Solved

Windows 2000 Auditing

Posted on 2003-12-11
Last Modified: 2010-04-14
I've been searching the web for an explanation of what exactly security auditing is and all I could find was how to setup auditing for a specific situation. So my question is, what is security auditing?

I've noticed inside of my event viewer that under the "Security Log," I am seeing a number of successful audits and failure audits and I am just not sure what exactly they are doing.

If you need more information please don't hesitate to ask.

Thanks!
Anthony
Question by:AWarrenM
15 Comments
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921298
Auditing is turned on in Group Policy, usually on a Domain Controller.  There are numerous things you can audit, such as Object Access - Success/Failure.  This is a way to audit Who is accessing certain files and folders.

Once it is turned on in GP, you then go to the actual folder you want to audit, and specify Auditing.  From here, you can now look at the Event Viewer to see the audited events.

Does this help?  I can send you a link to further explain it if you want.

FE
 

Author Comment

by:AWarrenM
ID: 9921353
Hey FE,

The thing is, I can find postings on how to set up auditing, I just don't understand what the hell it does. I guess I'm looking for more of a definition of the auditing concept and an explanation behind the security implications. If you have a link to something that explains this that'd be great!

Thanks,
Anthony
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921359
This MS KBA focuses on W2K auditing.  It explains exactly how to enable it on both server and workstation.

http://support.microsoft.com/default.aspx?kbid=300549

FE
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921414
OK...  Security Auditing means exactly that.  Say you have a folder that has files in it.  You notice that some of the files have been changed and you want to know WHO has been accessing these files.  You then enable Object Access Auditing on the Folder and voila, you can now use the event viewer to see who was into the files.

Like I mentioned before, there are various types of audits you can do.  Special Access audit will tell you who has been deleting files, for example.  

Any help?

FE
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921502
Also, I may use it just to see which user is trying to poke around the network.  By enabling a Failure Audit, whenever that user tries to get into a 'protected' area of my server, I know who they were and where they were trying to get to.  I can then have a little talk with them in private and explain that there are some places that they should not be trying to access.  Places like Payroll, for instance.  Or anything in the realm of the Dept of Human Resources where confidential information is placed (SSN's for instance).

Am sure you understand the need for this.

Getting any clearer?

FE
 

Author Comment

by:AWarrenM
ID: 9921515
FE,

So in a sense, auditing essentially logs access to the specific objects that you have it enabled for and makes these logs available for viewing through the event viewer? Please correct me if I'm wrong.

So, when browsing the security logs in event viewer I've noticed that users other than the one I'm currently logged in as are listed in the logs. Is this normal? Does the auditing span across all users who are listed as valid users on the current system?

Thanks
Anthony
 

Author Comment

by:AWarrenM
ID: 9921582
Oh I see.

The basis for my inquiry is that inside of my security logs I was noticing a number of different auditing events that occurred frequently. The ones that concern me are the ones not listed under my user name.

There are two other user names I am seeing, System and Anonymous. Is this normal?
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921613
Yes, your first comment is right on target.

As to the second, it depends on how you have set it up.  If you have enabled it for the Users group, it will include all users in your domain.  So yes, it would be normal.

One thing of note here though.  You have to be careful when enabling Auditing.  Usually, the best practice is to be specific in what you want to audit.  The reason behind this is that your security logs will grow to the point that they get to be fairly useless.  You will get to the point that you are wading through an endless log trying to find the right event.

Check out your GP (gpedit.msc) and see what you have turned on.  This can be found in:  Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy.  Then go to the folder you are auditing (or want to audit) and check the properties > Security tab > Advanced > Auditing tab and see if your Users group is enabled.  If so, auditing for the entire group will show in the event viewer.

Again, be careful of auditing Success events.  Authorized user access can generate a large amount of data.

How am I doing?  :)

FE  
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921639
:)  System events tell you that the System is accessing that data.  All is well.

Anonymous depends....  I would have to know much more about your network setup to help you here.  If you have a hacker accessing your network with a NULL session, this can be VERY bad.  There is a registry fix for this, but I would have to do a little research to help you here.

FE
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921662
If you want you can send me the event ID.  Perhaps I could tell you more.

FE
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 350 total points
ID: 9921670
Here is a great link that will help you with Anon Events:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html

 

Author Comment

by:AWarrenM
ID: 9921675
Doing great man...

Here's the anonymous logging info:

1.
User Logoff:
       User Name:       ANONYMOUS LOGON
       Domain:          NT AUTHORITY
       Logon ID:        (0x0,0x1062D2)
       Logon Type:      3
2.
Special privileges assigned to new logon:
       User Name:
       Domain:
       Logon ID:        (0x0,0x1062D2)
       Assigned:        SeChangeNotifyPrivilege

The two descriptions for events labeled 1 and 2 are the only two anonymous security log audit events and are recurring. Are these alright?

Thanks,
Anthony
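Added example (not code from the original thread, written to illustrate FE's null-session warning above and the two records Anthony pasted): the "Special privileges" entry has a blank User Name while the logoff entry names ANONYMOUS LOGON, and the two share a Logon ID. Correlating on Logon ID is how you tie the records of one session together and decide whether the null-session concern applies: a network (Logon Type 3) logon by ANONYMOUS LOGON is what to look at, while SeChangeNotifyPrivilege (bypass traverse checking) is granted to every logon and is not a finding on its own. The sample records below are constructed in the same text layout as the posted ones; the extra "Successful Network Logon" record, the workstation name WS01 and the user CORP\anthony are assumptions for the example, not taken from the posts.

```python
"""Correlate classic-format Windows Security log records by Logon ID and
flag anonymous (null-session) network logons.

Added example for this thread, not code from the original posts.  The
record layout mirrors what was pasted above (a title line, then indented
"Field:  value" lines).  SAMPLE_EVENTS is constructed for the example,
not captured from a real host.
"""
import re
from collections import defaultdict

# Logon Type values as documented for the classic (NT/2000/2003) Security log.
LOGON_TYPES = {
    "2": "Interactive",
    "3": "Network",      # shares, null sessions, remote registry, RPC over SMB
    "4": "Batch",
    "5": "Service",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

# Constructed sample.  Session (0x0,0x1062D2) reproduces the posted
# anonymous records plus an assumed network-logon record carrying the
# source workstation (WS01, assumed).  Session (0x0,0x3E7A1) is an assumed
# ordinary interactive logon that also receives SeChangeNotifyPrivilege.
SAMPLE_EVENTS = """
Successful Network Logon:
       User Name:       ANONYMOUS LOGON
       Domain:          NT AUTHORITY
       Logon ID:        (0x0,0x1062D2)
       Logon Type:      3
       Workstation Name:    WS01

Special privileges assigned to new logon:
       User Name:
       Domain:
       Logon ID:        (0x0,0x1062D2)
       Assigned:        SeChangeNotifyPrivilege

User Logoff:
       User Name:       ANONYMOUS LOGON
       Domain:          NT AUTHORITY
       Logon ID:        (0x0,0x1062D2)
       Logon Type:      3

Special privileges assigned to new logon:
       User Name:       anthony
       Domain:          CORP
       Logon ID:        (0x0,0x3E7A1)
       Assigned:        SeChangeNotifyPrivilege

User Logoff:
       User Name:       anthony
       Domain:          CORP
       Logon ID:        (0x0,0x3E7A1)
       Logon Type:      2
"""


def parse_events(text):
    """Split blank-line separated records into {"title": ..., "fields": {...}}."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        title = lines[0].strip().rstrip(":")
        fields = {}
        for ln in lines[1:]:
            m = FIELD_RE.match(ln)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        events.append({"title": title, "fields": fields})
    return events


def sessions_by_logon_id(events):
    """Group records that share a Logon ID; one logon session yields a logon
    record, zero or more privilege records and a logoff record."""
    sessions = defaultdict(list)
    for ev in events:
        logon_id = ev["fields"].get("Logon ID")
        if logon_id:
            sessions[logon_id].append(ev)
    return dict(sessions)


def summarize_session(records):
    """Merge one session's records.  The user name comes from whichever record
    carries it (the privilege record leaves it blank, the logoff fills it in)."""
    user = domain = logon_type = workstation = ""
    privileges = []
    for ev in records:
        f = ev["fields"]
        user = f.get("User Name") or user
        domain = f.get("Domain") or domain
        logon_type = f.get("Logon Type") or logon_type
        workstation = f.get("Workstation Name") or workstation
        if ev["title"] == "Special privileges assigned to new logon":
            privileges.extend(f.get("Assigned", "").split())
    return {
        "user": user,
        "domain": domain,
        "logon_type": LOGON_TYPES.get(logon_type, logon_type),
        "workstation": workstation,
        "privileges": privileges,
        "anonymous": user.upper() == "ANONYMOUS LOGON",
    }


def find_anonymous_network_logons(text):
    """Return {logon_id: summary} for sessions that are both anonymous and
    network (type 3) logons.  SeChangeNotifyPrivilege by itself is ignored:
    every logon receives it."""
    hits = {}
    for logon_id, records in sessions_by_logon_id(parse_events(text)).items():
        s = summarize_session(records)
        if s["anonymous"] and s["logon_type"] == "Network":
            hits[logon_id] = s
    return hits


if __name__ == "__main__":
    for logon_id, s in find_anonymous_network_logons(SAMPLE_EVENTS).items():
        print(f"{logon_id}: {s['domain']}\\{s['user']} {s['logon_type']} logon "
              f"from {s['workstation'] or '?'}, privileges={s['privileges']}")
```

Run it against a text export of the Security log and the output is a list of Logon IDs to chase, with the workstation name where the logon record recorded one. Treat a hit as a triage starting point rather than proof of an intruder: on a domain member, anonymous network logons also come from ordinary browsing and from hosts that have not been told to refuse null sessions, so the next step is to check the source workstation and the RestrictAnonymous setting the linked article discusses.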
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921689
Yep.... Look at my previous link and that will describe EXACTLY what you are seeing.  I recommend you look at the GP fix on this too.

FE
 

Author Comment

by:AWarrenM
ID: 9921705
haha nice, you answered my next question of "is there an index of all the event logs so that I have a reference."

Appreciate all your help, happy holidays.

Anthony
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921714
Glad to be of service.  Enjoyed it.

Happy Holidays back to ya.  :)

FE