Let's look at the auditing system in Windows Server 2008. What are the characteristics? How do you set it up?
Let's start with what auditing is.
Auditing keeps a record of things that have been modified in Active Directory.
Characteristics of the Auditing System:
Windows Server 2008 makes auditing easier and more comprehensive with the following characteristics:
1. Global Object Access Auditing: By configuring Global Object Access Auditing policy settings, administrators can define system access control lists (SACLs) for the registry or the file system on a computer. Once configured, the SACL is applied to every object of that type, so individual objects do not need to be configured one by one.
2. Reason for access auditing: Access to an object is allowed or denied according to the access control entries (ACEs) that apply to it, and the audit event records this 'reason for access' list of ACEs. Administrators can therefore easily identify which access control entry allowed or denied access to a particular object.
3. Advanced Audit Policy Configuration: AD administrators can configure 53 audit policy settings through domain Group Policy to perform more effective and simpler auditing. Broadly, administrators can audit events related to:
Setting Up Auditing System in Windows Server
To implement the Auditing System, we configure controls in the following two places:
1. Global Audit Policy: In Server 2008 the Global Audit Policy is not on by default and must be enabled.
Step 1. Go to Start, Administrative Tools, and then click on Group Policy Management.
Step 2. Navigate down through your Forest to Domains, then Domain Controllers, and left-click on Default Domain Controllers Policy. You will get a warning that changes here will affect every other location the GPO is linked to. Click Ok.
Step 3. Right-click on Default Domain Controllers Policy and then left-click on Edit…
Step 4. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy
Step 5. Right click on Audit Directory Service Access, and then click Properties.
Step 6. Select Define these policy settings and then select Success. Click on Apply and then Ok.
That's it. Auditing has been set up using the Graphical User Interface (GUI).
To enable it from the command prompt instead, enter the following command:
auditpol /set /subcategory:"directory service changes" /success:enable
2. System Access Control List (SACL): The SACLs do most of the work in determining what gets audited and what doesn't.
Step 1. Open Active Directory Users and Computers.
Step 2. Click on View and make sure that Advanced Features is enabled. If not, left-click on it to place a check next to it.
Step 3. Right-click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.
Step 4. In the Properties window click on Security.
Step 5. Next click on Advanced.
Step 6. Click the Auditing tab, then click Add.
Step 7. Under Enter the object name to select:, type in Authenticated Users and click Ok.
Step 8. In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click Ok.
Step 9. Click Ok until you are out of any dialog boxes.
We have now enabled auditing in a SACL.
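The same two-part setup as a script, so the change is repeatable and can be verified after it runs. This is an added example, not code from the original answer; it assumes the ActiveDirectory PowerShell module in an elevated session on a domain controller, and it targets the built-in Users container (CN=Users) used in the walkthrough.

```powershell
# Added example (not from the original answer). Assumes: ActiveDirectory module,
# elevated session on a DC, and CN=Users as the audited container.
Import-Module ActiveDirectory

# --- 1. Global audit policy: the same subcategory the auditpol line above enables ---
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# Verify the setting actually took; auditpol prints the effective value.
auditpol /get /subcategory:"Directory Service Changes"

# --- 2. SACL: Authenticated Users, Write all properties, Success, Descendant User Objects ---
$domainDN = (Get-ADDomain).DistinguishedName
$targetDN = "CN=Users,$domainDN"            # container audited in the walkthrough
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# "Apply onto: Descendant User Objects" is expressed as the schemaIDGUID of the
# 'user' class; read it from the schema rather than hard-coding it.
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" `
                          -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

# S-1-5-11 is the well-known SID for NT AUTHORITY\Authenticated Users.
$identity = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,            # Write all properties
    [System.Security.AccessControl.AuditFlags]::Success,                        # Successful only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, # descendants only
    $userGuid                                                                   # ...of class user
)

# -Audit is required to read and write the SACL (needs SeSecurityPrivilege).
$acl = Get-Acl -Path "AD:\$targetDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$targetDN" -AclObject $acl

# Confirm the audit entry is present on the container.
(Get-Acl -Path "AD:\$targetDN" -Audit).Audit |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType
```

Both halves are needed: the SACL alone produces no events until the Directory Service Changes subcategory is enabled, and the policy alone records nothing without a SACL on the objects of interest.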