2. Introduction
When discussing effective access control for Active Directory objects and resources, auditing is another important aspect of controlling access and improving security. It requires organized planning of what to audit and where to configure the audit settings in policies and permissions. When auditing a network, an administrator also has to consider how to collect and analyze the data, and where to store the collected data, because that storage can affect system performance.
3. What is Auditing?
Auditing is the process of recording deviations from a security policy. It is extremely important for any business network, because audit logs provide an indication that a security breach has occurred by recording changes to file permissions, installation of programs, and escalation of privileges.
4. How does auditing work?
Whenever a user performs a certain action on the computer, an event is generated and logged in the Event Viewer.
6. Importance of Auditing
Establishing an audit policy is an important part of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
Advantages
o Allows you to target specific activities
o Reducing the auditing options to just what you need reduces the load on the computer, leaving more resources for other activities
Disadvantages
o Audit data can accumulate quickly and fill up the available disk space
o If the audit settings are not configured properly, it is difficult to determine which events occurred during a security incident
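The disk-space disadvantage can be measured rather than guessed at. The following PowerShell function is an added example, not part of the original slides: it reads the Security log's configured maximum size, how full it is, how many events per hour it is receiving, and how many hours of history the log currently retains. It assumes a Windows host on which the current user can read the Security log (local Administrators or the Event Log Readers group); the 7-day (168-hour) retention target is an assumed value, not one from the slides.

```powershell
# Added example, not part of the original slides. Assumes a Windows host on
# which the current user can read the Security log (local Administrators or
# the Event Log Readers group). The 168-hour retention target is an assumption.
function Get-SecurityLogCapacity {
    param([int]$MinimumRetentionHours = 168)

    # Log configuration plus runtime statistics (file size, record count, log mode).
    $log = Get-WinEvent -ListLog Security

    # The oldest and newest retained events bound the window the log currently covers.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $span   = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
    $hours  = [math]::Max($span, 1)   # guard against a nearly empty log

    [pscustomobject]@{
        LogMode        = $log.LogMode   # Circular: the oldest events are overwritten once the file is full
        MaximumSizeMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentSizeMB  = [math]::Round($log.FileSize / 1MB, 1)
        PercentFull    = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        RecordCount    = $log.RecordCount
        RetainedHours  = [math]::Round($hours, 1)
        EventsPerHour  = [math]::Round($log.RecordCount / $hours, 1)
        # A log that is not yet full is still growing its window, so only a full
        # circular log with too short a window counts as a retention failure.
        MeetsRetention = (-not $log.IsLogFull) -or ($hours -ge $MinimumRetentionHours)
    }
}

Get-SecurityLogCapacity | Format-List
```

EventsPerHour multiplied by the retention you need gives the number of events the log must hold; if that exceeds what MaximumSizeMB can store, either trim the audit categories (the "target specific activities" advantage above), raise the log size, or forward events to central storage before they are overwritten.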
7. Audit Policy Settings
Success. An audit event is generated when the requested action succeeds.
Failure. An audit event is generated when the requested action fails.
Not defined. No audit event is generated for the associated action.
Where to Find Audit Policy
Start Menu > Administrative Tools > GPME > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
8. Audit Events
Audit Policy Setting          Description                                                     WinSrv 2008 R2 / XP or Vista setting
1. Account Logon              Authentication/validation (username/password)                   success
2. Account Management         Changes to accounts / password resets                           success
3. Directory Service Access   Changes to Active Directory accounts                            success
4. Logon events               Logins or connections are made                                  success
5. Object Access              Non-Active Directory objects (files/folders)                    success
6. Policy Change              User-rights assignment, auditing, account and trust policies    success
7. Privilege Use              Taking ownership                                                none
8. Process tracking           Process creation, termination                                   none
9. System Events              Boot-up, shutdown, time changes                                 none
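The table above is a baseline, and the practical question is whether a given machine actually matches it. The following PowerShell script is an added example, not part of the original slides: it exports the local security policy with secedit.exe, reads the [Event Audit] section (where each of the nine legacy categories is stored as 0 = none, 1 = success, 2 = failure, 3 = both), and reports every category that drifts from the table's values. It assumes a Windows host with secedit.exe and an elevated session; the expected values are copied from the table, and the temporary file name is an arbitrary choice.

```powershell
# Added example, not part of the original slides. Assumes a Windows host with
# secedit.exe and an elevated PowerShell session (secedit /export needs admin).
# The expected values are copied from the audit events table.

# secedit stores each legacy category as a bitmask: 0 none, 1 success, 2 failure, 3 both.
$Decode = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }

# Baseline from the table: secedit key -> expected setting (table row in the comment).
$Baseline = [ordered]@{
    'AuditAccountLogon'    = 'Success'      # 1. Account Logon
    'AuditAccountManage'   = 'Success'      # 2. Account Management
    'AuditDSAccess'        = 'Success'      # 3. Directory Service Access
    'AuditLogonEvents'     = 'Success'      # 4. Logon events
    'AuditObjectAccess'    = 'Success'      # 5. Object Access
    'AuditPolicyChange'    = 'Success'      # 6. Policy Change
    'AuditPrivilegeUse'    = 'No auditing'  # 7. Privilege Use
    'AuditProcessTracking' = 'No auditing'  # 8. Process tracking
    'AuditSystemEvents'    = 'No auditing'  # 9. System Events
}

function Get-LegacyAuditPolicy {
    # Export only the SECURITYPOLICY area, which contains the [Event Audit] section.
    $inf = Join-Path $env:TEMP 'audit-policy-export.inf'   # temporary file name is arbitrary
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

    $current   = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Section header: only lines under [Event Audit] are audit settings.
            $inSection = ($Matches[1] -eq 'Event Audit')
            continue
        }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d)') {
            $current[$Matches[1]] = $Decode[[int]$Matches[2]]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $current
}

function Compare-AuditPolicy {
    param([hashtable]$Current, $Expected = $Baseline)
    foreach ($key in $Expected.Keys) {
        # A category absent from the export is "Not defined" in the sense used above.
        $actual = if ($Current.ContainsKey($key)) { $Current[$key] } else { 'Not defined' }
        [pscustomobject]@{
            Category = $key
            Expected = $Expected[$key]
            Actual   = $actual
            Status   = if ($actual -eq $Expected[$key]) { 'OK' } else { 'DRIFT' }
        }
    }
}

Compare-AuditPolicy -Current (Get-LegacyAuditPolicy) | Format-Table -AutoSize
```

One caveat for Windows Server 2008 R2 and later: when Advanced Audit Policy Configuration is in force, its per-subcategory settings override these nine legacy categories, and `auditpol /get /category:*` shows the effective values rather than the [Event Audit] section read here.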