How to enable the Security Auditing of Active Directory

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

Millions of organizations from all parts of the world use Windows Server 2008 R2. It is quite necessary to audit the Active Directory from both security point of view and meeting the requirements of different compliances. In this post, we will discuss the methods to enable the security audit and to verify the enabled audit policies for Active Directory in Windows Server 2008 R2.

Enabling the Security Auditing

For security auditing, it is required to modify the existing default Domain’s policy,

which is setup while creating a domain. You have to, in fact, deal with Advanced Audit

Policy Configuration for this. Follow the steps below for enabling the security auditing

of Active Directory in Windows 2008 R2.

1. Go to “Start Menu” “Administrative Tools” “Group Policy Management”.

2. In the console tree in the left pane, go to “Forest” “Domains” Domain

Name. Expand it.

3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group

Policy Management Editor”.

4. Go to “Computer Configuration” “Windows Settings” “Security Settings”

“Advanced Audit Policy Configuration” “Audit Policies”. This will list all

available audit policies.

5. Here, you can enable the following policies for following purposes:

Type of Auditing Path Domain Logon/Logoff Auditing In “Logon/Logoff”, enable

1. Audit Logon 2. Audit Logoff

File System Auditing In “Object Access”, enable

1. Audit Detailed File Share 2. Audit File Share 3. Audit File System

Handle Manipulation Auditing In “Object Access”, enable

1. Audit Handle Manipulation Table 1: Tables of required auditing values

6. Double-click any of the events listed in the above table to access its properties.

7. Check the box “Configure the following audit events” and then enable the

required “Success” and “Failure” events.

8. Click “Apply” and “OK” to enable the monitoring for the selected events.

Similarly, you can configure the advanced auditing policies for other available options as well.

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

Enabling the Global Object Access Auditing

Perform the below mentioned steps to audit the access of any object globally in the

server.

1. Go to “Start Menu” “Administrative Tools” “Group Policy Management”.

2. In the console tree in the left pane, go to “Forest” “Domains” Domain

Name.

3. Right click on “Default Domain Policy” and click “Edit”. It will show “Group

Policy Management Editor”.

4. Go to “Computer Configuration” “Windows Settings” “Security Settings”

“Advanced Audit Policy Configuration” “Audit Policies”.

5. Go to “Object Access”. This will show the audit policies of object access in the

right panel.

6. Double-click “Audit Registry” to show its properties box.

7. Check the box “Configure the following audit events” and check the both

events.

8. Click “Apply” and “OK”.

9. Now, go to “Global Object Access Auditing” node under “Audit Policies” of

advanced configuration.

10. Double-click “Registry” entry in the right details pane.

11. Check the box “Define this policy”. This will enable the subsequent button.

Figure 1: Properties of Registry policy

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

12. Click “Configure” to access the “Advanced Settings for Global Registry SACL”.

Figure 2: Advanced Security Settings

13. Click the “Add” button to add the users which access you want to audit.

14. Type the name of any user to be audited.

15. Click “Check Names” to validate them.

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

16. Click “OK” for adding the users. This will show the auditing entries for that

user.

Figure 3: Select Audit Entries

17. Select the audit entries for both success and failure, which you want to

monitor and click the “OK” button. It is advised to select Full Control for both

of them.

18. Click “OK” once the required entries are selected. This will take you back to the

“Advanced Security Settings”.

19. You can follow the same steps to configure security auditing for other users.

20. Once done, click “Apply” and “OK”. You will be returned to “Registry

Properties”.

21. Click “Apply” and “OK” once again.

Thus, you can follow the above mentioned steps to configure the advanced file system

auditing by using the “File System” policy in “Global Object Access Auditing”.

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

Managing the Integrity of Advanced Auditing

The advanced auditing entries are often overwritten by that of basic auditing. Follow the

steps below to ensure that the advanced auditing entries do not get overwritten.

1. Go to “Start Menu” “Administrative Tools” “Group Policy Management”.

2. In the console tree left pane, go to “Forest” “Domains” Domain Name.

3. Right-click on “Default Domain Policy” and click “Edit”. It will show “Group Policy

Management Editor”.

4. In the left tree pane, go to “Computer Configuration” “Policies” “Windows

Settings” “Security Settings” “Security Options”.

5. Double-click “Audit: Force audit policy subcategory settings (Windows Vista or

later) to override audit policy category settings”.

6. Click “Define this policy setting” and click “Enabled”.

7. Click “Apply” and “OK” to close the dialog box.

This will apply the modified security auditing policies on the server. Alternatively, you can

logoff and logon the Administrator. It is required to update the modified Group Policies

on the server after enabling the security auditing policies.

Verifying the Auditing Policies

It is recommended to verify whether the modified auditing policies have been applied

or not. Run the following command on the Command Prompt.

auditpol.exe /get /category:*

Figure 4: Listing the status of all policies

This will list the status of all auditing policies – both basic and advanced on the server.

Please verify both “Success” and “Failure” events for the policies, which you have

enabled.

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software

Summary

Thus, you can follow the above stated steps to enable security auditing for the Active

Directory. You can also enable the auditing for specific files and folders. After verifying

the update status, you can see the recorded events in the Security logs of Event Viewer

as security auditing has been enabled. Also, you can make use of LepideAuditor Suite,

which has a number of added features and it also lets you keep a live check on the

changes being made in the Active Directory environment. Real-time alerts, live

updates, and automatic reports let you audit the AD and Group Policy Objects without

any issue. You also have the freedom to restore unwanted changes in the AD objects

and restore the objects from Tombstone folder as well.

B 57, Sector 57

Noida, U.P.

India

201301

Phone: +91 (120) 4282353

Fax: +91 (120) 4282354

www.lepide.com

Lepide Software