- Exploring audit policies
- Enabling auditing
- Viewing audit information
- Managing security logs
- Auditing a network with MBSA
Auditing: tracking/recording something. Could be activities or vulnerabilities.
Three As of Security (AAA): Authentication, authorization, and accounting
Reliable accountability provides non-repudiation: prevents someone from denying they took an action.
Auditing can be enabled for both Success and Failure events.
These audit settings are the defaults for all servers:

| Audit Policy Setting | Default Behaviour | Comments |
|---|---|---|
| Object Access | No events recorded | Records access to objects such as NTFS files and printers. Auditing must also be enabled on the object itself (its SACL). |
| Logon | Successful events recorded | A user logs on locally or accesses a resource over the network |
| Account Management | Successful events recorded | Records creation, modification and deletion of user accounts and groups |
| System Events | Successful events recorded if a domain controller | Records when a user restarts or shuts down a system, and any action that affects system security, such as clearing the audit log |
| Privilege Use | No events recorded | Records the use of specific user rights, e.g. a user takes ownership of a file |
| Policy Change | Successful events recorded if a domain controller | Records changes to User Rights Assignment, Audit or Trust policies |
| Process Tracking | No events recorded | Records events such as program activation and process exit |
| Account Logon | Successful events recorded | Records authentication to Active Directory |
| Directory Service Access | Successful events recorded | Records access to any Active Directory object (only works if auditing is also enabled on the object) |
Logon IS NOT THE SAME AS Account Logon: Account Logon covers Active Directory authentication only, while Logon covers local logons and any network logons.
Object access auditing has to be enabled in two places to work:
- Audit Policy
- System Access Control List (SACL) for the object
Auditing cannot be used on FAT-based filesystems; object auditing needs an NTFS volume.
Directory Service Access auditing logs an event whenever any Active Directory object is accessed. The setting is
only available on domain controllers or Active Directory hosts, as they contain the directory database.
Like Object Access auditing, it must be turned on in two places: first in the audit policy setting, then
on the specific object to be audited.
Windows Server 2008 introduced a feature that logs events in easier-to-interpret ways, such as listing accounts by name
rather than by GUID.
Account management auditing tracks account modifications on a local system by monitoring the SAM account database.
If enabled on an Active Directory domain controller, it tracks changes to accounts in Active Directory.
Account management auditing can track changes to user accounts, groups and computer accounts (outside AD this is local to the SAM file only).
System events such as shutdowns and reboots can be logged for audit. Many attackers will attempt to clear logs to
erase their tracks. The clearing of the log is itself entered as an event, so an admin will at least know the log has been tampered with.
Logs should be regularly archived and cleared so an attacker cannot wipe out all the information. Event subscriptions forward events
from one server to another.
Unscheduled reboots should be investigated, as an attacker could use a bootable drive or similar to access information they should not have.
Privilege Use auditing records when users exercise specific rights. Many events that do require a privilege are not logged, for
performance reasons (the log would fill up very quickly).
Policy Change auditing records changes to policies. The default on domain controllers is to record successful events.
Process Tracking auditing records events related to applications and processes, which can be good for debugging. Admins do not use it much, but
developers may find it very useful.
Enable local system auditing through Local Security Policy. For multi-system auditing, use Group Policy.
Auditing can be enabled for any file or folder on an NTFS drive. First enable the policy, then enable auditing on the desired object.
Inheritance works the same for auditing as it does for permissions.
If Directory Service Access auditing is enabled, you also need to enable auditing on the specific objects in AD and select what should be audited.
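The two-place requirement for file auditing (audit policy plus the object's SACL), as an added PowerShell example that is not part of the original notes. It assumes an elevated session and uses `C:\Shares\Finance` as a placeholder folder.

```powershell
# Added example: enable file-access auditing in both places the notes describe.
# Run in an elevated PowerShell; the folder path is an assumed placeholder.
$Folder = 'C:\Shares\Finance'

# 1. Audit policy. "File System" is the subcategory under the Object Access
#    category; enabling it alone records nothing until a SACL exists (step 2).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"     # confirm the policy took effect

# 2. SACL on the object. -Audit is required to read/write audit entries.
$Acl  = Get-Acl -Path $Folder -Audit
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone',                                    # identity to audit
    'Delete, DeleteSubdirectoriesAndFiles, Write', # rights that trigger an event
    'ContainerInherit, ObjectInherit',             # inherit to children, as with permissions
    'None',                                        # propagation flags
    'Success, Failure'                             # audit both outcomes
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 3. Verify the audit entry is now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```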
The Security log can get quite large, so it is important to filter for specific events to find relevant information. Event ID lists are online,
as there are thousands of codes and it is difficult to remember them all.
Maximum sizes should be set, and if logs need to be retained they should be archived. Settings such as "overwrite as needed", "archive when full"
or "do not overwrite, clear manually" define the behaviour when the log fills. Events can be forwarded to other systems using event subscriptions, which
allows monitoring in a single place instead of reading logs on every computer independently.
Important logs must be kept/archived and not modified. Some ways to do this:
- Create Backups
- Store on another server
- Store on WORM media (Write Once Read Many)
- Protect logs with permissions
- Enable Auditing on Archived files
Some industries may have very strict legal guidelines regarding logs.
Microsoft Baseline Security Analyzer (MBSA) checks systems for unpatched vulnerabilities, weak passwords, administrative vulnerabilities,
SQL vulnerabilities and missing security updates. It can scan IP ranges so that all machines on the network are tested.
What are the three As (AAA) of security?
a. Authentication, authorization and accounting
b. Authentication, accountability and accounting
c. Accountability, access control and accounting
d. Authorization, access control and auditing
True or false: If you want to audit all access to a folder, all you have to do is enable Object Access auditing in the Audit Policy.
Which Audit Policy selection records any time a user logs onto a local system?
a. Logon Events
b. Account Logon Events
c. System Events
d. Process Tracking
Which audit policy selection records modifications to Active Directory?
a. Privilege Use
b. Account Management Events
c. Directory Service Access
d. Policy Change
If you want to ensure that an audit-log entry records each time a system is shut down, you should enable successful entries for _
What tool can you use to view audited events?
Which of the following choices can be used to automatically collect events on a single server from multiple servers?
a. Process Tracking Events auditing
c. Automatic archiving
d. Event subscriptions
True or false: You can secure audit logs with WORM media.
Where can you get MBSA?
True or false: MBSA can detect weak passwords for accounts on Microsoft Systems
Answers to the fill-in questions:
- System Events
- Event Viewer
- Microsoft Website