


How To Enable Auditing In Windows Server 2008 R2

If you have been supporting servers for any amount of time, you have no doubt come across requests from management for security audits, if you don't already have them in place yourself to keep an eye on things.

Auditing is exactly what it sounds like: it keeps a record of things that have been modified in Active Directory. In previous versions of Windows Server there was not a lot of granular control over what you were auditing. Let's explore some of the new auditing features in Server 2008.

Auditing Changes in Windows Server 2008

One of the most significant changes over the Server 2000 and Server 2003 versions of auditing is that now you can not only audit who made a change and which attribute was changed, but also what the old and new values were. This is significant because you can now tell why it was changed, and if something doesn't look right you are able to easily find what it should be restored to.

Another significant change is that in the past you were only able to turn auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is configurable for four subcategories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

This article will focus on enabling auditing for Directory Service Changes, which gives us the ability to audit changes to Active Directory Domain Services.

Implementing Auditing on Windows Server 2008

In Server 2008, when setting up auditing there are three places you can change to implement controls:

  • Global Audit Policy – In Server 2008 the Global Audit Policy is not on by default and must be enabled.
  • System Access Control List (SACL) – Is the ultimate authority on whether an access check gets audited or not.

    The SACL is part of the security descriptor for an Active Directory object and specifies which operations should be audited. These are set by the security administrators who have been assigned the Manage Auditing and Security Log privilege. It is assigned automatically to the Administrators group.

  • Schema – To protect administrators from generating too many auditing events there is an override that can be set in the schema to exclude any events that have an attribute set.

    We will not be covering the schema modification in this article, but it is important for you to know about.

How to Enable Global Audit Policy on Windows Server 2008

The first step is to enable the audit policy. I will walk you through doing it through the GUI and then through the command line:

1. Go to Start, Administrative Tools, and then click on Group Policy Management.

Server 2008: Auditing Active Directory - 1

2. Navigate down through your Forest, to the Domains, then Domain Controllers and left click on Default Domain Controllers Policy.

You will get a warning that changes here will affect all other locations that the GPO is linked to. Click Ok.

Server 2008: Auditing Active Directory - 2

3. Right click on Default Domain Controllers Policy and then left click on Edit…

Server 2008: Auditing Active Directory - 3

4. Navigate under Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

Server 2008: Auditing Active Directory - 4

5. Right click on Audit Directory Service Access, then click Properties.

Server 2008: Auditing Active Directory - 5

6. Select Define these policy settings and then select Success. Click on Apply, then Ok.

Server 2008: Auditing Active Directory - 6

That's it! You have now configured auditing via the GUI.

Let's take a look at the command line method (much faster):

1. Start Command Prompt with elevated rights.

Server 2008: Auditing Active Directory - 7

2. Type in the following command and hit Enter:

auditpol /set /subcategory:"directory service changes" /success:enable

Server 2008: Auditing Active Directory - 8

I told you it was much faster! You should see "The command was successfully executed." Now let's move on to the next step.

How to Set Up Auditing in the System Access Control List (SACL)

As was mentioned earlier, the SACLs do most of the work in determining what gets audited and what doesn't. Please note that there are many different types of SACLs that can be set up; we are only using one as an example.

1. Open Active Directory Users and Computers.
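The same auditpol step, as an added example that is not part of the original article: a PowerShell wrapper that enables the subcategory and then verifies the resulting setting by parsing auditpol's CSV output, so a script can fail loudly if the policy did not take effect. The function names are this example's own; run it from an elevated PowerShell prompt on the domain controller.

```powershell
# Added example, not from the original article: enable the "Directory Service Changes"
# subcategory with auditpol and verify it by parsing the CSV that "auditpol /get /r" prints.
# Function names are this example's own choices.

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)

    # /r makes auditpol emit CSV with a header row:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /subcategory:"$Subcategory" /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed with exit code $LASTEXITCODE" }

    # auditpol may print a blank line before the header; drop blanks so ConvertFrom-Csv
    # sees the header first
    $rows = ($csv | Where-Object { $_.Trim() -ne '' }) | ConvertFrom-Csv
    return $rows | Select-Object -First 1
}

function Enable-DSChangeAuditing {
    param([string]$Subcategory = 'Directory Service Changes')

    $before = Get-AuditSubcategorySetting -Subcategory $Subcategory
    Write-Host "Before: $($before.'Inclusion Setting')"

    # Same command as in the article, run from PowerShell
    auditpol /set /subcategory:"$Subcategory" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }

    $after = Get-AuditSubcategorySetting -Subcategory $Subcategory
    Write-Host "After:  $($after.'Inclusion Setting')"

    # "Success" and "Success and Failure" both mean successful changes will be logged;
    # anything else ("No Auditing", "Failure") means event 5136 will not be written
    if ($after.'Inclusion Setting' -notmatch 'Success') {
        throw "Audit policy for '$Subcategory' did not take effect (got '$($after.'Inclusion Setting')')"
    }
    return $after
}

Enable-DSChangeAuditing
```

One caveat worth checking in your own environment: a subcategory enabled locally with auditpol can be overwritten at the next Group Policy refresh if a GPO still defines the legacy "Audit directory service access" category setting. The security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" decides which one wins, so re-run the verification function after a gpupdate rather than trusting the first "After" line.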

Server 2008: Auditing Active Directory - 9

2. Click on View and make sure that Advanced Features is enabled. If not, left click on it to place a check next to it.

Server 2008: Auditing Active Directory - 10

3. Right click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.

Server 2008: Auditing Active Directory - 11

4. In the Properties window click on Security.

Server 2008: Auditing Active Directory - 12

5. Next click on Advanced.

Server 2008: Auditing Active Directory - 13

6. Click the Auditing tab, then click Add.

Server 2008: Auditing Active Directory - 14

7. Under Enter the object name to select:, type in Authenticated Users and click Ok.

Server 2008: Auditing Active Directory - 15

8. In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click Ok.

Server 2008: Auditing Active Directory - 16

9. Click Ok until you are out of all dialog boxes.

Now that we have enabled auditing in a SACL, let's go ahead and give it a test.
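The SACL entry from steps 1 to 9, as an added example that is not part of the original article: the same audit rule (Authenticated Users, Successful, Write all properties, applied to Descendant User Objects) added to an OU's SACL with the ActiveDirectory module's AD: drive instead of the GUI. It assumes the RSAT ActiveDirectory module is installed and that the account holds the Manage auditing and security log privilege; the OU distinguished name is an assumed placeholder, and the function name is this example's own.

```powershell
# Added example, not from the original article: add the article's audit entry to an OU's SACL
# via Get-Acl/Set-Acl on the AD: drive. The OU distinguished name is an assumed placeholder.
Import-Module ActiveDirectory

function Add-UserWriteAuditRule {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Well-known SID S-1-5-11 = Authenticated Users (step 7)
    $identity = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

    # schemaIDGUID of the "user" object class. "Descendant User Objects" in the GUI (step 8)
    # is inheritance = Descendents limited to this inherited object type.
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,   # "Write all properties"
        [System.Security.AccessControl.AuditFlags]::Success,               # "Successful" column
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    $path = "AD:\$OuDistinguishedName"

    # -Audit is required so the SACL (not just the DACL) is read and written back
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the SACL back and return the matching explicit entries so the caller can confirm it
    $check = Get-Acl -Path $path -Audit
    return $check.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $identity -and $_.InheritedObjectType -eq $userClassGuid }
}

# Assumed OU; the default "Users" container shown in the article is CN=Users,<domain DN>
Add-UserWriteAuditRule -OuDistinguishedName 'OU=Users,DC=example,DC=com' |
    Format-List IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType
```

Reading the SACL back after Set-Acl is the equivalent of reopening the Auditing tab in step 6: if the returned list is empty, the entry was not written, and no 5136 events will appear for that OU no matter what the global audit policy says.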

Example: Security Events with Auditing Enabled

With auditing enabled, all events will be logged under the Security log in Event Viewer. Let's see what happens when you modify a value on an object.

For brevity's sake, I am going to create a user called audittest, change his name from Audit Test to Test Audit and then we will take a look in the security log to see what was recorded.

There are two images that show the change that corresponds with Event 5136. Here is the first one, which shows the value being deleted, which in this example is Audit Test:

Server 2008: Auditing Active Directory - 17

The next image shows the changed object's new value, which in our example is Test Audit:

Server 2008: Auditing Active Directory - 18

So you can see that it is very helpful, if you are watching these types of things, to know what the old value was compared to the new value, in case you need to quickly and easily reset the attribute without having to go to a backup.

There are a ton of things you can audit depending on the situation and your need.
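Pulling the old and new values out of the log without clicking through each event, as an added example that is not part of the original article: a PowerShell function that reads event 5136 records from the Security log, parses the EventData fields, and pairs each "Value Deleted" entry with the "Value Added" entry from the same modify operation so both values land on one line, as the two screenshots above show for audittest. It assumes it runs on the domain controller (or with -ComputerName) as a member of Event Log Readers; the function name is this example's own.

```powershell
# Added example, not from the original article: pair the delete/add halves of event 5136 so the
# old and new attribute values of one modify appear together. Function name is this example's own.

function Get-DSAttributeChanges {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $records = foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; flatten it into a hashtable
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # OperationType is a message-table reference: %%14674 = Value Added, %%14675 = Value Deleted
        $op = switch ($d['OperationType']) {
            '%%14674' { 'Added' }
            '%%14675' { 'Deleted' }
            default   { $d['OperationType'] }
        }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Correlation = $d['OpCorrelationID']   # shared by the Deleted/Added pair of one modify
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ObjectDN    = $d['ObjectDN']
            Attribute   = $d['AttributeLDAPDisplayName']
            Value       = $d['AttributeValue']
            Operation   = $op
        }
    }

    # One output object per (correlation id, attribute): old value from the Deleted event,
    # new value from the Added event. Multi-valued attributes are joined with ';'.
    $records | Group-Object Correlation, Attribute | ForEach-Object {
        [pscustomobject]@{
            Time      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            Subject   = $_.Group[0].Subject
            ObjectDN  = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].Attribute
            OldValue  = (($_.Group | Where-Object Operation -eq 'Deleted').Value) -join ';'
            NewValue  = (($_.Group | Where-Object Operation -eq 'Added').Value) -join ';'
        }
    }
}

# Show the last day of changes to the article's test user
Get-DSAttributeChanges -Since (Get-Date).AddDays(-1) |
    Where-Object { $_.ObjectDN -like '*audittest*' } |
    Format-Table Time, Subject, Attribute, OldValue, NewValue -AutoSize
```

A row with an OldValue but an empty NewValue means the attribute was cleared; an empty OldValue with a NewValue means it was set for the first time. Because the SACL above only audits Write all properties on user objects, changes to groups or computers in the same OU will not show up here unless you add matching entries for those object classes.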


Source: https://www.pluralsight.com/blog/it-ops/windows-server-2008-auditing-active-directory

Posted by: branchcouchisem.blogspot.com
