• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 669

Windows 2000 Auditing

I've been searching the web for an explanation of what exactly security auditing is and all I could find was how to setup auditing for a specific situation. So my question is, what is security auditing?

I've noticed inside of my event viewer that under the "Security Log," I am seeing a number of successful audits and failure audits and I am just not sure what exactly they are doing.

If you need more information please don't hesitate to ask.

Thanks!
Anthony
1 Solution
 
Fatal_ExceptionCommented:
Auditing is turned on in Group Policy, usually on a Domain Controller.  There are numerous things you can audit, such as Object Access - Success/Failure.  This is a way to audit who is accessing certain files and folders.

Once it is turned on in GP, you then go to the actual folder you want to audit, and specify Auditing.  From here, you can now look at the Event Viewer to see the audited events.

Does this help?  I can send you a link to further explain it if you want.

FE
0
 
AWarrenMAuthor Commented:
Hey FE,

The thing is, I can find postings on how to set up auditing, I just don't understand what the hell it does. I guess I'm looking for more of a definition of the auditing concept and an explanation behind the security implications. If you have a link to something that explains this that'd be great!

Thanks,
Anthony
0
 
Fatal_ExceptionCommented:
This MS KBA focuses on W2K auditing.  It explains exactly how to enable it on both server and workstation.

http://support.microsoft.com/default.aspx?kbid=300549

FE
0
 
Fatal_ExceptionCommented:
OK...  Security Auditing means exactly that.  Say you have a folder that has files in it.  You notice that some of the files have been changed and you want to know WHO has been accessing these files.  You then enable Object Access Auditing on the Folder and voilà, you can now use the event viewer to see who was into the files.

Like I mentioned before, there are various types of audits you can do.  Special Access audit will tell you who has been deleting files, for example.  

Any help?

FE
0
 
Fatal_ExceptionCommented:
Also, I may use it just to see which user is trying to poke around the network.  By enabling a Failure Audit, whenever that user tries to get into a 'protected' area of my server, I know who he was and where he was trying to get to.  I can then have a little talk with him in private and explain that there are some places that he should not be trying to access.  Places like Payroll, for instance.  Or anything in the realm of the Dept of Human Resources where confidential information is placed (SSNs, for instance).

Am sure you understand the need for this.

Getting any clearer?

FE
0
 
AWarrenMAuthor Commented:
FE,

So in a sense, auditing essentially logs access to the specific objects that you have it enabled for and makes these logs available for viewing through the event viewer? Please correct me if I'm wrong.

So, when browsing the security logs in event viewer I've noticed that other users other than the one I'm currently logged in as are listed in the logs. Is this normal? Does the auditing span across all users who are listed as valid users to the current system?

Thanks
Anthony
0
 
AWarrenMAuthor Commented:
Oh I see.

The basis for my inquiry is that inside of my security logs I was noticing a number of different auditing events that occurred frequently. The ones that concern me are the ones not listed as my user name.

There are two other user names I am seeing, System and Anonymous. Is this normal?
0
 
Fatal_ExceptionCommented:
Yes, your first comment is right on target.

As to the second, it depends on how you have set it up.  If you have enabled it for the Users group, it will include all users in your domain.  So yes, it would be normal.

One thing of note here though.  You have to be careful when enabling Auditing.  Usually, the best practice is to be specific in what you want to audit.  The reason behind this is that your security logs will grow to the point that they get to be fairly useless.  You will get to the point that you are wading through an endless log trying to find the right event.

Check out your GP (gpedit.msc) and see what you have turned on.  This can be found in:  Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy.  Then go to the folder you are auditing (or want to audit) and check the properties > Security tab > Advanced > Auditing tab and see if your Users group is enabled.  If so, auditing for the entire group will show in the event viewer.

Again, be careful of auditing Success events.  Authorized user access can generate a large amount of data.

How am I doing?  :)

FE  
0
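The two steps FE describes above (turn the audit category on in policy, then put an audit entry on the folder) as an added example; this is not code from the thread or from the linked Microsoft article. Windows 2000 had neither PowerShell nor auditpol, so there the same two settings are made in gpedit.msc and in the folder's Security > Advanced > Auditing tab; the script below does the equivalent on a current Windows host. The folder path C:\Payroll is a placeholder, and the choice of which rights to audit for success versus failure is mine, following FE's warning about auditing successful access by authorized users.

```powershell
# Added example, not from the thread. Requires an elevated prompt: changing a
# SACL needs SeSecurityPrivilege, and auditpol needs administrator rights.
# C:\Payroll is a placeholder path.

$Folder = 'C:\Payroll'

# Step 1: policy. If the "File System" subcategory (Windows 2000: the
# "Audit object access" policy) is disabled, audit entries on the folder
# produce no events at all. Enabling it here is the modern form of
# Local Policies > Audit Policy in gpedit.msc.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: the folder. -Audit makes Get-Acl read the SACL (the "Auditing" tab),
# not only the DACL (the "Permissions" tab).
$acl = Get-Acl -Path $Folder -Audit

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Failure audit for Everyone: the "who is poking around" case. Any denied attempt
# to read, write or delete below the folder logs the account that tried.
$failRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Failure)

# Success audit only for changes by Users, not for reads. Auditing every
# successful read by authorized users is what fills the Security log with
# noise, so the success side is kept narrow on purpose.
$successRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Users',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl.AddAuditRule($failRule)
$acl.AddAuditRule($successRule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: list what is now on the folder's Auditing tab.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

After this, a denied open of any file under the folder shows up in the Security log as a failure audit naming the account, and a successful write or delete by a member of Users shows up as a success audit; a successful read by Users does not, which is the trade-off FE is pointing at. Checking the `auditpol` step first is the usual fix when a folder has audit entries but the log stays empty.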
 
Fatal_ExceptionCommented:
:)  System events tell you that the System is accessing that data.  All is well.

Anonymous depends....  I would have to know much more about your network setup to help you here.  If you have a hacker accessing your network with a NULL session, this can be VERY bad.  There is a registry fix for this, but I would have to do a little research to help you here.

FE
0
 
Fatal_ExceptionCommented:
If you want you can send me the event ID.  Perhaps I could tell you more.

FE
0
 
Fatal_ExceptionCommented:
Here is a great link that will help you with Anon Events:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html

0
 
AWarrenMAuthor Commented:
Doing great man...

Here's the anonymous logon info:

1.
User Logoff:
       User Name:    ANONYMOUS LOGON
       Domain:       NT AUTHORITY
       Logon ID:     (0x0,0x1062D2)
       Logon Type:   3
2.
Special privileges assigned to new logon:
       User Name:
       Domain:
       Logon ID:     (0x0,0x1062D2)
       Assigned:     SeChangeNotifyPrivilege

The two descriptions for events labeled 1 and 2 are the only two anonymous security log audit events and are recurring. Are these alright?

Thanks,
Anthony
0
 
Fatal_ExceptionCommented:
Yep.... Look at my previous link and that will describe EXACTLY what you are seeing.  I recommend you look at the GP fix on this too.

FE
0
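The kind of records Anthony pasted, pulled out of the Security log and joined the way he did (by Logon ID), as an added example that is not part of the thread. Windows 2000 wrote these as events 540 (successful network logon), 538 (user logoff) and 576 (special privileges assigned to new logon); Vista and later use 4624, 4634 and 4672 with the same fields, and that is what the script reads. Assumptions of mine: a current Windows host with PowerShell 5 or later, an elevated prompt so the Security log is readable, a 24-hour window, and that the "registry fix" FE refers to is the LSA RestrictAnonymous value, which the script reads at the end.

```powershell
# Added example, not from the thread. Run elevated: the Security log is not
# readable by standard users. The 24-hour window is an arbitrary choice.

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4672; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten an event's EventData into a hashtable. Field names differ by event:
# 4624/4634 carry TargetUserName/TargetLogonId/LogonType, 4672 carries
# SubjectUserName/SubjectLogonId/PrivilegeList.
function Get-EventFields($e) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$anon = foreach ($e in $events) {
    $d = Get-EventFields $e
    $user    = if ($e.Id -eq 4672) { $d['SubjectUserName'] } else { $d['TargetUserName'] }
    $logonId = if ($e.Id -eq 4672) { $d['SubjectLogonId'] }  else { $d['TargetLogonId'] }
    if ($user -ne 'ANONYMOUS LOGON') { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        LogonId    = $logonId
        LogonType  = $d['LogonType']      # 3 = network, what Anthony saw
        Source     = $d['IpAddress']      # present on 4624 only
        Privileges = $d['PrivilegeList']  # present on 4672 only
    }
}

# One row per anonymous session: the logon, the privileges it was handed, and
# where it came from. Grouping on Logon ID is the join Anthony made by eye
# between his events 1 and 2 (both (0x0,0x1062D2)).
$anon | Group-Object LogonId | ForEach-Object {
    $logon = $_.Group | Where-Object Id -eq 4624 | Select-Object -First 1
    $priv  = $_.Group | Where-Object Id -eq 4672 | Select-Object -First 1
    [pscustomobject]@{
        LogonId    = $_.Name
        Start      = $logon.Time
        LogonType  = $logon.LogonType
        Source     = $logon.Source
        Privileges = ($priv.Privileges -replace '\s+', ' ')
        Events     = $_.Count
    }
} | Sort-Object Start | Format-Table -AutoSize

# An anonymous session that receives only SeChangeNotifyPrivilege is the plain
# null-session case. Whether that matters depends on what the server lets an
# anonymous caller enumerate, which on Windows 2000 is governed by this value
# (assumed here to be the "registry fix" FE mentions): 0 = no restriction,
# 1 = no enumeration of accounts and shares, 2 = no access without explicit
# anonymous permissions.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous `
                 -ErrorAction SilentlyContinue | Select-Object RestrictAnonymous
```

What to look at in the output: a handful of anonymous type-3 sessions with only SeChangeNotifyPrivilege and no further activity is the normal background of a Windows network; many sessions from one source address, or any anonymous session whose Logon ID also turns up on object-access audits set up as in the earlier example, is the case worth following up.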
 
AWarrenMAuthor Commented:
haha nice, you answered my next question of "is there an index of all the event logs so that I have a reference."

Appreciate all your help, happy holidays.

Anthony
0
 
Fatal_ExceptionCommented:
Glad to be of service.  Enjoyed it.

Happy Holidays back to ya.  :)

FE
0
