Keep track of what your system is doing -- it is one of the most important, but tedious, processes of good IT security management. Auditing, a process by which certain events that match some specified criteria trigger a log entry to the machine's event log, helps you take care of this critical management task. In this tip, I'll look at auditing and the event log and show you how to fine-tune each.
The many choices in Audit settings
Auditing controls and properties are modified through Group Policy Objects (GPOs) in Windows 2000, Windows XP and Windows Server 2003. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel.
Each policy setting specifies which type of event, and which result of it (success, failure or both), causes a log entry to be written to the event log. Here are the options for auditing policies:
- Audit account logon events: Writes an entry when domain users log on to the system
- Audit account management: Indicates when user accounts are added, modified or deleted
- Audit directory service access: Audits when queries and other communications with Active Directory are made
- Audit logon events: Writes an entry when local users log on to the system
- Audit object access: Indicates when certain files, folders and other system objects are opened, closed or otherwise "touched"
- Audit policy change: Audits when local policies (such as the Local Security Policy) and their associated objects are changed
- Audit privilege use: Writes an entry when users exercise privileges assigned to them (such as "Take Ownership")
- Audit process tracking: Tracks program activation, program exit and other events that programs cause
- Audit system events: Audits when a user restarts a computer or when events are written to the security log or otherwise affect system security
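The list above is what the Group Policy editor shows; the same nine settings are also written by secedit.exe into the [Event Audit] section of a security template when you export the local policy. The following script is an added example, not code from the original article: it exports the effective policy with secedit, parses that section and reports each setting under the name used above, so the machines that have a category set to "No auditing" stand out. It assumes an elevated shell (secedit /export needs administrative rights) and the key and value encoding that secedit uses (a bit mask where 1 = success and 2 = failure).

```powershell
# Added example (not from the original article): report the effective audit policy
# of the local machine in the same terms as the article's list of audit settings.
# Assumes secedit.exe is available (Windows 2000 and later) and an elevated shell.

$cfg = Join-Path $env:TEMP 'audit-export.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Map the [Event Audit] keys that secedit writes to the policy names in the article.
$names = @{
    'AuditAccountLogon'    = 'Audit account logon events'
    'AuditAccountManage'   = 'Audit account management'
    'AuditDSAccess'        = 'Audit directory service access'
    'AuditLogonEvents'     = 'Audit logon events'
    'AuditObjectAccess'    = 'Audit object access'
    'AuditPolicyChange'    = 'Audit policy change'
    'AuditPrivilegeUse'    = 'Audit privilege use'
    'AuditProcessTracking' = 'Audit process tracking'
    'AuditSystemEvents'    = 'Audit system events'
}
# secedit stores which results are recorded as a bit mask: 1 = success, 2 = failure.
$results = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

$inSection = $false
$report = foreach ($line in Get-Content $cfg) {
    # Track which INI section we are in; only [Event Audit] is of interest.
    if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
    if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(\d+)') { continue }
    $key, $value = $matches[1], [int]$matches[2]
    if ($names.ContainsKey($key)) {
        New-Object PSObject -Property @{
            Policy  = $names[$key]
            Audited = $results[$value]
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$report | Sort-Object Policy | Format-Table Policy, Audited -AutoSize
```

Run it on a handful of machines and compare the output with the domain policy you expect to be in force; a category that reads "No auditing" where the GPO says otherwise usually means the GPO is not being applied to that computer.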
You can configure individual objects to be audited by editing the system access control list (SACL) for any given object, which is much like assigning permissions, except it is indicating to Windows on what type of access an event log entry should be written. You can access the SACL for an object by clicking the Advanced button on the Security tab of the object's properties sheet. On the Auditing tab, you can click Add to include new auditing events for an object or click View/Edit to modify an existing auditing event. (Note: You can't audit objects on a FAT file system.)
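The same SACL can be read and extended from PowerShell, which is handy when the same audit entry has to go on many folders. The script below is an added example, not code from the original article: it checks the caveat just mentioned (the volume must be NTFS), lists the existing audit entries on a folder and adds one that records failed attempts to delete the folder or change its permissions. It assumes an elevated shell (reading a SACL requires the security privilege that administrators hold) and uses C:\Shares\Finance as a placeholder path.

```powershell
# Added example (not from the original article): inspect and extend a folder's SACL
# from PowerShell instead of the Advanced Security dialog. Assumes an elevated shell;
# C:\Shares\Finance is a placeholder path.

$path = 'C:\Shares\Finance'

# Auditing only works on NTFS, as the article notes, so check the volume first.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($path))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$path is on a $($drive.DriveFormat) volume; object auditing needs NTFS."
}

# -Audit makes Get-Acl read the SACL in addition to the DACL.
$acl = Get-Acl -Path $path -Audit
Write-Host "Existing audit entries on ${path}:"
$acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Record failed attempts by anyone to delete the folder or change its permissions.
# AuditFlags 'Failure' logs denied access only; 'Success, Failure' logs both.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule (
    'Everyone',
    'Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Entries in the SACL only produce events once "Audit object access" is enabled
# in the audit policy; the SACL by itself generates nothing.
```

Logging failures only, as this rule does, keeps the volume of entries low while still showing who was denied; success auditing on busy shares is exactly the kind of over-auditing the next section warns about.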
Recommended items to audit
First, a few things you should be aware of. One, too much auditing consumes large amounts of resources. Entries will be written every time a user moves a mouse (OK, that's an exaggeration, but not much of one). Two, too much auditing tends to be overwhelming. Since auditing provides no benefit unless someone actually reviews the entries, auditing more events than you can review wastes resources without adding any security. Be aware of, and selective about, what you choose to audit.
Here are a few events you'll want to take note of in particular:
- Logon and logoff events, tracked by the Audit account logon events and the Audit logon events setting, can indicate repeated logon failures and point to a particular user account that is being used for an attack.
- Account management, tracked by the Audit account management setting, indicates users who have used or tried to use their user and computer administration power.
- Startup and shutdown events, tracked by the Audit system events setting, show that a user has tried to shut down a system, as well as which services might not have started properly upon reboot.
- Policy changes, tracked by the Audit policy change setting, can indicate users tampering with security settings.
- Privilege use events, tracked by the Audit privilege use setting, can show attempts to change permissions to certain objects.
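The first item in this list, repeated logon failures against one account, is only visible if someone actually looks for it. The script below is an added example, not code from the original article: it reads failed-logon audit entries from the Security log over the last 24 hours and groups them by target account so that an account being hammered stands out. It assumes an elevated shell and that logon failures are being audited; event IDs 529 (bad user name or password) and 539 (account locked out) are the IDs Windows 2000, XP and Server 2003 use, and 4625 is the failed-logon ID on later versions. The 24-hour window and the threshold of five failures are assumed starting points, not figures from the article.

```powershell
# Added example (not from the original article): summarise failed logons from the
# Security log per target account. Assumes an elevated shell and that "Audit logon
# events" / "Audit account logon events" record failures. The window and threshold
# are assumed starting values.

$Hours     = 24
$Threshold = 5
$FailedIds = 529, 539, 4625   # 529/539: pre-Vista failed logon / lockout; 4625: Vista and later

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
          Where-Object { $FailedIds -contains $_.EventID }

# Pull the target account name out of the message text. The label differs between
# the old message format ("User Name:") and the new one ("Account Name:").
function Get-TargetAccount($entry) {
    if ($entry.Message -match 'User Name:\s+(\S+)') { return $matches[1] }
    # 4625 lists "Account Name:" twice (the caller, then the account that failed);
    # the target is the last one.
    $m = [regex]::Matches($entry.Message, 'Account Name:\s+(\S+)')
    if ($m.Count -gt 0) { return $m[$m.Count - 1].Groups[1].Value }
    return '<unknown>'
}

$events |
    Group-Object { Get-TargetAccount $_ } |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } },
                  Count,
                  @{ n = 'LastFailure'; e = { ($_.Group | Sort-Object TimeGenerated)[-1].TimeGenerated } } |
    Format-Table -AutoSize
```

An account that appears here with dozens of failures in a short window is worth a closer look at the source workstation in the same events; a handful of failures spread over a day is usually a user mistyping a password.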
Configuring event log policies
Similar to auditing policies, you'll find policies for configuring the event logs inside the Default Domain Policy in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Event Log tree. Here are the options for event log policies:
- Maximum application log size: Sets the maximum size the log is allowed to reach before the oldest events in the log will be purged.
- Maximum security log size: Does the same as the previous item but pertains to the security log.
- Maximum system log size: Does the same as the previous two items but pertains to the system log.
- Restrict guest access to application log: Disallows access to the application log from users logged onto the Guest account.
- Restrict guest access to security log: Disallows access to the security log from users logged onto the Guest account.
- Restrict guest access to system log: Disallows access to the system log from users logged onto the Guest account.
- Retain application log: Specifies whether to overwrite events or save them when the application log file reaches the maximum size.
- Retain security log: Specifies whether to overwrite events or save them when the security log file reaches the maximum size.
- Retain system log: Specifies whether to overwrite events or save them when the system log file reaches the maximum size.
- Retention method for application log: Specifies whether Windows should overwrite old application log events as it sees fit or only those older than seven days; you also can choose to simply not overwrite files and clear the logs manually.
- Retention method for security log: Specifies whether Windows should overwrite old security log events as it sees fit or only those older than seven days; you also can choose to simply not overwrite files and clear the logs manually.
- Retention method for system log: Specifies whether Windows should overwrite old system log events as it sees fit or only those older than seven days; you also can choose to simply not overwrite files and clear the logs manually.
- Shut down the computer when the security audit log is full: Shuts off the computer until an administrator can clear the security log and new events can be written.
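Each of these policy items ends up as a registry value under the event log service's key, so you can verify what is actually in force on a machine without opening the policy editor. The script below is an added example, not code from the original article: it reads the maximum size, retention method and guest-access setting for the application, security and system logs, describes them in the terms used above, and flags any log smaller than a baseline. The baseline sizes are assumed figures for illustration, not values from the article.

```powershell
# Added example (not from the original article): show the registry values behind the
# event log policies above for each classic log. Value names (MaxSize, Retention,
# RestrictGuestAccess, CrashOnAuditFail) are the same from Windows 2000 onward.
# The baseline sizes are assumed figures, not the article's.

$logs     = 'Application', 'Security', 'System'
$baseline = @{ Application = 16MB; Security = 64MB; System = 16MB }

# Registry DWORDs come back as signed Int32, so 0xFFFFFFFF reads as -1; fix that up.
function ConvertTo-UInt32($value) {
    if ($null -eq $value) { return [uint32]0 }
    return [uint32]($value -band 0xFFFFFFFF)
}

# Retention is in seconds: 0 = overwrite as needed, 0xFFFFFFFF = never overwrite.
function Get-RetentionText([uint32]$seconds) {
    switch ($seconds) {
        0          { 'Overwrite events as needed' }
        0xFFFFFFFF { 'Do not overwrite (clear log manually)' }
        default    { "Overwrite events older than $($seconds / 86400) days" }
    }
}

foreach ($log in $logs) {
    $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
    $maxSize   = ConvertTo-UInt32 $p.MaxSize          # bytes
    $retention = ConvertTo-UInt32 $p.Retention
    $guest     = if ($p.RestrictGuestAccess -eq 1) { 'Restricted' } else { 'Allowed' }
    $flag      = if ($maxSize -lt $baseline[$log]) { '  <-- below baseline' } else { '' }

    '{0,-12} max {1,7} KB  {2,-45} guest access: {3}{4}' -f `
        $log, [int]($maxSize / 1KB), (Get-RetentionText $retention), $guest, $flag
}

# "Shut down the computer when the security audit log is full" lives under the LSA key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$crash = if ($lsa.CrashOnAuditFail -eq 1) { 'Enabled (system halts when the security log is full)' } else { 'Disabled' }
"CrashOnAuditFail: $crash"
```

Check the Security log's retention setting in particular: "Overwrite events as needed" on a small log means the entries you most want after an incident may already be gone, while "Do not overwrite" combined with the shutdown option turns a full log into an outage.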
To configure the event logs locally on a computer that does not participate in a domain, load the Event Viewer console (which is within the Control Panel and Administrative Tools) and then right-click each log in the left pane. You can set the log size options on this screen, including the maximum size and the actions Windows should take when that limit is reached.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP), and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. Ask Hassell a hardening Windows question today.