active directory auditing

Post on 12-Jul-2015


ACTIVE DIRECTORY AUDITING

Willa Reyes

Introduction

When talking about effective access control over Active Directory objects and resources, auditing is another important aspect of controlling access and improving security. Alongside permissions, it requires organized planning: deciding what to audit, and where to configure the audit settings (in audit policy, and in the permissions of the objects themselves).

When auditing a network, an administrator also has to consider how the collected data will be gathered and analyzed, and where it will be stored, because the volume of audit data can affect system performance.

What is Auditing?

Auditing is the process of recording security-relevant events, including deviations from the security policy, and it is extremely important for any business network. Audit logs not only indicate that a security breach has occurred; by recording changes to file permissions, installation of programs and escalation of privileges, they also provide the trail needed to reconstruct what happened and who did it.

How auditing works?

Whenever a user performs an audited action on the computer, Windows generates an event and writes it to the Security log, which can be read in Event Viewer.

Where to find Event Viewer?

Start Menu > Administrative Tools > Event Viewer (or run eventvwr.msc). Audit events are under Windows Logs > Security.
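The same Security log can be read from PowerShell instead of the Event Viewer window. The following is an added example, not code from the original slides: it pulls recent audit events for a handful of common actions (the event IDs are Windows', the labels are this example's own) and flattens each event's XML data into named fields, so the subject and target accounts come out as columns rather than buried in message text. Reading the Security log requires an elevated prompt or membership in Event Log Readers.

```powershell
# Added example (not from the original slides): the PowerShell equivalent of
# Event Viewer > Windows Logs > Security. Run from an elevated prompt.

# Event IDs are Microsoft's; the descriptions are this example's own labels.
$interesting = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4672 = 'Special privileges assigned at logon'
    4688 = 'New process created'
    4719 = 'System audit policy changed'
}

# Flatten one event's <EventData> into a hashtable keyed by field name, so
# fields such as SubjectUserName can be read without parsing message text.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

# FilterHashtable is evaluated by the event log service itself, which is far
# faster than Get-WinEvent | Where-Object on a large Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = [int[]]$interesting.Keys
} -MaxEvents 200 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $interesting[$_.Id]
        Subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
        Target  = if ($f.TargetUserName) { "$($f.TargetDomainName)\$($f.TargetUserName)" } else { '' }
        Host    = $_.MachineName
    }
} | Format-Table -AutoSize
```

If an ID from the list never appears, check the audit policy first: an event is only written when the category or subcategory that produces it is enabled.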

Importance of Auditing

Establishing an audit policy is an important part of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

Advantages

o Allows you to target specific activities
o Reducing the auditing options to just what you need reduces the load on the computer, leaving more resources for other activities

Disadvantages

o Audit data can accumulate quickly and fill the available disk space; once the Security log reaches its maximum size it overwrites or stops recording older events, depending on the log's retention setting
o If audit settings are not configured properly, it is difficult to determine what happened during a security incident, because the events were never recorded

Audit Policy Settings

Each audit policy category can be set to:

Success. An audit event is generated when the requested action succeeds.
Failure. An audit event is generated when the requested action fails.
No auditing (neither box checked). No audit event is generated for the associated action.
Not defined. This GPO does not configure the setting; the local policy or another GPO applies.

Where to Find Audit Policy

Start Menu > Administrative Tools > Group Policy Management Editor (GPME) > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

These are the nine legacy categories. Windows 7 / Server 2008 R2 and later also have Security Settings > Advanced Audit Policy Configuration, which splits them into finer subcategories. When advanced subcategory settings are applied, the legacy category settings are ignored (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", enabled by default on those versions), so pick one of the two and do not mix them.
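The effective policy on a machine is easier to check with auditpol.exe than by reading GPOs, because it shows the result after all GPOs and local settings are merged. The following is an added example, not from the original slides: it lists the effective policy, finds subcategories that are switched off, enables two subcategories locally for a test, and confirms that the change itself was audited. auditpol.exe and Get-WinEvent are built into Windows; the backup file path is a placeholder. Run from an elevated prompt.

```powershell
# Added example (not from the original slides). Run elevated.

# 1. Effective policy on this machine, all categories and subcategories.
auditpol /get /category:*

# 2. Only the Directory Service subcategories (what the legacy
#    "Directory Service Access" category expands to in advanced audit policy).
auditpol /get /category:"DS Access"

# 3. /r emits CSV, which makes it easy to list everything that is off.
#    Column names are those auditpol writes in its CSV header.
auditpol /get /category:* /r |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 4. Back up the current policy before changing anything (restore with /restore).
auditpol /backup /file:C:\Temp\auditpol-before.csv   # placeholder path

# 5. Enable success and failure auditing for two subcategories locally.
#    A local auditpol change is overwritten at the next Group Policy refresh
#    if a GPO defines the same subcategory: use this to test, use GPO to deploy.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change"       /success:enable /failure:enable

# 6. Changing audit policy is itself audited: event 4719 records which
#    subcategory changed and who changed it. Confirm the change was logged.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

A 4719 event that you did not cause is worth treating as an alert in its own right: turning auditing off is a common first step before tampering, and event 1102 (audit log cleared) is the other one to watch for.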

Audit Events

Audit Policy Setting          Setting Description                                              Default (WinSrv 2008 R2 / XP or Vista)
1. Account Logon              Credential validation (username/password)                         Success
2. Account Management         Changes to accounts and groups, password resets                   Success
3. Directory Service Access   Access to Active Directory objects that carry a SACL              Success
4. Logon Events               Logons, logoffs and network connections                           Success
5. Object Access              Non-Active Directory objects (files, folders, registry keys)      None
6. Policy Change              User-rights assignment, audit, account and trust policies         Success
7. Privilege Use              Exercise of user rights, e.g. taking ownership                    None
8. Process Tracking           Process creation and termination                                  None
9. System Events              Startup, shutdown, time changes                                   Success

Directory service access: through SACL

Enabling the Directory Service Access category alone produces nothing. Events are generated only for Active Directory objects whose system access control list (SACL) contains an audit entry naming the principal and the type of access to record; the category setting decides whether Success, Failure or both of those SACL entries are honoured.
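Setting a SACL on a directory object is done through the object's security descriptor, the same way as the permissions (DACL) are. The following is an added example, not code from the original slides: it adds an audit entry to an OU so that writes, permission changes and deletions beneath it by anyone are recorded, shows the resulting SACL, and reads back the Directory Service Access events (ID 4662). The OU distinguished name is a placeholder; the example assumes the ActiveDirectory module (RSAT) is installed, and writing a SACL needs the "Manage auditing and security log" user right (SeSecurityPrivilege).

```powershell
# Added example (not from the original slides). Run elevated on a machine
# with the ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=Tier0,DC=corp,DC=example'     # placeholder OU
$path = "AD:\$ouDn"

# Audit Everyone (S-1-1-0) for changes, successful or failed, on the OU and
# everything beneath it. Auditing reads (GenericRead/ReadProperty) on a busy
# directory is rarely worth the volume; start with writes.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags, $inherit)

# -Audit is required to read the SACL part of the security descriptor;
# without it Get-Acl returns only the DACL and Set-Acl would not touch auditing.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# What is now audited on the object.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize

# The events this SACL produces. 4662 reports the object and an access mask;
# the Properties field lists the attribute/object GUIDs that were touched.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { if ($_.Name) { $d[$_.Name] = $_.'#text' } }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectType = $d.ObjectType
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
        }
    } | Format-Table -AutoSize
```

With the "Directory Service Changes" subcategory also enabled (see the auditpol example above under Audit Policy Settings), the same SACL additionally yields 5136/5137/5141 events that include the old and new attribute values, which is what you want for reconstructing a change rather than just knowing that one happened.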


Sample policy, Object Access: files/folders

Enable the setting for Success, Failure or both. As with directory objects, the policy only decides which kinds of attempt are eligible for recording; a file or folder generates events only if its own SACL has an audit entry for the principal and the access type.
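Putting the two halves together for a folder: the policy and the SACL. The following is an added example, not from the original slides: it enables the "File System" subcategory (the part of Object Access that covers files and folders), adds an audit entry to a folder for writes and deletions, then reads the Object Access events (ID 4663) and collapses the noisy per-handle records into a count of who did what to which file. The folder path is a placeholder; the access mask bits are the documented Windows file access rights. Run from an elevated prompt.

```powershell
# Added example (not from the original slides). Run elevated; the folder is a placeholder.
$folder = 'C:\Shares\Payroll'

# (1) Policy: without this, a SACL produces nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# (2) SACL: audit Everyone for modifications and deletions, success and failure,
#     inherited by files and subfolders. Auditing ReadData on a busy share is
#     usually too noisy; start with writes.
$identity = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# (3) Read the result. One file operation typically yields 4656 (handle
#     requested), one or more 4663 (access actually performed) and 4658
#     (handle closed). 4663 carries the access that happened, as a hex mask.
#     Bits below are the Windows file access rights (FILE_WRITE_DATA etc.).
$access = @{ 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x10000 = 'Delete'; 0x40000 = 'WriteDACL'; 0x80000 = 'WriteOwner' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { if ($_.Name) { $d[$_.Name] = $_.'#text' } }
        $mask = [int]$d.AccessMask          # e.g. "0x2" -> 2
        [pscustomobject]@{
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Access  = ($access.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $access[$_] }) -join ','
        }
    } |
    Where-Object { $_.Object -like "$folder*" } |
    Group-Object User, Object, Access |
    Select-Object Count, @{ n = 'User, Object, Access'; e = { $_.Name } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The grouping step is the practical point: a single "save" from an editor can produce a dozen 4663 events, so summarising by user, object and access type is what turns the raw log into something a person can review.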


Sample log for user privileges

Privilege Use events record when a user right is exercised; the Security log also records, at logon time, which sensitive privileges a session was given.
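The privilege entry most worth reading is event 4672, "Special privileges assigned to new logon", which is written for every logon that receives sensitive rights such as SeDebugPrivilege or SeBackupPrivilege. It names the account but not where the session came from, so it is usually joined to the matching 4624 logon event on the Logon ID. The following is an added example, not from the original slides: the privilege names and event fields are Windows', the "sensitive" selection and the logon-type labels are this example's own. Run from an elevated prompt.

```powershell
# Added example (not from the original slides). Run elevated.

# This example's own list of privileges that warrant a look.
$sensitive = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeTcbPrivilege',
             'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'

function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($e in $x.Event.EventData.Data) { if ($e.Name) { $d[$e.Name] = $e.'#text' } }
    $d
}

# Logon type codes as Windows records them in 4624.
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
                 '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

# Index recent 4624 logons by TargetLogonId so each 4672 can be joined directly.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventFields $_
        $logons[$d.TargetLogonId] = [pscustomobject]@{
            Type    = $logonTypes[$d.LogonType]
            From    = $d.IpAddress
            Process = $d.ProcessName
        }
    }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventFields $_
        # PrivilegeList is a whitespace-separated list of privilege names.
        $privs = $d.PrivilegeList -split '\s+' | Where-Object { $_ }
        $hits  = $privs | Where-Object { $sensitive -contains $_ }
        # SYSTEM (S-1-5-18) receives every privilege; skip it to see human and service logons.
        if ($d.SubjectUserSid -eq 'S-1-5-18' -or -not $hits) { return }
        $l = $logons[$d.SubjectLogonId]
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId   = $d.SubjectLogonId
            LogonType = if ($l) { $l.Type } else { 'n/a (4624 not in window)' }
            From      = if ($l) { $l.From } else { '' }
            Sensitive = $hits -join ','
        }
    } | Format-Table -AutoSize
```

A RemoteInteractive or Network logon for an ordinary user account that arrives with SeDebugPrivilege is the kind of row this view is meant to surface; the Logon ID lets you pull every other event from that session afterwards.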


Conclusion
