musheer
asked on
Windows 2000
hi.... my question is that
what is the auditing option in windows2000 used for? What utility does it utilize? and what are the default auditing policies?
what is the auditing option in windows2000 used for? What utility does it utilize? and what are the default auditing policies?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Auditing, or the ability to track security events in the Windows NT security log, is a valuable tool for helping you maintain the security of your systems. Microsoft has improved on NT's auditing features with Windows 2000, which offers significant enhancements. In addition to NT’s seven categories of audit events, Win2K provides two new categories to track additional areas of activity
Like NT, Win2K’s default audit policy disables each audit category, so the security log is empty on a freshly installed system. Unlike NT, you don't use User Manager to enable auditing in Win2K. In fact, User Manager doesn’t work in Win2K domains. Instead, you use the Active Directory (AD) Group Policy to enable auditing
To view Win2K's nine audit categories, go to Active Directory Users and Computers, open a Group Policy Object (GPO), and maneuver to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, as Figure 1 shows. As in NT, you can configure each category to record successful and unsuccessful events. Remember that whenever you modify a GPO, your configuration changes will apply to all computers in the organizational units (OUs), domain, or sites that you've linked to that GPO. For instance, if you change audit policy in the Default Domain Policy GPO, which links to the root of the domain, Win2K will apply that same audit policy to every computer in the domain unless a higher priority GPO or a GPO linked to a lower OU has a conflicting audit policy. Remember, the last policy applied wins.
In addition to the seven updated NT audit categories, Win2K includes two new categories. The first of these, Audit account logon events, fills an important hole in NT's logon monitoring coverage. Tracking logon and logoff activity for domain accounts is problematic with NT because the Logon and Logoff audit category applies more to workstations and member servers than to domain controllers. When you log on at your workstation with a domain account, you are not logging on to the domain controller—the domain controller is just authenticating you. The logon event occurs on your workstation, and NT records the event in your workstation’s security log. Likewise, when you map a drive to a server, you’re logging on to the server, so NT records a logon event in the server's security log. This type of monitoring led to a fractious record of logon activity scattered among all the systems in the domain. To solve this problem, Win2K provides another category of audit events, Audit account logon events, to catch logon activity at a more centralized point—the domain controllers. Using this category, the system traps the domain controller authentication, as opposed to the logon that occurs at the workstation or server. This category watches the domain controllers and records any time a user authenticates or fails to authenticate because of a bad password. With this new category, you can get a complete picture of domain account logon activity by simply looking at the security logs for your domain controllers.
Win2K's other new audit category, Audit directory service access, is similar to Audit object access, only it applies to AD objects instead. Remember that in Win2K, user accounts and groups are objects in AD. As such, they have security descriptors (including an owner, access control list—ACL, and system audit control list) like any object. If you look at the Advanced Security dialog box for a user object in Active Directory Users and Computers, you’ll see an Auditing tab just as you would for any file or directory. With the system audit control list, you can specify exactly which properties and actions you want to audit on that object. For instance, you can specify that you want to audit whenever someone changes the dial-in settings for a user account. This information is valuable because it lets you track exactly what has changed on a user or group. In addition, the information is much more granular than what the Audit account management category gives you (the Audit account management category simply reports that a user or group changed—not what properties of the object changed). With Audit directory service access, you can find out exactly which properties changed. For instance, when an administrator edits Jill’s user account, you’ll know whether the administrator changed her job title or reset her password.
Win2K preserves all of NT's auditing functionality and offers some exciting new capabilities. Don’t forget that Group Policy now controls audit policy. Try out the new Audit account logon category so that you can track logon activity in a more centralized manner.
From http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/9633/WindowsSecurity_9633.html
Pete
Like NT, Win2K’s default audit policy disables each audit category, so the security log is empty on a freshly installed system. Unlike NT, you don't use User Manager to enable auditing in Win2K. In fact, User Manager doesn’t work in Win2K domains. Instead, you use the Active Directory (AD) Group Policy to enable auditing
To view Win2K's nine audit categories, go to Active Directory Users and Computers, open a Group Policy Object (GPO), and maneuver to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, as Figure 1 shows. As in NT, you can configure each category to record successful and unsuccessful events. Remember that whenever you modify a GPO, your configuration changes will apply to all computers in the organizational units (OUs), domain, or sites that you've linked to that GPO. For instance, if you change audit policy in the Default Domain Policy GPO, which links to the root of the domain, Win2K will apply that same audit policy to every computer in the domain unless a higher priority GPO or a GPO linked to a lower OU has a conflicting audit policy. Remember, the last policy applied wins.
In addition to the seven updated NT audit categories, Win2K includes two new categories. The first of these, Audit account logon events, fills an important hole in NT's logon monitoring coverage. Tracking logon and logoff activity for domain accounts is problematic with NT because the Logon and Logoff audit category applies more to workstations and member servers than to domain controllers. When you log on at your workstation with a domain account, you are not logging on to the domain controller—the domain controller is just authenticating you. The logon event occurs on your workstation, and NT records the event in your workstation’s security log. Likewise, when you map a drive to a server, you’re logging on to the server, so NT records a logon event in the server's security log. This type of monitoring led to a fractious record of logon activity scattered among all the systems in the domain. To solve this problem, Win2K provides another category of audit events, Audit account logon events, to catch logon activity at a more centralized point—the domain controllers. Using this category, the system traps the domain controller authentication, as opposed to the logon that occurs at the workstation or server. This category watches the domain controllers and records any time a user authenticates or fails to authenticate because of a bad password. With this new category, you can get a complete picture of domain account logon activity by simply looking at the security logs for your domain controllers.
Win2K's other new audit category, Audit directory service access, is similar to Audit object access, only it applies to AD objects instead. Remember that in Win2K, user accounts and groups are objects in AD. As such, they have security descriptors (including an owner, access control list—ACL, and system audit control list) like any object. If you look at the Advanced Security dialog box for a user object in Active Directory Users and Computers, you’ll see an Auditing tab just as you would for any file or directory. With the system audit control list, you can specify exactly which properties and actions you want to audit on that object. For instance, you can specify that you want to audit whenever someone changes the dial-in settings for a user account. This information is valuable because it lets you track exactly what has changed on a user or group. In addition, the information is much more granular than what the Audit account management category gives you (the Audit account management category simply reports that a user or group changed—not what properties of the object changed). With Audit directory service access, you can find out exactly which properties changed. For instance, when an administrator edits Jill’s user account, you’ll know whether the administrator changed her job title or reset her password.
Win2K preserves all of NT's auditing functionality and offers some exciting new capabilities. Don’t forget that Group Policy now controls audit policy. Try out the new Audit account logon category so that you can track logon activity in a more centralized manner.
From http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/9633/WindowsSecurity_9633.html
Pete
Hello this question has been open a while please take the time to come back and clean it up.
Closing Questions
https://www.experts-exchange.com/help.jsp#hs5
Best Wishes
Pete
www.petenetlive.com
Closing Questions
https://www.experts-exchange.com/help.jsp#hs5
Best Wishes
Pete
www.petenetlive.com
HOW TO: Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549
HOW TO: Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640