Active Directory 2008: Group Policy Auditing Facts…

In Windows, auditing is the recording of system events and other system changes. When you enable auditing, the system automatically makes a record when events of interest occur. Auditing is enabled by configuring audit policies, either on a local system or through Group Policy. An audit policy is either enabled or disabled. When it is enabled, you must specify what type of events to log.

  • Audit Success to identify who has gained access or who was able to exercise a right or privilege.
  • Audit Failure to identify patterns of attempted access.

The following table describes the nine audit policies configurable through Group Policy.

Audit category: trigger event(s)

Account logon
Account logon auditing tracks when a user account is used to authenticate to a computer. For account logon auditing, an audit event is generated on the system where the user account exists.

  • When a local user account is used, the local computer records the logon event.
  • When a domain user account is used, the domain controller records the logon event.

For example, when a user authenticates to a domain, an account logon event is recorded on the domain controller but not on the local computer. If a user logs on using a local computer account, an account logon event is recorded on the local computer.

Account management
Account management auditing tracks changes to user accounts, including:

  • Create
  • Rename
  • Disable/enable
  • Delete
  • Change the password

Directory service access
Directory service access auditing tracks changes to Active Directory objects. The audit directory service access policy is divided into four subcategories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

Note: In addition to enabling auditing in the audit policy, you must configure auditing on the specific objects you want to track.

Logon
Logon auditing tracks logon or logoff on the local system, or when a network connection is made to a system. For logon auditing, an audit event is recorded in the audit log of the local system, regardless of the type of user account used. For example, when a user logs on to a computer using a domain account, a logon event is recorded on the local workstation, while an account logon event is recorded on the domain controller.

Object access
Object access auditing tracks access to files, folders, or printers. It can also be used to audit actions taken by a certificate authority or access to specific registry or IIS metabase settings. For file auditing to occur, the files must be on NTFS partitions.

Note: In addition to enabling auditing in the audit policy, you must configure auditing on the specific objects you want to track.

Policy change
Policy change auditing tracks changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies.

Privilege use
Privilege use auditing tracks the following actions:

  • A user exercises a user right.
  • An administrator takes ownership of an object.

Process tracking
Process tracking auditing records actions taken by applications. Process tracking auditing is used mainly for program debugging and tracking.

System
System events auditing tracks system shutdown, restart, or the starting of system services. It also tracks events that affect security or the security log.
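The Object access row above says that the audit policy alone produces no file events: the NTFS folder also needs an audit entry (SACL). The following PowerShell is an added example, not part of the original post, showing both steps for a folder. It assumes an elevated session on the machine that holds the folder, and the folder path C:\SensitiveData is a placeholder.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session and that the folder below exists on an NTFS volume.
$folder = 'C:\SensitiveData'   # assumed path, replace with a real folder

# Step 1: enable Object Access auditing for the File System subcategory,
# for both success and failure, which is the Object Access category
# described in the table above.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) to the folder. Without this entry the
# policy in step 1 records nothing for the folder. Here reads, writes and
# deletes by any authenticated user are recorded, and the entry is inherited
# by files and subfolders.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: show the effective policy for the subcategory and the SACL that
# was just written. Resulting entries appear in the Event Viewer Security log.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags -AutoSize
```

Writing a SACL requires the Manage auditing and security log user right, which is why the session must be elevated; Set-Acl fails with an access-denied error otherwise, even for a user who owns the folder.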

Be aware of the following when configuring auditing:

  • With both Directory Service Access and Object Access auditing, configuring auditing requires two steps:
    1. Enable auditing in the local security policy or Group Policy.
    2. Configure auditing on the specific objects. For example, you might edit the System Access Control List (SACL) of the Active Directory object or the NTFS file or folder to identify the users or groups and the actions to track. For CA auditing, identify the specific CA actions to track in the CA properties.
  • New with Windows Server 2008, Directory Service Access auditing uses four subcategories. Audit Directory Service Access to record when changes occur to an object; audit Directory Service Changes to record the old and new values when a change is made to an object.
  • When you enable Directory Service Access auditing, auditing for all four subcategories is enabled. To enable auditing for individual subcategories, use the Auditpol /set /subcategory command. (Note: In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated with Group Policy.)
  • View audit entries in the Event Viewer Security log.
  • When Directory Service Access auditing is used together with the Directory Service Changes subcategory, the following event IDs are recorded when a change is made to an Active Directory object:

    Event ID  Event action  Description
    5136      Modify        Logged when a successful modification is made to an attribute in the directory
    5137      Create        Logged when a new object is created in the directory
    5138      Undelete      Logged when an object is undeleted in the directory
    5139      Move          Logged when an object is moved within the domain
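The list above describes enabling a single subcategory with Auditpol, editing the SACL of an Active Directory object, and the four event IDs that result. The PowerShell below is an added example that is not part of the original post and carries those steps through for one OU. It assumes an elevated session on a domain controller running Windows Server 2008 R2 or later with the ActiveDirectory module (which provides the AD: drive), and the OU distinguished name OU=Finance,DC=example,DC=com is a placeholder.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# domain controller with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$ouDn = 'OU=Finance,DC=example,DC=com'   # assumed DN, replace with a real OU
$path = "AD:\$ouDn"

# Step 1: enable only the Directory Service Changes subcategory, so old and
# new attribute values are logged without turning on the other three
# subcategories that enabling the whole category would switch on.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Step 2: add an audit entry to the OU's SACL. Property writes by Everyone
# (SID S-1-1-0) are recorded, and the entry is inherited by objects under
# the OU. Without this step the policy from step 1 records nothing here.
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Step 3: after making a test change under the OU (for example editing a
# user's description), read the four directory service change events from
# the Security log and label each with the action from the table above.
$actions = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 } -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{ n = 'Action'; e = { $actions[[int]$_.Id] } },
        Message
```

A modification produces two 5136 events, one for the value removed and one for the value added, which is how the old and new values the list mentions are exposed; the Message field of each event names the attribute and the value.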
