
Advanced Audit Policy Configurations for LT Auditor Reference Guide

Contents

WINDOWS AUDIT POLICIES REQUIRED FOR LT AUDITOR
  ACTIVE DIRECTORY
    Audit Policy for the Domain
    Advanced Auditing Policies for the Default Domain Controller Group Policy
  FILE SYSTEM
  LOGIN/LOGOUT
  AUDIT POLICY CHANGES
APPENDIX A – WINDOWS EVENT IDs USED BY LT AUDITOR
  ACTIVE DIRECTORY
  WINDOWS FILE SYSTEM

Advanced Auditing Policies for LT Auditor

WINDOWS AUDIT POLICIES REQUIRED FOR LT AUDITOR

SACLs need to be configured on the Windows system to audit Active Directory, File System and Login/Logout events. The following sections detail the specific Advanced Audit policies required on Windows 2008 R2 / Windows 2012 systems.

ACTIVE DIRECTORY

To successfully audit Active Directory events with LT Auditor, the following SACLs (Security Access Control Lists) need to be configured:

1. Audit Policy (SACL) for the Domain Object
2. Advanced Audit Policy for the Default Domain Controller Group Policy

Audit Policy for the Domain

This setting may be configured by default, but it is important to validate that the following audit entries are defined on the Domain object.

1. Launch the Active Directory Users and Computers MMC.
2. Click View > Advanced Features to enable advanced features.
3. Right-click the root Domain object and click Properties to bring up the Properties window as shown below.

4. Select the Security tab, click Advanced, and select the Auditing tab as shown below.

5. Click Add to create a new audit entry and select the object Everyone as shown below.

Note: You can also modify an existing audit entry instead of adding a new one.

6. Check the following access rights:
   a. Write all properties
   b. Delete
   c. Delete subtree
   d. Create all child objects
   e. Delete all child objects
   (Note: All create and delete entries will get checked automatically.)
7. Click OK to save the setting.

NOTE: If your Active Directory environment contains multiple OUs that do not inherit from the parent domain object, you may need to create similar audit entries for those OU objects.

Advanced Auditing Policies for the Default Domain Controller Group Policy

The second step requires audit entries to be defined on the default group policy for Domain Controllers. Use the Group Policy Management MMC to access Advanced Audit Policies and configure the following audit entries:

| Audit Policy       | Sub Category                    | Audit Events        |
|--------------------|---------------------------------|---------------------|
| DS Access          | Audit Directory Service Changes | Success and Failure |
| Account Management | Audit User Account Management   | Success and Failure |
| Object Access      | Audit SAM                       | Success and Failure |

Example of a Default Domain Controller GPO configured to audit Active Directory events for LT Auditor.

FILE SYSTEM

To audit files and folders, the following audit entries need to be configured on the GPO associated with the OU that contains the file servers.

| Audit Policy  | Sub Category              | Audit Events        |
|---------------|---------------------------|---------------------|
| Object Access | Audit File System         | Success and Failure |
| Object Access | Audit Handle Manipulation | Success and Failure |

Example of a Default Domain Controller GPO configured to audit File System activity for LT Auditor.

LOGIN/LOGOUT

To audit login and logout activity on Windows, the following audit entries need to be configured on the GPO associated with the OU that contains the servers. Blue Lance recommends that these settings are defined for the Default Domain Group Policy.

| Audit Policy  | Sub Category                          | Audit Events        |
|---------------|---------------------------------------|---------------------|
| Account Logon | Audit Kerberos Authentication Service | Success and Failure |
| Login/Logoff  | Audit Account Lockout                 | Success and Failure |
| Login/Logoff  | Audit Logoff                          | Success and Failure |
| Login/Logoff  | Audit Logon                           | Success and Failure |
| Login/Logoff  | Audit Other Logon/Logoff Events       | Success and Failure |
| Login/Logoff  | Audit Special Logon                   | Success and Failure |

Example of a Default Domain Controller GPO configured to audit Login/Logout activity:

AUDIT POLICY CHANGES

To audit changes to audit policies, the following audit entries are required:

| Audit Policy  | Sub Category        | Audit Events        |
|---------------|---------------------|---------------------|
| Policy Change | Audit Policy Change | Success and Failure |

Example of a Default Domain Controller GPO configured to audit policy changes:
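As an added check that is not part of the LT Auditor guide, the following PowerShell reads the effective advanced audit policy with auditpol.exe and compares every subcategory required in the sections above (Active Directory, File System, Login/Logout and Audit Policy Changes) against the expected "Success and Failure" setting. It assumes an elevated session on the domain controller or file server being checked and that auditpol reports subcategory names in English.

```powershell
# Added example (not from the LT Auditor guide): verify that every advanced
# audit subcategory required by the guide is effective on this host.
# auditpol.exe shows the policy actually applied (including via GPO), so run
# this after Group Policy has refreshed on the target server.

# Subcategory names as auditpol prints them (the guide lists them with an
# "Audit " prefix, which auditpol omits).
$Required = @(
    'Directory Service Changes',        # DS Access
    'User Account Management',          # Account Management
    'SAM',                              # Object Access
    'File System',                      # Object Access (file servers)
    'Handle Manipulation',              # Object Access (file servers)
    'Kerberos Authentication Service',  # Account Logon
    'Account Lockout',                  # Logon/Logoff
    'Logoff',                           # Logon/Logoff
    'Logon',                            # Logon/Logoff
    'Other Logon/Logoff Events',        # Logon/Logoff
    'Special Logon',                    # Logon/Logoff
    'Audit Policy Change'               # Policy Change
)

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$Effective = auditpol.exe /get /category:* /r |
             Where-Object { $_ -ne '' } |
             ConvertFrom-Csv

$Report = foreach ($name in $Required) {
    $row     = $Effective | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Compliant   = ($setting -eq 'Success and Failure')
    }
}

$Report | Format-Table -AutoSize

$Gaps = $Report | Where-Object { -not $_.Compliant }
if ($Gaps) {
    Write-Warning ("Not set to Success and Failure: " + ($Gaps.Subcategory -join ', '))
}
```

Any subcategory reported as "No Auditing", "Success" only or "Failure" only means LT Auditor will miss the corresponding events until the GPO from the matching section above is corrected.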

APPENDIX A – WINDOWS EVENT IDs USED BY LT AUDITOR

ACTIVE DIRECTORY

| Category             | LT Auditor Event         | Object                                                                                                                                                                                          | Windows Event ID |
|----------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| Object               | Create Object            | User, Global Security Group, Domain Local Security Group, Computer, Domain Local Distribution Group, Global Distribution Group, Universal Distribution Group, Universal Security Group, Other | 5137             |
| Object               | Delete Object            | User, Global Security Group, Domain Local Security Group, Computer, Domain Local Distribution Group, Global Distribution Group, Universal Distribution Group, Universal Security Group, Other | 5141             |
| Object               | Modify Security DACL     |                                                                                                                                                                                                 | 5136             |
| Object               | Rename Object            |                                                                                                                                                                                                 | 4781             |
| Object               | Move Object              |                                                                                                                                                                                                 | 5139             |
| Object               | Add Attribute            |                                                                                                                                                                                                 | 5136             |
| Object               | Delete Attribute         |                                                                                                                                                                                                 | 5136             |
| Account Modification | Enable Account           |                                                                                                                                                                                                 | 4722             |
| Account Modification | Disable Account          |                                                                                                                                                                                                 | 4725             |
| Account Modification | Set Password             |                                                                                                                                                                                                 | 4724             |
| Account Modification | Change Password          |                                                                                                                                                                                                 | 4723             |
| Account Modification | Account Locked           |                                                                                                                                                                                                 | 4740             |
| Account Modification | Account Unlocked         |                                                                                                                                                                                                 | 4767             |
| Group Membership     | Add Member to group      | Global Security Group, Domain Local Security Group, Domain Local Distribution Group, Global Distribution Group, Universal Distribution Group, Universal Security Group                         | 5136             |
| Group Membership     | Remove Member from group | Global Security Group, Domain Local Security Group, Domain Local Distribution Group, Global Distribution Group, Universal Distribution Group, Universal Security Group                         | 5136             |
|                      | Trusted domain added     |                                                                                                                                                                                                 | 4706             |
|                      | Audit policy changed     |                                                                                                                                                                                                 | 4719             |

WINDOWS FILE SYSTEM

| Category       | LT Auditor Event    | Windows Event ID |
|----------------|---------------------|------------------|
| File           | Create File         | 4656             |
| File           | Write File          | 4656             |
| File           | Rename File         | 4656             |
| File           | Delete File         | 4656             |
| File           | Access File         | 4656             |
| Directory      | Make Directory      | 4656             |
| Directory      | Remove Directory    | 4656             |
| Directory      | Rename Directory    | 4656             |
| Directory      | Access Directory    | 4656             |
| File Directory | Write Security DACL | 4656             |
| File Directory | Write Attribute     | 4656             |
| File Directory | Take Ownership      | 4656             |
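An added example, not from the guide, that uses the Appendix A Active Directory mapping to confirm the Security log on a domain controller is actually receiving those event IDs. An ID with zero hits over a busy period points at a missing subcategory or Domain object SACL from the sections above. The 24-hour window and the elevated session are assumptions.

```powershell
# Added example (not from the LT Auditor guide): count the Appendix A
# Active Directory event IDs seen in the local Security log. Run elevated
# on a domain controller; adjust $Lookback to a window in which the
# directory was known to be busy.

$Lookback = (Get-Date).AddHours(-24)   # assumed window

# Windows Event ID -> LT Auditor event(s), from the Appendix A table.
$AdEvents = [ordered]@{
    5137 = 'Create Object'
    5141 = 'Delete Object'
    5136 = 'Modify Security DACL / Add or Delete Attribute / group membership change'
    4781 = 'Rename Object'
    5139 = 'Move Object'
    4722 = 'Enable Account'
    4725 = 'Disable Account'
    4724 = 'Set Password'
    4723 = 'Change Password'
    4740 = 'Account Locked'
    4767 = 'Account Unlocked'
    4706 = 'Trusted domain added'
    4719 = 'Audit policy changed'
}

$Filter = @{
    LogName   = 'Security'
    Id        = [int[]]$AdEvents.Keys
    StartTime = $Lookback
}

# Get-WinEvent raises an error when nothing matches; treat that as zero hits.
$Found = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
         Group-Object -Property Id -AsHashTable -AsString

$Rows = foreach ($id in $AdEvents.Keys) {
    $count = if ($Found -and $Found.ContainsKey("$id")) { $Found["$id"].Count } else { 0 }
    [pscustomobject]@{
        EventId        = $id
        LTAuditorEvent = $AdEvents[$id]
        Count          = $count
    }
}

$Rows | Sort-Object EventId | Format-Table -AutoSize

$Silent = $Rows | Where-Object { $_.Count -eq 0 }
if ($Silent) {
    Write-Warning ("No events since $Lookback for IDs: " + ($Silent.EventId -join ', '))
}
```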
