NetVision Audit Monthly
Vol. 3, Issue 3: March 2011

Switch on Auditing? Think again.

There is no magic switch for Windows auditing. There is a series of complex steps that involve significant up-front and ongoing effort to maintain.

Dear Guest,

Welcome to the March edition of AuditMonthly.

In this edition, we'll discuss the complexity and laboriousness of Windows auditing and how NetVision's approach simplifies that effort.

During a recent research project, I was compiling information on Windows event logging. Specifically, I was working through the tasks that would be considered prerequisites to implementing any SIEM, log management, or other event management solution for Active Directory and Windows that would be based on native Windows event logging. What I found is that there is a tremendous effort required to enable logging across an environment.

Determine Which Events You Need

First, you need to understand which events you need to keep track of, and the associated event IDs. Complicating this task is that the event ID numbering is different between versions of Windows. For example, in Server 2008, four digit event IDs are introduced along with audit subcategories on the main audit categories. There are many events that look similar to each other, so you really need to know what you're looking at, and often a single act will generate numerous events in the log.

The subcategories can be useful because you can enable auditing on some events but not others, which is a step in the right direction for Microsoft auditing, albeit a baby step. For example, instead of treating all Account Management events the same, you can enable audit on Security group management but disable audit on Distribution group management. You have to use a command line tool to apply audit settings via subcategories and you don't get advanced filtering such as the ability to alert on changes to high-risk groups (something NetVision can easily do), but it's better than the Server 2003 capabilities.

Complicating matters further is that there are Account Management audit events and Directory Service Access audit events which overlap. So, if both are enabled, you may see even more duplicate events with some confusion about where to find the best event data. And "before" and "after" values are written to different events. So, in some cases, you'll need to correlate multiple events in order to get the answers you seek.

Enable Auditing on Desired Objects

Once you have the set of events that you want enabled, you also have to enable auditing on the objects themselves. In other words, if you enable auditing on security groups, you still need to ensure that auditing is enabled on those security groups. Typically, enabling audit on directory objects is as simple as enabling "Audit Account Management" in the appropriate GPO but keep in mind that audit settings differ slightly in various versions of Windows, so if you have a mixed environment, be sure to consult each versions' documentation for appropriate audit settings. And be sure that the GPO is configured appropriately on each Active Directory Domain Controller.

Additionally, you can utilize ADSIEdit to apply a "don't audit" flag on attributes that you'd like to have filtered out of auditing. Note that this removes ALL auditing of that attribute for ALL objects. You cannot distinguish, for example, between administrative user accounts and other accounts (again, something that's easy for NetVision).

Configure Event Log Settings

The third step is to configure log settings. You need to set appropriate access permissions so that advanced users looking to cover their tracks cannot clear logs which may hold vital evidence. If the log security policy is not enabled, all authenticated users would have access to write & clear application logs. System and Security logs can be cleared by system software or administrators.

You also need to set maximum log size and retention rules. These settings enable you to control how large the log files will grow and what happens when they reach their maximum. This is critical because logs need to be efficiently handled by log collection systems.


I'm working on putting more details into a paper on this topic. Let me know if you'd like a copy and I'll send you one when it's ready. The bottom line is that there is no ON switch for Windows auditing, there is a series of steps and numerous methods by which to implement auditing. There is even a TechNet article on the complexity of determining the effective audit policy in Windows 2008. The author makes the point that "you should not trust any of the Group Policy reporting tools when it comes to audit settings."

If you love Windows event logs and have a complete mastery of how they work, that's great. If not, I would think twice before making a decision to rely on Windows event logging. I certainly wouldn't go down that path with the expectation that it's the easy way. It's clearly not.

Let us know if you'd like more information about how NetVision simplifies Windows event management with near zero effort.

Take Back Control by Managing Windows Access Rights

NetVision's solution for Windows Access Rights was recently featured in Microsoft's TechNet Magazine. What is your Windows Access Rights IQ?

Read the article here.

When Compliance Is at Odds with Security

NetVision CEO David Rowe wrote in Sys-Con Security Journal that compliance is sometimes the enemy of good security. A better goal is to create a culture of compliance where security becomes the primary driver.

Read the article here.

Answers, Not Data: The Key to Access Security

NetVision CEO David Rowe was recently featured in SC Magazine. His article provides unique insight into the next generation of audit and compliance solutions.

Read the article here.

Coming Clean: Getting a Handle on Permissions and Group Memberships

NetVision was recently featured in Enterprise Systems Journal. The article discusses the process of sorting through legacy permissions and offers suggestions that help you get through the project.

Read the article here.

Did You Know?

NetVision reporting enables you to send automated reports to business content owners identifying who has rights to their files, who is changing their security groups, and who has actually opened or modified critical files. These can be configured to recur so that business managers can approve access rights and activity on a scheduled basis. This enables IT to share attestation responsibility with the business owners who really know the most about who should have access.

If you need to improve your understanding of access rights and administrative changes across your network, please let us know. We'd love to share more about how we make that a reality for organizations across the globe every day.

We look forward to hearing from you!

Matt Flynn

Achieve Zero Effort with
NetVision's Managed Service
Access Rights
Reporting & Monitoring


About NetVision Since 1995, NetVision has provided access rights reporting & monitoring of both network user accounts and file systems. NetVision's flexible, web-based reporting console, real-time alerts, remediation capabilities, and extensibility enable dramatically reduced audit costs, improved security over critical network resources, and complete visibility into user and administrative activity.

© 2011 NetVision, Inc., American Fork, UT 84003, 877.828.9180