working in. If you’re attempting to fill some of the possible security breaches inside your network, you may want to consider implementing an auditing policy. Auditing enables you to keep track of certain predefined activities by users and devices on your network. In this Article, I’ll explain some of the ways you can use auditing and show you how to easily include auditing in your network environment.

What is auditing?
Auditing simply allows you to track events and user actions on your network. Some of the possible events you might keep track of include:
  • Logins
  • Mapping drives
  • Resources used
  • Identification of the users
  • Dates and times of events
  • Accessing sensitive material
  • System tasks
  • Application launches
  • Storing files on a hard drive
  • Modifications of user accounts

Of course, there are many other items or actions you might consider auditing, but beware of tracking too much. You can easily overwhelm your system’s resources and your own ability to use the log files if you’re tracking too many items. Each item you decide to track requires some part of each system’s resources. If you do too much auditing, users can’t access the resources they need to complete their work; not enough, and anyone may be accessing your network with less than good intent. Each network requires a different level of auditing to maintain a secure working environment that functions properly. Your job is to walk the line between protection, resource planning, and user demand when balancing your network’s resources.

Installing and setting up auditing
Auditing can and should be run on both your NT servers and workstations. Regardless of which version of the operating system you’re running, you must have NTFS installed on your drives to enable file and folder auditing. You must also have Administrator rights, or belong to a group that has Manage Auditing And Security Log rights for the system you’re working with. Basically, you can set two distinct levels of auditing, depending on the nature of the system. On stand-alone servers or workstations, any policies you establish are only effective on that particular system. On the other hand, when you create auditing policies on domain controllers, your policies replicate across each domain controller on your network.

Piece by piece
This means that for the most part, you need to define auditing policies on your network’s machines on a computer-by-computer basis. So, you should have a plan of attack before starting out. I suggest starting with your Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs). You can then take an instant snapshot of your network’s security concerns by simply tracking login events on these servers. When you later review the log files on each domain server, you can easily see if any unauthorized attempts to access your network are being made. Once you’ve configured your domain controllers for the proper level of auditing you require, you should install auditing policies on any other servers and your individual workstations. To define your system’s auditing policies, you need to first launch the User Manager For Domains. You’ll find it available under the Common Administrative Tools on the Start menu. Once you launch the utility, you’ll receive a screen similar to the one shown in Figure A.

Figure A
You create and define each system’s auditing policies in the User Manager For Domains utility.

Now, from the main menu of the User Manager For Domains utility, click Policies. This displays a drop-down menu for you to select which type of policy you intend to modify. Your choices include:
  • Account
  • User Rights
  • Audit
  • Trust Relationships

Of course, for the purpose of this article, you should select Audit to display the Audit Policy dialog box. As you can see in Figure B, you can specifically track the success or failure of these events by simply selecting them with your mouse.

Figure B
You can define your audit policy to meet your network’s requirements.

Looking at rights and wrongs
With most of the events you decide to audit, you’ll need to decide whether to track the success or failure of said event or action. You may even want to collect information for both events when you first start implementing auditing on your network. By tracking event failures, you can quickly become aware of any attempted security breaches. This usually makes good sense when first implementing auditing in order to expose possible security holes in your network.

For managing network resources and the demands placed upon them by users, you’ll probably want to track success events to stay informed of which network resources are in use most often and by whom. You’ll need to fine-tune your network’s event auditing to meet your information requirements and the ongoing demands from users.

Watching your network’s resources
After you’ve created and defined your audit policies, you’ll need to specify the resources to which they apply. A good example is a network printer. You can audit the printer itself and the users or group with access. To do so, launch NT Windows Explorer and browse your network to the location of the printer. Right-click the printer icon, and then select Properties to display the Properties page. Next, click the Security tab to access the Printer Auditing dialog box.

Now, select the events you want to audit for this printer. You also need to define success or failure tracking for each event according to the type of information you’re attempting to gather. Finally, you need to include the usernames or group names you want to audit on this printer. Simply click the Add button and select the appropriate members from your network as shown in Figure C.

Figure C
You must specify the users or groups you wish to audit on your printer.

Editor’s Note:
In a preliminary rollout, you may want to specify the Everyone group because it includes all users—remote and attached—who attempt to access the printer.

If you’re running NTFS on your hard drives, you can also specify auditing for files and folders. You simply need to browse to the specific folder or file, right-click, and then select Properties from the menu. Once the Property page opens, select the Security tab and click the Auditing button. This opens the Directory Auditing dialog box.

You should first decide if you want the auditing to apply to any folders within this folder. By default, any changes you make to the folder are only applied to that specific folder. Next, define the events (and their success or failure) you wish to track. Finally, click the Add button to specify the users or groups that access the folder and its contents. Once you’ve specified the names you want to track, click OK and you should receive a display similar to the one in Figure D. When you click OK, you’ll receive a warning that you’re about to replace the security information for the directory folder you specified.

Figure D
Select the names of user or groups you wish to track.

As you can see, auditing provides an easy method for tracking resources and user behavior on your network. If you’re running Windows NT workstation or server, you can easily include auditing within the scope of your network’s environment.

Editor's Picks

Free Newsletters, In your Inbox