Setup Auditing on Windows Servers

Posted on 2005-03-22
Medium Priority
Last Modified: 2013-12-04
Hello Experts,

I am new to the usage of Auditing and I hoped you could help me set up a proper Auditing System.  Auditing is enabled on my domain, however I believe I have to overwrite my local policy first of all - (GPO?)

Then I have 1 domain user I want to monitor;
- Logon / Logoff;
- File access (which files);
- File Changes (which files);
- When possible I would like to monitor SQL actions also; however, this is not possible the normal way. Is there an alternative way to do so?
I did try some stuff but ended up with lots of data in my auditing eventlog.  How can I do the above without all unwanted info?

When possible (e.g. using third party tool) I would like to know what the changes were.  I do not want to use any spyware or keyloggers but proper software for the Enterprise, however if costs are associated, at an acceptable level.

If it's relevant: the user accesses the servers via a Citrix Metaframe XP Console (using a published RDP session).

Help is highly appreciated.
Question by: DaGo21
LVL 18

Assisted Solution

luv2smile earned 600 total points
ID: 13602155
"however I believe I have to overwrite my local policy first of all - (GPO?)"

BIG rule for group policy...domain policy overrides local policy. So if you have the same policy set on the domain and then set locally on a computer...the domain policy will be the one that is applied.

You use policy to turn auditing on or off and decide what type of "events" to monitor....so for example, you set how you want to audit logons/logoffs by the following policy:

Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy

But if you want to set up auditing to see when a user accesses or changes a file...the built-in way in Windows is to set the policy and then you have to actually go to the specific folder that you want to audit and turn on auditing.


Bit of a warning though.....auditing every time a file is accessed will VERY QUICKLY fill up your event logs and make it very hard if not impossible to sort through all the events and make any kind of sense out of them. So you may want to think about what you need to audit or if you need a different option such as a 3rd party tool to handle auditing. Like for instance, I don't care when users access files....I have security set up so I know they can only access what they are supposed to....I do like to have a log of when changes are made....so I log those, but not read access to the file.

To be able to see exactly what the changes are to a file....my guess is this is highly dependent on what kind of file it is. This would definitely require a 3rd party tool (or multiple tools) if you wanted to do this for various file types.

Of course if it is a Word document or Access database, you can use tracking features in the program to track all the changes that have been made. Just a thought....
LVL 18

Expert Comment

ID: 13602256
"How can I do the above without all unwanted info?"

You either have to not audit each time a file is accessed (this in itself will create like 5 entries in the event log) or use a 3rd party tool that can either parse the event log for you or keep its own type of event log.
LVL 12

Expert Comment

ID: 13606171
I've used several packages for exactly what you are asking, but the software that took the least overhead, logged, alerted, and just worked based on your needs is GFI SELM:

Unless you're big, MS MOM may also be a better choice for a large-scale security monitoring package.

We have honeypots set up on certain "sweet" files that NO ONE should access.  In this way, an alarm triggered indicates someone that is snooping the file system for valuable info.  We've fired an admin based on the event alert and subsequent monitoring of activities.  The honeypot tipped us off that they were wandering the secured areas without permission and with Domain Admin access.
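The two built-in pieces described in the thread, the audit policy plus a SACL on the folder you actually care about (luv2smile's answer), and a canary file that nobody should ever open (Phil's honeypot), can be wired up from one script. The following is an added example written for this page, not code from either expert; it assumes Windows Server 2008 R2 or later (auditpol.exe, Get-WinEvent and Security event ID 4663, which postdate the original thread), an elevated session, and the placeholder account, folder and honeypot path below. It audits only writes and deletes on the folder, which is the noise-reduction choice luv2smile describes, and every read of the honeypot, and then pulls back just the 4663 events for the monitored user.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2+ and an elevated prompt.
# All names below are placeholders: replace with the real account, share and canary file.
$User     = 'CONTOSO\jdoe'                          # assumed domain user to monitor
$Folder   = 'D:\Shares\Finance'                     # assumed folder whose changes matter
$Honeypot = 'D:\Shares\Finance\passwords.xlsx'      # assumed canary file that nobody should open

# 1. Turn on the audit subcategories. This is the command-line equivalent of the GPO path
#    Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy;
#    note that a domain GPO setting the same values will override whatever is set locally.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"       /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"      /success:enable

# 2. SACL on the folder: audit write/append/delete only, not reads, to keep log volume sane.
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$folderRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $User,
    $writeRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$folderAcl = Get-Acl -Path $Folder -Audit
$folderAcl.AddAuditRule($folderRule)
Set-Acl -Path $Folder -AclObject $folderAcl

# 3. SACL on the honeypot: audit every read attempt by anyone. Nobody has a legitimate reason
#    to open it, so any 4663 naming this path is an alert, not noise.
$hpRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$hpAcl = Get-Acl -Path $Honeypot -Audit
$hpAcl.AddAuditRule($hpRule)
Set-Acl -Path $Honeypot -AclObject $hpAcl

# 4. Read back only what matters: 4663 (an access right was exercised on an object) for the
#    monitored user in the last 24 hours. Property indices follow the 4663 event template:
#    1 = SubjectUserName, 6 = ObjectName, 9 = AccessMask, 11 = ProcessName.
$account = ($User -split '\\')[-1]
$since   = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.Properties[1].Value
            Object     = $_.Properties[6].Value
            AccessMask = ('0x{0:X}' -f [int]$_.Properties[9].Value)   # 0x1 ReadData, 0x2 WriteData, 0x10000 Delete
            Process    = $_.Properties[11].Value
            Honeypot   = ($_.Properties[6].Value -eq $Honeypot)
        }
    } | Format-Table -AutoSize
```

For the logon/logoff side of the question, the same Get-WinEvent filter with Id 4624/4634 (and 4625 for failures) on the Security log gives the sessions, including the Citrix-published RDP logons, which show up with logon type 10. Keeping read access off the folder SACL while leaving it on for the honeypot is what keeps the log useful: the folder produces one line per real change, and the honeypot produces nothing at all until someone goes looking.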


Author Comment

ID: 13619395
Hello Phil, Luv2smile,

Thanks for your feedback. I will look into the GFI package later today or next week as I am currently very limited in time today.  We do have Microsoft MOM running on a few servers already and are thinking about deploying it globally.  I certainly will check with the project leads on this.

Luv2smile, what kind of 3rd party tools do you mean?
LVL 12

Expert Comment

ID: 13622883
If your team is ready, here are the Microsoft MOM security guides:

Guidance on managing security in MOM - http://www.microsoft.com/technet/prodtechnol/mom/mom2000/maintain/operate/opsguide/momops5.mspx

MOM 2005 Security Best Practices Guide-

Author Comment

ID: 13650760
Hi Phil,

Thanks for your answer; however, Chapter 5 talks about security of the MOM application (database, servers, reports, users, etc.), not about monitoring the server(s). My understanding of MOM is that it is a great extended Event Viewer.

Could you extend on your answer on how I could set up monitoring (see initial question) using MOM 2000?  I spoke internally and so far I was not able to find out the details about this; however, people seem to say the same as you.

Please let me know

LVL 12

Accepted Solution

Phil_Agcaoili earned 900 total points
ID: 13654526
No problem.

You are right about MOM being a management umbrella, an extension of Event Viewer.  MOM has various management packs and Monitoring snap-ins that provide additional capabilities beyond standalone server hardening configurations.

This is the link to the MOM 2005 Management Pack, if you review the security section, these are the Event Viewer management add-ons:
• Legacy Client connections refused
• Large number of legacy connections refused
• Inability to bind to TCP or UDP ports
• Agents failing authentication
• Port floods and unauthorized access attempts
• Connection negotiations failing
• Manual agent connections refused
Also, there are Management Packs for other MS technologies:
• MBSA Management Pack
• DNS Server Management Pack
• IIS Management Pack

All of which include monitoring scenarios for security and performance management's sake.

If your team enables fundamental server security practices and monitoring, MOM will be the top-level management platform to monitor all of these server security settings. The Server Security guides below outline fundamental server security practices that can be monitored through MOM:

Does this all make sense?

Bottom line, there's a lot to learn and do before taking MOM 2005's discs out of shrink wrap. This is part of the reason that I also pointed at GFI Languard, because this software has more canned/templated security functions to make it easier for your team to configure, detect, log, and perform specific tasks focused on forensics, monitoring, and intruder detection using the various Event logs from different Windows servers.  It's meant specifically for security, while MOM is a jack-of-all-trades tool.

Let me know if you have more questions.

Author Comment

ID: 13724585
Hi Phil,

I've studied both products; however, is there no monitoring tool, rather than an event log parser?  Something like you install a client on the server and configure what you want to monitor and its actions?

LVL 12

Expert Comment

ID: 13806430
SELM and MOM can use a service account to poll the end system for central collection.
