How to enable and apply security auditing in Windows 2000

This step-by-step instruction guide describes how to enable and apply Windows security auditing.

Enabling Windows Security Auditing

It is important that you protect your information and service resources from people who should not have access to them, and at the same time make those resources available to authorized users. This article describes how to use Windows 2000 security features to audit access to resources.

You can configure the security logs to record information about either directory and file access or server events. You can set this level of auditing by using Audit Polices in Microsoft Management Console (MMC). These events are logged in the Windows Security log. The Security log can record security events, such as valid and invalid logon attempts, as well as events that are related to resource use, such as creating, opening, or deleting files. You need to log on as an administrator to control what events are audited and displayed in the Security log.

IMPORTANT: Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After you enable auditing in Group Policy, view the Security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

To enable local Windows security auditing:

1. Log on to Windows 2000 with an account that has Administrator rights. If you want to grant other users the rights to set auditing, see the "How to Enable Another Account to Configure Auditing" section in the "Reference" section of this article.
2. Ensure that the Group Policy snap-in is installed; if it is not installed, follow the directions in the "How to Install the Group Policy Snap-in" section in the "References" section of this article to install it.
3. Click Start, point to Settings, and then click Control Panel.
4. Double-click Administrative Tools.
5. Double-click Local Security Policy to start the Local Security Settings MMC snap-in.
6. Double-click Local Policies to expand it, and then double-click Audit Policy.
7. In the right pane, double-click the policy that you want to enable or disable.
8. Click the Success (An audited security access attempt that succeeds) and Fail (audited security access attempt that fails) check boxes for logging on and logging off. For example, with this setting, a user's successful attempt to log on to the system is logged as a Success Audit event. If a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.
9. If you are setting auditing for a Web server that is running Microsoft Internet Information Services (IIS) version 5.0, see the "Recommendations for Auditing on a Web Server That Is Running Windows 2000 and Internet Information Services 5.0" section in the "References" section of this article for a list of suggested audits.

NOTE: If you are a member of a domain, and a domain-level policy is defined, domain-level settings override the local policy settings.

If Active Directory is enabled, administrators can monitor access to Active Directory, which causes successful and "failed" audit attempts to be logged in the Directory Service event log. This event log is present only on Windows 2000 domain controllers.

To enable auditing of Active Directory:

1. Log on to Windows 2000 with an account that has Administrator rights, if you wish to give others set auditing rights see reference section below.
2. Ensure the Group policy snap-in is installed, if it is not installed follow the directions to install it listed in the section below
3. Start the Active Directory Users and Computers snap-in by clicking Start, pointing to Programs, and then pointing to Administrative Tools.
4. On the View menu, click Advanced Features.
5. Right-click the Domain Controllers container, and then click Properties.
6. Click the Group Policy tab.
7. Click Default Domain Controller Policy, and then click Edit.
8. Double-click the following items to open them: Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
9. In the right pane, open Audit Directory Services Access.
10. Click the appropriate options: either Audit Successful Attempts, Audit Failed Attempts, or both.
11. If you are setting auditing for an IIS 5.0 Web server, see the "Recommendations for Auditing on a Web Server That Is Running Windows 2000 and Internet Information Services 5.0" section in the "References" section of this article for a list of suggested audits.

NOTE: In Windows 2000, domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.

NOTE: If the check boxes under Access in the Auditing Entry dialog box are shaded, or if the Remove button is unavailable in the Access Control Settings dialog box, auditing has been inherited from the parent folder. Because the Security log is limited in size, select the files and folders that you want to be audited carefully. Also consider the amount of disk space that you are willing to devote to the Security log. The maximum size is defined in Event Viewer.

Auditing Events in Windows 2000 Server

Setting, Viewing, Changing, or Removing Windows File or Folder Auditing

You set up auditing to detect and record security-related events, such as when a user attempts to access a confidential file or folder. When you audit an object, an entry is written to the Windows 2000 Security log whenever the object is accessed in a certain way. You determine which objects to audit, whose actions to audit, and exactly what types of actions are audited. After you set up auditing, you can keep track of users who access certain objects and analyze security breaches. The audit trail can show who performed the actions and who tried to perform actions that are not permitted.

To set up auditing:

1. Start Windows Explorer (click Start, point to Programs, point to Accessories, and then click Windows Explorer), and then locate the file or folder that you want to audit.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, and then click the Auditing tab.
4. Do one of the following, as applicable:
   1. To set up auditing for a new group or user:
      1. Click Add. In the Name box, type the name of the user that you want to audit.
      2. Click OK to automatically open the Auditing Entry dialog box.
   2. To view or change auditing for an existing group or user, click the name, and then click View/Edit.
   3. To remove auditing for an existing group or user, click the name, and then click Remove.
5. Under Access, click Successful, Failed, or both Successful and Failed, depending on the type of access that you want to audit.
6. If you want to prevent files and subfolders in the tree from inheriting these audit entries, click to select the Apply these auditing entries check box.

Auditing to Detect Unauthorized Access

You can detect unauthorized access attempts in the Windows Security log, these attempts can appear as warning or error log entries. You can also archive these logs for later use.

To detect possible security problems by reviewing the Windows Security log:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. Expand System Tools, and then expand Event Viewer.
4. Click Security Log.
   
   NOTE: If you are not able to view the Security log, the user account that you are using does not have the privileges to do so. This issue occurs because the domain-level security policies override the local computer-level security policies, which means that you can be logged on as the administrator of your local computer, but not have access to the computer's security log. To obtain these permissions, see your network administrator. For more information about security policies, see the Windows documentation.
5. Inspect the logs for suspicious security events, including the following events:
   • Invalid logon attempts.
   • Unsuccessful use of privileges.
   • Unsuccessful attempts to access and modify .bat or .cmd files.
   • Attempts to alter security privileges or the audit log.
   • Attempts to shut down the server.

Working with Windows Security Logs

How to Archive a Windows Security Log

To archive a Windows Security log:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. Expand System Tools, and then expand Event Viewer.
4. Click Security.
5. On the Action menu, click Save Log File As.
6. In the Save As dialog box, click the directory to which you want to save the file, and then type a name for the file.

NOTE: The Security log can be saved as an event (.evt) file, a text (.txt) file, or a comma-delimited (.csv) file.

How to Open an Archived Windows Security Log

To open an archived Windows Security log:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. Expand System Tools, and then expand Event Viewer.
4. On the Log menu, click Security.
5. On the Action menu, point to Open Log File.
6. In the Open dialog box, click the previously saved log or change to the location in the Look in list and browse to the file.
7. In the Log type list, click Security.
8. Click OK to open the file in the viewer.

Troubleshooting

Because the Security log is limited in size, select the files and folders that you want to be audited carefully. Also consider the amount of disk space that you are willing to devote to the Security log. The maximum size is defined in Event Viewer.

IMPORTANT: Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After you enable auditing in Group Policy, view the Security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

How to Install the Group Policy Snap-In

To use the auditing features that this article describes, you need to install the Group Policy snap-in. This snap-in is not included in the Computer Management console, and you need to create a new console for the Group Policy snap-in. For more information about adding MMC snap-ins, see the Windows 2000 documentation.

To create a new MMC console and add the Group Policy snap-in:

1. Click Start, and then click Run. In the Run dialog box, type mmc to start a new MMC console.
2. In the Console menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, click Group Policy from the list of available snap-ins. Click Add.
5. In the Select Group Policy Object dialog box, either click Finish to audit the local computer, or Browse to locate the computer you want to audit.
6. If you clicked Browse, proceed to step 7. If you clicked Finish, go to step 9.
7. In the Browse for a Group Policy Object dialog box, click the Computers tab, click Another computer, browse to the computer that you want to audit, and then click OK.
8. In the Select Group Policy Object dialog box, click Finish.
9. Close the Add Standalone Snap-in dialog box.
10. Click OK.
11. In the Console menu, select Save to save the new console to your hard disk. This is the console that you will use to configure the auditing features.

How to Enable Another Account to Configure Auditing

By default, only members of the Administrators group have privileges to configure auditing. You can delegate the task of configuring auditing of server events to another user account by granting the Manage Auditing and Security Log right in Group Policy.

To enable the account to configure auditing:

1. In the Group Policy console that you created, expand the following menus in the following order:
   1. Computer Configuration
   2. Windows Settings
   3. Security Settings
   4. Local Polices
   5. User Rights Assignment
2. Click Manage audit and security log, click Action, and then click Security.
3. In the Manage auditing and security log dialog box, click Add.
   
   NOTE: If the Add button is unavailable (appears dimmed), click to clear the Exclude from local policy check box to activate the Add button.
4. Click the appropriate user or user group from the list, and then click Add. Click OK.

Recommendations for Auditing on Windows 2000 IIS 5.0 Web Servers

For a Windows 2000 Server-based computer that is running IIS 5.0, you should audit by using the following Windows events. "Audit success attempts" indicates that you are interested in successful events, and "Audit failed attempts" indicates that you are interested in failures when that event is performed. "On" means that the event is being audited, while "off" means the event is not being audited.

The following list provides auditing suggestions for various events on a Windows 2000-based computer that is an IIS Web server:

• Account Logon
  Audit Success Attempts: ON
  
  Audit Failed Attempts: ON
• Account Management
  Audit Success Attempts: Off
  
  Audit Failed Attempts: ON
• Directory Service Access
  Audit Success Attempts: Off
  
  Audit Failed Attempts: ON
• Logon
  Audit Success Attempts: ON
  
  Audit Failed Attempts: ON
• Object Access
  Audit Success Attempts: Off
  
  Audit Failed Attempts: OFF
• Policy Change
  Audit Success Attempts: ON
  
  Audit Failed Attempts: ON
• Privilege Use
  Audit Success Attempts: OFF
  
  Audit Failed Attempts: ON
• Process Tracking
  Audit Success Attempts: OFF
  
  Audit Failed Attempts: OFF
• System
  Audit Success Attempts: OFF
  
  Audit Failed Attempts: OFF