Authentication Auditing in Windows 2000
Authentication is central to Windows security, and Windows 2000 Server provides a comprehensive set of authentication services. By logging and examining authentication-related events, you can detect many of the most common security problems, such as attempted intrusions and account misuse.
If you're concerned about intrusion attempts, the areas that should get the closest scrutiny are Logon events and Account Logon events. Other authentication event categories that can indicate an attempted intrusion include Directory Service access events and privilege use events. Here it's usually enough to log failed attempts.
Weeding Through Endless Possibilities
Auditing in Windows 2000 Server involves two functions. The first is logging—having the system notice the kinds of events that interest you. The other is auditing the events—examining the logged events and analyzing them to determine potential problems. The good news is that Windows will automatically log dozens of different kinds of events in a number of categories. The bad news about the good news is the potential for information overload. Even if you're just interested in authentication events, if you try to log everything you'll quickly fill tens of megabytes of disk space with data, most of which is just noise. Remember that something like an object access under Windows involves several events, each of which can be logged separately. You need to decide which classes of events (and which events in those classes) you want to log for later study. Even when you're selective, you need to make sure that you allow enough disk space for logs.
The Windows auditing and event logging system is fairly complex:
- You can log events at any level from the individual workstation or user to the entire enterprise.
- You can choose among a number of event categories, making the system report and log as many or as few of these categories as you want.
- The logging system lets you log both successful and failed attempts to use a service. For most categories, such as account management and policy change events, it's enough to log failed attempts most of the time. However, for authentication-related categories, it's best to log both successful and failed attempts.
By logging and examining authentication-related events, you can detect attempted intrusions, account misuse, and other irregularities. Windows automatically notes many authentication-related events and allows you to log them for later analysis; for example, it's a good idea to look at Logon events and Account Logon events. Other authentication event categories that can indicate an attempted intrusion include Directory Service access events and privilege use events. Here it's usually enough to log failed attempts.