98-367 Chapter Five

Chapter 5: Using Audit Policies and Network Auditing

Topics Covered:

  • Exploring audit policies
  • Enabling auditing
  • Viewing audit information
  • Managing security logs
  • Auditing a network with MBSA

Auditing: tracking/recording something. It could be activities or vulnerabilities.

Exploring Audit Policies

Three As of Security (AAA): Authentication, authorization, and accounting

Reliable accountability provides non-repudiation: prevents someone from denying they took an action.

Auditing can be enabled for both Success and Failure events.

Default Audit Policies

These audit settings are the default for all servers (setting: default behaviour; comments):

  • Object Access: No events recorded; records access to objects such as NTFS files and printers. Auditing must also be enabled on the object.
  • Logon: Successful events recorded; a user logs on locally or accesses a resource over the network.
  • Account Management: Successful events recorded; records creation, modification and deletion of user accounts and groups.
  • System Events: Successful events recorded if a domain controller; records when a user restarts or shuts down a system, and also any action that affects system security, such as the audit log.
  • Privilege Use: No events recorded; records the use of specific user rights, e.g. a user takes ownership of a file.
  • Policy Change: Successful events recorded if a domain controller; records changes to User Rights Assignment, Audit or Trust policies.
  • Process Tracking: No events recorded; records events such as program activation, process exit, etc.

Domain Controller Specific Audit Policies

  • Account Logon: Successful events recorded; a user authenticates to Active Directory.
  • Directory Service Access: Successful events recorded; records access to any Active Directory object (only works if auditing is also enabled on the object).

Logon vs Account Logon

Logon IS NOT THE SAME AS Account Logon. Account Logon is Active Directory authentication only. Logon covers local and any network logons.

Exploring Object Access Auditing

Object access auditing has to be enabled in two places to work:

  • Audit Policy
  • System Access Control List (SACL) for the object

Auditing can't be used on a FAT-based filesystem; it requires NTFS.

Exploring Directory Service Access Auditing

Directory Service Access auditing allows audit logging whenever any Active Directory object is accessed. The setting is
only available on domain controllers or Active Directory hosts, as they contain these databases.

This auditing, like Object Access auditing, must be turned on in two places: first in the audit policy setting, then
on the specific object to be audited.

Windows Server 2008 introduced a feature to log events in easier-to-interpret ways, such as listing accounts by name
rather than by GUID.

Understanding Account Management Auditing

Account management auditing tracks account modifications on a local system by monitoring the SAM account database.
If enabled on an Active Directory domain controller, it tracks changes to accounts in Active Directory.

Account management auditing can track changes to user accounts, groups and computer accounts (not in AD, local only to the SAM file).

Understanding System Events Auditing

System events such as shutdowns, reboots, etc. can be logged for audit. Many attackers will attempt to clear logs to
erase their tracks. The clearing of the log is itself entered as an event, so an admin will at least know if the log has been tampered with.
Logs should be regularly archived and cleared so an attacker cannot clear out all information. Event subscriptions forward events
from one server to another.

Unscheduled reboots should be investigated, as an attacker could use a bootable drive, etc. to access information they should not have.

Understanding Privilege Use Auditing

Privilege Use auditing records when users exercise specific rights. Many events that do require a privilege are not logged for
performance reasons (the log would fill up very quickly).

Understanding Policy Change Auditing

This type of auditing records changes to policies. Default on domain controllers is to record successful events.

Understanding Process Tracking

Records events related to applications and processes; can be useful for debugging. Not used by admins very much, but
developers may find it very useful.

Enabling Auditing

Enable local system auditing through Local Security Policy. For multi-system auditing, use Group Policy.

Enabling Object Access Auditing

Auditing can be enabled for any file or folder on an NTFS drive. First enable the policy, then enable auditing on the desired object.
Inheritance works the same for auditing as it does for permissions.
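The two-step enablement described above, as an added PowerShell example (not from the chapter); it assumes an elevated prompt, an NTFS volume, and the constructed sample path C:\Finance\Payroll:

```powershell
# Added example (not from the chapter). Enables Object Access auditing in both
# places the notes require: the audit policy and the folder's SACL.
# Run from an elevated PowerShell prompt on an NTFS volume.
# C:\Finance\Payroll is a constructed sample path.

$Folder = 'C:\Finance\Payroll'
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# 1. Audit Policy. auditpol.exe is built in to Windows. Since Server 2008 the
#    Object Access category is split into subcategories; "File System" is the
#    one that covers NTFS files and folders. Both Success and Failure are
#    enabled here so denied attempts are recorded too.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"      # confirm the effective setting

# 2. SACL on the object. Without this entry the policy above logs nothing
#    for this folder. The inheritance flags make the entry flow down to
#    subfolders and files, the same way a permission entry would.
$Identity  = 'Everyone'
$Rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$When      = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $Rights, $Inherit, $Propagate, $When)

# -Audit is needed to read, and later write, the SACL. This requires
# SeSecurityPrivilege, which members of Administrators hold.
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 3. Check the result. Each matching access now produces Security log events
#    4656 (handle requested) and 4663 (an attempt was made to access an object).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Running the same commands without the SACL step is the classic mistake the review question below is getting at: the policy is on, but the Security log stays empty for that folder.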

Enabling Directory Service Access Auditing

If enabled, you also need to enable auditing on specific objects in AD and select what should be audited.

Viewing Audit Information

The Security log can get quite large, so it is important to filter for specific events to find relevant information. Event ID lists are online,
as there are thousands of codes and it is difficult to remember them all.
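Filtering the Security log by event ID rather than reading it top to bottom, as an added example (not from the chapter). The event IDs are standard Windows Security log IDs; the 24-hour window and the Get-EventData helper name are my own choices:

```powershell
# Added example (not from the chapter). Filters the Security log for specific
# event IDs instead of scrolling through it. IDs used are standard Windows
# Security log IDs (Vista/Server 2008 and later):
#   4625 failed logon, 1102 audit log cleared.
# The 24-hour window is a constructed choice.

$Since = (Get-Date).AddHours(-24)

# Turn an event's EventData into a name -> value hashtable, so fields can be
# read by name rather than by fragile positional index.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Quick overview: which event IDs dominate the log in the window?
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. Failed logons: who, from where, and why. Status codes are hex NTSTATUS
#    values, e.g. 0xC000006D = unknown user name or bad password.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source = $d.IpAddress
            Status = $d.Status
        }
    } | Format-Table -AutoSize

# 3. Tamper indicator from the System Events section: the log was cleared.
#    Any hit here that does not line up with a scheduled archive job deserves a look.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

-ErrorAction SilentlyContinue is there because Get-WinEvent reports "No events were found" as an error when a filter matches nothing.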

Managing Security Logs

Maximum sizes should be set, and if logs need to be retained they should be archived. Settings such as overwrite as needed, archive when full
(do not overwrite), or do not overwrite (clear manually) define the behaviour. Events can be forwarded to other systems using event subscriptions,
which allows monitoring in a single place instead of reading logs on all computers independently.

Securing Audit Information

It is important that logs are kept/archived and not modified. Some ways to do this:

  • Create Backups
  • Store on another server
  • Store on WORM media (Write Once Read Many)
  • Protect logs with permissions
  • Enable Auditing on Archived files
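The log-management settings and the "keep it and don't let it be modified" measures from the two sections above, as one added PowerShell example (not from the chapter). It assumes it runs elevated as SYSTEM (for instance from a scheduled task, so the lockdown in step 4 does not block later runs); C:\LogArchive and 256 MB are constructed values:

```powershell
# Added example (not from the chapter). Sets Security log size and overflow
# behaviour, archives and clears it with a backup, fingerprints the archive,
# then locks the archive folder down. Intended to run elevated as SYSTEM.
# C:\LogArchive and the 256 MB size are constructed values.

$Archive = 'C:\LogArchive'
if (-not (Test-Path $Archive)) { New-Item -ItemType Directory -Path $Archive | Out-Null }

# 1. Maximum size and overflow behaviour (wevtutil.exe is built in to Windows).
#    The three behaviours from the notes map onto the retention/auto-backup flags:
#      overwrite as needed                 -> /rt:false
#      archive when full, do not overwrite -> /rt:true  /ab:true
#      do not overwrite, clear manually    -> /rt:true  /ab:false
wevtutil set-log Security /ms:268435456 /rt:true /ab:true
wevtutil get-log Security                     # confirm maxSize, retention, autoBackup

# 2. Archive and clear in one step. /bu writes a backup .evtx before clearing,
#    so nothing is lost between export and clear. The clear itself is logged
#    as event 1102 in the fresh log, which is how an unscheduled clear is spotted.
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$Backup = Join-Path $Archive "Security-$Stamp.evtx"
wevtutil clear-log Security "/bu:$Backup"

# 3. Record a SHA-256 fingerprint of each archived file. Copy the CSV to
#    another server or WORM media; a mismatch later means the copy changed.
Get-ChildItem -Path $Archive -Filter '*.evtx' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $Archive "hashes-$Stamp.csv") -NoTypeInformation

# 4. Protect the archive with permissions: drop inherited ACEs, let SYSTEM
#    (the account this job runs as, by assumption) write, and give
#    Administrators read-only access so archived logs cannot be edited casually.
icacls $Archive /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)RX'
```

An administrator can still take ownership and rewrite the ACL, which is exactly why the notes also list auditing the archived files and keeping a copy on another server or WORM media.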

Some industries may have very strict legal guidelines regarding logs.

Auditing a Network with MBSA

Microsoft Baseline Security Analyzer checks systems for unpatched vulnerabilities, weak passwords, administrative vulnerabilities,
SQL vulnerabilities and security updates. It can scan IP ranges, etc. to ensure all machines on the network are tested.

Chapter Review Questions:

  1. What are the three As (AAA) of security?
    a. Authentication, authorization and accounting
    b. Authentication, accountability and accounting
    c. Accountability, access control and accounting
    d. Authorization, access control and auditing

  2. True or false: If you want to audit all access to a folder, all you have to do is enable Object Access auditing in the Audit Policy.

  3. Which Audit Policy selection records any time a user logs onto a local system?
    a. Logon Events
    b. Account Logon Events
    c. System Events
    d. Process Tracking

  4. Which audit policy selection records modifications to Active Directory?
    a. Privilege Use
    b. Account Management Events
    c. Directory Service Access
    d. Policy Change

  5. If you want to ensure that an audit-log entry records each time a system is shut down, you should enable successful entries for _

  6. What tool can you use to view audited events?

  7. Which of the following choices can be used to automatically collect events on a single server from multiple servers?
    a. Process Tracking Events auditing
    b. MBSA
    c. Automatic archiving
    d. Event subscriptions

  8. True or false: You can secure audit logs with WORM media.

  9. Where can you get MBSA?

  10. True or false: MBSA can detect weak passwords for accounts on Microsoft systems.

Answers:

  1. a
  2. false
  3. a
  4. c
  5. System Events
  6. Event Viewer
  7. d
  8. true
  9. Microsoft Website
  10. true

Relevant sections of Certification Exam

Understanding Operating System Security, Understanding Audit Policies, Understanding Server Protection,