Jorge's Quest For Knowledge!


(2008-04-29) Auditing In Windows Server 2008

Posted by Jorge on 2008-04-29


To audit stuff in Windows Server you first need to configure a main event category to be enabled for "Successes" and/or "Failures". This must be done through a local GPO on the server or through a GPO in AD which is then linked to an OU containing the servers that should inherit those settings. Which main event category is needed depends on what you want to audit. This part of the configuration just turns auditing ON; it is not enough, however. In addition to that you need to configure a "System Access Control List" (SACL) on the object that needs to be audited, specifying WHAT action(s) are audited and by WHOM.

For more information about this part, please see:

This post will focus more on the auditing features in Windows Server 2008 and the differences between it and Windows Server 2000/2003.

Looking inside the "Default Domain Controllers" GPO of a W2K/W2K3 AD domain you will see the following default settings for the main event categories:

image

Looking inside the "Default Domain Controllers" GPO of a W2K8 AD domain you will see the following default settings for the main event categories:

image

As you can see, the configuration of the main event categories is different, which might give you the idea that the end result is also different. No, the end result is not different. Let's do a deep dive so you understand what's going on.

What you see in the pictures above are the main event categories within a GPO that can be used to configure auditing in Windows Server (W2K, W2K3, W2K8). These are also called the "Global Audit Policies". In W2K8 each main event category also contains its own set of sub event categories. In the pictures below you will see the command lines to retrieve the settings of both main and sub event categories on a specific Windows Server 2008 server. The yellow text is the main event category on the local server that corresponds with the main event category in the GPO(s). The white text below that lists the sub event categories of each main event category. Event categories are independent of each other!

image

image

When a main event category is configured with some setting, all of its sub event categories are configured with that same setting. So, as expected, the auditing configuration in GPOs takes precedence over the local auditing configuration. That behavior can be changed, if you want, so that the local auditing configuration takes precedence over the auditing configuration in GPOs. To prevent the auditing configuration in a GPO from overwriting the local audit policy, you must enable the policy setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". This prevents domain-based audit policy from overwriting the more detailed audit policy settings on Windows Vista-based or Windows Server 2008-based computers. To do this, follow these steps:

  1. On a computer that is joined to the domain, open the Default Domain Policy.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
  4. Click Enabled, and then click OK.

As you might already have guessed, or as a question you might have: "How do I configure the sub event categories through a GPO?" The answer is easy. You just don't. ;-(

Main event categories can be configured through a GPO or locally through the AUDITPOL.EXE utility (see picture below). Sub event categories can only be configured locally through the AUDITPOL.EXE utility! So if you want to configure multiple sub event categories on a set of servers without using GPOs (as that might configure unnecessary sub event categories), you can create a batch file that leverages either WinRM/WinRS (available by default within Windows Server 2008 and Windows Vista) or PSEXEC (not available by default within the OS) to connect remotely to multiple systems and configure the needed sub event categories. Using a TXT file containing the server names, you can use a FOR loop to iterate through each server.
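As an added example (not from the original post), a batch file of the kind described above: it reads server names from a constructed servers.txt and uses WinRS to enable the "Directory Service Changes" sub event category on each server, then reads the setting back to verify it. The file name servers.txt and the assumption that winrs passes through the remote command's exit code are mine.

```batch
@echo off
REM Constructed example: enable one sub event category on a list of servers
REM without touching the main event category (which a GPO would set as a whole).
REM Assumes WinRM is enabled on the targets and the caller is a local admin there,
REM and that winrs returns the exit code of the remote command.
setlocal
set SERVERLIST=servers.txt
set SUBCAT=directory service changes

if not exist "%SERVERLIST%" (
    echo Server list %SERVERLIST% not found.
    exit /b 1
)

REM One hostname per line; lines starting with # are treated as comments.
for /f "usebackq eol=# tokens=*" %%S in ("%SERVERLIST%") do (
    echo === %%S ===
    REM Enable success and failure auditing for the sub event category only.
    winrs -r:%%S auditpol /set /subcategory:"%SUBCAT%" /success:enable /failure:enable
    if errorlevel 1 (
        echo   FAILED on %%S - check WinRM connectivity and credentials.
    ) else (
        REM Read the setting back so the change is verified, not assumed.
        winrs -r:%%S auditpol /get /subcategory:"%SUBCAT%"
    )
)
endlocal
```

Run it from an account that is an administrator on every listed server; each server's Security log, not the one you run the script from, is where the resulting 513x events will appear.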

clip_image001

clip_image002

One thing to be aware of is that the configuration of the main event categories through a GPO is sticky. This means that when the GPO is removed from its scope of management, the settings of the main event categories remain on the server. This is nothing new for W2K8 and was already "a feature" 😉 within W2K and W2K3 as well.

To audit access and changes in the directory the following possibilities exist:

Auditing for "Account Management" (W2K/W2K3/ W2K8)

  • Audit policy by default enabled
  • Audits everything related to security principals (users, group, etc.)

Auditing for "Directory Service Access" (W2K/W2K3/W2K8)

  • Audit policy by default enabled
  • In addition -> SACLs are needed that specify "what object(s) need to be audited?", "what action(s) need to be audited?" and "for whom should action(s) be audited?"
  • SACLs are ALREADY in place for important AD objects within each partition (domain, configuration, schema) (for more info see Microsoft Windows Security Guide)
  • The event ID in the security log specifies WHO changed WHAT in WHICH object

Event IDs for auditing "Directory Service Access" & "Account Management" in W2K/W2K3

  • Event IDs -> 56x, 62x, 63x, 64x, 65x and 66x ranges
  • First 8 rows of event IDs are used for the Account Management event category
  • 9th row of event IDs are used for the Directory Service Access event category


Object                   Event ID "created"   Event ID "changed"   Event ID "deleted"
User                     ID 624               ID 642               ID 630
Computer                 ID 645               ID 646               ID 647
Local Group (sec.)       ID 635               ID 639               ID 638
Local Group (dist.)      ID 648               ID 649               ID 652
Global Group (sec.)      ID 631               ID 641               ID 634
Global Group (dist.)     ID 653               ID 654               ID 657
Universal Group (sec.)   ID 658               ID 659               ID 662
Universal Group (dist.)  ID 663               ID 664               ID 667
OUs, GPOs, etc.          ID 566               ID 566               ID 566

Event IDs for auditing "Directory Service Access" & "Account Management" in W2K8

  • Event IDs -> 466x, 472x, 473x, 474x, 475x and 476x ranges
  • First 8 rows of event IDs are used for the Account Management event category
  • 9th row of event IDs are used for the Directory Service Access event category


Object                   Event ID "created"   Event ID "changed"   Event ID "deleted"
User                     ID 4720              ID 4738              ID 4726
Computer                 ID 4741              ID 4742              ID 4743
Local Group (sec.)       ID 4731              ID 4735              ID 4734
Local Group (dist.)      ID 4744              ID 4745              ID 4748
Global Group (sec.)      ID 4727              ID 4737              ID 4730
Global Group (dist.)     ID 4749              ID 4750              ID 4753
Universal Group (sec.)   ID 4754              ID 4755              ID 4758
Universal Group (dist.)  ID 4759              ID 4760              ID 4763
OUs, GPOs, etc.          ID 4662              ID 4662              ID 4662

Auditing for "Directory Service Changes" in W2K8

  • Audits object/attribute "changes" in AD
  • OLD and NEW values are specified
    • If the attribute is empty and does not contain a value, only an event ID with the new value is registered
    • If the attribute contains binary values an event ID is registered, but it does not specify old/new values.
  • NOT enabled by default!
    • Enable "main event category" called "Directory Service Access" (which enables ALL sub event categories including "Directory Service Changes" sub event category) OR
    • Enable sub event category called "Directory Service Changes"
      • AUDITPOL /set /subcategory:"directory service changes" /success:enable
      • AUDITPOL /set /subcategory:"directory service changes" /failure:enable
      • AUDITPOL /set /subcategory:"directory service changes" /success:enable /failure:enable
  • SACLs still needed!
  • By default ALL attributes are audited for changes
  • When an event ID is registered for a directory service change, the "lDAPDisplayName" of the attribute as specified in the schema is shown in the event. For example, changing the Office attribute in "Active Directory Users and Computers" shows up as the "physicalDeliveryOfficeName" attribute in the event!
  • New Event IDs for auditing CHANGES
    • Modification of objects: event ID 5136
      • Explicit SACL on object or inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "<whatever action>" on "<whatever scope>"
    • Creation of objects: event ID 5137
      • Explicit/Inheriting SACL on parent container auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
    • Undelete/reanimation of objects: event ID 5138
      • Explicit SACL on NC head auditing <sec. princ.> for "Successes/Failures" of "Reanimate Tombstone" on "This Object Only"
      • Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
    • Moving objects: event ID 5139
      • Explicit/Inheriting SACL on source OU auditing <sec. princ.> for "Successes/Failures" of "Delete specific object-Class" or "Delete All Childs" on "This Object and All Descendant Objects"
      • Explicit/Inheriting SACL on target OU auditing <sec. princ.> for "Successes/Failures" of "Create specific object-Class" or "Create All Childs" on "This Object and All Descendant Objects"
  • On a per-attribute basis auditing can be disabled, and this applies to all objects using that specific attribute
    • "searchFlags" property of the attribute -> 9th bit, i.e. bit 8: 2^8 = 256

image

image

More information about all the possible event IDs that are used by the different sub event categories:

More information about how to deploy and configure the main and sub event categories:

Auditing in General:

When auditing stuff on Windows Servers, all the event IDs are generated into the Security event log of the server where the action took place. Depending on what you want to audit and the distribution of the services throughout the environment, you may need to check multiple event logs, or you may first need to determine where something was audited (e.g. for object access/changes in AD, use REPADMIN /SHOWOBJMETA <DC> <DN of object> to find out the WHERE; the event ID will then tell you the WHO and WHAT). Besides that, if you audit a lot of information (high volume) for whatever reason (e.g. compliance), you need to make sure the event IDs on a certain server are not overwritten by other event IDs. A solution is to consolidate the event IDs of multiple servers in one place. You can either use the event forwarding functionality of Windows Server or implement third-party tooling.

Examples of third-party tooling:

REMARK: I'm sure there are more vendors providing such solutions...

Cheers,
Jorge
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
Jorge's Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/

One Response to “(2008-04-29) Auditing In Windows Server 2008”

  1. […] by Jorge on 2010-07-30 Auditing In Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server […]
