Windows 2000 Auditing

Posted on 2003-12-11
Last Modified: 2010-04-14
I've been searching the web for an explanation of what exactly security auditing is and all I could find was how to setup auditing for a specific situation. So my question is, what is security auditing?

I've noticed inside of my event viewer that under the "Security Log," I am seeing a number of successful audits and failure audits and I am just not sure what exactly they are doing.

If you need more information please don't hesitate to ask.

Thanks!
Anthony
Question by:AWarrenM

Expert Comment

by:Fatal_Exception
ID: 9921298
Auditing is turned on in Group Policy, usually on a Domain Controller.  There are numerous things you can audit, such as Object Access - Success/Failure.  This is a way to audit who is accessing certain files and folders.

Once it is turned on in GP, you then go to the actual folder you want to audit, and specify Auditing.  From here, you can now look at the Event Viewer to see the audited events.

Does this help?  I can send you a link to further explain it if you want.

FE

Author Comment

by:AWarrenM
ID: 9921353
Hey FE,

The thing is, I can find postings on how to set up auditing, I just don't understand what the hell it does. I guess I'm looking for more of a definition of the auditing concept and an explanation behind the security implications. If you have a link to something that explains this that'd be great!

Thanks,
Anthony

Expert Comment

by:Fatal_Exception
ID: 9921359
This MS KBA focuses on W2K auditing.  It explains exactly how to enable it on both server and workstation.

http://support.microsoft.com/default.aspx?kbid=300549

FE

Expert Comment

by:Fatal_Exception
ID: 9921414
OK...  Security Auditing means exactly that.  Say you have a folder that has files in it.  You notice that some of the files have been changed and you want to know WHO has been accessing these files.  You then enable Object Access Auditing on the Folder and voila, you can now use the event viewer to see who was into the files.

Like I mentioned before, there are various types of audits you can do.  Special Access audit will tell you who has been deleting files, for example.  

Any help?

FE

Expert Comment

by:Fatal_Exception
ID: 9921502
Also, I may use it just to see which user is trying to poke around the network.  By enabling a Failure Audit, whenever that user tries to get into a 'protected' area of my server, I know who they were and where he was trying to get to.  I can then have a little talk with him in private and explain that there are some places that he should not be trying to access.  Places like Payroll, for instance.  Or anything in the realm of the Dept of Human Resources where confidential information is placed (SSNs for instance).

Am sure you understand the need for this.

Getting any clearer?

FE

Author Comment

by:AWarrenM
ID: 9921515
FE,

So in a sense, auditing essentially logs access to the specific objects that you have it enabled for and makes these logs available for viewing through the event viewer? Please correct me if I'm wrong.

So, when browsing the security logs in event viewer I've noticed that users other than the one I'm currently logged in as are listed in the logs. Is this normal? Does the auditing span across all users who are listed as valid users on the current system?

Thanks
Anthony

Author Comment

by:AWarrenM
ID: 9921582
Oh I see.

The basis for my inquiry is that inside of my security logs I was noticing a number of different auditing events that occurred frequently. The ones that concern me are the ones not listed under my user name.

There are two other user names I am seeing, System and Anonymous. Is this normal?

Expert Comment

by:Fatal_Exception
ID: 9921613
Yes, your first comment is right on target.

As to the second, it depends on how you have set it up.  If you have enabled it for the Users group, it will include all users in your domain.  So yes, it would be normal.

One thing of note here though.  You have to be careful when enabling Auditing.  Usually, the best practice is to be specific in what you want to audit.  The reason behind this is that your security logs will grow to the point that they get to be fairly useless.  You will get to the point that you are wading through an endless log trying to find the right event.

Check out your GP (gpedit.msc) and see what you have turned on.  This can be found in:  Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy.  Then go to the folder you are auditing (or want to audit) and check the properties > Security tab > Advanced > Auditing tab and see if your Users group is enabled.  If so, auditing for the entire group will show in the event viewer.

Again, be careful of auditing Success events.  Authorized user access can generate a large amount of data.

How am I doing?  :)

FE  

Expert Comment

by:Fatal_Exception
ID: 9921639
:)  System events tell you that the System is accessing that data.  All is well.

Anonymous depends....  I would have to know much more about your network setup to help you here.  If you have a hacker accessing your network with a NULL session, this can be VERY bad.  There is a registry fix for this, but I would have to do a little research to help you here.

FE

Expert Comment

by:Fatal_Exception
ID: 9921662
If you want you can send me the event ID.  Perhaps I could tell you more.

FE

Accepted Solution

by:
Fatal_Exception earned 350 total points
ID: 9921670
Here is a great link that will help you with Anon Events:

http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/23067/23067.html


Author Comment

by:AWarrenM
ID: 9921675
Doing great man...

Here's the anonymous logging info:

1.
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x1062D2)
       Logon Type:      3
2.
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x1062D2)
       Assigned:            SeChangeNotifyPrivilege

The two descriptions for events labeled 1 and 2 are the only two anonymous security log audit events and are recurring. Are these alright?

Thanks,
Anthony
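The two entries Anthony pasted share the same Logon ID, which is what ties the blank-name "Special privileges" event to the ANONYMOUS LOGON session. The following is an added example (not code from the thread) that parses Security-log descriptions in that text layout, does that Logon ID attribution, and buckets events by account class and Success/Failure audit type; every sample entry is constructed, and the SYSTEM and jsmith entries are assumptions used only for illustration.

```python
"""Added example (not from the thread): parse Windows 2000 Security-log
entries in the text layout the poster quoted, attribute each to an account,
and resolve blank User Name fields through the shared Logon ID.
All sample entries are constructed; SYSTEM and jsmith ones are assumed."""
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_event(audit_type, text):
    """Turn one Event Viewer description into a dict of its fields."""
    lines = text.strip().splitlines()
    ev = {"type": audit_type, "kind": lines[0].rstrip(":").strip()}
    for line in lines[1:]:
        m = FIELD.match(line)
        if m:
            ev[m.group(1).strip()] = m.group(2)
    return ev

def resolve_accounts(events):
    """Fill blank User Name fields from events sharing the same Logon ID."""
    by_logon = {ev["Logon ID"]: (ev["User Name"], ev.get("Domain", ""))
                for ev in events if ev.get("User Name") and ev.get("Logon ID")}
    for ev in events:
        if not ev.get("User Name") and ev.get("Logon ID") in by_logon:
            ev["User Name"], ev["Domain"] = by_logon[ev["Logon ID"]]
            ev["resolved"] = True  # attributed via Logon ID, not the event itself
    return events

def classify(ev):
    """Bucket accounts the way the thread discusses them."""
    name = ev.get("User Name", "").upper()
    return {"ANONYMOUS LOGON": "anonymous", "SYSTEM": "system"}.get(name, "user")

def summarize(raw):
    """Count (account class, audit type) and list anonymous network sessions."""
    events = resolve_accounts([parse_event(t, d) for t, d in raw])
    counts = Counter((classify(ev), ev["type"]) for ev in events)
    # Logon Type 3 = network; anonymous network sessions are the NULL-session case
    anon_net = sorted({ev["Logon ID"] for ev in events
                       if classify(ev) == "anonymous" and ev.get("Logon Type") == "3"})
    return counts, anon_net, events

SAMPLE = [  # constructed; the first two mirror the entries quoted in the thread
    ("Success Audit", "User Logoff:\n User Name: ANONYMOUS LOGON\n Domain: NT AUTHORITY\n Logon ID: (0x0,0x1062D2)\n Logon Type: 3"),
    ("Success Audit", "Special privileges assigned to new logon:\n User Name: \n Domain: \n Logon ID: (0x0,0x1062D2)\n Assigned: SeChangeNotifyPrivilege"),
    ("Success Audit", "Successful Logon:\n User Name: SYSTEM\n Domain: NT AUTHORITY\n Logon ID: (0x0,0x3E7)\n Logon Type: 5"),
    ("Failure Audit", "Object Open:\n Object Name: D:\\Payroll\n User Name: jsmith\n Domain: CORP\n Logon ID: (0x0,0x2A61F)"),
]
```

Running `summarize(SAMPLE)` attributes the blank-name event to ANONYMOUS LOGON and reports the one anonymous network session; the Failure Audit on the Payroll folder is the kind of entry FE describes using to find who is poking around.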

Expert Comment

by:Fatal_Exception
ID: 9921689
Yep.... Look at my previous link and that will describe EXACTLY what you are seeing.  I recommend you look at the GP fix on this too.

FE

Author Comment

by:AWarrenM
ID: 9921705
haha nice, you answered my next question of "is there an index of all the event logs so that I have a reference."

Appreciate all your help, happy holidays.

Anthony
LVL 40

Expert Comment

by:Fatal_Exception
ID: 9921714
Glad to be of service.  Enjoyed it.

Happy Holidays back to ya.  :)

FE