
Abstract

Instructions are given on how to use the functions of Windows NT auditing, and ways to help manage audit information are examined.


For most network administrators, auditing ranks somewhere near documentation: one of those jobs that we all know we should do, but don't give enough time to. With Windows NT, there's no reason for this to be the case, because a well thought-out NT auditing system will almost run itself. It can often help you discover weaknesses in the security of your systems, and it settles arguments with those troublesome "it wasn't me" users.

In this article, we'll look at using the functions of Windows NT auditing. We'll also examine some ways to help you manage your audit information.

Deciding what to audit

Before you turn on the audit facilities in NT, you need to decide exactly what it is you're trying to achieve. The extent of your auditing activities will depend greatly on your environment and system setup. One important thing to avoid is the temptation to over-audit. For example, knowing who has deleted a file or user account can be useful information, but how relevant is the fact that a file has been successfully read, or a registry key successfully accessed?

So, before you set up auditing, it's a good idea to look at what objects you're going to audit, and at what levels. Always remember that the level of auditing you set up will have an effect on the overall performance of your server or workstation.

Auditing tasks related to user account management will have little effect, unless you're amending hundreds of accounts per day. However, auditing on file, printer, and registry access can severely impact performance, if not done selectively.

[Figure A and Figure B: images not reproduced]

Who wants to be an auditor?

By default, only members of the Administrators group can set the audit policy in NT. Once the policy is set, though, you can give another user or group the ability to manage file, printer, and registry auditing, as well as the right to manage the security log in which the audit events are recorded. Bear in mind that this right also allows its holder to clear the security log, which erases the audit trail (NT records the clearing itself as a security event), so grant it only to people you would trust with the log. To set up an existing user to do this, start User Manager by selecting Start | Programs | Administrative Tools | User Manager For Domains.

[Table A and Figure C: images not reproduced]

Next, go to the Policies menu and choose User Rights. In the User Rights Policy dialog box, select Manage Auditing And Security Log from the Right drop-down list. You'll see that the only group that receives this right by default is the Administrators group, so add the user or group of your choice by clicking the Add button and selecting who you want to add to the list. Figure A shows how we've added a user called Auditor in this way. When you're finished, click OK to save your changes. Now, after you've set the audit policy, someone else can do all the hard work of archiving and checking the audit log files.

Setting the audit policy

Once you've decided what you want to audit, the next step is to set the overall audit policy. If you make changes to the audit policy on a domain controller, the changes will affect the audit policy on all domain controllers in that domain. Changes made to the policy on a Windows NT stand-alone server or workstation will affect only that PC.

The audit policy is set through User Manager. In User Manager, click on the Policies menu, and then select Audit. You'll see the dialog box shown in Figure B. In the Audit Policy dialog box, there are seven categories of events to audit, as shown in Table A.

One special note on these options is that if you want to set up file, printer, and registry auditing, you must select the File And Object Access option. Otherwise, you'll be able to turn file, printer, and registry auditing on, but no events will be logged.

For each option, you can select whether to have success and/or failure events recorded. Choosing to have successful events recorded can provide you with a useful history of what events occurred and when. Recording failed events will allow you to determine whether someone is attempting to perform tasks on a system for which they don't have the privileges. Once you've set the overall audit policy, you can go on to set file, printer, and registry auditing.

File and directory auditing

Now that you've turned on File And Object Access auditing in User Manager, you can set up auditing on files and directories on your system. One thing before we start, though: auditing of files and directories only works on partitions that are formatted with NTFS. So, if you have FAT partitions, you won't be able to audit files and directories on them.

Setting up auditing is done at the file or directory level. So, using Windows Explorer or My Computer, navigate to the file or directory you want to audit. Go to the Properties page by right-clicking on the object and selecting Properties. Then, click on the Security tab. Next, click the Auditing button, which will take you to the screen shown in Figure C.

If the object you selected to audit was a file, the two check boxes at the top of the dialog box won't be present. The first of these options, Replace Auditing On Subdirectories, applies the audit entries you set up to every subdirectory beneath your current position. The second option, Replace Auditing On Existing Files, applies them to the files already in the current directory (and, combined with the first option, to the files in its subdirectories); clear it and only the directory objects themselves are audited. Files and directories created later inherit the audit entries of the directory they're created in. By understanding how these two options work, you can customize your file auditing so that you don't audit file-system objects unnecessarily.

To select which users or groups you want to audit, click the Add button and make your selections. You can choose users and groups from your own domain or from trusted domains. If you want to record access to the file or directory by all users, irrespective of how they're connected to your system, use the system group called Everyone. The file and directory events that you can audit are Read, Write, Execute, Delete, Change Permissions, and Take Ownership. With file access, as with any other part of auditing, carefully select which activities and objects you audit. Do you really need a record of every time someone reads a file? Auditing Delete on the directories that hold important documents, on the other hand, costs little, and the next time someone deletes that monthly report spreadsheet and denies it, he or she won't get away with it.

Printer auditing

Setting up auditing on a printer is done in a similar way to file and directory auditing, but with a different list of events to audit. To set up printer auditing, go to the printer's property page by right-clicking on the printer icon in the Printers folder and selecting Properties. Then, select the tab marked Security and click on Auditing. You'll see the Printer Auditing dialog box shown in Figure D.

[Figure D and Table B: images not reproduced]

Click the Add button and select the users or groups that you want to be audited, in the same way as you would with file and directory auditing. If you don't add a specific user or group to the list, it doesn't mean that they won't be able to print to the printer. Rather, it simply means that their printer-related actions won't be audited. Once you've selected your users and groups, you need to decide what actions will be audited. As with the other audit options, you have the choice of auditing both success and failure events. The events that you can audit on printers are described in Table B.

Although printer auditing is simple to set up, deciphering the related events in the Security Log is often not so simple. One of the best examples of this is that, although the NT audit system will generate 18 security log events for a one-page print job, not one of those events tells you how many pages were printed or the name of the file that was printed.

Registry auditing

One of the less known, and certainly less well-documented, features of NT auditing is the ability to audit keys in the registry. Registry auditing is set up and managed through the Windows NT registry editor, REGEDT32. The default installation of NT doesn't create an icon for REGEDT32, so run it from the Start | Run box. If you're not used to using the registry editor, be aware that you can seriously damage your machine if you use it incorrectly.

Once in the registry editor, you can specify which key or keys you want to audit by highlighting the key and selecting Auditing from the Security menu. The Registry Key Auditing dialog box, shown in Figure E, allows you to choose which users are going to be audited, as well as which events are to be audited.

A wide range of registry events can be audited. Table C lists the events you can audit, with a brief description of which action triggers each one. Auditing can be applied to the selected key only, or to the selected key and all of its existing subkeys by selecting the Audit Permission On Existing Subkeys check box.

In the registry, probably more than with any other area of auditing, be prudent with your selections. The registry is referenced almost constantly by your NT system, and over-auditing here will cause your security log to fill up in no time, not to mention slowing your machine to a crawl.

After the event

Once you've set up auditing, any events that match your auditing criteria are entered into the Security Log. You can view the Security Log by choosing Start | Programs | Administrative Tools | Event Viewer. Event Viewer opens on whichever log was viewed last, so if the Security Log isn't displayed, choose Security from the Log menu. If you've set up auditing already, you should be able to view the audit events that have occurred so far.

[Figure E and Table C: images not reproduced]

The log screen in Event Viewer doesn't update automatically. So, to see any new events that occur while you're viewing the log, press [F5] to refresh the screen. In the Security Log, success events are denoted by a gold key, and failures by a gray padlock. Figure F shows a Security Log screen with both success and failure events.

For each event, the date, time, and type of event are displayed along with the user who performed the action and the computer at which the action was performed. To see more detailed information on a specific event, just double-click on it. Sometimes, it's easy to ascertain exactly what event has caused the security log entry, such as that shown in Figure G. At other times, you'll be presented with a less informative message.

If your logs are particularly large, with many events, you can sort and filter the events that are displayed by selecting View | Filter Events and setting the display criteria. The Security Log, like the other logs, can be managed by selecting Log Settings from the Log menu in Event Viewer. From here, you can specify how large the log file can grow, as well as what should happen when it reaches its maximum size. Note that if you choose not to overwrite events, NT simply stops recording audit events once the log is full, until someone clears it, so size the log and archive it often enough that this never happens. If you're taking auditing seriously, you should have a procedure for maintaining and archiving your Security Log files so that they can be retrieved if necessary.
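Sorting and filtering in Event Viewer is fine for a quick look, but once you're archiving logs you'll want to ask the same questions offline. Event Viewer can save the Security Log as tab-delimited text (Log | Save As). The following Python script is an added example, not code from the original article: it triages such an export by counting repeated logon failures per account, confirming who deleted a named file by pairing the Object Open event (560, with DELETE among the requested accesses) with the matching Object Deleted event (564) through its Handle ID, listing denied opens of audited objects, and flagging the two events that touch the audit trail itself, 612 (audit policy change) and 517 (audit log cleared). The nine-column layout, the one-line description text, and the sample lines are constructed for the example; real exports carry multi-line descriptions, so check the field parsing against one of your own before relying on it.

```python
"""Triage an NT 4 Security Log saved from Event Viewer as tab-delimited text.
Added example, not code from the original article. The nine-column layout
(Date, Time, Source, Type, Category, Event, User, Computer, Description) is assumed."""
import csv
import io
import re
from collections import Counter

COLUMNS = ["date", "time", "source", "type", "category", "event_id",
           "user", "computer", "description"]

# NT 4 security event IDs this script looks at
EV_LOGON_FAILURE = 529   # unknown user name or bad password
EV_OBJECT_OPEN = 560     # handle opened on an audited object; "Accesses:" lists what was requested
EV_OBJECT_DELETED = 564  # the object behind a Handle ID was deleted
EV_LOG_CLEARED = 517     # the audit log was cleared
EV_POLICY_CHANGE = 612   # audit policy changed

# Constructed sample export (descriptions abbreviated to one line per event)
_LOGON_FAIL = ("Logon Failure: Reason: Unknown user name or bad password "
               "User Name: jsmith Domain: CORP Logon Type: 2")
SAMPLE_ROWS = [("06/14/99", t, "Security", "Failure Audit", "Logon/Logoff", "529", "SYSTEM", "NTSRV1", _LOGON_FAIL)
               for t in ("09:02:17", "09:02:31", "09:02:44")] + [
    ("06/14/99", "10:15:02", "Security", "Success Audit", "Object Access", "560", r"CORP\jsmith", "NTSRV1",
     r"Object Open: Object Type: File Object Name: D:\Reports\June Report.xls Handle ID: 88 Accesses: DELETE READ_CONTROL"),
    ("06/14/99", "10:15:02", "Security", "Success Audit", "Object Access", "564", r"CORP\jsmith", "NTSRV1",
     "Object Deleted: Object Server: Security Handle ID: 88 Process ID: 2147483647"),
    ("06/14/99", "10:15:40", "Security", "Failure Audit", "Object Access", "560", r"CORP\bjones", "NTSRV1",
     r"Object Open: Object Type: File Object Name: D:\Reports\Salaries.xls Handle ID: - Accesses: READ_CONTROL ReadData"),
    ("06/14/99", "17:45:12", "Security", "Success Audit", "Policy Change", "612", r"CORP\Administrator", "NTSRV1",
     "Audit Policy Change: Object Access: - -"),
    ("06/14/99", "17:46:30", "Security", "Success Audit", "System Event", "517", r"CORP\Administrator", "NTSRV1",
     "The audit log was cleared Primary User Name: Administrator Primary Domain: CORP"),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

_FIELD_END = r"(?=\s+[A-Z][A-Za-z ]*:\s|\s*$)"   # up to the next "Label:" or the end of the text

def _field(description, label):
    """Value after 'label:' in the free-text description, or '' if absent."""
    m = re.search(re.escape(label) + r":\s*(.+?)" + _FIELD_END, description)
    return m.group(1) if m else ""

def parse_export(text):
    """One dict per event line; lines with the wrong column count are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != len(COLUMNS):
            continue
        rec = dict(zip(COLUMNS, row))
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records

def failed_logons_by_account(records, threshold=3):
    """Accounts with at least `threshold` failed logons (password guessing or a forgotten password)."""
    counts = Counter(_field(r["description"], "User Name")
                     for r in records if r["event_id"] == EV_LOGON_FAILURE)
    return {acct: n for acct, n in counts.items() if n >= threshold}

def who_deleted(records, object_name):
    """Confirmed deletions of `object_name`: a successful 560 that asked for DELETE whose
    Handle ID also appears in a 564 Object Deleted event. Handle IDs are reused over
    time, so on a long log compare the timestamps of the two events as well."""
    deleted = {_field(r["description"], "Handle ID")
               for r in records if r["event_id"] == EV_OBJECT_DELETED}
    hits = []
    for r in records:
        d = r["description"]
        if (r["event_id"] == EV_OBJECT_OPEN and r["type"] == "Success Audit"
                and _field(d, "Object Name").lower() == object_name.lower()
                and "DELETE" in _field(d, "Accesses").split()
                and _field(d, "Handle ID") in deleted):
            hits.append((r["date"], r["time"], r["user"]))
    return hits

def failed_access(records):
    """(user, object, accesses) for every denied open of an audited object."""
    return [(r["user"], _field(r["description"], "Object Name"), _field(r["description"], "Accesses"))
            for r in records if r["event_id"] == EV_OBJECT_OPEN and r["type"] == "Failure Audit"]

def integrity_alerts(records):
    """Events that alter or erase the audit trail itself; review every one of these."""
    watched = {EV_LOG_CLEARED: "audit log cleared", EV_POLICY_CHANGE: "audit policy changed"}
    return [f'{r["date"]} {r["time"]} {r["user"]}: {watched[r["event_id"]]}'
            for r in records if r["event_id"] in watched]

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("repeated logon failures:", failed_logons_by_account(recs))
    print("June Report.xls deleted by:", who_deleted(recs, r"D:\Reports\June Report.xls"))
    print("denied opens:", failed_access(recs))
    for line in integrity_alerts(recs):
        print("ALERT", line)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents. The 560 event on its own only proves that a handle was opened with DELETE granted; the 564 event with the same Handle ID is what confirms the object went away, which is why the script insists on both. The 517 and 612 checks are the ones to automate first: a cleared log or a silently narrowed policy is exactly how an audit trail goes missing.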

Managing your audit data

With your auditing system up and running, you'll soon start to generate Security Log files. These log files must be checked on a regular basis, and any issues that arise acted on promptly. To conserve disk space, archived log files should be moved to some kind of off-line media, such as tape, CD, or even floppy disk. How long you keep your audit files will depend on the function of the machine in question and on your company's overall policy for this type of data.

One point that many people forget is that a good auditing regime doesn't by itself make you any more secure. It simply allows you to track what's happening on your system, and to find out after the fact who did what. The auditing function in NT is no substitute for a thorough security check. If you want more information on general IT audit issues, visit www.itaudit.org or www.auditnet.org.

Conclusion

The auditing function in Windows NT allows you to configure a complete range of auditing activities, in a number of areas. The information produced is easily viewed through Event Viewer. In this article, we looked at setting up and managing auditing on a Windows NT machine.

[Figure F and Figure G: images not reproduced]

Copyright Cobb Group Jun 1999