Enable the Security Auditing of Active Directory

SAVE OFFLINE

How to enable the Security Auditing of Active Directory

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Millions of organizations from all parts of the world use Windows Server 2008 R2. It is quite necessary to audit the Active Directory from both security point of view and meeting the requirements of different compliances. In this post, we will discuss the methods to enable the security audit and to verify the enabled audit policies for Active Directory in Windows Server 2008 R2. Enabling the Security Auditing For security auditing, it is required to modify the existing default Domain’s policy, which is setup while creating a domain. You have to, in fact, deal with Advanced Audit Policy Configuration for this. Follow the steps below for enabling the security auditing of Active Directory in Windows 2008 R2.

1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”. 2. In the console tree in the left pane, go to “Forest”  “Domains”  Domain Name. Expand it. 3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group Policy Management Editor”. 4. Go to “Computer Configuration”  “Windows Settings”  “Security Settings”  “Advanced Audit Policy Configuration”  “Audit Policies”. This will list all available audit policies. 5. Here, you can enable the following policies for following purposes: Type of Auditing Domain Logon/Logoff Auditing

Path In “Logon/Logoff”, enable

File System Auditing

1. Audit Logon 2. Audit Logoff In “Object Access”, enable

Handle Manipulation Auditing

1. Audit Detailed File Share 2. Audit File Share 3. Audit File System In “Object Access”, enable 1. Audit Handle Manipulation

Table 1: Tables of required auditing values

6. Double-click any of the events listed in the above table to access its properties. 7. Check the box “Configure the following audit events” and then enable the required “Success” and “Failure” events. 8. Click “Apply” and “OK” to enable the monitoring for the selected events.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Similarly, you can configure the advanced auditing options as well.

policies for other available

Enabling the Global Object Access Auditing Perform the below mentioned steps to audit the access of any object globally in the server. 1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”. 2. In the console tree in the left pane, go to “Forest”  “Domains”  Domain Name. 3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group Policy Management Editor”. 4. Go to “Computer Configuration”  “Windows Settings”  “Security Settings”  “Advanced Audit Policy Configuration”  “Audit Policies”. 5. Go to “Object Access”. This will show the audit policies of object access in the right panel. 6. Double-click “Audit Registry” to show its properties box. 7. Check the box “Configure the following audit events” and check the both events. 8. Click “Apply” and “OK”. 9. Now, go to “Global Object Access Auditing” node under “Audit Policies” of advanced configuration. 10. Double-click “Registry” entry in the right details pane. 11. Check the box “Define this policy”. This will enable the subsequent button.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Figure 1: Properties of Registry policy

12. Click “Configure” to access the “Advanced Settings for Global Registry SACL”.

Figure 2: Advanced Security Settings 13. Click the “Add” button to add the users which access you want to audit. 14. Type the name of any user to be audited. 15. Click “Check Names” to validate them.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

16. Click “OK” for adding the users. This will show the auditing entries for that user.

Figure 3: Select Audit Entries

17. Select the audit entries for both success and failure, which you want to monitor and click the “OK” button. It is advised to select Full Control for both of them. 18. Click “OK” once the required entries are selected. This will take you back to the “Advanced Security Settings”. 19. You can follow the same steps to configure security auditing for other users. 20. Once done, click “Apply” and “OK”. You will be returned to “Registry Properties”. 21. Click “Apply” and “OK” once again.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Thus, you can follow the above mentioned steps to configure the advanced file system auditing by using the “File System” policy in “Global Object Access Auditing”.

Managing the Integrity of Advanced Auditing

The advanced auditing entries are often overwritten by that of basic auditing. Follow the steps below to ensure that the advanced auditing entries do not get overwritten. 1. Go to “Start Menu”  “Administrative Tools”  “Group Policy Management”. 2. In the console tree left pane, go to “Forest”  “Domains”  Domain Name. 3. Right-click on “Default Domain Policy” and click “Edit”. It will show “Group Policy Management Editor”. 4. In the left tree pane, go to “Computer Configuration”  “Policies”  “Windows Settings”  “Security Settings”  “Security Options”. 5. Double-click “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”. 6. Click “Define this policy setting” and click “Enabled”. 7. Click “Apply” and “OK” to close the dialog box. This will apply the modified security auditing policies on the server. Alternatively, you can logoff and logon the Administrator. It is required to update the modified Group Policies on the server after enabling the security auditing policies.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Verifying the Auditing Policies It is recommended to verify whether the modified auditing policies have been applied or not. Run the following command on the Command Prompt. auditpol.exe /get /category:*

Figure 4: Listing the status of all policies This will list the status of all auditing policies – both basic and advanced on the server. Please verify both “Success” and “Failure” events for the policies, which you have enabled.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com

Summary Thus, you can follow the above stated steps to enable security auditing for the Active Directory. You can also enable the auditing for specific files and folders. After verifying the update status, you can see the recorded events in the Security logs of Event Viewer as security auditing has been enabled. Also, you can make use of LepideAuditor Suite, which has a number of added features and it also lets you keep a live check on the changes being made in the Active Directory environment. Real-time alerts, live updates, and automatic reports let you audit the AD and Group Policy Objects without any issue. You also have the freedom to restore unwanted changes in the AD objects and restore the objects from Tombstone folder as well.

Lepide Software B 57, Sector 57 Noida, U.P. India 201301 Phone: +91 (120) 4282353 Fax: +91 (120) 4282354 www.lepide.com