  • Windows Server® 2008 Security Guide Security Compliance Management Toolkit Version 1

    Audit Policies and Subcategories


    An Audit policy determines which security events to report to administrators to establish a record of user or system activity based on specified event categories. Administrators can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

    However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. Then an administrator can create an Audit policy to meet the security needs of your organization.

    If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections of this appendix is designed to help you decide what to monitor to facilitate the collection of relevant audit data for your organization.

    Windows Server® 2008 includes the same nine Audit policy categories that are present in earlier versions of Windows:



    • System

    • Logon/Logoff

    • Object Access

    • Privilege Use

    • Detailed Tracking

    • Policy Change

    • Account Management

    • Directory Service Access

    • Account Logon

    However, Windows Server 2008 allows you to manage Audit policy in a more precise way by including 50 Audit policy subcategories. Although not all subcategories apply to Windows Server 2008–based computers, you can configure many of them to record specific events that provide valuable information.

    Configuring Audit Policy Settings


    In the past, you could easily configure any of the nine audit categories using Group Policy. Although the same method is possible with Windows Server 2008, you cannot individually configure the new audit subcategories using the Group Policy Management Console (GPMC) because the subcategories are not exposed in the GPMC. If you enable any of the audit category settings in Windows Server 2008 that are present in the GPMC, this action also enables subcategory settings related to each category. For this reason, enabling Audit policy settings by category will likely cause excessive audit logging that will quickly fill up your event logs.

    Microsoft recommends configuring only necessary audit subcategory settings using a command-line tool included in Windows Server 2008 called AuditPol.exe. Using a command-line tool to implement prescribed Audit policy settings across many computers is difficult. For more information about using scripts to automate detailed Audit policy settings for computers running Windows Vista or Windows Server 2008, see "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain": Microsoft Knowledge Base article 921469.

    The following tables summarize the Audit policy setting recommendations for servers in the two types of secure environments discussed in this guide. Review these recommendations and adjust them as appropriate for your organization. Information about how to modify and remove the Audit policy settings that the GPOs configure appears after the Audit policy setting tables.

    Note Microsoft recommends taking extra caution in using Audit settings that can generate large volumes of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategory settings, the high volume of audit events these settings generate will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant negative effect on performance.
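As an added example (not from the guide itself), the following PowerShell script applies the "EC member server" column of the tables that follow using AuditPol.exe, then reads the effective settings back for verification. It assumes an elevated prompt and PowerShell 2.0 or later on the target server; subcategory names are those reported by "auditpol /list /subcategory:*".

```powershell
# Added example, not from the Windows Server 2008 Security Guide: apply the
# "EC member server" column of Tables 2.1 to 2.9 with AuditPol.exe and verify.
# Assumes an elevated prompt; subcategory names match "auditpol /list /subcategory:*".

# Save the current effective policy first so it can be put back with
# "auditpol /restore /file:<path>" if the new settings prove too noisy.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:"$backup" | Out-Null

# Subcategory -> recommended setting, copied from the EC member server column.
# Everything not listed here stays at "No auditing", as the tables recommend.
$ecMemberServer = @{
    # System (Table 2.1)
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    # Logon/Logoff (Table 2.2)
    'Logon'                           = 'Success'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success'
    # Detailed Tracking (Table 2.5)
    'Process Creation'                = 'Success'
    # Policy Change (Table 2.6)
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    # Account Management (Table 2.7)
    'User Account Management'         = 'Success'
    'Computer Account Management'     = 'Success'
    'Security Group Management'       = 'Success'
    'Other Account Management Events' = 'Success'
    # Account Logon (Table 2.9)
    'Credential Validation'           = 'Success'
}

foreach ($entry in $ecMemberServer.GetEnumerator()) {
    # Translate the table wording into auditpol's enable/disable switches.
    $success = if ($entry.Value -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($entry.Value -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($entry.Key)" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$($entry.Key)'" }
}

# Read back what is now in effect. "/r" makes auditpol emit CSV whose
# "Inclusion Setting" column holds the effective value for each subcategory.
foreach ($name in $ecMemberServer.Keys) {
    $row = auditpol /get /subcategory:"$name" /r | Where-Object { $_ } | ConvertFrom-Csv
    $actual = $row.'Inclusion Setting'
    $flag = if ($actual -eq $ecMemberServer[$name]) { 'OK  ' } else { 'DIFF' }
    '{0} {1,-34} {2}' -f $flag, $name, $actual
}
```

Any line marked DIFF means the effective setting does not match the table; the backup file lets you return to the previous policy with auditpol /restore.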

    Audit Policy Subcategories


    The following sections provide a brief description of each Audit policy. The tables in each section include recommendations for domain controllers in the two types of secure environments discussed in this guide.

    Note Descriptions for each Audit policy subcategory are not provided in this appendix. For additional information on the available Audit policy subcategories and related security events, see "Description of security events in Windows Vista and in Windows Server 2008": Microsoft Knowledge Base article 947226.

    System


    The System audit category in Windows Server 2008 allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

    The System audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.1 System Audit Policy Subcategory Recommendations

    | Audit policy subcategory    | EC domain controller | SSLF domain controller | EC member server    | SSLF member server  |
    |-----------------------------|----------------------|------------------------|---------------------|---------------------|
    | § Security System Extension | Success and Failure  | Success and Failure    | Success and Failure | Success and Failure |
    | § System Integrity          | Success and Failure  | Success and Failure    | Success and Failure | Success and Failure |
    | § IPsec Driver              | Success and Failure  | Success and Failure    | Success and Failure | Success and Failure |
    | § Other System Events       | No auditing          | No auditing            | No auditing         | No auditing         |
    | § Security State Change     | Success and Failure  | Success and Failure    | Success and Failure | Success and Failure |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Logon/Logoff


    The Logon/Logoff audit category in Windows Server 2008 generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.

    If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which users have accessed or attempted to access your organization's computers.



    The Logon/Logoff events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

    Table 2.2 Logon/Logoff Audit Policy Subcategory Recommendations

    | Audit policy subcategory    | EC domain controller | SSLF domain controller | EC member server | SSLF member server  |
    |-----------------------------|----------------------|------------------------|------------------|---------------------|
    | § Logon                     | Success              | Success and Failure    | Success          | Success and Failure |
    | § Logoff                    | Success              | Success                | Success          | Success             |
    | § Account Lockout           | No auditing          | No auditing            | No auditing      | No auditing         |
    | § IPsec Main Mode           | No auditing          | No auditing            | No auditing      | No auditing         |
    | § IPsec Quick Mode          | No auditing          | No auditing            | No auditing      | No auditing         |
    | § IPsec Extended Mode       | No auditing          | No auditing            | No auditing      | No auditing         |
    | § Special Logon             | Success              | Success                | Success          | Success             |
    | § Other Logon/Logoff Events | No auditing          | No auditing            | No auditing      | No auditing         |
    | § Network Policy Server     | No auditing          | No auditing            | No auditing      | No auditing         |

    Note No events map to the Account Lockout subcategory.

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Object Access


    By itself, the Object Access audit category in Windows Server 2008 will not audit any events. Settings in this category determine whether to audit when a user accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), which effectively enables auditing to occur.

    Access control entries (ACEs) comprise a SACL. Each ACE contains three pieces of information:



    • The security principal (user, computer, or group) to be audited.

    • The specific access type to be audited, called an access mask.

    • A flag to indicate whether to audit failed access events, successful access events, or both.

    If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails an attempt to access an object with a specified SACL.

    Organizations should define only the actions that they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.



    The Object Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.

    Table 2.3 Object Access Audit Policy Subcategory Recommendations

    | Audit policy subcategory         | EC domain controller | SSLF domain controller | EC member server | SSLF member server |
    |----------------------------------|----------------------|------------------------|------------------|--------------------|
    | § File System                    | No auditing          | Failure                | No auditing      | Failure            |
    | § Registry                       | No auditing          | Failure                | No auditing      | Failure            |
    | § Kernel Object                  | No auditing          | No auditing            | No auditing      | No auditing        |
    | § SAM                            | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Certification Services         | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Application Generated          | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Handle Manipulation            | No auditing          | No auditing            | No auditing      | No auditing        |
    | § File Share                     | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Filtering Platform Packet Drop | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Filtering Platform Connection  | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Other Object Access Events     | No auditing          | No auditing            | No auditing      | No auditing        |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Configuring and Testing Object Access Audit Rules


    The following procedures describe how to configure an audit rule on a file or folder, and how to test that the rule generates events for that file or folder.

    Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events. Then you can use the following procedure to log events in the Security event log.

    To define an audit rule for a file or folder

    1. Use Windows Explorer to locate the file or folder and then click it.

    2. On the File menu, click Properties.

    3. Click the Security tab, and then click the Advanced button.

    4. Click the Auditing tab.

    5. If prompted for administrative credentials, click Continue, type your username and password, and then press ENTER.

    6. Click the Add button to make the Select User, Computer, or Group dialog box display.

    7. Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.

    Note The User, Group, and Built-in security principal object types are selected by default.

    8. Click the Locations button, and then in the Location dialog box, select either your domain or local computer.

    9. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and then click OK.

    The Auditing Entry dialog box displays.

    10. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.

    Note Remember that each object access may generate multiple events in the event log and cause it to grow rapidly.

    11. In the Auditing Entry dialog box, next to List Folder/Read Data, select Successful and Failed, and then click OK.

    You can view the audit entries you enabled under the Auditing tab of the Advanced Security Settings dialog box.

    12. Click OK to close the Properties dialog box.

    To test an audit rule for a file or folder

    1. Open the file or folder.

    2. Close the file or folder.

    3. Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.

    4. Double-click the events as needed to view their details.
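As an added example (not part of the guide's own procedure), the same rule and test done from PowerShell: it adds the Authenticated Users audit entry to a constructed test folder, reads the folder, and then lists the Event ID 4663 entries that result. It assumes an elevated session, PowerShell 2.0 or later, and that the File System subcategory has already been set to Success and Failure with Auditpol.exe as the note above requires.

```powershell
# Added example, not from the Windows Server 2008 Security Guide: define the
# List Folder/Read Data audit rule for Authenticated Users on a test folder,
# exercise it, and read back the 4663 events. Assumes an elevated session and
# that "auditpol /set /subcategory:'File System' /success:enable /failure:enable"
# has already been run.
$folder = 'C:\AuditTest'   # constructed sample path, not from the guide
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# The SACL entry: principal, access mask (List Folder/Read Data), inheritance
# to files and subfolders, and the flag for successful and failed access.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit is needed to read and write the SACL (requires SeSecurityPrivilege).
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# What the Auditing tab would now show for this object.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Trigger a List Folder access, then pull the 4663 events written since then.
$start = Get-Date
Get-ChildItem -Path $folder | Out-Null
Start-Sleep -Seconds 2   # give the Security log a moment to flush

# Property positions follow the 4663 EventData layout:
# 1 = SubjectUserName, 6 = ObjectName, 8 = AccessList (the accesses exercised).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$folder*" } |
    Select-Object TimeCreated,
                  @{ n = 'Subject'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object';  e = { $_.Properties[6].Value } },
                  @{ n = 'Access';  e = { $_.Properties[8].Value.Trim() } } |
    Format-Table -AutoSize
```

If nothing is returned, check that the File System subcategory really is enabled (auditpol /get /subcategory:"File System") before looking at the rule itself; without it the SACL produces no events, as the note above explains.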

    Privilege Use


    The Privilege Use audit category in Windows Server 2008 determines whether to audit each instance of a user exercising a user right. If you configure these settings to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure these settings to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. These policy settings can generate a very large number of event records.

    The Privilege Use events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.4 Privilege Use Audit Policy Subcategory Recommendations

    | Audit policy subcategory      | EC domain controller | SSLF domain controller | EC member server | SSLF member server  |
    |-------------------------------|----------------------|------------------------|------------------|---------------------|
    | § Sensitive Privilege Use     | No auditing          | Success and Failure    | No auditing      | Success and Failure |
    | § Non Sensitive Privilege Use | No auditing          | No auditing            | No auditing      | No auditing         |
    | § Other Privilege Use Events  | No auditing          | No auditing            | No auditing      | No auditing         |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Detailed Tracking


    The Detailed Tracking audit category in Windows Server 2008 determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response, because the log then records which processes were started and when they were launched.

    The Detailed Tracking events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.5 Detailed Tracking Audit Policy Subcategory Recommendations

    | Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server |
    |--------------------------|----------------------|------------------------|------------------|--------------------|
    | § Process Termination    | No auditing          | No auditing            | No auditing      | No auditing        |
    | § DPAPI Activity         | No auditing          | No auditing            | No auditing      | No auditing        |
    | § RPC Events             | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Process Creation       | Success              | Success                | Success          | Success            |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Policy Change


    The Policy Change audit category in Windows Server 2008 determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, if an attacker were to attempt to turn off auditing, that change itself would be recorded.

    The Policy Change events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.6 Policy Change Audit Policy Subcategory Recommendations

    | Audit policy subcategory          | EC domain controller | SSLF domain controller | EC member server    | SSLF member server  |
    |-----------------------------------|----------------------|------------------------|---------------------|---------------------|
    | § Audit Policy Change             | Success and Failure  | Success and Failure    | Success and Failure | Success and Failure |
    | § Authentication Policy Change    | Success              | Success                | Success             | Success             |
    | § Authorization Policy Change     | No auditing          | No auditing            | No auditing         | No auditing         |
    | § MPSSVC Rule-Level Policy Change | No auditing          | No auditing            | No auditing         | No auditing         |
    | § Filtering Platform Policy Change| No auditing          | No auditing            | No auditing         | No auditing         |
    | § Other Policy Change Events      | No auditing          | No auditing            | No auditing         | No auditing         |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Account Management


    The Account Management audit category in Windows Server 2008 helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

    The Account Management events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.7 Account Management Audit Policy Subcategory Recommendations

    | Audit policy subcategory        | EC domain controller | SSLF domain controller | EC member server | SSLF member server  |
    |---------------------------------|----------------------|------------------------|------------------|---------------------|
    | User Account Management         | Success              | Success and Failure    | Success          | Success and Failure |
    | Computer Account Management     | Success              | Success and Failure    | Success          | Success and Failure |
    | Security Group Management       | Success              | Success and Failure    | Success          | Success and Failure |
    | Distribution Group Management   | No auditing          | No auditing            | No auditing      | No auditing         |
    | Application Group Management    | No auditing          | No auditing            | No auditing      | No auditing         |
    | Other Account Management Events | Success              | Success and Failure    | Success          | Success and Failure |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Directory Service Access


    The Directory Service Access audit category in Windows Server 2008 applies only to domain controllers. For this reason, the Directory Service Access audit category and all related subcategories are configured to No Auditing for member servers in both environments discussed in the security guide.

    The Directory Service Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.8 Directory Service Access Audit Policy Subcategory Recommendations

    | Audit policy subcategory                 | EC domain controller | SSLF domain controller | EC member server | SSLF member server |
    |------------------------------------------|----------------------|------------------------|------------------|--------------------|
    | § Directory Service Access               | Success              | Success and Failure    | No auditing      | No auditing        |
    | § Directory Service Changes              | Success              | Success and Failure    | No auditing      | No auditing        |
    | § Directory Service Replication          | No auditing          | No auditing            | No auditing      | No auditing        |
    | § Detailed Directory Service Replication | No auditing          | No auditing            | No auditing      | No auditing        |

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.

    Account Logon


    The Account Logon audit category in Windows Server 2008 generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.

    The Account Logon events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.



    Table 2.9 Account Logon Audit Policy Subcategory Recommendations

    | Audit policy subcategory            | EC domain controller | SSLF domain controller | EC member server | SSLF member server  |
    |-------------------------------------|----------------------|------------------------|------------------|---------------------|
    | § Kerberos Authentication Service   | No auditing          | No auditing            | No auditing      | No auditing         |
    | § Credential Validation             | Success              | Success and Failure    | Success          | Success and Failure |
    | § Kerberos Service Ticket Operations| No auditing          | No auditing            | No auditing      | No auditing         |
    | § Other Account Logon Events        | No auditing          | No auditing            | No auditing      | No auditing         |

    Note No events map to the Other Account Logon Events subcategory.

    Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
