Windows Server 2003 Auditing
Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur and then reports on it within the Event Viewer. Instead of waiting for system performance events, however, auditing tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who accessed a file and how often). More recent enhancements to auditing allow the system to automatically report changes to user accounts and permissions, as well as changes to group policies, trusts, domains, and every AD-based object in the system. This is a tremendous step forward, because it allows auditing of nearly every system- and domain-critical object there is.
Auditing with Windows Server 2003 and XP is configured in several different ways, depending upon what needs to be audited and where that object resides. Generally, the first step is to enable the specific type of auditing through the audit policy, which will usually begin the audit process at that point. Auditing is turned on through a security policy, which is another part of Group Policy; these security policies are generally accessed through Administrative Tools. The audit policy contains the following categories:
- Audit Account Logon Events: Tracks user logon and logoff events.
- Audit Account Management: Reports changes to user accounts.
- Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or an XP system, the directory service is NTLM-based and consists of user accounts and group policies.
- Audit Logon Events: Reports success/failure of any local or remote access-based logon.
- Audit Object Access: Reports file and folder access. Must be enabled here first; the individual file or folder must then be configured for auditing within its properties in order to fully enable this feature.
- Audit Policy Change: Reports changes to group policies.
- Audit Privilege Use: Related to Audit Object Access; reports when a permission such as Read or Full Control is actually exercised.
- Audit Process Tracking: Reports process and program failures. Not security related.
- Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, and each type of access can be audited on success, on failure, or both.
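As an added example (not from the original article), here are the three steps just described, enabling the Audit Object Access category, flagging one file for auditing, and reading the resulting entries from the Security log, run from an elevated PowerShell prompt on a later Windows release (Vista/Server 2008 onward, where auditpol.exe and Get-WinEvent are built in). The file path is a placeholder. On Windows Server 2003 itself the same steps are taken through the Local Security Policy console, the file's Advanced Security properties (Auditing tab), and Event Viewer.

```powershell
# Added example, not part of the original article.
# Assumptions: run elevated on Windows Vista / Server 2008 or later;
# C:\Sensitive\payroll.xlsx is a placeholder path.

$Path = 'C:\Sensitive\payroll.xlsx'   # placeholder: the file whose access is audited

# Step 1: turn on the "Audit Object Access" policy for both success and failure.
# Until this category is enabled, per-object audit entries (SACLs) are never evaluated.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Step 2: flag the file itself for auditing by adding an entry to its SACL.
# Get-Acl only returns the SACL when -Audit is given; writing it back needs
# SeSecurityPrivilege, which is why the prompt must be elevated.
$acl = Get-Acl -Path $Path -Audit

# Which kinds of access to audit (the "how the file is accessed" decision).
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete

# Audit both successful and failed attempts.
$flags = [System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $flags

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the audit entry was written.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Step 3: the Security log now receives an event for each matching access.
# Event ID 4663 ("An attempt was made to access an object") is the Vista+ ID;
# the Windows Server 2003 equivalent is 560 ("Object Open"), viewable with
# Get-EventLog -LogName Security -InstanceId 560 on Windows PowerShell.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
```

Two things a practitioner should weigh when using this. First, the SACL entry above names Everyone and audits both success and failure, which is the most complete but also the noisiest choice; narrowing the principal to the group that should not be touching the file, or auditing failures only, keeps the Security log readable. Second, step 1 is global: once Object Access auditing is on, every object that already carries a SACL starts generating events, so check the log volume after enabling it.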

One Comment
gerrard
November 23rd, 2007 at 7:26am
I was wondering if you can audit the moving by a human of an OU from one place in the AD hierarchy to another.