Security Audit in Windows 2000


Steve Riley

Do you know what happens on your servers: who is accessing them, what your users are doing, and why? Like most administrators, you probably do not. Would you like to? Windows 2000 provides a security audit facility that records a range of security-related events. You can use that information to build a picture of regular activity, detect and track suspicious events, and preserve legal evidence of a specific activity.

Audit events are recorded in the Security log, which you view in Event Viewer. Auditing is disabled by default, so you need to enable it. To do so you must have administrator rights on the computer (to enable auditing on a single computer) or on the domain (to enable it across the whole domain). Active Directory Group Policy lets you configure custom audit settings for different classes of computers.

Auditing a single computer

Go to Start | Programs | Administrative Tools and select Local Security Policy. This opens an MMC (Microsoft Management Console) view that displays the computer's local security settings. Go to Local Policies | Audit Policy to configure audit events.

There are nine types of events that can be audited. For each type, you can specify whether to audit successes, failures, or both.

  • Account logon events. Validation of an account (a check of its validity) for access to a computer over the network. These events are generated on the computer where the account is defined.
  • Account management. Creating, modifying, or deleting users and groups; changing passwords.
  • Directory service access. Access to Active Directory. Must be enabled to allow auditing of specific directory objects. Domain controllers only.
  • Logon events. Interactive logon to, or network connection to, the local computer. These events are generated on the computer where the logon occurs.
  • Object access. Must be enabled to allow auditing of specific objects.
  • Policy change. Changes to security policy, including privilege assignment, audit policy modification, and trust relationship modification.
  • Privilege use. Use of a specific right; assignment of a special privilege.
  • Process tracking. Detailed tracking of process creation, duplication of process handles, and process termination.
  • System events. Security-related events such as system shutdown and restart, and events that affect the Security log.

Configuring auditing requires some disk space on the computer. You can set the maximum size of the Security log (in KB) and the action to take when the log reaches that limit. In Event Viewer, right-click Security Log and select Properties. You will see:

  • Overwrite events as needed. When a new event is written, the oldest event is cleared from the log. This retains the most information while keeping the log within its maximum size.
  • Overwrite events older than X days. Events older than X days are cleared from the log. If the log is full but the oldest event has not yet expired, new events cannot be written. This setting is useful when you archive the log every X days; if you do not archive, it is useless and will cost you the latest events.
  • Do not overwrite events. Once the log is full, recording of audit events stops. You must clear the log manually.
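The same three retention choices can be read and set from a script. The following is an added example, not code from the original article. It assumes a later Windows version that ships PowerShell (Windows 2000 had none) and relies on the EventLog service's documented registry values for the Security log (MaxSize in bytes; Retention of 0 for overwrite as needed, 0xFFFFFFFF for never overwrite, or a number of seconds for overwrite older than X days). The weak and hardened settings at the end are assumptions chosen to illustrate the trade-off described above.

```powershell
# Added example, not from the original article: read and change the Security log's maximum size
# and retention mode from a script instead of the Event Viewer Properties dialog.
# Assumptions: a later Windows version that has PowerShell (Windows 2000 shipped none) and the
# EventLog service's documented registry values for the Security log:
#   MaxSize   - maximum log size in bytes (a multiple of 64 KB)
#   Retention - 0 = overwrite events as needed
#               0xFFFFFFFF = do not overwrite events (clear log manually)
#               any other value = overwrite events older than that many seconds
# Run from an elevated prompt; confirm the result in the Security log's Properties dialog.

$securityLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Get-SecurityLogPolicy {
    $p = Get-ItemProperty -Path $securityLogKey
    $retention = [int64]$p.Retention
    if ($retention -lt 0) { $retention += 4294967296 }   # REG_DWORD reads back as a signed Int32
    $mode = switch ($retention) {
        0          { 'Overwrite events as needed' }
        4294967295 { 'Do not overwrite events (clear log manually)' }
        default    { 'Overwrite events older than {0} days' -f [math]::Round($retention / 86400) }
    }
    [pscustomobject]@{ MaxSizeKB = [int]($p.MaxSize / 1KB); RetentionMode = $mode }
}

function Set-SecurityLogPolicy {
    param(
        [int]$MaxSizeKB,                    # rounded up to the next 64 KB boundary
        [ValidateSet('AsNeeded', 'OlderThanDays', 'Manual')][string]$Mode,
        [int]$Days = 7                      # only used with -Mode OlderThanDays
    )
    $bytes = [math]::Ceiling($MaxSizeKB / 64) * 64KB
    Set-ItemProperty -Path $securityLogKey -Name MaxSize -Value ([int]$bytes) -Type DWord
    $retention = switch ($Mode) {
        'AsNeeded'      { 0 }
        'OlderThanDays' { $Days * 86400 }
        'Manual'        { -1 }              # 0xFFFFFFFF written as a signed DWORD
    }
    Set-ItemProperty -Path $securityLogKey -Name Retention -Value ([int]$retention) -Type DWord
}

# Weak setting (assumed for illustration): a small log that overwrites as needed, so a burst of
# events pushes the evidence out of the log before anyone has archived it.
# Set-SecurityLogPolicy -MaxSizeKB 512 -Mode AsNeeded

# Hardened setting (assumed for illustration) for a server whose log is archived every week:
# a large log that keeps events for the archive interval and refuses new events once it is full.
# Set-SecurityLogPolicy -MaxSizeKB 65536 -Mode OlderThanDays -Days 7

Get-SecurityLogPolicy
```

The two Set-SecurityLogPolicy calls are commented out so that running the block only reports the current policy; uncomment one after deciding on an archive interval, because the older-than-X-days mode only protects you if the archive job really runs every X days.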

Archive Security Logs

Archiving logs matters for several reasons. If logs are stored on offline media, there is no need to keep large amounts of log data on the production server. The information in saved logs can be used to understand a computer's regular behavior. Offline logs also serve as legal evidence during an investigation and evidence collection; the information they contain helps track and establish the actions of intruders.

To archive the Security log, open Event Viewer, right-click Security Log, select Save Log File As, and enter the file path and file name. Ideally this is a network path to an internal server dedicated to log archiving. Be sure to save the file in .EVT (Event Log) format; that way the binary information in the event details is preserved.

Shutting down the server when the log is full

You can configure the server to crash (to a blue screen) when the log is full. This is a good idea for highly secure servers: in some cases it is better to stop providing a service than to provide it while audit events cannot be recorded. To configure this:

  1. In the Local Security Policy MMC, go to Local Policies | Security Options.
  2. Scroll to Shut down system immediately if unable to log security audits.
  3. Double-click it and select Enabled.

If this setting is configured, recover from a system crash as follows:

  1. Log on with the system's local Administrator account.
  2. Archive the log.
  3. Clear the log.
  4. Re-enable the option; it disables itself when the system crashes.
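Steps 2 to 4 of that recovery are easy to get out of order under pressure (clearing before the archive succeeded destroys the evidence). The following is an added example, not code from the original article, that scripts them in the right order. It assumes a later Windows version with PowerShell (Windows 2000 had none), the documented Lsa registry value CrashOnAuditFail (0 disabled, 1 enabled, 2 set by Windows itself after the crash, when only administrators may log on), and the Win32_NTEventLogFile WMI class for the archive and clear operations; the archive directory is a parameter you supply.

```powershell
# Added example, not from the original article: the "shut down when the log is full" setting and
# the recovery steps above, scripted so that the log is cleared only after it has been archived.
# Assumptions: a later Windows version with PowerShell (Windows 2000 shipped none) and the
# documented Lsa registry value
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
#   0 = disabled, 1 = enabled, 2 = the system crashed because auditing failed; Windows sets 2
#   itself after the crash and then lets only administrators log on.
# Run as a local administrator.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFail {
    $v = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    switch ([int]$v) {                      # a missing value reads as $null, which casts to 0
        1       { 'Enabled' }
        2       { 'Halted: auditing failed, only administrators may log on' }
        default { 'Disabled' }
    }
}

function Enable-CrashOnAuditFail {
    # Equivalent of enabling "Shut down system immediately if unable to log security audits"
    Set-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -Value 1 -Type DWord
}

function Restore-AfterAuditFailure {
    param([Parameter(Mandatory = $true)][string]$ArchiveDirectory)   # e.g. a share on the log server

    # Step 2: archive the Security log. The article recommends the binary .EVT format; later
    # Windows versions write the newer binary format, so use the .evtx extension there.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $ArchiveDirectory "$env:COMPUTERNAME-Security-$stamp.evt"
    $log = Get-WmiObject -Class Win32_NTEventLogFile -Filter "LogFileName='Security'" -EnableAllPrivileges
    $rc = $log.BackupEventLog($target).ReturnValue
    if ($rc -ne 0) { throw "Archiving the Security log failed (code $rc); the log was NOT cleared" }

    # Step 3: clear the log only now that the archive exists
    $rc = $log.ClearEventLog().ReturnValue
    if ($rc -ne 0) { throw "Clearing the Security log failed (code $rc)" }

    # Step 4: re-enable the option, which Windows left at 2 after the crash
    Enable-CrashOnAuditFail
    "Archived to $target; CrashOnAuditFail is now: $(Get-CrashOnAuditFail)"
}

Get-CrashOnAuditFail
# After a crash, as the local Administrator:
# Restore-AfterAuditFailure -ArchiveDirectory '\\LOGSERVER\audit-archive'   # placeholder share name
```

Reading the value back with Get-CrashOnAuditFail is also a quick way to spot a server that has been left in state 2 after a crash: it is still running, but it is no longer protected and is accepting only administrator logons.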

Other audit controls

Two other audit events can be configured, but not from the Audit Policy page. To audit the use of the backup and restore privileges:

  1. In the Local Security Policy MMC, go to Local Policies | Security Options.
  2. Scroll to Audit use of Backup and Restore privilege.
  3. Double-click it and select Enabled.

Audit privilege use must be enabled for this option to take effect.

To audit access to global system objects (mutexes, semaphores, and DOS devices):

  1. In the Local Security Policy MMC, go to Local Policies | Security Options.
  2. Scroll to Audit the access of global system objects.
  3. Double-click it and select Enabled.

Audit object access must be enabled for this option to take effect. In most environments there is no need to audit global system objects.

Audit Object Access

To audit access to a specific object, you must first enable the appropriate general setting in the audit policy: for Active Directory objects, the Directory Service Access policy; for files, folders, drives, printers, and registry keys, the Object Access policy. Once the policy is enabled, you can enable auditing on a specific object (usually from the object's property page).

Auditing files, folders, and drives. In Windows Explorer, browse to the file, folder, or drive you want to audit. Right-click the object and select Properties | Security | Advanced | Auditing. Click Add to select the user or group whose access you want to audit. The Auditing Entry dialog box lists the kinds of access you can audit. For folders and drives you can also specify the scope: this folder, subfolders, files, or a combination of these.

Auditing printers. Open the Printers folder and right-click the printer you want to audit. Select Properties | Security | Advanced | Auditing. Click Add to select the user or group whose access you want to audit. As with files and folders, the Auditing Entry dialog box lists the kinds of access that can be audited for success or failure.

Auditing the registry. Open the registry with Regedt32 and browse to the key you want to audit. Select Security | Permissions, then Advanced | Auditing. Click Add to select the user or group whose access you want to audit. As with files and folders, the Auditing Entry dialog box lists the kinds of access that can be audited for success or failure.

Auditing Active Directory. This applies only to domain controllers. Open Active Directory Users and Computers and browse to the directory object you want to audit. Right-click the object and select Properties | Security | Advanced | Auditing. Click Add to select the user or group whose access you want to audit. The Auditing Entry dialog box lists the kinds of access you can audit. Use the Apply onto field to set the scope.

Auditing the entire domain

You can apply an audit policy to the entire domain. On any domain controller, go to Start | Programs | Administrative Tools and select Domain Security Policy. This opens an MMC view showing the security settings for the domain.

Under Local Policies | Audit Policy you will see the same settings as on a computer's local settings page. Under Local Policies | Security Options you will also see the same additional audit settings (global system objects, backup and restore, and shutdown when the log is full). Settings configured here apply to every computer in the domain. Domain members do not receive new settings immediately: these are computer-level policy elements, which take effect at the next startup of the member computer.

The domain security policy has one more page to set. Under Event Log | Settings for Event Logs you can set the Security log size globally, allow or deny guest access to the log, configure log retention, and shut down when the log is full.

Custom domain auditing

You may want to audit servers and workstations differently. In that case, do not use the Domain Security Policy MMC to configure auditing; instead, use Group Policy in Active Directory to create custom audit configurations for each category of computer.

Organizational units (OUs) are the basis of this approach; you manage them in Active Directory Users and Computers. Then, for each OU, create a Group Policy object containing the audit events appropriate to that class of computer. The procedure is as follows:

  1. Right-click an OU.
  2. Select Group Policy.
  3. Click New, give the new Group Policy object a name, and then click Edit.
  4. Browse to Computer Configuration | Windows Settings | Security Settings.
  5. Under Local Policies | Audit Policy, Local Policies | Security Options, and Event Log | Settings for Event Logs, configure the audit events.

Finally, move your computers into the OUs. At their next startup, the computers receive the settings defined in the OU to which they belong.

Local policies and effective policies

Audit settings follow the standard Group Policy application rules. The order of application is:

  1. Local policy settings
  2. Site policy settings
  3. Domain Policy Settings
  4. Organizational Unit policy settings

By default, the site, domain, and OU policies are undefined, so the local policy on each computer (if any) is effective. However, if a policy element is defined at a higher level of the hierarchy and the Group Policy is configured so that it cannot be overridden locally, that definition replaces any lower-level definition. This means that although you can enable more or fewer audit events locally as you see fit, if a domain policy (for example) enables or disables a specific audit event, that setting takes precedence no matter how you define the local setting.

Audit plan

Deciding what to audit may be difficult at first. The following table lists some potential threats and the audit settings that help indicate whether a system is under such an attack.

Potential threat and the audit events that indicate it:

  • Random password guessing. Audit failed logon/logoff events.
  • Password theft. Audit successful logon/logoff events.
  • Misuse of privilege. Audit successful use of user rights, user and group management, security policy changes, and restart, shutdown, and system events.
  • Improper access to sensitive files. Audit successful and failed file access and object access events. Audit successful and failed read/write access by suspect users or groups to sensitive files.
  • Improper access to printers. Audit successful and failed file access and object access events for the printer. Audit successful and failed print access by suspect users or groups to the printer.
  • Virus attack. Audit successful and failed write access to program files (.EXE and .DLL) and to documents that may contain macros. Audit successful and failed process tracking.
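Enabling the events in the table only helps if someone actually looks at them. The following is an added example, not code from the original article, showing how the first two rows of the table (failed logons for password guessing, successful logons and privilege/policy events for misuse) can be turned into a small triage script. The events are constructed samples, not captured from a real system; the event IDs are the Windows 2000 Security log IDs (529 failed logon with a bad user name or password, 528 successful logon, 517 audit log cleared, 612 audit policy changed, 636 member added to a security-enabled local group), and the thresholds are assumptions to tune for your environment. On a live system with a later Windows version you would feed Get-EventLog -LogName Security output into the same functions.

```powershell
# Added example, not from the original article: triage Security log records against the
# "Audit plan" table. Sample events are constructed, not captured from a real system.
# Windows 2000 Security log event IDs used:
#   529 logon failure (unknown user name or bad password)   528 successful logon
#   517 audit log cleared   612 audit policy changed   636 member added to local group

function New-SampleEvent($Time, $Id, $Account, $Workstation) {
    [pscustomobject]@{ Time = [datetime]$Time; EventID = $Id; Account = $Account; Workstation = $Workstation }
}

$sampleEvents = @(
    # constructed: six failures for one account from one workstation inside three minutes,
    # then a success - the signature of a password guess that eventually worked
    New-SampleEvent '2001-03-05 02:10:03' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:10:41' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:11:15' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:11:50' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:12:27' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:13:02' 529 'administrator' 'WS17'
    New-SampleEvent '2001-03-05 02:14:40' 528 'administrator' 'WS17'
    # constructed: a single mistyped password during the working day, which should not alert
    New-SampleEvent '2001-03-05 09:00:00' 529 'jsmith' 'WS04'
    # constructed: log cleared, audit policy changed and a group membership change at midnight
    New-SampleEvent '2001-03-05 23:58:12' 517 'administrator' 'SRV01'
    New-SampleEvent '2001-03-06 00:01:30' 612 'administrator' 'SRV01'
    New-SampleEvent '2001-03-06 00:03:00' 636 'administrator' 'SRV01'
)

# "Random password guessing": Threshold failures for one account from one workstation
# within WindowMinutes. A success shortly after the burst makes the alert urgent.
function Find-PasswordGuessing {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)   # assumed thresholds
    $Events | Where-Object { $_.EventID -eq 529 } |
        Group-Object -Property Account, Workstation | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            foreach ($e in $sorted) {
                $limit = $e.Time.AddMinutes($WindowMinutes)
                $hits  = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -lt $limit })
                if ($hits.Count -ge $Threshold) {
                    $last    = $hits[-1].Time
                    $success = @($Events | Where-Object {
                        $_.EventID -eq 528 -and $_.Account -eq $e.Account -and
                        $_.Time -gt $last -and $_.Time -lt $last.AddMinutes($WindowMinutes) })
                    [pscustomobject]@{
                        Threat = 'Random password guessing'; Account = $e.Account
                        Workstation = $e.Workstation; Failures = $hits.Count
                        FirstSeen = $hits[0].Time; SucceededAfterwards = ($success.Count -gt 0)
                    }
                    break        # one alert per account/workstation pair
                }
            }
        }
}

# "Misuse of privilege": events that change what the audit trail can tell you, plus
# group membership changes, are worth a look every time.
function Find-AuditTampering {
    param([object[]]$Events)
    $names = @{ 517 = 'Audit log cleared'; 612 = 'Audit policy changed'; 636 = 'Member added to local group' }
    $Events | Where-Object { $names.ContainsKey([int]$_.EventID) } | ForEach-Object {
        [pscustomobject]@{
            Threat = 'Misuse of privilege'; What = $names[[int]$_.EventID]
            Account = $_.Account; Workstation = $_.Workstation; Time = $_.Time
        }
    }
}

Find-PasswordGuessing -Events $sampleEvents | Format-Table -AutoSize
Find-AuditTampering  -Events $sampleEvents | Format-Table -AutoSize
```

With the constructed sample, Find-PasswordGuessing reports one alert (administrator from WS17, six failures, succeeded afterwards) and stays silent about jsmith's single typo, while Find-AuditTampering lists the three SRV01 events. Event 517 deserves special attention: an attacker who clears the log removes the evidence of everything before it, which is exactly why the article recommends archiving to a separate server.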
