Solved

Auditing - RSOP

Posted on 2013-06-10
6
408 Views
Last Modified: 2013-06-25
We just set up a new GPO and enabled auditing on a couple of our servers. My question really is how do I verify/test that this is working properly. We wanted to document/audit when certain changes occur on the network, such as modification of folders, who logs onto one of these servers, and the normal auditing in general. As a test, I wanted to log in to each server, but I don't know where I would view/verify each server log in order to make sure this auditing is correct.

Lastly, even if auditing is correct, is there a way to get even more granular?  There is one 2003 server and one 2008 R2 server.
0
Comment
Question by:uppercut7141
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235018
You would check the security event logs. 2008 R2 supports advanced audit configuration, which can let you get more granular.

Do you have a test lab? You can test this out in a lab and get comfortable.

Thanks

Mike
0
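An added example (not from the thread or from any of the experts in it) for the first half of the question: confirming that the auditing GPO actually landed on a server before looking for events. It is PowerShell for the 2008 R2 server and should be run from an elevated prompt; the GPO display name is a placeholder, and the auditpol output parsing assumes an English-language system.

```powershell
# Added example, not from the thread. Verifies on a Windows Server 2008 R2
# member server that the auditing GPO applied and shows the effective audit
# policy. Run from an elevated PowerShell prompt.

$gpoName = 'Server Auditing GPO'    # placeholder: display name of the GPO you created

# 1. Resultant Set of Policy for the computer. If the GPO is not listed under
#    "Applied Group Policy Objects", check links, security filtering and WMI
#    filters before looking anywhere else.
$rsop = gpresult /r /scope:computer
if ($rsop | Select-String -SimpleMatch $gpoName) {
    Write-Host "GPO '$gpoName' is present in the computer RSOP."
} else {
    Write-Warning "GPO '$gpoName' not in computer RSOP; run 'gpupdate /force' and re-check."
}

# 2. Effective policy as LSA applies it. On 2008 R2 auditpol is the authority:
#    these subcategory settings decide whether an event is written, whatever
#    the GPO editor shows. The regex anchors on the indented subcategory line
#    so the "Logon/Logoff" category header is not matched by "Logon".
$subcategories = 'Logon', 'Logoff', 'Special Logon', 'File System',
                 'Process Creation', 'Sensitive Privilege Use'
foreach ($sub in $subcategories) {
    $pattern = '^\s+' + [regex]::Escape($sub) + '\s'
    auditpol /get /subcategory:"$sub" |
        Select-String -Pattern $pattern |
        ForEach-Object { $_.Line.Trim() -replace '\s{2,}', ' : ' }
}

# 3. Advanced audit policy only wins over the nine classic categories when the
#    security option "Audit: Force audit policy subcategory settings (Windows
#    Vista or later) to override audit policy category settings" is enabled,
#    which is stored as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Host 'Subcategory (advanced) audit settings override the legacy categories.'
} else {
    Write-Warning 'Legacy category settings may override advanced audit policy; enable the "Force audit policy subcategory settings" security option.'
}
```

The three checks answer three different failure modes: the GPO never reached the machine, the GPO reached it but the subcategory you need is still "No Auditing", or both classic and advanced settings are defined and the classic ones silently win.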
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39235033
In order to audit, you need to first enable the audit policy for Audit object access on the OU where all the PCs are placed, or in the Default Domain Policy.
 

Refer below link:
http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/
http://social.technet.microsoft.com/Forums/en-US/systemcentermonitoring/thread/3b7d3dfa-99e5-4aaf-a0e5-3e7dc4cb6f93/
 

I would also recommend enabling only minimal audit settings on files and folders, as this can create a storm of events. Auditing can generate a large amount of data. Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

You need to check the event log to track the activities carried out by users. If a file is deleted, event ID 560 (Win2003) is logged in the security log.

You also need to enable audit account logon events to track the logon and account management; see this for auditing:
AD DS Auditing Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

You can use Eventtriggers.exe to send e-mail based on Event IDs for certain critical event IDs:

Getting event log contents by email on an event log trigger
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

You can also set up event subscriptions in Windows 2008 to collect the events.
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/f82d4872-601f-47c0-8c84-e2cac269fe00/

Hope this helps
0
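Sandeshdubey's advice to keep file and folder auditing minimal, worked through as an added example (not from the thread). It enables the File System subcategory, puts one narrow SACL entry on one folder, bounds the security log size, and reads back the resulting events. Written for the 2008 R2 server and run elevated; the folder path and audited principal are placeholders. On 2008 R2 the object access events are 4656 (handle requested) and 4663 (object accessed), with 4670 for a permission change; these are the successors of the 560-series events he mentions for 2003.

```powershell
# Added example, not from the thread. Object-access auditing for ONE folder on
# a Windows Server 2008 R2 server, kept narrow so the security log is not
# flooded. Run from an elevated PowerShell prompt.

$folder    = 'D:\Shares\Finance'   # placeholder: folder whose changes you want audited
$principal = 'Everyone'            # placeholder: who to audit; narrow this in production

# 1. Policy side: the subcategory must be on, or SACL entries are silently ignored.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Object side: audit writes, deletes and permission changes only. Leaving out
#    read access is what keeps the volume manageable; reads fire on every
#    directory listing and file open.
$rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$flags       = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($principal, $rights, $inherit, $propagation, $flags)

$acl = Get-Acl -Path $folder -Audit      # -Audit pulls the SACL, needs SeSecurityPrivilege
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Make the security log large enough that events survive until they are read
#    or collected. 200 MB here; size it to the disk you can spare.
wevtutil sl Security /ms:209715200

# 4. Read back the events for this folder from the last hour.
#    4656 = handle to an object requested, 4663 = attempt to access an object,
#    4670 = permissions on an object were changed.
#    Properties[1] is the subject account and Properties[6] the object name in
#    all three event schemas.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4670; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

The SACL entry and the subcategory setting are independent: either one alone produces nothing, which is the usual reason a freshly configured file server shows no object access events at all.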
 

Author Comment

by:uppercut7141
ID: 39235371
I checked the Event Viewer and received the following Event IDs when I logged on/logged off the server, as well as when making a modification of permissions on a specific folder:

4672 -- when I logged onto the server

4647, 4634 -- when I logged off the server

When I added rights to a specific folder for a user, I received event IDs:

4673 -- A privileged service was called
4688 -- Process creation

Does this appear correct? I was expecting more information from Event Viewer.
0
 

Author Comment

by:uppercut7141
ID: 39235702
Any thoughts on this?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235717
Yes, those are correct. This is a very handy spreadsheet to have that lists all the events:

http://www.microsoft.com/en-us/download/details.aspx?id=17871

Thanks

Mike
0
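The IDs listed above, pulled back out of the Security log and grouped by logon session so a test logon can be checked end to end, as an added example (not from the thread). Run elevated on the 2008 R2 server; the time window and test account are placeholders, and the property positions are those of the 2008 R2 Security event schema.

```powershell
# Added example, not from the thread. Collects the logon, logoff, privilege and
# process events from a test session and groups them by Logon ID.

$since = (Get-Date).AddHours(-2)   # placeholder: start of your test window
$user  = 'testuser'                # placeholder: the account used for the test logon

# The IDs seen in the thread, plus 4624, which is the logon event itself.
$ids = @{
    4624 = 'Logon succeeded               (Logon subcategory)'
    4634 = 'Logoff                        (Logoff subcategory)'
    4647 = 'User-initiated logoff         (Logoff subcategory)'
    4672 = 'Special privileges assigned   (Special Logon subcategory)'
    4673 = 'Privileged service called     (Sensitive Privilege Use subcategory)'
    4688 = 'New process created           (Process Creation subcategory)'
}

# The Logon ID ties every event of one session together. It sits at a
# different position in 4624 (TargetLogonId) than in the other events.
function Get-LogonId($e) {
    switch ($e.Id) {
        4624    { '0x{0:x}' -f $e.Properties[7].Value }   # TargetLogonId
        default { '0x{0:x}' -f $e.Properties[3].Value }   # Subject/TargetLogonId
    }
}

# Account name: TargetUserName for 4624/4634/4647, SubjectUserName otherwise.
function Get-Account($e) {
    switch ($e.Id) {
        4624    { $e.Properties[5].Value }
        default { $e.Properties[1].Value }
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since } -ErrorAction SilentlyContinue

$events |
    Where-Object { (Get-Account $_) -eq $user } |
    Select-Object TimeCreated, Id,
        @{ n = 'LogonId'; e = { Get-LogonId $_ } },
        @{ n = 'Account'; e = { Get-Account $_ } },
        @{ n = 'What';    e = { $ids[$_.Id] } } |
    Sort-Object LogonId, TimeCreated |
    Format-Table -AutoSize
```

4624 is the actual logon event and lives in the Logon subcategory; 4672 only records that the new session was given administrator-type privileges. A test logon that produces 4672 but no 4624 means the Logon subcategory is not enabled. 4688 will dominate the output on a busy server, which is why the query filters on the test account.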
 
LVL 5

Accepted Solution

by: Pankaj_401 (earned 500 total points)
ID: 39237487
In Windows Server 2008 there is a possibility to audit changes in Active Directory.

Check out the Link

AD DS Auditing Step-by-Step Guide

They are audited as events in the Security event log, as recommended by mkline71. You can also go for an AD auditing tool for documentation purposes, as these tools have functionality to give a regular report in your desired format for verification purposes.
0
