One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista
Hi, Ned here again. I am frequently asked by customers (and Microsoft employees!) where they can get to all the useful Windows Server 2008 and Windows Vista audit information. Unlike some of our other components, there’s no clear portal site on TechNet or MSDN that gives you everything in one fell swoop. Today I’ll attempt to aggregate everything so that you don’t have to sift. If you’re a regular reader of this blog, you may recognize some of these from previous posts; others may be new to you.
To begin, the above KB article lists out all of the audit events, by category, by subcategory, by ID number, and finally by message. This is a good method to see the general organization of the new entries, and can be especially useful for an administrator who is looking to determine what audit events will be useful to track. It also has the honor of being perhaps the longest KB article ever written – no 14.4 modems allowed! :-)
For even more details on the audit events, you can download an Excel spreadsheet that contains all of the information of the KB article and allows for easier sorting and filtering. It also has (on the tab ‘Complete Event Messages’) the detailed message data so you know more about what will be returned when the event is triggered.
Note: If you don't have Excel, you can also use the free Excel Viewer.
KB921469 - How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain -
The above KB explains how to deploy subcategory-based auditing to all your up-level machines. While the article specifically states Vista, it is totally applicable to Win2008 machines as well.
I recently blogged about Special Groups auditing and how it can be useful for specialty servers; the official KB is included here for the sake of completeness.
The four links above are to the Solution Accelerator series covering security within Vista and 2008. These are about far more than just auditing – they go into an overall process of making sure your attack surface is reduced across the board. They include information, recommendations, and scripts for a variety of security topics, including auditing.
Because it is so heavily changed from previous operating systems, the Directory Services auditing category was called out for special attention in a TechNet article. It covers the four new subcategories in detail:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
It goes through examples, setup, as well as the Attribute Syntax limitations where you can control the lengths of strings being audited for performance versus completeness.
Auditpol.exe is a command-line tool included in Vista and 2008 for controlling auditing, especially around the new subcategories. Understanding of this tool is pretty much a requirement for making auditing work in an efficient manner. This article covers all the syntax as well as provides plenty of useful examples.
I’ve said it before and I’ll say it again – if you want an authoritative answer to a Windows auditing question, this is the place to go. The link above is actually a search URL that returns everything Vista-related, but the overall site deserves immediate bookmarking in your blog viewer of choice.
Finally, if you’re not opposed to dropping a little cash, the Security Resource Kit is now available for Windows Server 2008 through all major booksellers. Chapter eight is 30 pages of audit goodness written by the guy that ran the whole show, Eric Fitzgerald.
As we add more public information I’ll come back and update this post, so feel free to bookmark in your favorite browser and feed reader. If you look through all this and find that there’s something missing, please let me know and I’ll track it down.
- Ned Pyle