
Lepide Data Security Platform
Enable Auditing Manually

Table of Contents

1. Introduction
2. Enable Auditing Automatically
3. Issue
4. Solution
   4.1 Enable Auditing using Group Policy Objects
       4.1.1 Enable Local Audit Policies
       4.1.2 Enable Advanced Audit Policies
             4.1.2.1 Steps to Enable Advanced Audit Policies in Windows Server 2008 Only
             4.1.2.2 Steps to Enable Advanced Audit Policies in Windows Server 2008 R2 and above versions
   4.2 Enable Auditing using ADSIEdit.msc
5. Restore Backed up Group Policy
6. Support
7. Copyright
8. Warranty Disclaimers and Liability Limitations
9. Trademarks

Lepide Software Pvt. Ltd.

1. Introduction

Welcome to the “Enable Auditing Manually” guide created for Lepide Data Security Platform. This solution provides a comprehensive means of auditing Active Directory, Group Policy, Exchange Server, SharePoint, SQL Server, and File Server.

This guide helps you to enable domain auditing manually. If you have any questions at any point in the process, you can contact our Support Team. The contact details are mentioned at the end of this document.

2. Enable Auditing Automatically

While adding a domain, after you provide the appropriate details, Lepide Data Security Platform shows the following dialog box to enable auditing at the domain level automatically.

Figure 1: Option to enable auditing automatically

While modifying the properties of an already added domain, the “Enable Audit” option appears for the “Domain Credentials” property.

Figure 2: Modifying an already added domain

You can click the button. It displays the following dialog box.

Figure 3: Enable Auditing

Enter either the IP Address of the primary domain controller or the name of the domain. Select any of the following options.

1. Create New Policy (Recommended): Select it to create a new Domain Controller Policy. Once selected, you have to provide the name of the new Group Policy to be created.

   Figure 4: Creating new Group Policy

   Click "OK" to create a new Group Policy at the domain to enable the auditing.

2. Use Selected Domain Controller Policy: This option lets you select a policy to enable the auditing.

   Figure 5: Select a GPO

   Select this option to enable its section. Perform the following steps to select an existing Group Policy.

   A. If a Group Policy is not listed here, you can click the icon to rescan the domain for listing the updated set of Group Policies.

   B. You cannot select "Default Domain Controller Group Policy" or "Default Domain Group Policy" to enable the auditing using Lepide Data Security Platform. If you try, the following error message appears on the screen.

      Figure 6: Error message while enabling auditing at Default Domain Controller Policy

   C. Select a custom Group Policy created at the Domain Level or Domain Controller Level upon which the auditing setting has to be applied.

   D. Make sure to check the "Create backup of selected GPO before enable auditing" box if you are enabling the auditing on an existing Group Policy. This backup allows you to restore the previous default Domain Controller Policy if any issue persists after enabling the auditing.

      It is recommended to create a new Domain Controller Policy to enable the auditing to avoid any such issue.

   E. Click "OK." The software tries to enable the auditing and create the backup of the selected group policy on the server in the "%systemdrive%\Windows\Lepide\GPOBKP 24-01-2017 18 13 35\" folder. Here, 24-01-2017 will be replaced with the date and 18 13 35 will be replaced with the time when you clicked "OK" to enable auditing on the selected policy.

      If you face any issue in future, you can use this backup to restore the policy to the earlier state. Refer to Section 5 of this document to restore the group policy.

   F. You have to wait until the auditing is enabled.

3. Issue

If Lepide Data Security Platform faces any problem in enabling the auditing, it displays the following error message while adding/modifying the domain.

Figure 7: Error message for problem in enabling the auditing

In such cases, you have to enable the auditing settings manually on the Windows Server.

4. Solution

Auditing settings of the Active Directory environment can be set up as follows:

Auditing Entries for | AD Forest Partition | for Object | Access type | Apply onto
---------------------+---------------------+------------+-------------+-----------
All Active Directory objects | Domain naming context | Everyone | Successful | This object and all descendant or child objects.
Active Directory Configuration Objects | Configuration context | Everyone | Successful | This object and all descendant or child objects.
Active Directory Schema Objects | Schema Context | Everyone | Successful | This object and all descendant or child objects.

Table 1: Auditing Settings

If Lepide Data Security Platform displays any error message or does not enable the auditing, then you have to enable the auditing manually in the domain in both Group Policy Management Console and ADSIEdit Console. The steps to be performed in both consoles are listed below.

4.1 Enable Auditing using Group Policy Objects

You have to enable the local and advanced auditing policies in the Group Policy Management Console.

4.1.1 Enable Local Audit Policies

Follow the steps below to configure the Audit Policies for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.

1. Go to "Start Menu" > "All Programs" > "Administrative Tools" > "Group Policy Management". It opens "Group Policy Management."

   NOTE: You can also type "GPMC.msc" in the "Run" box and press "Enter" to access it.

2. In the left panel of Group Policy Management Console, navigate to "Forest: domain.com" > "Domains" > "domain controller.com" > "Domain Controllers".

3. Select an already existing customized policy in the “Domain Controllers” folder, which is active and enabled on the domain controller organizational unit.

   NOTE: We do not recommend editing “Default Domain Policy” or “Default Domain Controllers Policy” to enable auditing at domain level for Lepide Data Security Platform.

4. If an existing custom policy does not exist, right-click on the "Domain Controllers" node.

   Figure 8: Option to create new Group Policy

5. Click "Create a GPO in this domain, and Link it here." to create a new Custom Group Policy. This command also links the newly created Group Policy to the domain controller’s node.

6. The following dialog box appears on the screen, in which you have to provide the name of the new policy.

   Figure 9: Dialog box to create a new Group Policy

7. Enter the name of the new Group Policy. Keep “none” selected in “Source Starter GPO”.

8. Click “OK” to create the new Group Policy Object. It takes you back to Group Policy Management Console, which now shows the newly created Group Policy in the left panel under the “Domain Controllers” node.

9. Right-click the newly created Group Policy to access the following context menu.

   Figure 10: Option to edit Group Policy

10. Click "Edit" to access "Group Policy Management Editor" for the selected policy.

11. Browse to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Audit Policy". It displays the policies in the Right Panel.

    Figure 11: Group Policies

12. Here, you have to configure the following policies for both successful and failed events.
    a. Audit account logon events
    b. Audit Account Management
    c. Audit directory service access
    d. Audit Logon Events
    e. Audit Policy Change

13. Double-click the "Audit account logon events" policy to access its properties.

    Figure 12: Properties of "Account Logon Events."

14. Check the "Define these policy settings" box. It enables the subsequent section.

15. Check both "Success" and "Failure" boxes under "Audit these attempts."

16. Click "Apply" and "OK." It takes you back to "Group Policy Management Editor", which now shows the configured policy.

17. Follow the same steps to configure the following policies.
    1. Audit Account Management
    2. Audit directory service access
    3. Audit Logon Events
    4. Audit Policy Change

Figure 13: Configured the required policies

NOTE: Do not close “Group Policy Management Editor” as you have to perform more steps here to enable the Advanced Audit Policies, which are mentioned in the next section.

4.1.2 Enable Advanced Audit Policies

There are two different methods for Windows Servers to enable the advanced auditing policies in Group Policy Management Console. You have to run the commands on Command Prompt for Windows Server 2008, whereas you have to use Group Policy Management Console for Windows 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

4.1.2.1 Steps to Enable Advanced Audit Policies in Windows Server 2008 Only

Start the Command Prompt using Administrator privileges and execute the following commands one by one.

1. Auditpol /set /category:"Account Logon" /success:enable /failure:enable

2. Auditpol /set /category:"Account Management" ccess:enable
5. Auditpol /set able
6. Auditpol /set able

4.1.2.2 Steps to Enable Advanced Audit Policies in Windows Server 2008 R2 and above versions

You have to perform the following steps to enable the Advanced Auditing Policies in the same customized Group Policy Object, in which you have enabled the Local Auditing Policies in the previous steps.

1. In the left panel of Group Policy Management Editor, navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Advanced Audit Policy Configuration" > "Audit Policies." It displays the different policy categories in the Right Panel.

   Figure 14: Group Policy Objects Management Editor

2. You have to configure all policies of the following categories.

   I. Account Logon
      a. Audit Credential Validation
      b. Audit Kerberos Authentication Service
      c. Audit Kerberos Service Ticket Operations
      d. Audit Other Account Logon Events

   II. Account Management
      a. Audit Application Group Management
      b. Audit Computer Account Management
      c. Audit Distribution Group Management
      d. Audit Other Account Management Events
      e. Audit Security Group Management
      f. Audit User Account Management

   III. DS Access
      a. Audit Detailed Directory Service Replication

      b. Audit Directory Service Access
      c. Audit Directory Service Changes
      d. Audit Directory Service Replication

   IV. Logon/Logoff
      a. Audit Account Lockout
      b. Audit IPsec Extended Mode
      c. Audit IPsec Main Mode
      d. Audit IPsec Quick Mode
      e. Audit Logoff
      f. Audit Logon
      g. Audit Network Policy Server
      h. Audit Other Logon/Logoff Events
      i. Audit Special Logon

   V. Object Access
      a. Audit Application Generated
      b. Audit Certification Services
      c. Audit Detailed File Share
      d. Audit File Share
      e. Audit File System
      f. Audit Filtering Platform Connection
      g. Audit Filtering Platform Packet Drop
      h. Audit Handle Manipulation
      i. Audit Kernel Object
      j. Audit Other Object Access Events
      k. Audit Registry
      l. Audit SAM

   VI. Policy Change
      a. Audit Audit Policy Change
      b. Audit Authentication Policy Change
      c. Audit Authorization Policy Change
      d. Audit Filtering Platform Policy Change
      e. Audit MPSSVC Rule-Level Policy Change
      f. Audit Other Policy Change Events

3. Execute the following steps to configure the policies in the categories listed above.

   A. Click the "Account Logon" category in the left panel to list all of its policies.

      Figure 15: Account Logon Policies

   B. In the Right Panel, double-click any policy, say "Audit Credential Validation", to access its properties.

      Figure 16: Properties of "Audit Credential Validation"

   C. Check the "Configure the following audit events" box. It enables the subsequent section.

   D. Check both "Success" and "Failure" boxes.

   E. Click "Apply" and "OK." It takes you back to "Group Policy Management Editor", which now shows the configured policy.

   F. Execute the above steps to configure the other policies of the "Account Logon" category.

4. Follow the same steps to configure all policies in the above-listed categories.

5. Close "Group Policy Management Editor." It takes you back to “Group Policy Management Console”.

6. Select the newly created Group Policy to view its details in the right panel.

7. In the Right Panel, the "Security Filtering" section lets you select the objects like users, groups and computers on which this policy will be applied.

8. Click "Add" to display the box to add the objects upon which this policy will be applicable.

9. Type "Everyone" in the text box, as adding everyone means this Group Policy will be applicable on all Active Directory Objects.

   Figure 17: Selecting Everyone

10. Click "Check Names". It verifies the provided entry and formats it as a link.

11. Click “OK” to add it. It takes you back to “Group Policy Management Console”, which now shows “Everyone” has been added to the selected custom Group Policy.

    Figure 18: Added “Everyone” to apply new Group Policy on all Active Directory Objects

12. Close "Group Policy Management Console".

13. In the "Run" box or at "Command Prompt", execute the following command to update the Group Policy on all domain controllers.

    gpupdate /force

    Figure 19: Updating Group Policy

4.2 Enable Auditing using ADSIEdit.msc

... the ADSIEdit.msc on any Windows Server. Visit 4(v ws.10).aspx to know more about installing and using ADSIEdit.msc.

You have to perform the following steps for all Windows Server.

1. Open ADSIEdit.msc using the "Run" dialog box. You can also open it from “Start Menu” > “Administrative Tools” > “ADSIEdit”.

2. Connect to the Active Directory. Select any node and perform below steps. Repeat these steps for each root node.

3. Right-click on the root “ADSI Edit” and select “Connect to”.

4. It is required to connect to the following three naming contexts and to turn on their auditing.
   a. Default Naming Context
   b. Configuration
   c. Schema

   NOTE: We will connect to all these naming contexts one by one and then turn on their auditing.

   Figure 20: Select the naming context to which you want to connect

5. Select “Default Naming Context”.

6. Click “OK” to establish the connection. Default Naming Context will be connected and its root node will be displayed in “Left Panel”.

7. Expand the root node to access the domain controller’s node – “DC=www,DC=domain,DC=com”.

8. Again, right click on the “ADSIEdit” parent node and select “Connect To”.

9. In the “Connection Settings” box, select “Configuration” for naming context and click “OK”.

   Figure 21: Connecting to Root Configuration

10. It connects ADSI Edit to the Domain Configuration and displays its root node in the Left Panel.

11. Expand the node to access “CN=Configuration,DC=www,DC=domain,DC=com”.

12. Right click on the “ADSI Edit” parent node and select “Connect To”.

13. Select “Schema” as the naming context and click “OK” to connect to it.

    Figure 22: Connecting to Schema

14. It connects ADSI Edit to the Schema and displays its root node in the Left Panel.

15. Expand its node to access “CN=Schema,CN=Configuration,DC=www,DC=domain,DC=com”.

16. Now, it is required to enable the auditing settings for the following four root nodes of different naming contexts.
    a. DC=www,DC=domain,DC=com
    b. CN=Configuration,DC=www,DC=domain,DC=com
    c. CN=Schema,CN=Configuration,DC=www,DC=domain,DC=com

17. The user has to perform the following steps one by one for each of the above nodes.

    a. Right click on “DC=www,DC=domain,DC=com” under “Default Naming Context”.

       Figure 23: Right click on root node of Default Naming Context

    b. Select the “Properties” option to access its properties.

    c. Switch to the “Security” tab.

       Figure 24: Security Tab of Node Properties

    d. Click the “Advanced” button to access the Advanced Security settings.

    e. Switch to the “Auditing” tab in “Advanced Security Settings”.

       Figure 25: Auditing tab

    f. Click "Add" to add "Everyone" for auditing using the following box:

       Figure 26: Add User

    g. Type “Everyone” to audit the changes made by all objects.

    h. Click “Check Names” to verify the username.

    i. Click “OK” to add the user. It shows the “Auditing Entry” dialog box.

       Figure 27: Auditing Entries for www

    j. Select "This object and all descendant objects" in the "Apply onto" drop-down menu.

    k. Click “Full Control” in the “Successful” column first.

    l. Now, you have to uncheck the following entries in the “Successful” column.
       - Full Control
       - List contents
       - Read all properties
       - Read permissions
       Keep other entries checked in the “Successful” column.

    m. Make sure all checkboxes in the “Failed” column are blank or not checked.

    n. Keep "Apply these auditing entries to objects and/or containers within this container only" unchecked.

    o. Click “OK” to apply the auditing entries. It takes you back to the “Auditing” tab of Advanced Security Settings.

    p. Click “Apply” and “OK” to apply the auditing settings.

    q. Close “Properties”.

18. Repeat the steps (a) to (q) of Step 17 to enable the auditing of remaining root nodes.
    a. CN=Configuration,DC=www,DC=domain,DC=com
    b. CN=Schema,CN=Configuration,DC=www,DC=domain,DC=com

19. Close the window of ADSIEdit.msc.

5. Restore Backed up Group Policy

While enabling the auditing, Lepide Data Security Platform lets you select an existing Group Policy or create a new one. If you are selecting an existing Group Policy, the solution allows you to take its backup. The backup is created on the server in the "%systemdrive%\Windows\Lepide\GPOBKP 24-01-2017 18 13 35\" folder. Here, 24-01-2017 will be replaced with the date and 18 13 35 will be replaced with the time when you clicked "OK" to enable auditing on the selected policy.

You can perform the following steps to restore the Group Policy from this backup to its earlier state before enabling the auditing.

1. Go to "Start" > "Administrative Tools" > "Group Policy Management Console" to access its console.

2. In the left panel of "Group Policy Management Console", browse to "Forest" > "www.domain.com".

3. Right click on the "Group Policy Objects" node and click the "Manage Backups" option.

   Figure 28: Option to manage the Group Policy Backups

4. The "Manage Backups" dialog box appears on the screen.

   Figure 29: Manage the backups of Group Policies

5. Click "Browse" and open the "%systemdrive%\Windows\Lepide" folder.

6. Now select the "GPOBKP *" folder of that date and time when you have selected to create the backup while enabling the auditing.

7. Click "OK". It takes you back to the "Manage Backups" dialog box that shows the Group Policy from the selected backup.

8. You can click "Restore" to restore this backup.

6. Support

If you are facing any issues whilst installing, configuring or using the solution, you can connect with our team using the below contact information.

Product experts | Technical gurus
USA/Canada: 1-800-814-0578 | USA/Canada: 1-800-814-0578
UK/Europe: 44 (0) -845-594-3766 | UK/Europe: 44(0)-800-088-5478

Rest of the World: 91 (0) -991-004-9028 | Rest of the World: 91(0)-991-085-4291

Alternatively, visit http://www.lepide.com/contactus.html to chat live with our team. You can also email your queries to the following addresses:

[email protected]@Lepide.com

To read more about the Lepide Data Security Platform, visit http://www.lepide.com/.

7. Copyright

Lepide Data Security Platform, LepideAuditor, LepideAuditor App, LepideAuditor App Server, LepideAuditor (Web Console), LepideAuditor Logon/Logoff Audit Module, any and all components, any and all accompanying software, files, data and materials, this guide, and other documentation are copyright of Lepide Software Private Limited, with all rights reserved under the copyright laws. This user guide cannot be reproduced in any form without the prior written permission of Lepide Software Private Limited. No Patent Liability is assumed, however, on the use of the information contained herein.

Lepide Software Private Limited, All Rights Reserved.

8. Warranty Disclaimers and Liability Limitations

Lepide Data Security Platform, LepideAuditor, LepideAuditor App, LepideAuditor App Server, LepideAuditor (Web Console), LepideAuditor Logon/Logoff Audit Module, any and all components, any and all accompanying software, files, data, and materials are distributed and provided AS IS and with no warranties of any kind, whether expressed or implied. In particular, there is no warranty for any harm, destruction, impairment caused to the system where these are installed. You acknowledge that good data processing procedure dictates that any program, listed above, must be thoroughly tested with non-critical data before there is any reliance on it, and you hereby assume the entire risk of all use of the copies of LepideAuditor and the above listed accompanying programs covered by this License. This disclaimer of warranty constitutes an essential part of this License.

In no event does Lepide Software Private Limited authorize you or anyone else to use LepideAuditor and the above listed accompanying programs in applications or systems where LepideAuditor and the above-listed accompanying programs’ failure to perform can reasonably be expected to result in a significant physical injury, or in loss of life. Any such use is entirely at your own risk, and you agree to hold Lepide Software Private Limited harmless from any and all claims or losses relating to such unauthorized use.

9. Trademarks

Lepide Data Security Platform, LepideAuditor, LepideAuditor App, LepideAuditor App Server, LepideAuditor (Web Console), LepideAuditor Logon/Logoff Audit Module, LepideAuditor for Active Directory, LepideAuditor for Group Policy Object, LepideAuditor for Exchange Server, LepideAuditor for SQL Server, LepideAuditor SharePoint, Lepide

Object Restore Wizard, Lepide Active Directory Cleaner, Lepide User Password Expiration Reminder, and LiveFeed are registered trademarks of Lepide Software Pvt Ltd.

All other brand names, product names, logos, registered marks, service marks and trademarks (except above of Lepide Software Pvt. Ltd.) appearing in this document are the sole property of their respective owners. These are purely used for informational purposes only. We have compiled a list of such trademarks, but it may be possible that a few of them are not listed here.

Windows, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016, Exchange Server, SharePoint Server, and SQL Server are registered trademarks of Microsoft Corporation in the United States and/or other countries.
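
Added example (not part of the Lepide guide and not Lepide code): a PowerShell check to run on a domain controller after completing sections 4.1 and 4.2. It compares the effective policy reported by auditpol with the subcategories listed in section 4.1.2.2, and confirms that each naming-context root carries the "Everyone" auditing entry from step 17 of section 4.2. It assumes an English-language OS, the ActiveDirectory module and an elevated session; the function and variable names are illustrative.

```powershell
# Added example, not Lepide code. Run elevated on a domain controller.
# Assumptions: English-language OS (auditpol prints localized names) and the
# ActiveDirectory module (RSAT). Function names are illustrative.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Subcategories from section 4.1.2.2; auditpol omits the GPO editor's "Audit " prefix.
$required = @(
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Other Account Logon Events',
    'Application Group Management', 'Computer Account Management',
    'Distribution Group Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management',
    'Detailed Directory Service Replication', 'Directory Service Access',
    'Directory Service Changes', 'Directory Service Replication',
    'Account Lockout', 'IPsec Extended Mode', 'IPsec Main Mode', 'IPsec Quick Mode',
    'Logoff', 'Logon', 'Network Policy Server', 'Other Logon/Logoff Events', 'Special Logon',
    'Application Generated', 'Certification Services', 'Detailed File Share', 'File Share',
    'File System', 'Filtering Platform Connection', 'Filtering Platform Packet Drop',
    'Handle Manipulation', 'Kernel Object', 'Other Object Access Events', 'Registry', 'SAM',
    'Audit Policy Change', 'Authentication Policy Change', 'Authorization Policy Change',
    'Filtering Platform Policy Change', 'MPSSVC Rule-Level Policy Change',
    'Other Policy Change Events'
)

# Report every required subcategory whose effective setting is not "Success and Failure".
function Test-AuditPolicy {
    $effective = @{}
    auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
        ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }
    foreach ($name in $required) {
        if ($effective[$name] -ne 'Success and Failure') {
            $found = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'missing' }
            [pscustomobject]@{ Check = 'Audit policy'; Target = $name; Found = $found }
        }
    }
}

# Rights left checked in the "Successful" column after step 17(l): Full Control
# minus "List contents", "Read all properties" and "Read permissions".
$adr = [System.DirectoryServices.ActiveDirectoryRights]
$unchecked = [int]($adr::ListChildren) -bor [int]($adr::ReadProperty) -bor [int]($adr::ReadControl)
$expected = [int]($adr::GenericAll) -band (-bnot $unchecked)

# Check the SACL on the Default, Configuration and Schema naming-context roots.
function Test-DirectorySacl {
    $flags = [System.Security.AccessControl.AuditFlags]
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rootDse = Get-ADRootDSE
    $roots = $rootDse.defaultNamingContext, $rootDse.configurationNamingContext,
             $rootDse.schemaNamingContext
    foreach ($dn in $roots) {
        $audited = 0
        $failure = $false
        $acl = Get-Acl -Path "AD:\$dn" -Audit
        foreach ($rule in $acl.GetAuditRules($true, $true, $sidType)) {
            # S-1-1-0 is Everyone; 'All' is "This object and all descendant objects".
            if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }
            if ($rule.InheritanceType -ne 'All') { continue }
            if ($rule.AuditFlags -band $flags::Failure) { $failure = $true }
            if ($rule.AuditFlags -band $flags::Success) {
                $audited = $audited -bor [int]$rule.ActiveDirectoryRights
            }
        }
        $missing = $expected -band (-bnot $audited)
        if ($missing) {
            [pscustomobject]@{ Check = 'SACL'; Target = $dn; Found = "not audited: $($missing -as $adr)" }
        }
        if ($failure) {
            [pscustomobject]@{ Check = 'SACL'; Target = $dn; Found = 'Failed column is set for Everyone' }
        }
    }
}

$findings = @(Test-AuditPolicy) + @(Test-DirectorySacl)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else {
    'Effective audit policy and directory SACLs match sections 4.1.2.2 and 4.2.'
}
```

The audit-policy result reflects only the domain controller the script runs on, so run it on each domain controller after "gpupdate /force" has completed there.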
