Active Directory Auditing
Willa Reyes

Posted on 12-Jul-2015

Page 1: Active Directory Auditing

Active Directory Auditing

Willa Reyes

Page 2: Active Directory Auditing

Introduction

When talking about effective access control to Active Directory objects and resources, auditing is another important aspect of controlling access and improving security. It requires organized planning of what to audit and where to configure the audit settings, in policies and in permissions. When auditing a network, an administrator also has to consider how to collect and analyze the data, and where to store the collected data, since this can affect system performance.

Page 3: Active Directory Auditing

What is Auditing?

Auditing is the process of recording deviations from a security policy. It is extremely important for any business network, because audit logs provide an indication of security breaches by recording changes to file permissions, installation of programs, and escalation of privileges.

Page 4: Active Directory Auditing

How does auditing work?

Whenever a user performs a certain action on the computer, an event is generated and written to the event log, where it can be viewed in the Event Viewer.

Page 5: Active Directory Auditing

Where to find the Event Viewer?

Page 6: Active Directory Auditing

Importance of Auditing

Establishing an audit policy is an important feature of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

Advantages

o Allows you to target specific activities

o Reducing the auditing options to just what you need will reduce the load on the computer, allowing it to provide more resources to other activities

Disadvantages

o Auditing data can accumulate quickly and can fill up available disk space

o Difficult to determine what events occurred during a security incident if audit settings are not configured properly

Page 7: Active Directory Auditing

Audit Policy Settings

Success. An audit event is generated when the requested action succeeds.

Failure. An audit event is generated when the requested action fails.

Not defined. No audit event is generated for the associated action.

Where to Find Audit Policy

Start Menu > Administrative Tools > GPME > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Page 8: Active Directory Auditing

Audit Events

Audit Policy Setting           Setting Description                                              WinSrv 2008 R2 / XP or Vista Setting
1. Account Logon               Authentication/validation (username/password)                    success
2. Account Management          Changes to accounts / password resets                            success
3. Directory Service Access    Changes to Active Directory accounts                             success
4. Logon events                Logins or connections are made                                   success
5. Object Access               Non-Active Directory objects (files/folders)                     none
6. Policy Change               User-rights assignment, auditing, account and trust policies     success
7. Privilege Use               Taking ownership                                                 none
8. Process tracking            Process creation, termination                                    none
9. System Events               Boot-up, shutdown, time changes                                  success
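The table above gives one Success/None value per legacy audit category. The script below is an added example, not part of the slides, that encodes those values and applies them with auditpol.exe, the built-in Windows audit policy tool. It uses auditpol's own category names, which differ slightly from the slide's wording (for instance "Logon events" is "Logon/Logoff" and "Process tracking" is "Detailed Tracking"); the function and variable names are this example's own.

```powershell
# Added example (not from the slides): apply the slide's per-category
# Success/None audit settings with auditpol.exe. Run from an elevated
# PowerShell prompt on a test machine first; GPO-managed settings are
# reapplied at the next policy refresh and will overwrite local changes.

# Category names are auditpol's legacy category names; the comments carry
# the slide's wording for each row.
$RecommendedAuditPolicy = [ordered]@{
    'Account Logon'      = 'Success'   # authentication/validation
    'Account Management' = 'Success'   # account changes, password resets
    'DS Access'          = 'Success'   # Directory Service Access
    'Logon/Logoff'       = 'Success'   # logon events
    'Object Access'      = 'None'      # files/folders (also needs SACLs)
    'Policy Change'      = 'Success'   # user rights, audit and trust policy
    'Privilege Use'      = 'None'      # e.g. taking ownership
    'Detailed Tracking'  = 'None'      # process creation/termination
    'System'             = 'Success'   # boot-up, shutdown, time changes
}

function Set-AuditCategory {
    # Translate Success / Failure / Both / None into auditpol's
    # /success:enable|disable and /failure:enable|disable switches.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Category,
        [Parameter(Mandatory)]
        [ValidateSet('Success', 'Failure', 'Both', 'None')][string]$Setting
    )
    $success = if ($Setting -in 'Success', 'Both') { 'enable' } else { 'disable' }
    $failure = if ($Setting -in 'Failure', 'Both') { 'enable' } else { 'disable' }
    $cmdArgs = @('/set', "/category:$Category", "/success:$success", "/failure:$failure")

    # -WhatIf shows the auditpol command line without running it.
    if ($PSCmdlet.ShouldProcess($Category, "auditpol.exe $($cmdArgs -join ' ')")) {
        & auditpol.exe @cmdArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol.exe failed for category '$Category' (exit code $LASTEXITCODE)"
        }
    }
}

function Set-RecommendedAuditPolicy {
    # Apply every row of the table; -WhatIf is propagated to Set-AuditCategory.
    [CmdletBinding(SupportsShouldProcess)]
    param([System.Collections.IDictionary]$Policy = $RecommendedAuditPolicy)
    foreach ($entry in $Policy.GetEnumerator()) {
        Set-AuditCategory -Category $entry.Key -Setting $entry.Value
    }
}

function Get-EffectiveAuditPolicy {
    # Read back the effective per-subcategory policy. auditpol's /r switch
    # emits a CSV report, which ConvertFrom-Csv turns into objects.
    auditpol.exe /get /category:* /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Dry run first, then apply and verify:
Set-RecommendedAuditPolicy -WhatIf
# Set-RecommendedAuditPolicy
# Get-EffectiveAuditPolicy | Format-Table -AutoSize
```

auditpol.exe writes the advanced (per-subcategory) audit policy. When the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the subcategory settings take precedence over the nine legacy categories reachable through the Local Policies > Audit Policy path on page 7, so check which of the two you are actually managing before reading the results of Get-EffectiveAuditPolicy.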

Page 9: Active Directory Auditing

Audit Events

Directory Service Access: configured through the SACL (system access control list) on the directory object


Page 11: Active Directory Auditing

Audit Events

Sample policy: Object Access (files/folders)

Enable setting: success, failure, or both
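Both Directory Service Access (page 9) and Object Access (page 11) only produce events for objects that carry a matching audit entry in their SACL; turning the category on is not enough. The script below is an added example, not part of the slides, that adds a Success+Failure audit entry to an Active Directory OU and to an NTFS folder. The OU distinguished name, folder path and principal are placeholders, and the function names are this example's own; it assumes the ActiveDirectory module (RSAT) for the AD: drive and an elevated prompt, since writing a SACL needs the SeSecurityPrivilege right.

```powershell
# Added example (not from the slides): write audit entries (SACLs) so that
# Directory Service Access and Object Access auditing generate events.
# Placeholders: the OU distinguished name, the folder path and the principal.
Import-Module ActiveDirectory -ErrorAction Stop

function Add-AdObjectAuditRule {
    # Audit writes to attributes, DACL and owner on an AD object and its children.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,   # placeholder, e.g. 'OU=Servers,DC=example,DC=test'
        [string]$Identity = 'Everyone',
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'WriteProperty, WriteDacl, WriteOwner',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    $path     = "AD:\$DistinguishedName"
    $acl      = Get-Acl -Path $path -Audit          # -Audit fetches the SACL as well as the DACL
    $who      = [System.Security.Principal.NTAccount]$Identity
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $rule     = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($who, $Rights, $Flags, $inherit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Add-FolderAuditRule {
    # Audit the file operations that matter for the Object Access policy on
    # page 11: changes to content, permissions and ownership, and deletion.
    param(
        [Parameter(Mandatory)][string]$Path,   # placeholder, e.g. 'D:\Shares\Finance'
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    $acl       = Get-Acl -Path $Path -Audit
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule      = [System.Security.AccessControl.FileSystemAuditRule]::new($Identity, $Rights, $inherit, $propagate, $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditRules {
    # List the audit entries (explicit and inherited) now present on a path.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Usage (placeholders):
# Add-AdObjectAuditRule -DistinguishedName 'OU=Servers,DC=example,DC=test'
# Add-FolderAuditRule   -Path 'D:\Shares\Finance'
# Get-AuditRules        -Path 'D:\Shares\Finance' | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

Auditing "Everyone" for Success on a busy share is exactly how the "auditing data can accumulate quickly" disadvantage on page 6 materialises, so in practice the principal and rights are narrowed to the operations the policy is meant to catch, and the Security log size is checked after the entry has been in place for a day.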


Page 13: Active Directory Auditing

Audit Events

Sample log for User privileges
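Page 4 explains that each audited action becomes an event in the Event Viewer, and this slide shows a sample log for user privileges. The script below is an added example, not part of the slides, that reads those events from the Security log with Get-WinEvent, counts them per event ID for the categories the table on page 8 enables, lists the most recent privilege-use entries, and reports how full the Security log is (the disk-space disadvantage from page 6). The event IDs are standard Windows Security-log IDs; the function names and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the slides): summarise recent Security-log events
# for the audit categories in the slide table, and check log capacity.
# Reading the Security log requires an elevated prompt or membership in
# the Event Log Readers group.

# Standard Windows Security-log event IDs, labelled with the slide's categories.
$AuditEventIds = @{
    4624 = 'Logon events: successful logon'
    4625 = 'Logon events: failed logon'
    4720 = 'Account Management: user account created'
    4724 = 'Account Management: password reset attempted'
    4728 = 'Account Management: member added to global security group'
    4662 = 'Directory Service Access: operation performed on an AD object'
    4672 = 'Privilege Use: special privileges assigned to new logon'
    4719 = 'Policy Change: system audit policy was changed'
}

function Get-AuditSummary {
    # Count events per ID over the last $Hours hours, newest occurrence included.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'Security'
        Id        = @($AuditEventIds.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id      = $id
            Meaning = $AuditEventIds[$id]
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Count -Descending
}

function Get-RecentPrivilegeEvents {
    # The slide's "sample log for user privileges": who was granted special
    # privileges at logon (event 4672) and which ones. Property positions
    # follow the event's XML layout: [1] account name, [2] domain, [4] privilege list.
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                Privileges = ($_.Properties[4].Value -split '\s+' | Where-Object { $_ }) -join ', '
            }
        }
}

function Get-SecurityLogUsage {
    # How much of the configured Security log size is in use, and what
    # happens when it fills (Circular = oldest events are overwritten).
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB     = [math]::Round($log.FileSize / 1MB, 1)
        PercentUsed   = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        RecordCount   = $log.RecordCount
        RetentionMode = $log.LogMode
    }
}

Get-AuditSummary            | Format-Table -AutoSize
Get-RecentPrivilegeEvents   | Format-Table -AutoSize
Get-SecurityLogUsage        | Format-List
```

An empty row for a category that the policy enables (for example no 4662 events on a domain controller after Directory Service Access was switched on) usually means the SACL on the objects of interest is missing rather than that nothing happened, which is the "audit settings not configured properly" failure mode from page 6; a PercentUsed value near 100 with Circular retention means the oldest evidence is already being overwritten.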


Page 15: Active Directory Auditing

Conclusion

(Say in front)

Page 16: Active Directory Auditing
Page 17: Active Directory Auditing