Auditing Windows Server 2008

Windows Server 2008 Auditing

Windows Server 2008 and Windows Server 2008 R2 added a new Active Directory Domain Services (AD DS) audit sub-category, Directory Service Changes, that logs both the old and the new value when an object or one of its attributes is changed. In earlier versions, that is, Windows 2000 Server and Windows Server 2003, the Active Directory audit log shows who changed which object attribute, but the events do not contain the old and new values. LepideAuditor for Active Directory builds on this auditing feature so that its reports show both values for every change. Its permission analysis feature also shows the history of changes made to the permissions on objects, and lets administrators compare the permissions on selected objects between two points in time.

The Active Directory audit utility audits the changes made to Active Directory objects, such as creating, modifying, moving, deleting or undeleting an object. In Windows Server 2008, the auditing policy for directory services can be configured on the basis of four sub-categories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

In Windows Server 2008, there are three places where auditing controls are configured, and all three have to agree before an event is written:

  • Global Audit Policy: In Windows Server 2008, the Global Audit Policy for directory service changes is not ON by default and needs to be enabled (through Group Policy on the domain controllers, or per sub-category with auditpol.exe). Without it, no directory service audit events are generated, whatever the SACLs say.
  • System Access Control List (SACL): This is the final authority on whether a given access is audited. It is part of the security descriptor of an AD object and specifies which operations, by which security principals, should be audited.
  • Schema: To protect IT administrators from being flooded with auditing events, an override can be set in the schema so that changes to a particular attribute never generate a change event. This is done per attribute by setting the NEVER_AUDIT_VALUE bit (0x100) in the searchFlags attribute of the attributeSchema object; that attribute's old and new values are then left out of Directory Service Changes events.

Enabling Global Audit Policy on Windows Server 2008:

  • Go to Start > Administrative Tools. Click on Group Policy Management
  • Navigate down through Forest, to the Domains, then Domain Controllers and then left-click on Default Domain Controllers Policy

A warning message appears stating that changes made here will impact all other locations that the GPO is linked to. Click OK.

  • Right-click on Default Domain Controllers Policy. Then, left-click on Edit.
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Right-click on Audit directory service access, then click Properties.
  • Select Define these policy settings and then select Success. Click Apply and then OK.

Note that this top-level policy setting enables all four directory service sub-categories at once, including the two replication sub-categories, which are very noisy on a domain controller. To enable only Directory Service Changes, set the sub-category directly on each domain controller with auditpol /set /subcategory:"Directory Service Changes" /success:enable instead (and, on Windows Server 2008 R2, the same sub-category is also available under Advanced Audit Policy Configuration in Group Policy).

Setting up Auditing in System Access Control List (SACL):

  • Open Active Directory Users and Computers
  • Click on View and ensure that Advanced Features is enabled. If not, then left-click on it to enable it
  • Right-click on the container or Organizational Unit to be audited. Suppose the Users container is to be audited: right-click on Users and click Properties
  • In Properties window, click on Security
  • Click Advanced
  • Click Auditing tab, then click Add
  • Under Enter the object name to select:, type Authenticated Users, and then click OK
  • In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click OK
  • Click OK, until you are out of any dialog boxes
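The same three steps (global audit policy, SACL, and the schema override check) can be done from a PowerShell prompt on the domain controller. The script below is an added example and is not part of the original page or of LepideAuditor; it assumes Windows Server 2008 R2 (or the RSAT ActiveDirectory module on Windows Server 2008), an account with the Manage auditing and security log privilege, and a constructed container name "CN=Users,DC=example,DC=com" that must be replaced with the real one.

```powershell
# Added example: configure and verify Directory Service Changes auditing.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT) and the constructed
# distinguished name below; neither comes from the original page.
Import-Module ActiveDirectory

# 1. Global Audit Policy: enable only the sub-category that records old and new
#    values, rather than all four via "Audit directory service access" in the GPO.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"DS Access"

# 2. SACL: audit successful "Write all properties" by Authenticated Users on
#    descendant user objects of the chosen container (same ACE as the GUI steps).
$dn = "CN=Users,DC=example,DC=com"          # constructed; substitute your container or OU
$authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-11"
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the user class

$acl = Get-Acl -Path "AD:\$dn" -Audit
$ace = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $authenticatedUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAuditRule($ace)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Confirm the audit entry is present.
(Get-Acl -Path "AD:\$dn" -Audit).Audit |
    Where-Object { $_.IdentityReference -eq "NT AUTHORITY\Authenticated Users" }

# 3. Schema override: list attributes whose searchFlags carry NEVER_AUDIT_VALUE
#    (0x100). Changes to these attributes will not show old/new values in the log.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=256)" `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags

# 4. Read the events the change produces. 5136 = object modified, 5137 = created,
#    5138 = undeleted, 5139 = moved, 5141 = deleted. Modifications are logged as a
#    pair of 5136 events: one with the old value ("Value Deleted") and one with the new.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

The SACL step uses the .NET ActiveDirectoryAuditRule constructor whose last argument is the inherited object type, which is how "Apply onto: Descendant User Objects" is expressed; Get-Acl -Audit and Set-Acl on the AD: drive both require the Manage auditing and security log privilege, so run this from an elevated prompt as a Domain Admin.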

LepideAuditor for Active Directory is available as a part of LepideAuditor Suite. The other components of LepideAuditor Suite are the GPO auditor, Exchange Server auditor, SQL Server auditor, File Server auditor, and SharePoint auditor.