NetVision Audit Monthly
Vol. 3, Issue 3: March 2011
Switch on Auditing? Think again.
There is no magic switch for Windows auditing. There is a series of complex steps that involve significant up-front and ongoing effort to maintain.
Welcome to the March edition of AuditMonthly.
In this edition, we'll discuss the complexity and laboriousness of Windows auditing and how NetVision's approach simplifies that effort.
During a recent research project, I was compiling information on Windows event logging.
Specifically, I was working through the tasks that would be considered prerequisites to
implementing any SIEM, log management, or other event management solution for Active
Directory and Windows that would be based on native Windows event logging. What I found
is that there is a tremendous effort required to enable logging across an environment.
Determine Which Events You Need
First, you need to understand which events you need to keep track of, and the associated
event IDs. Complicating this task is that the event ID numbering differs between versions
of Windows. For example, Server 2008 introduces four-digit event IDs along with
audit subcategories under the main audit categories. Many events look similar
to each other, so you really need to know what you're looking at, and often a single act
will generate numerous events in the log.
The subcategories can be useful because you can enable auditing on some events but not
others, which is a step in the right direction for Microsoft auditing, albeit a baby step.
For example, instead of treating all Account Management events the same, you can enable
audit on Security group management but disable audit on Distribution group management.
You have to use a command line tool to apply audit settings via subcategories and you don't
get advanced filtering such as the ability to alert on changes to high-risk groups
(something NetVision can easily do), but it's better than the Server 2003 capabilities.
Complicating matters further is that there are Account Management audit events and
Directory Service Access audit events which overlap. So, if both are enabled, you may see
even more duplicate events with some confusion about where to find the best event data.
And "before" and "after" values are written to different events. So,
in some cases, you'll need to correlate multiple events in order to get the answers you seek.
Enable Auditing on Desired Objects
Once you have the set of events that you want enabled, you also have to enable auditing
on the objects themselves. In other words, if you enable the audit policy for security group
events, you still need to ensure that auditing is enabled on the security group objects
themselves. Typically, enabling audit on directory objects is as simple as enabling
"Audit Account Management" in the appropriate GPO, but keep in mind that audit settings differ
slightly in various versions of Windows, so if you have a mixed environment, be sure to consult
each version's documentation for appropriate audit settings. And be sure that the GPO is
configured appropriately on each Active Directory Domain Controller.
Additionally, you can utilize ADSIEdit to apply a "don't audit" flag on attributes that
you'd like to have filtered out of auditing. Note that this removes ALL auditing of that
attribute for ALL objects. You cannot distinguish, for example, between administrative
user accounts and other accounts (again, something that's easy for NetVision).
Configure Event Log Settings
The third step is to configure log settings. You need to set appropriate access permissions
so that advanced users looking to cover their tracks cannot clear logs which may hold vital
evidence. If the log security policy is not enabled, all authenticated users would have
access to write & clear application logs. System and Security logs can be cleared by system
software or administrators.
You also need to set maximum log size and retention rules. These settings enable you to
control how large the log files will grow and what happens when they reach their maximum.
This is critical because logs need to be efficiently handled by log collection systems.
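The three steps above, worked through as an added example (this is not NetVision's code or the newsletter's): a PowerShell script that reads the effective audit policy straight from auditpol.exe rather than from Group Policy reporting tools, enforces per-subcategory settings, optionally checks that a group object actually carries audit entries, and sets Security log size and retention. The subcategory list, the 1 GB size, the `-GroupDN` parameter and the use of the ActiveDirectory module's `AD:` drive are assumptions; run it elevated on each domain controller.

```powershell
# Added example, not NetVision's code: report the effective audit policy from auditpol.exe,
# enforce the subcategory choices the article describes, check object-level auditing on one
# group, and set Security log size/retention. Without -Apply the script only reports.
param(
  [switch]$Apply,          # apply changes; otherwise report only
  [string]$GroupDN         # optional DN of a security group to check for audit entries (SACL)
)

# Assumption: the subcategories this environment decided it needs (step 1 of the article).
$wanted   = 'Security Group Management', 'User Account Management',
            'Directory Service Access', 'Directory Service Changes'
$unwanted = 'Distribution Group Management'   # noisy; deliberately left off

# Effective policy as the LSA enforces it. /r emits CSV; drop any blank/non-CSV lines first.
$policy = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$gaps = foreach ($name in $wanted) {
  $row     = $policy | Where-Object { $_.Subcategory -eq $name }
  $current = if ($row) { $row.'Inclusion Setting' } else { 'not present on this OS' }
  if ($current -ne 'Success and Failure') {
    [pscustomobject]@{ Subcategory = $name; Current = $current }
  }
}

# Per-subcategory settings via the command line tool the article refers to.
if ($Apply) {
  foreach ($name in $wanted) {
    auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
  }
  auditpol /set /subcategory:"$unwanted" /success:disable /failure:disable | Out-Null
}

# Step 2: the policy alone is not enough; the group object itself must carry audit entries.
# Assumes the ActiveDirectory module (AD: drive) is available on this DC.
$sacl = if ($GroupDN) {
  (Get-Acl -Path "AD:\$GroupDN" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags
}

# Step 3: Security log 1 GB (assumption), do not overwrite, archive when full; then show the
# resulting size/retention and the channel ACL (who may read or clear the log).
if ($Apply) { wevtutil sl Security /ms:1073741824 /rt:true /ab:true }
$logInfo = wevtutil gl Security |
  Where-Object { $_ -match '^\s*(maxSize|retention|autoBackup|channelAccess):' }

"Wanted subcategories not at 'Success and Failure' in the effective policy:"
$gaps | Format-Table -AutoSize
if ($GroupDN) { "Audit entries on $GroupDN (none means object-level auditing is off):"; $sacl | Format-Table -AutoSize }
"Security log settings:"
$logInfo
```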
I'm working on putting more details into a paper on this topic. Let me know if you'd like
a copy and I'll send you one when it's ready. The bottom line is that there is no ON switch
for Windows auditing; there is a series of steps and numerous methods by which to implement
auditing. There is even a TechNet article on the complexity of determining the effective
audit policy in Windows 2008. The author makes the point that "you should not trust any of
the Group Policy reporting tools when it comes to audit settings."
If you love Windows event logs and have a complete mastery of how they work, that's great.
If not, I would think twice before making a decision to rely on Windows event logging. I
certainly wouldn't go down that path with the expectation that it's the easy way.
It's clearly not.
Let us know if you'd like more information about how NetVision simplifies Windows event management with near zero effort.
Take Back Control by Managing Windows Access Rights
NetVision's solution for Windows Access Rights was recently featured in Microsoft's TechNet Magazine.
What is your Windows Access Rights IQ?
Read the article here.
When Compliance Is at Odds with Security
NetVision CEO David Rowe wrote in Sys-Con Security Journal that compliance is sometimes
the enemy of good security. A better goal is to create a culture of compliance where security becomes the primary driver.
Read the article here.
Answers, Not Data: The Key to Access Security
NetVision CEO David Rowe was recently featured in SC Magazine. His article provides unique
insight into the next generation of audit and compliance solutions.
Read the article here.
Coming Clean: Getting a Handle on Permissions and Group Memberships
NetVision was recently featured in Enterprise Systems Journal. The article discusses the process of
sorting through legacy permissions and offers suggestions that help you get through the project.
Read the article here.
Did You Know?
NetVision reporting enables you to send automated reports to business content owners identifying who has rights to their files,
who is changing their security groups, and who has actually opened or modified critical files. These can be configured to recur so that
business managers can approve access rights and activity on a scheduled basis. This enables IT to share attestation responsibility with
the business owners who really know the most about who should have access.
If you need to improve your understanding of access rights and administrative changes across your network,
please let us know.
We'd love to share more about how we make that a reality for organizations across the globe every day.
We look forward to hearing from you!
Achieve Zero Effort with NetVision's Managed Service Reporting & Monitoring
Since 1995, NetVision has provided access rights reporting & monitoring of both network user accounts and file systems.
NetVision's flexible, web-based reporting console, real-time alerts, remediation capabilities, and extensibility enable dramatically reduced audit costs,
improved security over critical network resources, and complete visibility into user and administrative activity.
© 2011 NetVision, Inc., American Fork, UT 84003, 877.828.9180