Add to collection(s) Add to saved
  1. No category

How to enable the Security Auditing of Active

advertisement 
How to enable the Security Auditing of
Active Directory
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Millions of organizations from all parts of the world use Windows Server 2008 R2. It is
quite necessary to audit the Active Directory from both security point of view and
meeting the requirements of different compliances. In this post, we will discuss the
methods to enable the security audit and to verify the enabled audit policies for Active
Directory in Windows Server 2008 R2.
Enabling the Security Auditing
For security auditing, it is required to modify the existing default Domain’s policy,
which is setup while creating a domain. You have to, in fact, deal with Advanced Audit
Policy Configuration for this. Follow the steps below for enabling the security auditing
of Active Directory in Windows 2008 R2.
1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”.
2. In the console tree in the left pane, go to “Forest”  “Domains”  Domain
Name. Expand it.
3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group
Policy Management Editor”.
4. Go to “Computer Configuration”  “Windows Settings”  “Security Settings”
 “Advanced Audit Policy Configuration”  “Audit Policies”. This will list all
available audit policies.
5. Here, you can enable the following policies for following purposes:
Type of Auditing
Domain Logon/Logoff Auditing
Path
In “Logon/Logoff”, enable
File System Auditing
1. Audit Logon
2. Audit Logoff
In “Object Access”, enable
Handle Manipulation Auditing
1. Audit Detailed File Share
2. Audit File Share
3. Audit File System
In “Object Access”, enable
1. Audit Handle Manipulation
Table 1: Tables of required auditing values
6. Double-click any of the events listed in the above table to access its properties.
7. Check the box “Configure the following audit events” and then enable the
required “Success” and “Failure” events.
8. Click “Apply” and “OK” to enable the monitoring for the selected events.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Similarly, you can configure the advanced auditing
options as well.
policies for other available
Enabling the Global Object Access Auditing
Perform the below mentioned steps to audit the access of any object globally in the
server.
1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”.
2. In the console tree in the left pane, go to “Forest”  “Domains”  Domain
Name.
3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group
Policy Management Editor”.
4. Go to “Computer Configuration”  “Windows Settings”  “Security Settings”
 “Advanced Audit Policy Configuration”  “Audit Policies”.
5. Go to “Object Access”. This will show the audit policies of object access in the
right panel.
6. Double-click “Audit Registry” to show its properties box.
7. Check the box “Configure the following audit events” and check the both
events.
8. Click “Apply” and “OK”.
9. Now, go to “Global Object Access Auditing” node under “Audit Policies” of
advanced configuration.
10. Double-click “Registry” entry in the right details pane.
11. Check the box “Define this policy”. This will enable the subsequent button.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Figure 1: Properties of Registry policy
12. Click “Configure” to access the “Advanced Settings for Global Registry SACL”.
Figure 2: Advanced Security Settings
13. Click the “Add” button to add the users which access you want to audit.
14. Type the name of any user to be audited.
15. Click “Check Names” to validate them.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
16. Click “OK” for adding the users. This will show the auditing entries for that
user.
Figure 3: Select Audit Entries
17. Select the audit entries for both success and failure, which you want to
monitor and click the “OK” button. It is advised to select Full Control for both
of them.
18. Click “OK” once the required entries are selected. This will take you back to the
“Advanced Security Settings”.
19. You can follow the same steps to configure security auditing for other users.
20. Once done, click “Apply” and “OK”. You will be returned to “Registry
Properties”.
21. Click “Apply” and “OK” once again.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Thus, you can follow the above mentioned steps to configure the advanced file system
auditing by using the “File System” policy in “Global Object Access Auditing”.
Managing the Integrity of Advanced Auditing
The advanced auditing entries are often overwritten by that of basic auditing. Follow the
steps below to ensure that the advanced auditing entries do not get overwritten.
1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”.
2. In the console tree left pane, go to “Forest”  “Domains”  Domain Name.
3. Right-click on “Default Domain Policy” and click “Edit”. It will show “Group Policy
Management Editor”.
4. In the left tree pane, go to “Computer Configuration”  “Policies”  “Windows
Settings”  “Security Settings”  “Security Options”.
5. Double-click “Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings”.
6. Click “Define this policy setting” and click “Enabled”.
7. Click “Apply” and “OK” to close the dialog box.
This will apply the modified security auditing policies on the server. Alternatively, you can
logoff and logon the Administrator. It is required to update the modified Group Policies
on the server after enabling the security auditing policies.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Verifying the Auditing Policies
It is recommended to verify whether the modified auditing policies have been applied
or not. Run the following command on the Command Prompt.
auditpol.exe /get /category:*
Figure 4: Listing the status of all policies
This will list the status of all auditing policies – both basic and advanced on the server.
Please verify both “Success” and “Failure” events for the policies, which you have
enabled.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Summary
Thus, you can follow the above stated steps to enable security auditing for the Active
Directory. You can also enable the auditing for specific files and folders. After verifying
the update status, you can see the recorded events in the Security logs of Event Viewer
as security auditing has been enabled. Also, you can make use of LepideAuditor Suite,
which has a number of added features and it also lets you keep a live check on the
changes being made in the Active Directory environment. Real-time alerts, live
updates, and automatic reports let you audit the AD and Group Policy Objects without
any issue. You also have the freedom to restore unwanted changes in the AD objects
and restore the objects from Tombstone folder as well.
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Related documents
COVER LETTER SAMPLE
COVER LETTER SAMPLE
CIS 349 – Information Technology Audit and Control
CIS 349 – Information Technology Audit and Control
The Antecedents of Internal Auditors* Adoption of
The Antecedents of Internal Auditors* Adoption of
Job Title: IT Audit Senior
Job Title: IT Audit Senior
Hungary - Internal Audit Manual -_NE201106
Hungary - Internal Audit Manual -_NE201106
Continuous Auditing - Global Institute of Internal Auditors
Continuous Auditing - Global Institute of Internal Auditors
Download
advertisement