Auditing as a Line of Defense
The Windows 2000 audit trail is invaluable to the system administrator. For example, it can help determine how a system crashed, how security was compromised, or how much disk space a user is consuming. Windows 2000 provides highly granular control over the events logged and over the objects and services allowed to record events.
Using Security Auditing
The Windows 2000 auditing properties are viewed and modified through GPOs. The Audit policies found in the Default Domain snap-in under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policies determine which events are recorded in the Security Log.
The group policies found in the Default Domain snap-in under Computer Configuration, Windows Settings, Security Settings, Event Log, Settings for Event Logs provide control over a number of properties. This control includes how much disk space is dedicated to the logs, who can access them, how long they are retained, and the method for retaining them.
Event Log Retention
The retention method for a security log configures how the log is updated once it is full. If an overwrite option is not selected, the system will halt when the log is full, whereupon the administrator must take the following steps to bring the system back into service:
From the Start menu, select Programs, Administrative Tools, Event Viewer, and save the current logs (if desired). Clear All Events from each.
Set the Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\crashonauditfail to 1.
Restart the system.
Offline Auditing Policies
Reviewing audit reports while offline may prove convenient in some administrative circumstances. Auditing policies for offline folders can be found in the Default Domain snap-in under User Configuration, Administrative Templates, Network, Offline Files.
Event Viewer Use
The Event Viewer gives the administrator access to six event logs. The Security Log displays successes and failures, and classifies them into Object Access, Account Logon, Policy Change, Privilege Use, Directory Service Access, and Account Management categories.
The other logs have three types of records: Error, Warning, and Information. The Application Log contains events logged by programs running on the system, including all exceptions raised. The System Log records events raised by the Windows 2000 operating system. All users can view the System and Application Logs, but only administrators can view the Security Log.
File, folder, printer, Active Directory, group policy, and other system objects have associated Access Control Lists (ACLs). Each ACL is composed of a Discretionary Access Control List (DACL) and a System Access Control List (SACL). The DACL details user and group access rights to an object; the SACL specifies which users' and groups' access attempts on the object, successful or failed, are audited.
General Auditing Procedures
The following steps should generally be observed when using Windows 2000 auditing:
Set the SACL on objects of interest to identify the group and user access events to monitor.
Set auditing policies to record the desired events.
Periodically view the logs and clear them out.
As you establish your auditing strategy, remember that only NTFS files and folders may be audited.
Audit Events that Need the Most Careful Review
No system administrator can track and review all event items, but must restrict her attention to those of greatest potential importance. As a general rule, the following audit events are particularly helpful when tracking possible security threats:
Logon/Logoff: Provides information on logon failures, and may indicate whether a certain user account is under attack.
Account Management: Provides information on users who have sought rights to use administrative tools.
Startup/Shutdown: Shows who has attempted to invoke a shutdown command, and also lists services that were not properly initiated during startup.
Policy Changes: Indicates what policy changes were attempted.
Privilege Use: Lists attempts to change permissions to objects.
As a final note, if a cracker breaks into the system, he will most certainly try to cover his tracks and erase the logs. To guard against this action and retain logs, provide remote logging of the above events to a secure log server that is in a safe place with only local logins, and have critical events printed out to a printer. This will keep the log files intact and help trace security problems.
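A triage script for the audit categories listed above and for the log-erasure concern in the final note, added here as an example and not part of the original article: it reads a Security Log that Event Viewer has exported as tab-delimited text and reports repeated logon failures per account, audit policy changes, and a cleared audit log. The column order, the sample records, and the account and host names are constructed assumptions; the event IDs are the standard Windows 2000 Security Log IDs.

```python
"""Triage a Windows 2000 Security Log exported from Event Viewer as tab-delimited text.
Assumed, not from the article: columns Date, Time, Source, Type, Category, Event, User,
Computer, Description. Event IDs are the standard Windows 2000 Security Log IDs."""
import re
from collections import Counter, defaultdict

LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}  # Logon/Logoff failure events
AUDIT_LOG_CLEARED = 517        # someone erased the Security Log: always critical
POLICY_CHANGE = 612            # audit policy was changed
FAILURE_THRESHOLD = 5          # failures per account that suggest password guessing
TARGET_USER = re.compile(r"User Name:\s*(\S+)")

def parse_export(text):
    """Yield one dict per record, skipping blank or truncated lines."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 9 or not f[5].isdigit():
            continue
        yield {"when": f[0] + " " + f[1], "event": int(f[5]), "user": f[6], "desc": f[8]}

def triage(text, threshold=FAILURE_THRESHOLD):
    """Return the findings an administrator should review first, keyed by concern."""
    failures, findings = Counter(), defaultdict(list)
    for rec in parse_export(text):
        if rec["event"] in LOGON_FAILURE:
            # The attacked account is in the description; the User column is SYSTEM.
            m = TARGET_USER.search(rec["desc"])
            failures[m.group(1) if m else rec["user"]] += 1
        elif rec["event"] == AUDIT_LOG_CLEARED:
            findings["log_cleared"].append((rec["when"], rec["user"]))
        elif rec["event"] == POLICY_CHANGE:
            findings["policy_change"].append((rec["when"], rec["user"]))
    for user, n in sorted(failures.items()):
        if n >= threshold:
            findings["repeated_logon_failure"].append((user, n))
    return dict(findings)

def row(time, etype, category, eid, user, desc):
    """Build one constructed export record in the assumed column order."""
    return "\t".join(["01/15/2001", time, "Security", etype, category, str(eid), user, "FILESRV01", desc])

# Constructed sample: six bad-password attempts on jsmith, one routine logon, then an
# audit policy change followed by a cleared log late at night.
SAMPLE = "\n".join(
    [row("09:%02d:00 AM" % i, "Failure Audit", "Logon/Logoff", 529, "NT AUTHORITY\\SYSTEM",
         "Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP")
     for i in range(6)]
    + [row("09:10:00 AM", "Success Audit", "Logon/Logoff", 528, "CORP\\mlee", "Successful Logon: User Name: mlee"),
       row("11:02:13 PM", "Success Audit", "Policy Change", 612, "CORP\\Administrator", "Audit Policy Change:"),
       row("11:05:40 PM", "Success Audit", "System Event", 517, "CORP\\Administrator", "The audit log was cleared")])
```

Run triage(SAMPLE) against a real export after adjusting the column positions to match your Event Viewer save format.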
In the next article in this series, we will examine network services-related security issues.