
Windows 2000 Auditing

Auditing is configured with one of two programs, depending on whether the computer is a standalone (local) computer or a member of a domain:

  • Local computer - "Local Security Policy" administrative tool.
  • Domain computers - "Domain Controllers Security Policy" administrative tool on domain controllers or on other computers with the ADMINPAK installed. The "Domain Controllers Security Policy" administrative tool must be used first to enable auditing; then the appropriate Active Directory administrative tool, as listed below, is used to configure it.

Audit policy is configured at the following levels:

  • Local
  • Organizational Unit - Use the "Active Directory Users and Computers" administrative tool.
  • Domain - Use the "Active Directory Sites and Services" administrative tool.

Audit policy is applied in the same order as group policy, as listed by priority in the System Policy Editor's Group Priority dialog box. If settings conflict, the policy applied last overrides those applied earlier.

Auditing is divided into two main areas, auditing of access to:

  • Objects
  • Systems - The "Domain Controller Security Policy" tool is the best choice for enabling system access auditing on a Windows 2000 Server computer.

Audit Policy

These policies are set using the administrative tool "Domain Security Policy". Success or failure of the following events may be logged:

  • Account logon events - User logs onto the domain.
  • Account management - Account created, modified, renamed, or deleted.
  • Directory service access - An Active Directory object was accessed. Auditing must be turned on for the object.
  • Logon events - A user logs on or off a Windows 2000 computer.
  • Object access - An object was accessed. Auditing must be turned on for the object.
  • Policy change - A user right, security policy, or other policy was changed.
  • Privilege use - A user right other than accessing a computer or logging on locally was used.
  • Process tracking - A process was started.
  • System events - The system was shut down or restarted, or a security-related event occurred.

The "Active Directory Users and Computers" administrative tool is used to configure auditing for Active Directory objects.

Active Directory Object Auditing

Before object auditing can be enabled on a computer, system access auditing must be enabled. The administrative tool "Domain Security Policy" can be used to enable system access auditing; the "Domain Controller Security Policy" tool is used to enable system auditing on a domain controller. The administrative tool "Active Directory Users and Computers" is used to modify the auditing configuration of Active Directory objects. Failure and success of the following object events may be audited by user or group:

  • Full Control
  • List Contents
  • Read All Properties
  • Write All Properties
  • Delete
  • Delete Subtree
  • Read Permissions
  • Modify Permissions
  • Modify Owner
  • All Validated Writes
  • All Extended Rights
  • Create All Child Objects
  • Delete All Child Objects

Auditing entries inherited from parent objects cannot be removed.

File Auditing

Windows Explorer is used to enable auditing on files and folders. The file or folder to be audited must be on an NTFS file system. Failure and success of the following file events may be audited by user or group:

  • Traverse Folder / Execute File
  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Create Files / Write Data
  • Write Attributes
  • Write Extended Attributes
  • Delete Subfolders and Files
  • Delete
  • Read Permissions
  • Change Permissions
  • Take Ownership

Auditing settings are inherited from parent folders by the subfolders and files they contain.

Printer Auditing

Auditing on printers is controlled from the "Printers" folder. Failure and success of the following printer events may be audited by user or group:

  • Print
  • Manage Printers
  • Manage Documents
  • Read Permissions
  • Change Permissions
  • Take Ownership

Viewing the Audit Log

Use the administrative tool "Event Viewer" to view the logs. Highlight "Security Log" in the left pane. Events may be filtered by selecting "View", then "Filter", and clicking the "Filter" tab. Events may be filtered by:

  • Source
  • Category
  • Event ID
  • User
  • Computer
  • Type, using any of the checkboxes Information, Warning, Error, Success audit, and Failure audit.

Event Viewer menus:

  • Action
    • Save Log File As
    • Clear all Events
    • Properties
  • View
    • Filter - Filter to only see certain events.

To save a security log for analysis in a spreadsheet, save it as a comma delimited (.csv) file.
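As an added example (not part of the original page), the filtering the Event Viewer "Filter" tab offers can be reproduced over a Security Log that was saved as a .csv file. The sample rows below are constructed, and the column order (Date, Time, Source, Type, Category, Event ID, User, Computer) is an assumption about the export format.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security Log saved from Event Viewer as a
# comma-delimited (.csv) file. Assumed column order:
# Date, Time, Source, Type, Category, Event ID, User, Computer.
SAMPLE_CSV = """\
1/15/2001,9:58:02 AM,Security,Success Audit,Logon/Logoff,528,DOMAIN\\alice,WS01
1/15/2001,9:58:40 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS01
1/15/2001,9:58:44 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS01
1/15/2001,9:58:49 AM,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\bob,WS01
1/15/2001,10:01:10 AM,Security,Success Audit,Object Access,560,DOMAIN\\alice,WS01
1/15/2001,10:03:27 AM,Security,Success Audit,Policy Change,612,DOMAIN\\admin,DC01
1/15/2001,10:05:00 AM,Security,Success Audit,Account Management,624,DOMAIN\\admin,DC01
"""

FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]


def load_security_log(text):
    """Parse the exported log into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def filter_events(events, **criteria):
    """Keep events matching every criterion, using the same fields the
    Filter tab offers: source, category, event_id, user, computer, type."""
    return [e for e in events if all(e[k] == str(v) for k, v in criteria.items())]


def failed_logons_by_user(events, threshold=3):
    """Count Failure Audit events in the Logon/Logoff category per user and
    return the users with at least `threshold` failures."""
    failures = filter_events(events, type="Failure Audit", category="Logon/Logoff")
    counts = Counter(e["user"] for e in failures)
    return {user: n for user, n in counts.items() if n >= threshold}
```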

Security Templates

A security template is a file of security settings that can be applied to several computers. It is a text ".INF" file. Templates are managed with the MMC "Security Templates" snap-in; once that snap-in is installed, the resulting administrative tool, called "Security Console", is used to add and manage security templates. Security templates can:

  • Be applied to several computers
  • Be compared to a computer's current security configuration

Common templates:

  • basicdc.inf - Default domain controller.
  • basicsv.inf - Default server.
  • basicwk.inf - Default workstation.
  • compatws.inf - Compatible server or workstation.
  • securedc.inf - Secure domain controller.
  • securews.inf - Secure server or workstation.
  • hisecdc.inf - High security domain controller.
  • hisecws.inf - High security workstation.

The following methods can be used to implement a security template:

  • Import the template into a Group Policy Object (GPO) in Active Directory using the administrative tool, "Active Directory Users and Computers". Menus:
    • Action
      • Policies
  • Import the template locally to a computer using the administrative tool, "Local Security Policy" or "Security Configuration and Analysis". Menus:
    • Action
      • Import Policy - Import a policy locally into the computer.

Security Configuration and Analysis

The "Security Configuration and Analysis" tool is used to analyze a computer's security configuration. To prepare to use this tool, do the following:

  • The MMC "Security Templates" snap-in must already be installed. Once installed, it is the administrative tool called "Security Console".
  • The MMC "Security Configuration and Analysis" snap-in must be installed to the "Security Console" by starting it from "Administrative Tools", selecting "Console" and "Add/Remove snap-in".
  • A database in the snap-in must be created by selecting "Administrative Tools", "Security Console", select "Action", and "Open database".
  • To perform the analysis against a template, open a database, then select "Action", and "Analyze Computer Now".
  • To apply settings from a template, open a database that has the settings you want to apply to the computer, then select "Action", and "Configure Computer Now".
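The comparison that "Analyze Computer Now" performs between a template and a computer's configuration, shown here for the audit policy categories listed above, as an added example that is not part of the original page or any Microsoft tool. Both .INF fragments are constructed; a real template also carries other sections such as [Version], and the key names and the 0/1/2/3 value convention are assumed to match the secedit template format.

```python
import configparser

# Constructed [Event Audit] sections: the settings currently in effect on a
# computer and the settings a high-security style template asks for.
# Assumed value convention: 0 = no auditing, 1 = success, 2 = failure,
# 3 = success and failure.
CURRENT_INF = """\
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
"""

TEMPLATE_INF = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
"""

LEVELS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def read_event_audit(inf_text):
    """Return the [Event Audit] keys of a template as {name: int}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key names exactly as written in the template
    cp.read_string(inf_text)
    return {k: int(v) for k, v in cp["Event Audit"].items()}


def analyze(current_text, template_text):
    """Report every category whose effective setting differs from the
    template, as name -> (current label, template label)."""
    current = read_event_audit(current_text)
    template = read_event_audit(template_text)
    return {name: (LEVELS[current.get(name, 0)], LEVELS[want])
            for name, want in template.items() if current.get(name, 0) != want}
```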

Secedit Command Line Tool

It is used to perform computer security configuration and analysis from the command line. For help, type "secedit /?" at the command prompt.