Feb 19 2008

Auditing in Windows Server 2008

New granular controls make auditing more useful and manageable.

Auditing capability in Microsoft Windows Server has always been a somewhat unsophisticated affair: either filling up event logs so quickly that they truncate or spiralling out of control. Extraneous logging also made it difficult to find relevant information. In Windows Server 2008, Microsoft provides new granular controls, making auditing more useful and manageable. Here’s a look at how to configure basic auditing in Server 2008, highlighting the improvements over earlier versions of Windows Server, including monitoring changes to Active Directory (AD) configuration.


Defining an Audit Policy 

Windows Auditing monitors what’s been changed or accessed on a system — when and by whom — and records the details in the event log. For example, “user account management” events are audited by default in Server 2008. This includes actions such as creating a user account. Recording changes is important for integrity and troubleshooting. Computers don’t just stop working; they stop working for a reason. If server security is breached, you need to know how the machine was compromised.

Whether the default configuration provides a sufficient level of auditing depends on your organization’s needs. The standard settings don’t audit every event, and that wouldn’t be a good idea anyway. Before deciding how to configure auditing, you should define an audit policy for your company. Ask yourself the following:

• Do you need to audit for regulatory compliance, such as Sarbanes-Oakley?

• Do you want to audit for intrusion or malware detection?

• Would auditing help in the change-control or troubleshooting processes?

• Should you monitor attempts at unauthorized access to sensitive data by your own employees?

• Would it be useful to check the file system for deletion events?

• Do you have the resources to review the information collected in the logs?

• Will excessive logging create a trade off in server performance?

• Do you need to store event logs? If so, for how long?

There is no one-size-fits-all answer as to what should be audited. Microsoft offers some useful advice online. [http://technet2.microsoft.com/WindowsServer/en/library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?mfr=true]

Global Audit Policy 

Windows Server 2008’s Default Domain and Domain Controllers Group Policy Objects (GPOs) leave all global audit policies undefined initially (Figure 1). Nevertheless, if these default GPOs are applied to a server in your domain, auditing is left enabled, unless otherwise configured locally.

Figure 1

Microsoft has divided each global policy, such as Audit Directory ServiceAccess, into subcategories. If you enable a global policy in a GPO, this turns on all the corresponding subcategories. You can use the auditpol.exe command line tool to list a global policy’s subcategories. The example below shows how to list subcategories for the Directory Service Access global policy.

If you use:

auditpol /list /subcategory:"ds access"

The output will return the following four subcategories:

 Directory Service Access
 Directory Service Changes
 Directory Service Replication
 Detailed Directory Service Replication

To determine how auditing is configured for the four subcategories, use:

auditpol /get /category:"ds access"

By default, only Directory Service Access is defined, as shown in the output below:

Directory Service Changes

No auditing

Directory Service Replication

No auditing

Detailed Directory Service Replication 

No auditing

Directory Service Access


To see the status of all categories, replace “ds access” with *: auditpol /get /category:* .

Auditing Directory Service Changes

Directory Service (DS) Access is more interesting than some of the other audit categories because of the Directory Service Changes subcategory. Many of the categories simply record that a change has been made, along with information about the date, time and security principal under which the operation was performed. The Directory Service Changes subcategory logs the current and previous value of a modified attribute. This can be useful for troubleshooting and rolling back unwanted changes.

With an appropriate System Access Control List (SACL) and standard Directory Service Access auditing, if you rename an AD site, an entry will be made in the security log stating that “An operation was performed on an object.” The event-log entry includes only the new value of the modified attribute. But if Directory Service Changes success-auditing is enabled, two entries are written to the log: one giving details of the deleted attribute value and another with details of the new. If an object is moved to a different location in the same domain, the new and old locations are logged. All of the configuration examples in this article should be carried out on a domain controller in a test environment. Here’s how to enable success auditing of Directory Service Changes using auditpol:

auditpol /set /subcategory:"directory service changes" /success:enable

When you enable a subcategory such as Directory Service Changes, it doesn’t necessarily mean that every event will be logged. DS objects have auditing configured as part of their default SACLs, but don’t cover every eventuality.

To demonstrate this, open Active Directory Sites and Services from Administrative Tools on the Start menu. Expand Sites in the left-hand pane and right-click Default-First-Site-Name and select Rename from the menu. Assign a new name and then open Event Viewer, also under Administrative Tools, and in the left-hand pane expand Windows Logs and click Security. If you check through the security event log, you won’t find any specific entry to indicate that the name of the default first site was changed. Activating the Directory Service Changes subcategory doesn’t necessarily enable comprehensive auditing of Active Directory.

For contrast, create a new AD site. Return to Active Directory Sites and Services, right-click Sites and select New Site from the menu. Name the new site, select any site link and click OK. Go back to Event Viewer, right-click on Security under Windows Logs and select Refresh from the menu. You should find event 5137: “A directory service object was created.”One of the event-log entries will give details of the new site. So why does DS auditing log some changes but not others? Simply because default SACLs, either on existing or new site objects, audit for deletion and creation but not for renaming.

To audit for a name change of an AD site, you need to add an SACL to the site object. In AD Sites and Services, right-click a site and select Properties from the menu. In the Properties dialog, select the Security tab and click Advanced. Select the Auditing tab and click Add. Type “Everyone” in the Enter the Object name to Select Box, click Check Names and then click OK. In the Audit Entry dialog, check Successful for Write all properties (as shown in Figure 2) and click OK three times.

Figure 2

Rename the site for which you’ve just modified the SACL, and then refresh the security log in Event Viewer. This time you should see two 5136 events showing that “A directory service object was modified.”One event shows the old name attribute for the site, and the second shows the new. Figure 3 shows the two events, one giving the site’s original name, Manchester, and the second showing the site’s new name, Glasgow. Switch off success auditing for Directory Service Changes by issuing the following command:

auditpol /set /subcategory:"directory service changes" /success:disable

Figure 3

Perform a rename operation on the same site object again, refresh the security event log, and you’ll notice only one entry, Event 4662, recording the new name attribute, but not its previous value. The Object Name parameter is not the previous value of the attribute. Object Name shows the CN that was given when the object was first created.

Excluding Attributes From Auditing

It’s possible to configure auditing on a more granular level by modifying Active Directory’s schema. Using the ADSI MMC snap-in, attributes can be excluded from auditing. This might be useful if you want to monitor only a single attribute of a given object, although you will have to manually exclude all of the object’s other attributes from auditing in the schema.

Figure 4

Open ADSI Edit from Administrative Tools on the Start menu. Right-click ADSI Edit in the left-hand pane and select Connect to from the menu. Check Select a Well Known Naming Context under Connection Point, choose Schema from the drop down menu (Figure 4) and click OK. Double-click Schema under ADSI Edit in the left-hand pane and then select the string beginning with CN (Common Name) under Schema. In the central pane, highlight an attribute to exclude from auditing, right-click and select Properties from the menu. Scroll down the properties dialog, find the searchFlags attribute and click Edit. Enter a value of “256” (Figure 5) and click OK. You’ll notice that the attribute value changes to NEVER_AUDIT_VALUE. Click OK again. A value of 256 sets bit nine of the searchFlags property, which prevents changes from being audited. This will apply to all objects that contain the given attribute.

Figure 5

Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.

IT Takeaway
  • The ability to define auditing on a granular level in Microsoft Windows Server 2008 allows the collection of useful data for different scenarios.
  • Because of issues with backward compatibility, the new controls cannot be configured using Group Policy. It is possible, however, to deploy a script to configure auditing across multiple servers.
  • If you need to audit many servers, event-log subscriptions let you store logs in a central location. But analyzing logs manually isn’t realistic if you have many servers to manage.
  • If you need a complete auditing solution, consider third-party products, such as NetPro’s ChangeAuditor or Active Administrator from ScriptLogic, which take auditing to the next level, storing data centrally in a database with reporting. But Window’s built-in auditing features may be enough for many small companies.