Auditing and security logging of network activity are important safeguards. Windows 2000 enables you to monitor a wide variety of events that can be used to track the activities of an intruder. The log file entries can serve as legal evidence after the intruder has been identified.

How Auditing Works

You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who performed actions on the network and who tried to perform actions that are not permitted. You can view the security log in the Event Viewer.

If the security log is examined regularly, it makes it possible to detect some types of attacks before they succeed, such as password attacks. After a break-in, the security log can help you determine how the intruder entered and what they did.

Audit logging is a policy in its own right. Recording security events is a form of intrusion detection.

Prerequisites for Implementing the Audit Function

There is nothing to install or purchase. You do have to configure your Group Policy settings to enable auditing. You also must enable auditing for the general areas or specific items you want to track.

How to Implement the Audit Function

Security auditing is not enabled by default. You have to activate the types of auditing you require by using the Group Policy snap-in to MMC.

Group Policy object
 — Computer Configuration
 — Windows Settings
  — Local Policies
  — Auditing Policies

Categories of auditable events include: account logon events, account management, directory service access, logon events, object access, policy change, privilege use, process tracking, and system events. Note that auditing policies are subject to policy inheritance, and the policies you set on your local computer could be overshadowed by policies set for the domain as a whole.

Once you have set up your auditing policies, you can descend to a fine degree of granularity by enabling specific types of auditing messages for individual objects. For example, to enable auditing for a file directory, right-click the appropriate folder in Windows Explorer. Point to Properties , and click the Security tab. Click Advanced , and then select the Auditing tab in the Advanced Properties dialog box. This displays the list of auditable events available for the folder. In the case of file directories, auditing settings could be optionally applied to contained files and subdirectories.

View the audit messages in the Security Log node of the Event Viewer .

For more information about auditing security events, see Windows 2000 Help.

Considerations About Auditing

Generating a security log has implications for disk space on your server. You can set the Event Viewer to overwrite log entries that are more than "n" days old, or you can configure the server to stop running when the security log is full. For more information about halting the computer when the security log is full, see Windows 2000 Help.

Note that the auditing features for directories and files described here require an NTFS file system.

Monitor firewall servers and critical servers that are internal to the firewall to detect suspicious activity. You also need to monitor servers that are external to the firewall even though they are considered nonsecure, because they provide a doorway into your enterprise.

Table 11.3 lists various events that you need to audit, as well as the specific security threat that the audit event monitors.

Table   11.3 Security Audit Threat Detection Policies

Audit Event

Threat Detected

Failure audit for logon/logoff.

Random password hack

Success audit for logon/logoff.

Stolen password break-in

Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events.

Misuse of privileges

Success and failure audit for file-access and object-access events. File Manager success and failure audit of read/write access by suspect users or groups for the sensitive files.

Improper access to sensitive files

Success and failure audit for file-access printers and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers.

Improper access to printers

Success and failure write access auditing for program files (.exe and .dll extensions). Success and failure auditing for process tracking. Run suspect programs; examine security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log.

Virus outbreak