The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Analyzing auditing requirements
As mentioned previously, you are responsible for controlling access to all data on your network. Some data is not confidential or sensitive and is simply the information that is exchanged in day-to-day business in an organization. Other data might be more private or even confidential, as we discussed in Chapter 1, "Creating the conceptual design for network infrastructure security." You need to prevent unauthorized access to confidential and private data by assigning permissions only to the appropriate individuals. We discuss strategies for assigning permissions in the section titled "Designing an access control strategy for files and folders" later in this chapter. In addition, you need to create an audit policy to ensure that you know and can prove who has accessed the servers, folders and files that contain the confidential or private data.
Your audit policy can contain entries to record the success and/or failure of gaining access to any file, folder, or server on your network. Although auditing successes might be helpful to prove that a user has breached your security, auditing failures is actually more proactive because you might discover attempts to breach your security before a security breach has actually occurred. All audit results are recorded in the security log of Event Viewer. You need to understand that you cannot audit everything because it isn't practical from a resource standpoint. Auditing consumes resources, such as processor and memory, and reviewing audit logs takes time. Therefore, you need to set your audit policy based on your own experience and understanding of the security needs of your own network.
You can set the audit policy for a computer through the local security policy settings on that computer, or you can control multiple computers on your network using Group Policy. You need to be familiar with the following audit policy settings that relate to directory services:
- Account logon events
- Account management
- Directory service access
- Logon events
- Policy change
- Privilege use
Account logon events
This setting applies only to domain controllers. It audits the domain controller's validation of a user account that is logging on from another computer. You need to apply this setting on domain controllers if you suspect that individuals other than valid users are gaining access, or attempting to gain access, to your network.
Account management
This setting audits each event in which a user account or group is created, renamed, disabled, enabled, deleted, or changed. In addition, it audits user password changes. You can apply this setting to an individual computer or to a group of computers using Group Policy. You need to apply this setting if you suspect that invalid accounts are being created or accounts are being tampered with on your network.
Directory service access
This setting combines with the individual setting on an Active Directory object. If you select this setting, the system will examine each object's system access control list (SACL) to determine what auditing is required. You need to use this setting for specific auditing of a particular object or group of objects.
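Because the Directory service access setting produces events only for objects whose SACL actually carries audit entries, the practical check is to read the SACL of the object you care about. The following PowerShell script is an added example, not code from the book; it uses the .NET System.DirectoryServices classes to list the audit entries on one Active Directory object. It assumes a domain-joined host, an account holding the privilege needed to read SACLs (Manage auditing and security log), and a placeholder distinguished name that you replace with your own object.

```powershell
# Added example (not from the book): list the audit entries (SACL) on one
# Active Directory object so you can see what "Directory service access"
# auditing will actually record for it.
# Assumes: domain-joined host, an account that may read SACLs, and a
# constructed placeholder DN that must be replaced before use.
$dn = 'OU=Finance,DC=example,DC=com'   # placeholder DN, not from the book

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")

# By default only the DACL is fetched; request the SACL as well.
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor `
    [System.DirectoryServices.SecurityMasks]::Group -bor `
    [System.DirectoryServices.SecurityMasks]::Dacl  -bor `
    [System.DirectoryServices.SecurityMasks]::Sacl
$entry.RefreshCache()

# Explicit and inherited audit rules, with identities shown as DOMAIN\name.
$rules = $entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

if ($rules.Count -eq 0) {
    "No audit entries on $dn. The 'Directory service access' policy setting " +
    "alone records nothing for this object until its SACL has entries."
}

foreach ($r in $rules) {
    [pscustomobject]@{
        Principal  = $r.IdentityReference.Value
        Rights     = $r.ActiveDirectoryRights     # which directory operations are watched
        AuditFlags = $r.AuditFlags                # Success, Failure, or both
        Inherited  = $r.IsInherited               # came from a parent container?
        AppliesTo  = $r.InheritanceType           # this object only, children, etc.
    }
}
```

Run it for each container or object you intend to monitor: an object that prints no rules will generate no directory-access events no matter how the policy setting is configured, which is the usual reason "Directory service access" auditing appears to be silent.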
Logon events
This setting applies to the local logon on the computer to which the policy is applied. You need to apply this setting if you feel that a user is inappropriately logging on to a computer and gaining access to data and information.
Policy change
This setting determines whether you will audit any changes to user rights assignment policies, audit policies, or trust policies. You need to apply this setting if you feel that a delegated administrator is attempting to change or is changing the policies that you have created.
Privilege use
This setting applies to a user exercising a user right. You only need to audit this setting if you feel that a user is exceeding the rights assigned to them. In that case, you might want to apply the setting to a specific container using Group Policy or to a specific suspected user. This setting generates a large amount of data because users are given many rights on a typical network.
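The six settings above are stored in the security template format that secedit exports and applies, under the [Event Audit] section, where each category holds 0 (no auditing), 1 (success), 2 (failure) or 3 (both). The following PowerShell script is an added example, not code from the book; it exports the effective policy of the local computer with secedit, maps the template keys to the category names used in this chapter, and flags any category where failure auditing, the proactive half the chapter recommends, is switched off. It assumes an elevated session and PowerShell 3.0 or later (for the ordered hashtable).

```powershell
# Added example (not from the book): report the local computer's audit policy
# for the six directory-services categories discussed in this chapter.
# Assumes an elevated PowerShell 3.0+ session on a Windows host.
$inf = Join-Path $env:TEMP 'auditpolicy-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Template key -> category name as the chapter calls it.
$categories = [ordered]@{
    'AuditAccountLogon'  = 'Account logon events'
    'AuditAccountManage' = 'Account management'
    'AuditDSAccess'      = 'Directory service access'
    'AuditLogonEvents'   = 'Logon events'
    'AuditPolicyChange'  = 'Policy change'
    'AuditPrivilegeUse'  = 'Privilege use'
}

# Template values: bit 1 = audit success, bit 2 = audit failure.
$state = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

# Read only the [Event Audit] section of the exported template.
# Get-Content honours the byte-order mark secedit writes, so no encoding is forced.
$inEventAudit = $false
$values = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inEventAudit = ($Matches[1] -eq 'Event Audit')
        continue
    }
    if ($inEventAudit -and $line -match '^(\w+)\s*=\s*(\d+)') {
        $values[$Matches[1]] = [int]$Matches[2]
    }
}

foreach ($key in $categories.Keys) {
    # A key absent from the export means the category is not being audited.
    $v = if ($values.ContainsKey($key)) { $values[$key] } else { 0 }
    $flag = if (($v -band 2) -eq 0) { '  <- failure auditing not enabled' } else { '' }
    '{0,-26} {1}{2}' -f $categories[$key], $state[$v], $flag
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

The same [Event Audit] keys, written into a template of your own and applied with secedit /configure (or set through the equivalent Group Policy audit settings), are how the policy is changed; on a domain controller, compare the report against the chapter's guidance that Account logon events and Directory service access belong there, and on member servers expect Account logon events to be irrelevant.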
This was first published in October 2004