Auditing Windows 2000

Auditing provides a means of tracking all events in Windows 2000 to monitor system access and ensure system security.
Auditing Overview
In Windows 2000, auditing provides a means of tracking events and is an important facet of security for individual computers as well as the enterprise. As described in other chapters (notably Chapter 6, which covers the Event Viewer), Microsoft defines an event as any significant occurrence in the operating system or an application that requires users (particularly administrators) to be notified. Events are recorded in event logs that you can manage with the Event Viewer console snap-in.
Auditing enables you to track specific events. More specifically, auditing enables you to track the success or failure of specific events. For example, you might audit logon attempts, tracking who succeeds in logging on (and when) and who fails at logging on. Or, you might audit object access on a given folder or file, tracking who uses it and the tasks they perform on it. You can track an overwhelming variety of events in Windows 2000, as you’ll learn a little later in the chapter.
Windows 2000 provides several categories of events you can audit. The following list describes these event categories:
✦ Account Logon Events: Track user logon and logoff via a user account.
✦ Account Management: Track when a user account or group is created, changed, or deleted; a user account is renamed, enabled, or disabled; or a password is set or changed.
In This Chapter: Auditing Overview; Configuring Auditing; Examining the Audit Reports; Enabling Auditing — Some Case Studies
✦ Directory Service Access: Track access to the Active Directory.
✦ Logon Events: Track non-local authentication events such as network use of a resource or a remote service logging on using the local System account.
✦ Object Access: Track when objects are accessed and the type of access performed. For example, track use of a folder, file, printer, and so on. Configure auditing of specific events through the object’s properties (such as the Security tab for a folder or file).
✦ Policy Change: Track changes to user rights or audit policies.
✦ Privilege Use: Track when a user exercises a right other than those associated with logon and logoff.
✦ Process Tracking: Track events related to process execution such as program execution.
✦ System Events: Track such system events as restart, startup, shutdown, or events that affect system security or the security log.
Within each category, you’ll find several different types of events — some common and some specific to the objects or events being audited. For example, when you audit registry access, the events are very specific to the registry. So rather than cover every possible event that can be audited, this chapter explains how to enable and configure auditing, and looks at specific cases and how auditing improves security and monitoring in those cases.
Configuring Auditing
Configuring auditing can be either a one- or two-step process, depending on the type of events for which you’re configuring auditing. For all but object access, enabling auditing simply requires that you define the audit policy for the given audit category. Object access auditing, however, requires an additional step: configuring auditing on the specific objects. For example, enabling auditing for the policy Audit object access doesn’t actually cause any folders or files to be audited. Instead, you have to configure each folder or file individually for auditing.
Enabling Audit Policies
Before you begin auditing specific events, you need to enable auditing of that event’s category. You configure auditing through the computer’s local security policy, group policy, or both. If domain audit policies are defined, they override local audit policies. This chapter assumes you’re configuring auditing through the local security policy. If you need to configure auditing through group policies, use the Domain Security Policy console to enable auditing.
To configure auditing through the local security policy, open the Security Policy console snap-in by choosing Start ➪ Programs ➪ Administrative Tools ➪ Local Security Policy. Open the Security Settings/Local Policies/Audit Policy branch. As Figure 19-1 illustrates, each audit policy category appears with its local setting and effective setting. The effective setting reflects the application of group policies, if any.
Figure 19-1: Use either the local security policy or domain policy to enable auditing.
Double-click a policy to display its settings (Figure 19-2). You can enable auditing of both success and failure of events in the selected category. Using the logon example given previously, you might audit successful logon to track who is using a given system and when. You might track unsuccessful logon to track attempts at unauthorized use of a system. Select Success, Failure, or both, as desired, and then click OK.
Figure 19-2: Select the types of events (success or failure) for which you want to enable auditing.
After you configure each category as desired, close the Security Policy console. See the next section if you’re configuring auditing of object access. Otherwise, audit events will begin appearing in the Security log. Make sure you configure the Security log’s size and overflow behavior to accommodate the audit events.
Auditing Object Access
The second step in configuring object access auditing is to enable auditing on the individual objects you want to monitor, such as folders, files, registry keys, and so on. You typically configure the objects where you find them in the UI, such as Explorer for folders and files, the Printers folder for printers, and Regedt32 for the registry keys. The types of events you can audit for a given object depend on the object itself. Events for file access, for example, are different from events for registry key access.
Note: See Chapter 23 for more information on controlling and monitoring printer access.
To configure auditing for a folder or file, open Explorer and locate the object. Right-click the object and choose Properties to view its property sheet. Click Security ➪ Advanced to open the Access Control Settings dialog box. Click the Auditing tab to show the Auditing page, then click Add. Select a user, computer, or group that you want to audit, and click OK. Windows 2000 displays an object dialog box that lists the events you can audit for the selected object (Figure 19-3).
Figure 19-3: Select Successful or Failed as desired to configure auditing for each event type.
Select Successful for a given event if you want to record successful completion of the event. Select Failed to monitor failed attempts. The option “Apply these auditing entries to objects and/or containers within this container only” applies auditing to only the contents of the selected container (such as the files in the selected folder). The contents of subfolders are audited unless this option is selected.
Caution: As you’re defining the audit policy for a selected object, keep in mind that you could potentially generate a huge number of events in the Security log. Unless you have a specific reason to audit success on a given event, you should consider only auditing failure to reduce traffic to the log and load on the computer. Auditing failed access is typically most useful for tracking attempts at unauthorized access.
After you’re satisfied with the audit event selections, click OK. Repeat the process to add other users, groups, or computers to the list. On the Access Control Settings dialog box (Figure 19-4), you’ll find two options that control how auditing entries are affected by the parent object and affect child objects:
Figure 19-4: Use the Auditing page of the Access Control Settings dialog box to configure auditing for a selected object.
✦ Allow inheritable auditing entries from parent to propagate to this object. Select this option if you want auditing properties to be inherited by the current object from its parent object. Deselect this option to prevent audit properties from being inherited.
✦ Reset auditing entries on all child objects and enable propagation of inheritable auditing entries. Select this option to clear any audit properties configured within child objects (such as subfolders) and to allow the audit properties for the current object to propagate to child objects.
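The three inheritance controls above (the "within this container only" option on an entry, "Allow inheritable auditing entries from parent to propagate", and "Reset auditing entries on all child objects") interact in ways that are easy to get wrong when you are staring at a deep folder tree. The following is an added example, not code from the book or from Windows: a simplified model of how auditing entries flow from a folder to its contents, with invented class and function names (AuditEntry, FsObject, effective_entries, reset_child_entries) and a constructed folder tree. It is not the NTFS implementation, only a way to check what a given combination of options will audit.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified model of how auditing entries propagate between a folder and its
# contents. Added illustration only; names are invented for this example.


@dataclass
class AuditEntry:
    principal: str                      # user, group or computer being audited
    access: str                         # event type, e.g. "Delete"
    outcome: str                        # "Successful", "Failed" or "Both"
    this_container_only: bool = False   # "Apply ... within this container only"


@dataclass
class FsObject:
    name: str
    is_container: bool
    entries: List[AuditEntry] = field(default_factory=list)  # set directly on this object
    inherit_from_parent: bool = True    # "Allow inheritable auditing entries ... to propagate"
    children: List["FsObject"] = field(default_factory=list)
    parent: Optional["FsObject"] = None

    def add(self, child: "FsObject") -> "FsObject":
        child.parent = self
        self.children.append(child)
        return child


def inherited_entries(ancestor: FsObject, depth: int) -> List[Tuple[AuditEntry, str]]:
    """Entries that `ancestor` propagates to an object `depth` levels below it.

    An entry marked 'this container only' reaches direct contents (depth 1)
    but not the contents of subfolders (depth >= 2).
    """
    out = []
    for e in ancestor.entries:
        if e.this_container_only and depth > 1:
            continue
        out.append((e, ancestor.name))
    # Entries from further up only flow through if the ancestor itself inherits.
    if ancestor.inherit_from_parent and ancestor.parent is not None:
        out.extend(inherited_entries(ancestor.parent, depth + 1))
    return out


def effective_entries(obj: FsObject) -> List[Tuple[AuditEntry, str]]:
    """Explicit entries on `obj` plus inherited ones, each tagged with the
    object it was defined on."""
    result = [(e, obj.name) for e in obj.entries]
    if obj.inherit_from_parent and obj.parent is not None:
        result.extend(inherited_entries(obj.parent, 1))
    return result


def reset_child_entries(container: FsObject) -> int:
    """Model the 'Reset auditing entries on all child objects and enable
    propagation' option: clear explicit entries on every descendant and turn
    inheritance back on. Returns the number of descendants touched."""
    touched = 0
    for child in container.children:
        child.entries.clear()
        child.inherit_from_parent = True
        touched += 1 + reset_child_entries(child)
    return touched


def audited_access(obj: FsObject) -> List[str]:
    """Readable summary: 'principal:access:outcome (from <object>)'."""
    return [f"{e.principal}:{e.access}:{e.outcome} (from {src})"
            for e, src in effective_entries(obj)]


def build_sample_tree() -> FsObject:
    """Constructed tree: Projects\\Finance\\budget.xls and Projects\\Private."""
    projects = FsObject("Projects", True, entries=[
        AuditEntry("Everyone", "Delete", "Failed"),
        AuditEntry("Domain Admins", "Change Permissions", "Both", this_container_only=True),
    ])
    finance = projects.add(FsObject("Finance", True))
    finance.add(FsObject("budget.xls", False))
    projects.add(FsObject("Private", True, inherit_from_parent=False,
                          entries=[AuditEntry("HR", "Take Ownership", "Successful")]))
    return projects


if __name__ == "__main__":
    root = build_sample_tree()
    finance, private = root.children
    for node in (finance, finance.children[0], private):
        print(node.name, "->", audited_access(node))
    print("reset touched", reset_child_entries(root), "objects")
    print("Private ->", audited_access(private))
```

Walking the sample tree shows the two points that usually surprise people: budget.xls inherits the Delete entry but not the "Change Permissions" entry, because that entry was marked "within this container only" and the file sits two levels down; and Private, which has inheritance switched off, audits only its own HR entry until the reset option clears it and re-enables propagation.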
Close the object’s property sheets when you’ve finished defining the audit policy for the object. Auditing will begin immediately.
Examining the Audit Reports
As explained previously, Windows 2000 records audited events to the Windows 2000 Security log. You can use the Event Viewer console snap-in to view the event logs, save logs as log files for future viewing, and save the logs in either tab- or comma-delimited formats.
Using the Event Viewer
You can use the Event Viewer console snap-in to view and manage the event logs. In addition to the Security log, you can manage the Application and System logs, as well as any additional logs created by Windows 2000 services or applications. By default, the Event Viewer displays the logs dynamically, meaning new events are added to a log as you’re viewing it. You also can save a log to disk to use as a benchmark or simply to archive a log before clearing it. Figure 19-5 shows the Security log in the Event Viewer.
Figure 19-5: You can browse the Security log (and others) using the Event Viewer.
Cross-Reference: For detailed information on the Event Viewer console snap-in, including how to save logs and configure log behavior, see Chapter 5.
Using Other Tools
The Event Viewer provides the means through which you configure the event logs as well as view them. Because you can save a log to a text file, however, you can use other applications to view a log. For example, you might save a log to a comma-delimited file so you can import the file into Microsoft Access or another database application to create a database you can easily organize by event ID, source, and so on. Or, you might export the data to a text file and import it into a word processor to create a report. Just make sure you pick an application that can import tab- or comma-delimited files, and export the log files in the appropriate format. See also Chapter 20 for information on using the Alert services of the Performance Logs and Alerts console.
A handful of other third-party tools exist for viewing a system’s log files. One in particular worth considering is RippleTech’s LogCaster. Providing a mechanism to manage the event logs is just a small part of what LogCaster does. It not only provides a unified interface for viewing the event logs, but it also serves as an excellent warning system for administrators. LogCaster provides real-time monitoring of the event logs, services, TCP/IP devices, performance counters, and ASCII logs. It provides automatic delivery of alerts through a variety of mechanisms including paging, e-mail, ODBC, SNMP, and others. When a given event occurs, you can have LogCaster automatically notify you regardless of where you are. Whether you’re tracking system performance, want to be notified of audit events, or want to be warned of a possible system intrusion, you’ll find LogCaster an excellent resource. You can locate RippleTech on the Internet at www.rippletech.com.
Enabling Auditing
Although you could audit every event, doing so wouldn’t be practical because you’d place an undue load on the system and either end up with an enormous log file or spend all your time worrying about archiving the logs. The following sections examine some specific situations and how you might employ auditing.
Leaving Auditing Off
The first option is to leave auditing off altogether, and this is not a bad option in some situations. If you’re not concerned with security, there’s no real reason to enable or perform auditing. Turning off auditing reduces system overhead and helps simplify log management. However, most organizations will or should be concerned with security at least to some degree, so this option might not fit your needs.
Turning All Auditing On
At the other end of the auditing spectrum is complete auditing. If you’re very concerned about security or shooting for C2 security certification, this might be an option. However, bear in mind that your system will probably generate a huge number of events requiring very active management of the security log. As an alternative to full logging, consider logging only failure events and not success events.
Auditing Problem Users
Certain users, for one reason or another, can become an administrator’s worst nightmare. In some cases, it’s through no fault of the user, but is instead due to problems with the user’s profile, account, and so on. In other cases, the user can be at fault, frequently using the wrong password, incorrectly typing the account name, trying to log on during periods when they are not allowed to, or even trying to access resources for which they have no permissions (or need). In these situations, you’ll want to monitor events associated with the given user and might even need to retain the information for counseling or termination purposes.
Which types of events you audit for a given user or group depends on the problem area. For example, audit account logon events if the user has trouble logging on or attempts to log on during unauthorized hours. Track object access to determine when a user or group is attempting to access a given resource such as a folder or file. Tailor other auditing to specific tasks and events generated by the user or group.
Auditing Administrators
Auditing administrators is a good idea, not only to keep track of what administrators are doing, but also to detect unauthorized use of administrative privileges. Keep in mind, however, that auditing impacts system performance. In particular, you should consider auditing account logon events, account management, policy change, and privilege use of an administrator only if you suspect an individual. Rather, control administrators by delegating through the wise use of groups and organizational units.
Auditing Critical Files and Folders
One very common use for auditing is to track access to important folders and files. In addition to tracking simple access, you probably will want to track when users make or attempt to make specific types of changes to the object such as Change Permissions and Take Ownership. This helps you monitor changes to a folder or file that could affect security.
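The case studies above (problem users, administrators, and critical files) all come down to the same workflow the "Using Other Tools" section describes: save the Security log as a tab- or comma-delimited file and let another program sort it by user, category, and outcome. The following is an added example, not code from the book or from Windows, that does that sorting. The column layout of the export (Date, Time, Source, Type, Category, Event, User, Computer) is an assumption about the Event Viewer save format, every row in SAMPLE_EXPORT is constructed for this example, and the function names are invented. The event IDs in the sample are the classic NT-family Security log IDs (528/529/530 for logon events, 560 for object open, 612 for audit policy change), included only to make the rows look realistic; the analysis keys on the Type and Category columns, not on the IDs.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample of a Security log saved from the Event Viewer as a
# comma-delimited file. The column layout is an assumption about that export
# format and every row is invented for this example.
SAMPLE_EXPORT = """\
Date,Time,Source,Type,Category,Event,User,Computer
3/14/2001,8:02:11 AM,Security,Failure Audit,Logon/Logoff,529,JSMITH,WS01
3/14/2001,8:02:25 AM,Security,Failure Audit,Logon/Logoff,529,JSMITH,WS01
3/14/2001,8:02:40 AM,Security,Failure Audit,Logon/Logoff,529,JSMITH,WS01
3/14/2001,8:03:01 AM,Security,Success Audit,Logon/Logoff,528,JSMITH,WS01
3/14/2001,8:10:05 AM,Security,Failure Audit,Logon/Logoff,530,TEMP1,WS02
3/14/2001,9:15:42 AM,Security,Failure Audit,Object Access,560,TEMP1,FS01
3/14/2001,9:16:03 AM,Security,Failure Audit,Object Access,560,TEMP1,FS01
3/14/2001,9:30:00 AM,Security,Success Audit,Policy Change,612,ADMIN,FS01
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read a tab- or comma-delimited Event Viewer export into dict rows.
    The delimiter is sniffed from the header line so either format works."""
    header = text.splitlines()[0] if text else ""
    delimiter = "\t" if "\t" in header else ","
    return list(csv.DictReader(StringIO(text), delimiter=delimiter))


def failures_by_user(rows: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count Failure Audit events per user, broken down by audit category."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        if r["Type"] == "Failure Audit":
            counts[r["User"]][r["Category"]] += 1
    return counts


def flag_problem_users(rows: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Users with at least `threshold` failures in a single category,
    highest count first (ties broken by user and category name)."""
    flagged = []
    for user, cats in failures_by_user(rows).items():
        for cat, n in cats.items():
            if n >= threshold:
                flagged.append((user, cat, n))
    return sorted(flagged, key=lambda t: (-t[2], t[0], t[1]))


def policy_change_actors(rows: List[Dict[str, str]]) -> List[str]:
    """Accounts that generated Policy Change events; these are the entries to
    review when auditing administrators."""
    return sorted({r["User"] for r in rows if r["Category"] == "Policy Change"})


def report(text: str, threshold: int = 3) -> str:
    """Text summary suitable for pasting into a word processor report."""
    rows = parse_export(text)
    lines = [f"{len(rows)} audit events"]
    for user, cat, n in flag_problem_users(rows, threshold):
        lines.append(f"{user}: {n} failed {cat} events")
    for user in policy_change_actors(rows):
        lines.append(f"{user}: changed audit or rights policy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT, threshold=2))
```

Because the export carries only the Type and Category columns as plain text, the same script runs unchanged against an export you saved with tab delimiters; lowering the threshold to 2 surfaces TEMP1's repeated failed object access on FS01 alongside JSMITH's run of failed logons, which is the kind of pattern the "Auditing Problem Users" and "Auditing Critical Files and Folders" sections suggest watching for.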
Auditing enables you to monitor events associated with specific users, groups, services, and so on. These events are recorded to the Security log. The ability to monitor these events is not only useful for troubleshooting, but also is an important tool for monitoring and managing security. You can keep tabs on the actions of specific users or groups and monitor attempts at unauthorized access to the system or its resources.
Configuring auditing for most types of events is a one-step process. You configure the policy for Success, Failure, or both in the local or group security policy under Security Settings\Local Policies\Audit Policy. Configuring auditing of object access, such as monitoring access to folders/files, printers, or the registry, requires the additional step of configuring auditing on each object to be monitored.