Auditing Windows Events: Secrets of Windows
The number of audit requirements for access continues to rise. The questions surrounding access to corporate information, such as:
These questions, and others, are now as common in IT discussions as server capacities or software deployment.
Audit requirements can be difficult to ignore. However, it is possible to find the right approach for your particular requirements. Every organization is different in terms of network configuration, firewalls, applications, and other details. Many share the same fundamental components, including Microsoft Active Directory (and its related Windows file system).
Windows and Active Directory are staples in almost every enterprise. Auditing security events across these platforms can be a daunting task for almost all IT managers. The obvious solutions are not always the best.
Microsoft Windows Servers, including Active Directory domain controllers, come with built-in event-logging capabilities. These event logs can be configured to capture security events such as user account creations and security group membership changes. The hard part is capturing the right information in a form you can act on. Configuring Windows event logging takes several steps, and even then the results may not be satisfactory.
Configure Windows Event Logging
The conventional wisdom in audit response is to capture everything that happens from each system. Turn up logging and create a process to convert logs into a long-term storage format that is searchable, accessible for reporting, and convenient for archiving.
This is the common approach of Security Information and Event Management (SIEM) and Log Management solutions. It lets them monitor hundreds of sources, from network hardware to software applications, with a single collection model. Implementing this approach is not conceptually difficult, but it is not easy in practice.
These are the steps to follow when configuring Windows and Active Directory event logging, whether for integration with a SIEM solution or for capture and retention for future audits.
1. Decide the Events You Need
First, you must understand the events you need. You will also need to collect the event identifiers (IDs) associated with each event. This task is complicated by the fact that event ID numbers differ between Windows versions. Windows Server 2008, for example, uses four-digit event IDs and adds audit subcategories under each of the main audit categories, so a user account creation that was event 624 on Windows Server 2003 is event 4720 on Windows Server 2008.
Many events can look very similar, so it is important to ensure that you are logging the correct event. It is common for a single action to generate multiple events in the log. Therefore, it is important to understand the interrelationship of the event IDs.
Windows Server 2008 subcategories can be very useful because you can enable auditing for certain events but not others. This is a good step forward in Microsoft auditing. Instead of treating all Account Management events the same, you can disable auditing of the Distribution Group Management subcategory while enabling auditing of the Security Group Management subcategory.
To apply audit settings at the subcategory level, you will need to use the command line tool auditpol.exe rather than the Group Policy editor. Advanced filtering capabilities, such as alerting on changes to high-risk groups or on actions taken by particular subsets of users, are not available at this level; that filtering has to happen after the events are collected.
Account Management audit events and Directory Service Access audit events also overlap, which further complicates matters and produces more duplicate events. The "Before" and "After" values for a change are reported differently by different events. To answer basic questions, you will often need to correlate multiple events.
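The following PowerShell session is an added example, not code from the original article. It walks through the two points made above for Server 2008 and later: setting the Account Management subcategories with auditpol.exe, then pulling the resulting security group membership events (4728, 4732 and 4756 for additions to global, local and universal security groups) and applying the high-risk-group filter that auditpol itself cannot express. It assumes it runs elevated on a domain controller or member server with auditpol.exe present; the list of high-risk group names is an assumption for illustration.

```powershell
# Added example, not from the original article. Assumes an elevated session on a
# Windows Server 2008+ host with auditpol.exe; group names below are assumptions.

# --- Apply audit policy at subcategory level (auditpol, not the Group Policy editor) ---
# Audit security group changes, success and failure.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
# Leave distribution group changes unaudited to cut noise.
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
# Confirm the effective settings for the whole Account Management category.
auditpol /get /category:"Account Management"

# --- Collect the resulting events and normalise them into one row per change ---
# Server 2008+ IDs for members added to security-enabled groups:
#   4728 global group, 4732 local group, 4756 universal group
$ids = 4728, 4732, 4756
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML: the EventData fields are named, so no regex over the message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who made the change
        Group     = $d.TargetUserName                                 # group that was modified
        MemberSid = $d.MemberSid                                      # who was added (SID)
        Member    = $d.MemberName                                     # who was added (DN)
        Computer  = $e.MachineName
    }
}

# auditpol cannot filter on which group changed, so do it here (group list is an assumption).
$highRisk = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$rows | Where-Object { $highRisk -contains $_.Group } |
    Sort-Object Time |
    Format-Table Time, Id, Actor, Group, Member, Computer -AutoSize
```

The three event IDs carry the same EventData field names, which is why a single parsing loop covers all of them. If Directory Service Changes auditing is also enabled, the same membership change will additionally appear as event 5136 with the member attribute value in a different field layout, which is the duplication the text above warns about; treat the Account Management row as the primary record and use 5136 only when you need the before/after attribute values.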
2. Allow Auditing of Desired Objects
Once you have identified the events you need,
