Keeping track of what your system is doing is one of the most important, but tedious, processes of good IT security management. In this section, I'll look at the tools to audit events that happen on your system and the utilities used to view them.
Auditing controls and properties are modified through GPOs in Windows 2000, Windows XP, and Windows Server 2008. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy, in the Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policies tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel.
The settings for each GPO indicate on what type of events and on what type of result a log entry will be written. Here are the options for auditing policies:
Audit account logon events: Writes an entry when domain users authenticate against a domain controller.
Audit account management: Indicates when user accounts are added, modified, or deleted.
Audit directory service access: Audits when queries and other communications with Active Directory are made.
Audit logon events: Writes an entry when local users access a resource on a particular computer.
Audit object access: Indicates when certain files, folders, or other system objects are opened, closed, or otherwise "touched".
Audit policy change: Audits when local policies (such as the Local Security Policy) and their associated objects are changed.
Audit privilege use: Writes an entry when users make use of privileges assigned to them (such as "Take Ownership").
Audit process tracking: Tracks program activation, when programs close, and other events that programs cause.
Audit system events: Audits when a user restarts a computer or when events are written to the security log or otherwise affect system security.
You can configure individual objects to be audited by editing the system access control list (SACL) for any given object. This is much like assigning permissions, except that you are telling Windows for what type of access an event log entry should be written. You can access the SACL for an object by clicking the Advanced button on the Security tab of the object's properties sheet. On the Auditing tab, after clicking Edit to make the sheet active, you can click Add to include new auditing events for an object, or click View/Edit to modify an existing auditing event. Figure 7-4 shows the SACL for an object.
Only NTFS files and folders can be audited. FAT partitions do not contain the necessary permission information to support auditing events.
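The same SACL edit done from the command line, as an added example that is not from the book: it enables the File System audit subcategory (without it the SACL entry produces no events), adds a Success and Failure audit rule for write and delete access to a folder, and lists the resulting entries. The folder path and the principal are placeholders; the .NET FileSystemAuditRule class and the Get-Acl -Audit / Set-Acl cmdlets are the standard ones. Run it elevated, on an NTFS volume.

```powershell
# Added example (not from the book). Placeholders: $folder, $identity.
# Needs an elevated prompt (SeSecurityPrivilege) and an NTFS path.

# 1. The SACL is only honoured when the matching audit category is on.
#    "Object Access" in the GPO maps to subcategories on Vista/2008 and later;
#    auditpol.exe sets them directly on the local machine.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Describe the audit entry: who, which rights, how it inherits, which outcomes.
$folder    = 'C:\SensitiveData'                   # placeholder path
$identity  = 'Everyone'                           # placeholder principal
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $flags)

# 3. Read the descriptor with its SACL (-Audit), add the rule, write it back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verify what the Auditing tab would now show for the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Get-Acl without -Audit silently drops the SACL, so a script that reads the ACL, edits it and writes it back without that switch will wipe existing audit entries; that is the one step worth double-checking in any automation of this kind.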
You'll want to take particular note of the following items from your event logs:
Logon and logoff events are tracked by the "Audit account logon events" setting, which can indicate repeated logon failures and point to a particular user account that is being used for an attack.
Account management is tracked by the "Audit account management" setting, which indicates users who have tried to use, or used, their granted user and computer administration power.
Startup and shutdown events are tracked by the "Audit system events" setting, which shows that a user has tried to shut down a system as well as what services might not have started up properly upon reboot.
Policy changes are tracked by the "Audit policy change" setting, which can indicate users tampering with security settings.
Privilege use events are tracked by the "Audit privilege use" setting, which can show attempts to change permissions to certain objects.
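Looking for the first item on that list, repeated logon failures against one account, is something you can script rather than scroll for. The following is an added example, not code from the book: it reads event ID 4625 ("An account failed to log on", the failure event Windows Vista and Windows Server 2008 write under these audit settings) from the Security log or from a saved .evtx file, pulls the account, source and status fields from the event XML, and reports accounts at or above a failure threshold. The function name, parameters and threshold are my own; the event fields used (TargetUserName, WorkstationName, IpAddress, Status) are the ones 4625 carries. Reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the book). Hypothetical function name and parameters.
# Written for Windows PowerShell 2.0 (the version that ships with Server 2008).

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,        # look back this far
        [int]$Threshold = 5,     # report accounts with at least this many failures
        [string]$Path            # optional: an exported Security.evtx instead of the live log
    )

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    if ($Path) { $filter.Remove('LogName'); $filter['Path'] = $Path }

    # Get-WinEvent throws when nothing matches; treat that as "no failures".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Take the named EventData fields from the XML; the Message text is
        # locale-dependent and awkward to parse.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            Status      = $data['Status']   # e.g. 0xC000006D: unknown user or bad password
        }
    } |
    Group-Object Account |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $times = $_.Group | ForEach-Object { $_.Time }
        New-Object PSObject -Property @{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group | ForEach-Object { $_.SourceIP } | Sort-Object -Unique) -join ', '
            First    = ($times | Measure-Object -Minimum).Minimum
            Last     = ($times | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

# Live log, last day, five or more failures per account:
Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table Account, Failures, Sources, First, Last -AutoSize

# Same report over a log you archived earlier (placeholder path):
# Get-FailedLogonSummary -Path 'D:\Archive\Security.evtx' -Hours 720
```

The Sources column is what separates a user who mistyped a password from something worth investigating: many failures for one account from several source addresses, or from an address that has no business logging on there, is the pattern the book's note about "a particular user account that is being used for an attack" refers to.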
You should be aware of a couple of things. First, too much auditing consumes large amounts of resources. Entries will be written every time a user moves a mouse (OK, that's an exaggeration, but not much of one). Second, too much auditing also tends to be overwhelming, and because auditing in general will do nothing for you if you don't view the audit entries ... can you see a loop forming? You don't want to look at audits because there is so much to wade through, so effectively you're wasting resources and gaining no security advantage from it. Be aware.
Similar to auditing policies, the policies for configuring the event logs are found inside the Default Domain Policy, in the Computer Configuration → Policies → Windows Settings → Security Settings → Event Log tree. Here are the options for event log policies:
Sets the maximum size the log is allowed to reach before the oldest events in the log will be purged.
Does the same as the previous item but pertains to the security log.
Does the same as the previous two items but pertains to the system log.
Disallows access to the application log from users logged on to the Guest account.
Disallows access to the security log from users logged on to the Guest account.
Disallows access to the system log from users logged on to the Guest account.
Specifies whether to overwrite events or save them when the application logfile reaches the maximum size.
Specifies whether to overwrite events or save them when the security logfile reaches the maximum size.
Specifies whether to overwrite events or save them when the system logfile reaches the maximum size.
Specifies whether Windows should overwrite old application log events as it sees fit or only those older than n days; you also can choose to simply not overwrite files and clear the logs manually.
Specifies whether Windows should overwrite old security log events as it sees fit or only those older than n days; you also can choose to simply not overwrite files and clear the logs manually.
Specifies whether Windows should overwrite old system log events as it sees fit or only those older than n days; you also can choose to simply not overwrite files and clear the logs manually.
To configure the event logs locally on a computer that does not participate in a domain, load the Event Viewer console (which is within the Control Panel and Administrative Tools) and then right-click each log in the left pane. You can set the log size options on this screen, including the maximum size and the actions Windows should take when that limit is reached.
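The same log-size and retention settings applied from a script, as an added example that is not from the book. Limit-EventLog (Windows PowerShell 2.0 and later) covers the classic Application, Security and System logs; wevtutil.exe reaches every log, including those under Applications and Services, and can also switch on automatic backup of a full log. The sizes are placeholders to suit to your own volume of events. Run elevated.

```powershell
# Added example (not from the book). Sizes are placeholders.

# Application and System: let Windows overwrite the oldest events as needed
# once the cap is reached ("Overwrite events as needed" in the dialog).
Limit-EventLog -LogName Application -MaximumSize 64MB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName System      -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

# Security: do not overwrite. Someone who can generate a flood of audit noise
# should not be able to push the entries you care about out of the log.
# Without a process to archive and clear it, a full log stops recording, so
# also have wevtutil archive it automatically when it fills (/ab:true).
#   /ms: maximum size in bytes, /rt:true: retain (no overwrite), /ab:true: auto-backup
wevtutil.exe set-log Security /ms:268435456 /rt:true /ab:true

# Check the result as the Event Viewer would show it.
Get-EventLog -List |
    Where-Object { 'Application','Security','System' -contains $_.Log } |
    Format-Table Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays -AutoSize

wevtutil.exe get-log Security
```

Settings applied this way are local; on a domain member the Event Log GPO settings described earlier win at the next policy refresh, so use the script form only on standalone machines or to check what policy has delivered.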
The Event Viewer allows you to look at events in many different event logs by default. Other applications can add their own logs into the Event Viewer console. Figure 7-5 shows a typical Event Viewer console.
This Event Viewer console may look different to you from previous versions, and that's because its layout has been refined and enhanced. You can see a summary on the opening screen of a variety of administrative events that may need your attention; this is a "custom view" built by Microsoft and shipped in the box with the product, and it usually covers the majority of sources that would generate an error that needs your attention.
You can access all of the event logs available in the left pane. Here's a summary of what is available.
Application: Logs messages, warnings, and errors generated by individual applications (programs). You'll find this log in raw format at %SystemRoot%\System32\Winevt\Logs\Application.evtx.
Forwarded Events: Logs events sent to the current machine from other servers. You can find this log in raw format at %SystemRoot%\System32\Config\ForwardedEvents.evtx.
Security: Logs events generated by the auditing configuration you have set up (see earlier in this chapter for more information on setting up auditing). You'll see this log in raw format at %SystemRoot%\System32\Winevt\Logs\Security.evtx.
Setup: Logs events generated by Windows Server 2008 itself during installation and other setup periods; can be found in %SystemRoot%\System32\Winevt\Logs\Setup.evtx.
System: Logs events generated by Windows Server 2008 during normal operation. This will normally be full of service information, such as warnings and failures. You will see this log in raw format at %SystemRoot%\System32\Winevt\Logs\System.evtx.
DFS Replication: Logs replication activities through the DFS (Distributed File System) functionality; see Chapter 3 for more information on DFS.
Directory Service: Logs events encountered by Active Directory Domain Services (AD DS) and its counterparts; see Chapter 5 for more information on AD DS.
DNS Server: Logs DNS queries, responses, and other messages and errors encountered by the service. See Chapter 4 for more information on DNS.
File Replication Service: Logs messages generated by the old, pre-Windows Server 2008 File Replication Service. In pure Windows Server 2008 environments, you can ignore this log.
Hardware Events: Logs errors, information, and warnings generated by drivers for hardware elements on your system.
Applications and Services Logs: This folder and its subfolders relate to individual Windows features and services and are the place to look for errors, warnings, and informational events generated by some Windows features.
To make it easier for you to see the events you're most interested in, you may wish to create a custom view that will filter the event log to events matching certain criteria. To do so, open Event Viewer and then, from the right pane, click the Create Custom View link. The resulting screen, shown in Figure 7-6, allows you to set the criteria by which events will be filtered.
Select the properties of the events you'd like to view, and then click OK. The custom view will be saved and you can always access an updated custom view, fresh with the latest events, from the Custom Views node in the left pane of the Event Viewer console.
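A custom view is stored as a structured XML query (the XML tab of the view's properties shows it, and Export Custom View saves it to a file). The same query can be run from PowerShell with Get-WinEvent -FilterXml, which is useful when you want the view's results in a script rather than on screen. The block below is an added example, not from the book: it selects the account-management and policy-change events discussed earlier (4720 user account created, 4726 user account deleted, 4732 member added to a local group, 4719 audit policy changed) from the last 7 days, and the timediff expression is the one the Event Viewer itself writes for a "Last 7 days" filter. The column names are my own. Run elevated.

```powershell
# Added example (not from the book). Same query language as an Event Viewer custom view.
# 604800000 ms = 7 days; &lt;= is how the XML has to spell "<=".
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4720 or EventID=4726 or EventID=4732 or EventID=4719)
        and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
    </Select>
  </Query>
</QueryList>
"@

# Helper: pull one named EventData field out of an event's XML.
function Get-EventField($event, [string]$name) {
    $xml = [xml]$event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -eq $name) { return $d.'#text' }
    }
}

Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'By';      e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'Target';  e = { Get-EventField $_ 'TargetUserName' } },
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# The same XML saved to a file can be imported back into Event Viewer
# (Action -> Import Custom View) so the console and the script stay in step.
```

Keeping the query in one file that both the console view and the script import means the two never drift apart; the failure mode to avoid is a nightly report that filters on a different event set than the view an administrator looks at during an incident.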
To clear events from your Event Viewer console, right-click on the log for which you want to delete events and choose Clear Log from the context menu.