Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How to Configure ISA Server to Audit Changes Made to Its Configuration Settings or to Its Policies


Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows Registry


Summary

This article describes how to configure Internet Security and Acceleration (ISA) Server 2000 Standard Edition to audit changes that are made to its configuration or to its policies.


More information

By default, ISA Server does not audit changes that are made to its configuration or to its policies. However, you can configure ISA Server to perform basic auditing of any such changes. When ISA Server audits these changes, an event is generated when a user creates, modifies, or removes an access rule, and an event message is logged in the security log. The event provides a user account name and records the time and the date when the policy change was made. To configure auditing, follow these steps:

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. Turn on auditing on the server where ISA Server is installed. To do this, follow these steps:
a. Click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
b. Expand Local Policies, and then click Audit Policy.
c. In the details pane, double-click Audit object access.
d. Select the Success check box, and then click OK.
e. Quit Local Security Settings.
2. Configure a system access control list (SACL) on the ISA Server policy storage container. To do this, follow these steps:

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
a. Click Start, click Run, type regedt32 in the Open box, and then click OK.
b. Click the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\{E205C653-0426-11D2-9A4D-0060081E9D26}\InprocServer32
c. On the Security menu, click Permissions.
d. Click Advanced, click the Auditing tab, and then click Add.
e. Click the Everyone group, and then click OK.
f. Under Successful, select the Query Value check box.
g. Click OK, click OK, and then click OK.
h. Quit Registry Editor.
After you configure the SACL, when a user creates, modifies, or removes an access rule, the following event messages appear in the security log.

Note The event descriptions differ depending on the policy modification that the user makes.
When a user opens the policy storage container to modify a policy, the following event message appears:

Event Source: Security
Event Category: Object Access
Event ID: 560
Date: Date
Time: Time
Type: Success
User: Example\UserName
Computer: ServerName
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E205C653-0426-11D2-9A4D-0060081E9D26}\InprocServer32
New Handle ID: 632
Operation ID: {0,199050}
Process ID: 1752
Primary User Name: UserName
Primary Domain: Example
Primary Logon ID: (0x0,0x8FE1)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges -

When a user closes the policy storage container after changing a policy, the following event message appears:

Event Source: Security
Event Category: Object Access
Event ID: 562
Date: Date
Time: Time
Type: Success
User: Example\UserName
Computer: ServerName
Description:
Handle Closed:
Object Server: Security
Handle ID: 632
Process ID: 1752

These two events are generated each time ISA Server writes to the access control policy. Because ISA Server writes to the policy in three different places for each user-defined access rule, six events appear in the security log when a change is made to the access control policy.
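
The pairing described above can be checked mechanically when reviewing an exported security log. The following is an added example, not part of the original article: it pairs each event 560 on the ISA Server key with the event 562 that closes the same handle, then divides the pairs by three, following the article's statement of three writes per access rule change. The blank-line-separated "Field: value" export layout, the function names, and the sample records (including the accounts Example\Other and Example\Admin2) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Key named in the article's SACL step, as it appears in event 560's Object Name.
ISA_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E205C653-0426-11D2-9A4D-0060081E9D26}\InprocServer32"

def parse_events(text):
    """Split exported event text on blank lines and read its 'Field: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip()] = value.lstrip(" :").strip()
        events.append(fields)
    return events

def correlate(events):
    """Pair each 560 open on the ISA key with the 562 close of the same handle."""
    open_handles = {}          # (process id, handle id) -> user who opened the key
    pairs = defaultdict(int)   # user -> completed open/close pairs
    for ev in events:
        if ev.get("Event ID") == "560" and ev.get("Object Name", "").lower() == ISA_KEY.lower():
            open_handles[(ev.get("Process ID"), ev.get("New Handle ID"))] = ev.get("User")
        elif ev.get("Event ID") == "562":
            user = open_handles.pop((ev.get("Process ID"), ev.get("Handle ID")), None)
            if user is not None:
                pairs[user] += 1
    # The article states three writes (six events) per access rule change.
    changes = {user: n // 3 for user, n in pairs.items()}
    return changes, sorted(open_handles.values())  # second item: opens never closed

def sample_log():
    """Constructed sample: one rule change, one unrelated key, one open with no close."""
    out = []
    for handle in ("632", "640", "648"):
        out.append(f"Event ID: 560\nUser: Example\\UserName\nObject Name: {ISA_KEY}\nNew Handle ID: {handle}\nProcess ID: 1752")
        out.append(f"Event ID: 562\nUser: Example\\UserName\nHandle ID: {handle}\nProcess ID: 1752")
    out.append("Event ID: 560\nUser: Example\\Other\nObject Name: \\REGISTRY\\MACHINE\\SOFTWARE\\Unrelated\nNew Handle ID: 700\nProcess ID: 900")
    out.append("Event ID: 562\nUser: Example\\Other\nHandle ID: 700\nProcess ID: 900")
    out.append(f"Event ID: 560\nUser: Example\\Admin2\nObject Name: {ISA_KEY}\nNew Handle ID: 800\nProcess ID: 1752")
    return "\n\n".join(out)

if __name__ == "__main__":
    print(correlate(parse_events(sample_log())))
```

Because the SACL audits the Everyone group for Query Value, any process that reads this key produces the same event pair, so treat the per-user counts as leads to confirm against the actual policy rather than as proof of a change.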


Keywords: KB827818, kbinfo

Article Info
Article ID : 827818
Revision : 1
Created on : 8/27/2003
Published on : 8/27/2003