Solved

Audit changes to network settings on Server 2008 R2

Posted on 2013-01-29
Last Modified: 2013-02-06
I'm running 2008 R2 Standard server as part of a domain with 2008 R2 DFL and FFL.  I'd like to audit changes to any type of network settings that someone might change on the server.

Can this be done natively with the OS?  If so, how would I set this up?
Question by:sedberg1
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 38832055
Network settings are stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces

You would have to enable "audit object access" on the system, then create an audit policy for the registry.  http://searchwinit.techtarget.com/tip/Auditing-changes-to-the-registry

Each network interface has a unique GUID subkey, so you may only wish to monitor one interface.  You will have to open each one until you find the one with the correct IP address/network settings, such as a teamed NIC, or backup NIC.  In the ADVANCED properties of the key is where you'll find the auditing option.
0
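
The steps from the accepted answer as a script, added here as an example and not part of the original thread. It assumes an elevated PowerShell session on the server, enables only the Registry subcategory of Object Access through auditpol (an assumption; the answer names the broader "audit object access" setting), and audits successful writes by Everyone on all interface subkeys.

```powershell
# Added example, not from the original thread. Run elevated on the server.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces'

# 1. List each interface GUID subkey with its static and DHCP addresses,
#    so the NIC of interest can be found without opening every subkey.
Get-ChildItem -Path $keyPath | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        InterfaceGuid = $_.PSChildName
        StaticIP      = ($p.IPAddress -join ',')
        DhcpIP        = $p.DhcpIPAddress
    }
} | Select-Object InterfaceGuid, StaticIP, DhcpIP | Format-Table -AutoSize

# 2. Enable success auditing for registry object access.
#    A domain GPO that defines audit policy can override this local setting.
auditpol /set /subcategory:"Registry" /success:enable

# 3. Add an audit entry (SACL) to the Interfaces key that is inherited by
#    every GUID subkey. S-1-1-0 is the well-known SID for Everyone.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $keyPath -Audit      # -Audit also loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. After a change is made, read it back from the Security log.
#    Event ID 4657 ("A registry value was modified") carries the old and
#    new values. The logged object name uses ControlSet00x rather than
#    CurrentControlSet, so match on the tail of the path only.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Tcpip\Parameters\Interfaces*' } |
    Select-Object -First 20 TimeCreated, Message |
    Format-List
```

To audit a single interface instead of all of them, append the GUID found in step 1 to `$keyPath` before step 3.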
 
LVL 3

Expert Comment

by:jeorge
ID: 38834865
Hi, You can enable the Directory Service Changes feature, which was introduced in Windows 2008. This has the added benefit of recording both the current and previous values of an attribute when a modification occurs.

Warning: If you configure this setting in Group Policy, this is covered in the new auditing section as "DS Access". You should use either the new auditing settings or the older auditing section, but not both. When settings in the new auditing section are used, any settings in the old section may be ignored.

New location:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration

Old Location:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

It is possible to configure this using the auditpol.exe command, however if that method is used, it should be performed as a Computer startup script to ensure that the settings are in effect when the computer restarts. This is the command:

auditpol /set /subcategory:"directory service changes" /success:enable
You also need to enable auditing in AD Users and Computers:

Run Active Directory Users and Computers.

Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

Click the Security tab, click Advanced, and then click the Auditing tab.

Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

In Apply onto, click Descendant User objects (or any other objects).

Under Access, select the Successful check box for Write all properties.

Click OK until you exit the property sheet for the OU or other object.

More information:

AD DS Auditing Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx

Which Versions of Windows Support Advanced Audit Policy Configuration?
http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx

"Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored."
0
