The role of auditing network events/activities in maintaining a secure IT environment
If you’re an IT administrator, you probably already know that most security breaches occur because of insider abuse/misuse and the total number of breaches is increasing exponentially each year. The majority of organisations house sensitive data somewhere on their system that, if exposed, could be costly and damaging to the reputation of the business.
Thankfully, Windows comes pre-packed with numerous auditing capabilities that can be used to track events or activities within the network. In this blog, we will discuss the nine audit settings that you can configure through the Windows operating system that will allow you to better monitor your Active Directory environment.
1. Audit Account Logon Events
When active, this audit setting monitors each time your computer is validating the credentials of user accounts with the right level of authority to generate account logon events.
There are only two audit options that are available – successful attempts and failed attempts. You can check either one or both options (or neither if you require no auditing) as per your Active Directory monitoring requirements. In the above image, we have checked the “success” option.
After configuring this setting, you can view successful audit events in the audit log generated in the Event Viewer. All you need to do is navigate to the Windows Logs -> Security in the left panel and all the audit success events will be shown in the right panel. Click on a particular event to get detailed information in the lower right section of the window.
Refer to the highlighted portion in the below image for reference.
2. Audit Account Management
Configuring this audit setting enables you to audit user account management and get details on the following:
- User accounts or groups that are created, changed, or deleted
- User accounts that are renamed, disabled or enabled
- User accounts where the password has been set or changed
3. Audit Directory Service Access
This audit setting determines whether the operating system you have on your computer audits users or user accounts attempting to access objects in the Active Directory. The only objects that can be audited are ones in which the SACL (System Access Control List) is specified by the user and the requested access type, including “Write”, “Read” or “modify,” matches with the settings that have been configured in the SACL.
4. Audit Logon Events
This setting enables users to audit every instance of a user attempting to log in and out of the system.
5. Audit Object Access
The “Audit Object Access” setting enables auditing of user attempts to access objects that are not present in the Active Directory; such as files, emails, Exchange groups or SharePoint items. However, the system will only generate audits for those objects specified in the System Access Control List.
6. Audit Policy Change
Configuring this setting enables users to audit each instance of users attempting to modify critical policies – including trust policy, account policy, audit policy and the user rights assignment policy.
7. Audit Privilege Use
This audit setting is configured to monitor the levels of permissions and rights that each user has to perform specific tasks. Defining this policy setting not only helps track the actions of privileged users but also facilitates in ensuring they don’t misuse the rights granted to them. If you wish to generate an audit entry when a user succeeds in exercising the right or permission assigned to him/her, check the “Success” option. To generate audit entries where the exercise of a user right fails, select the “Failure” option.
8. Audit Process Tracking
Configuring this security setting tracks any process-related activities including the creation of process, duplication handling, termination of process and objects that have been accessed indirectly.
9. Audit System Events
“Audit System Events” monitors details of users who attempt a security system startup or shutdown, try to change system time or aim to load extensible authentication components for personal benefits or other malicious purposes.
Defining this security policy allows you to keep track of the loss of audited events that have occurred due to the auditing system failure. It also shows you whether the security log size has exceeded the configured warning threshold level.
Enabling all these settings and keeping track of them can be quite a laborious and time consuming task. Often, administrators seek the help of third-party solutions to automate the auditing and monitoring of their critical IT systems. LepideAuditor for Active Directory tracks changes across Active Directory and sends real-time alerts and notifications straight to the inbox and generates detailed reports with just a single click.