Solved

Windows 2000 Auditing

Posted on 2003-12-11
Last Modified: 2010-04-14
I've been searching the web for an explanation of what exactly security auditing is and all I could find was how to setup auditing for a specific situation. So my question is, what is security auditing?

I've noticed inside of my event viewer that under the "Security Log," I am seeing a number of successful audits and failure audits and I am just not sure what exactly they are doing.

If you need more information please don't hesitate to ask.

Thanks!
Anthony
Question by:AWarrenM
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921298
Auditing is turned on in Group Policy, usually on a Domain Controller.  There are numerous things you can audit, such as Object Access - Success/Failure.  This is a way to audit Who is accessing certain files and folders.

Once it is turned on in GP, you then go to the actual folder you want to audit, and specify Auditing.  From here, you can now look at the Event Viewer to see the audited events.

Does this help?  I can send you a link to further explain it if you want.

FE

Author Comment

by:AWarrenM
ID: 9921353
Hey FE,

The thing is, I can find postings on how to set up auditing, I just don't understand what the hell it does. I guess I'm looking for more of a definition of the auditing concept and an explanation behind the security implications. If you have a link to something that explains this that'd be great!

Thanks,
Anthony
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921359
This MS KBA focuses on W2K auditing.  It explains exactly how to enable it on both server and workstation.

http://support.microsoft.com/default.aspx?kbid=300549

FE
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921414
OK...  Security Auditing means exactly that.  Say you have a folder that has files in it.  You notice that some of the files have been changed and you want to know WHO has been accessing these files.  You then enable Object Access Auditing on the Folder and voilà, you can now use the event viewer to see who was into the files.

Like I mentioned before, there are various types of audits you can do.  Special Access audit will tell you who has been deleting files, for example.  

Any help?

FE
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921502
Also, I may use it just to see which user is trying to poke around the network.  By enabling a Failure Audit, whenever that user tries to get into a 'protected' area of my server, I know who they were and where they were trying to get to.  I can then have a little talk to him in private and explain that there are some places that he should not be trying to access.  Places like Payroll, for instance.  Or anything in the realm of the Dept of Human Resources where confidential information is placed (SSN's for instance).

I'm sure you understand the need for this.

Getting any clearer?

FE

Author Comment

by:AWarrenM
ID: 9921515
FE,

So in a sense, auditing essentially logs access to the specific objects that you have it enabled for and makes these logs available for viewing through the event viewer? Please correct me if I'm wrong.

So, when browsing the security logs in event viewer I've noticed that other users other than the one I'm currently logged in as are listed in the logs. Is this normal? Does the auditing span across all users who are listed as valid users to the current system?

Thanks
Anthony

Author Comment

by:AWarrenM
ID: 9921582
Oh I see.

The basis for my inquiry is that inside of my security logs I was noticing a number of different auditing events that occurred frequently. The ones that concern me are the ones not listed as my user name.

There are two other user names I am seeing, System and Anonymous. Is this normal?
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921613
Yes, your first comment is right on target.

As to the second, it depends on how you have set it up.  If you have enabled it for the Users group, it will include all users in your domain.  So yes, it would be normal.

One thing of note here though.  You have to be careful when enabling Auditing.  Usually, the best practice is to be specific in what you want to audit.  The reason behind this is that your security logs will grow to the point that they get to be fairly useless.  You will get to the point that you are wading through an endless log trying to find the right event.

Check out your GP (gpedit.msc) and see what you have turned on.  This can be found in:  Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy.  Then go to the folder you are auditing (or want to audit) and check the properties > Security tab > Advanced > Auditing tab and see if your Users group is enabled.  If so, auditing for the entire group will show in the event viewer.

Again, be careful of auditing Success events.  Authorized user access can generate a large amount of data.

How am I doing?  :)

FE  
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921639
:)  System events tell you that the System is accessing that data.  All is well.

Anonymous depends....  I would have to know much more about your network setup to help you here.  If you have a hacker accessing your network with a NULL session, this can be VERY bad.  There is a registry fix for this, but I would have to do a little research to help you here.

FE
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921662
If you want you can send me the event ID.  Perhaps I could tell you more.

FE
LVL 40

Accepted Solution

by: Fatal_Exception earned 350 total points
ID: 9921670
Here is a great link that will help you with Anon Events:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html


Author Comment

by:AWarrenM
ID: 9921675
Doing great man...

Here's the anonymous logon info:

1.
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x1062D2)
       Logon Type:      3
2.
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x1062D2)
       Assigned:            SeChangeNotifyPrivilege

The two descriptions for events labeled 1 and 2 are the only two anonymous security log audit events and are recurring. Are these alright?

Thanks,
Anthony
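As an added illustration (not from the thread or either participant), here is a small Python parser for security-log description text of the shape quoted above. It groups entries by their shared Logon ID and flags sessions that are both ANONYMOUS LOGON and logon type 3 (network); the sample is constructed from the two quoted entries plus a made-up interactive logon by a named user for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the first two events mirror the quoted ANONYMOUS LOGON pair,
# the third is a made-up type 2 (interactive) logon so a non-anonymous case exists.
SAMPLE_EVENTS = """\
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x1062D2)
       Logon Type:      3
Special privileges assigned to new logon:
       User Name:
       Domain:
       Logon ID:            (0x0,0x1062D2)
       Assigned:            SeChangeNotifyPrivilege
Successful Logon:
       User Name:      Anthony
       Logon ID:            (0x0,0x3E7A1)
       Logon Type:      2
"""

# Indented "Key:   value" line; the value may be empty, as in the quoted entry 2.
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s*(.*?)\s*$")

def parse_events(text):
    """Split event-viewer description text into one dict per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: a new event header
            events.append({"event": line.rstrip(":").strip()})
        elif events and (m := FIELD_RE.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def anonymous_network_sessions(events):
    """Return {logon_id: [privileges]} for sessions that are ANONYMOUS LOGON and type 3."""
    by_id = defaultdict(list)
    for ev in events:
        if "Logon ID" in ev:
            by_id[ev["Logon ID"]].append(ev)
    findings = {}
    for logon_id, evs in by_id.items():
        anon = any(ev.get("User Name") == "ANONYMOUS LOGON" for ev in evs)
        network = any(ev.get("Logon Type") == "3" for ev in evs)
        if anon and network:
            findings[logon_id] = [ev["Assigned"] for ev in evs if "Assigned" in ev]
    return findings
```

Run on the sample, the only flagged session is (0x0,0x1062D2) with SeChangeNotifyPrivilege, which is the pair the question asks about.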
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921689
Yep.... Look at my previous link and that will describe EXACTLY what you are seeing.  I recommend you look at the GP fix on this too.

FE

Author Comment

by:AWarrenM
ID: 9921705
haha nice, you answered my next question of "is there an index of all the event logs so that I have a reference."

Appreciate all your help, happy holidays.

Anthony
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921714
Glad to be of service.  Enjoyed it.

Happy Holidays back to ya.  :)

FE
