Windows 7 and Windows Server 2008 local group policy settings and audit policies allow solution providers to have greater control of the events and settings in their customers' environments, so it's important to know how to configure and properly use these settings and policies.
Some editions of Windows 7 (Professional, Ultimate and Enterprise) and all editions of Windows Server 2008 were given access to 53 different audit settings for success and failure events. This series of articles delves into the settings available to you and explains the situations that call for you to change them.
The basic interface for the System Audit Policies is shown in Figure 1. Type "gpedit.msc" into the Start menu search box in Windows 7 or Windows Server 2008 to open the Local Group Policy Editor tool used here, which displays the available auditing options.
Figure 1: The nine category entries from older Windows versions go up to 10 with the addition of Global Object Access Auditing (other category names change slightly as well).
You cannot expand these categories on a system running the Windows 7 Starter, Home Basic or Home Premium editions; the nine (or 10) top-level categories are the only auditing controls available on those operating systems (OS). The net effect of turning a whole category on, however, is to enable auditing for every subcategory item within it (the subcategories we explore in the rest of this article), so even if you only work on such systems, it may still be helpful to keep reading.
Figure 2: This screen capture shows the right-click accessible Properties window for one of the four subcategories for the Account Logon audit controls.
You must check "Success", "Failure" or both for any auditing to actually occur. Checking the "Configure…" box shown here only makes those two other checkboxes available. There is more information on creating and enforcing Advanced Audit Policy Configuration settings in an Active Directory environment in this Technet article. For more information on audit policy settings, check out the Technet Security Audit Policy Reference.
Here are the subcategory settings for Account Logon:
- Audit Credential Validation: Determines if the OS generates audit events when credentials are submitted for a user account logon request. These are most likely to be of interest on domain controllers, because on other Windows machines this setting reports only logons to local accounts.
- Audit Kerberos Authentication: Determines whether the OS generates audit events for Kerberos authentication TGT (ticket-granting ticket) requests. This occurs primarily on client machines.
- Audit Kerberos Service Ticket Operations: Determines if the OS generates audit events for Kerberos service ticket requests (which use the TGT to gain access to other resources under Kerberos control). This also occurs primarily on client machines.
- Audit Other Account Logon Events: Tracks various other events that involve credential requests for user logons outside the preceding items. This includes items such as remote desktop session login and disconnect, locking or unlocking a workstation, invoking or dismissing a secure screen saver or detection of a Kerberos replay attack (same information submitted more than once). Wireless network access also falls into this subcategory.
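The four Account Logon subcategories above can be set without the Local Group Policy Editor by using the built-in auditpol.exe tool, which is also the easiest way to confirm what is actually in force on a machine. The following PowerShell script is an added example, not part of the original article; it uses auditpol's own subcategory names (which drop the "Audit" prefix the GUI shows and call the second one "Kerberos Authentication Service"), checks the registry value behind the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option, enables success and failure auditing for each subcategory, and reads the result back through auditpol's CSV (/r) report format. The function names are ours; the auditpol switches and the SCENoApplyLegacyAuditPolicy value are real.

```powershell
# Added example (not from the article): configure and verify Account Logon
# auditing with auditpol.exe. Run from an elevated PowerShell prompt;
# auditpol refuses to change settings without the required privilege.

$accountLogonSubcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events'
)

function Test-AdvancedAuditPolicyOverride {
    # Subcategory settings only take precedence over the legacy nine-category
    # settings when the "Force audit policy subcategory settings ... to
    # override" option is enabled. It is stored as the DWORD value
    # SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    return ($lsa -ne $null -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Set-AuditSubcategory {
    param(
        [Parameter(Mandatory = $true)][string]$Subcategory,
        [ValidateSet('enable', 'disable')][string]$Success = 'enable',
        [ValidateSet('enable', 'disable')][string]$Failure = 'enable'
    )
    # Build the argument as one string so a name containing spaces is passed
    # to auditpol as a single quoted argument.
    $target = "/subcategory:$Subcategory"
    & auditpol.exe /set $target /success:$Success /failure:$Failure | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed for '$Subcategory' (exit code $LASTEXITCODE); are you elevated?"
    }
}

function Get-AuditSubcategorySettings {
    param([Parameter(Mandatory = $true)][string]$Category)
    # /r makes auditpol emit CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $target = "/category:$Category"
    $lines = & auditpol.exe /get $target /r | Where-Object { $_ -match '\S' }
    return $lines | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

# --- main -------------------------------------------------------------------
if (-not (Test-AdvancedAuditPolicyOverride)) {
    Write-Warning ('Subcategory override is not enabled; the legacy "Audit account ' +
                   'logon events" category setting may still win. Enable it under ' +
                   'Local Policies > Security Options before relying on these settings.')
}

foreach ($sub in $accountLogonSubcategories) {
    Set-AuditSubcategory -Subcategory $sub -Success enable -Failure enable
}

# Read back what is in force: every row should now show "Success and Failure".
Get-AuditSubcategorySettings -Category 'Account Logon' | Format-Table -AutoSize
```

On a domain-joined machine the domain's Group Policy reapplies its own audit settings at the next policy refresh, so changes made this way are only durable on standalone systems; in a domain, make the same change in the GPO and use the Get-AuditSubcategorySettings function purely to confirm what the client ended up with.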
Group policy settings: Account management
Figure 3: The account management audit settings may be used to audit changes to user and computer accounts and groups.
Here are the subcategory settings for Account Management:
- Audit Application Group Management: Determines if the OS generates audit events when application group management tasks are performed. Such tasks include creating, changing or deleting an application group and adding or removing a member from that group.
- Audit Computer Account Management: Determines whether the OS generates audit events when a computer account is created, changed or deleted. It is most likely to be used for tracking account-related changes on computers that belong to a domain.
- Audit Distribution Group Management: Determines whether the OS generates audit events when distribution group management tasks are carried out. These occur only on computers running a version of Windows Server 2008.
- Audit Other Account Management Events: Determines if the OS generates audit events when a password hash for an account is accessed (mainly occurs when the Active Directory Migration Tool is moving password data) or when the Password Checking Policy API is called (a call that may be malicious).
- Audit Security Group Management: Determines whether the OS generates audit events when various group management tasks are performed, including creating, changing or deleting a security group, adding or removing a member from a security group or changing the type associated with a security group. (Security groups are typically used to manage access control permissions and for distribution lists.)
- Audit User Account Management: Determines if the OS generates audit events when any of various user account management tasks occur. These include creating, changing, deleting, renaming, disabling or enabling, and locking out or unlocking user accounts. Other items are setting or changing a user account password, adding SID history to a user account, setting a password for Directory Services Restore Mode (admins only), changing permissions on accounts belonging to administrator groups and backing up or restoring Credential Manager credentials. This will be enabled for both success and failure on a routine basis in high-security environments.
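Enabling the User Account Management and Security Group Management subcategories is only half the job; someone has to read what they write to the Security log. The script below is an added example, not from the article, showing how the resulting events can be pulled out of the local Security log with Get-WinEvent and summarised by actor and target, plus a lockout roll-up that makes a burst of failed-logon lockouts against one account stand out. The event IDs are the ones Windows assigns to these subcategories in the Security log; the function names and the 24-hour window are our own choices. Reading the Security log requires administrator rights or membership in Event Log Readers.

```powershell
# Added example (not from the article): summarise Account Management events
# from the local Security log once the subcategories above are enabled.

# Security log event IDs written under User Account Management and
# Security Group Management (IDs as documented by Windows, not the article).
$accountManagementEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
}

function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    # Named EventData fields are only reachable through the event's XML.
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -eq $Name) { return $d.'#text' }
    }
    return $null
}

function Get-AccountManagementActivity {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = @($accountManagementEvents.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as empty.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        # For the group events TargetUserName is the group and MemberName
        # (a SID or distinguished name) identifies who was added.
        New-Object PSObject -Property @{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Action = $accountManagementEvents[$e.Id]
            Actor  = Get-EventDataValue -Event $e -Name 'SubjectUserName'
            Target = Get-EventDataValue -Event $e -Name 'TargetUserName'
            Member = Get-EventDataValue -Event $e -Name 'MemberName'
        }
    }
}

function Get-LockoutSummary {
    # Lockouts (4740) per account in the window; several lockouts of one
    # account, or lockouts of many accounts at once, deserve a closer look.
    param([int]$Hours = 24)
    Get-AccountManagementActivity -Hours $Hours |
        Where-Object { $_.Id -eq 4740 } |
        Group-Object Target |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# --- usage ------------------------------------------------------------------
Get-AccountManagementActivity -Hours 24 |
    Sort-Object Time |
    Format-Table Time, Id, Action, Actor, Target, Member -AutoSize

Get-LockoutSummary -Hours 24 | Format-Table -AutoSize
```

On a domain the authoritative copies of these events live on the domain controllers (the 4740 lockout is recorded on the PDC emulator), so the same functions are most useful there or against a central log collector; on a workstation they only cover local accounts and local groups.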
Figure 4: The detailed tracking subcategories, which are seldom used, enable auditing system activity at a low level, and can generate a great volume of events.
These are the subcategories for Detailed Tracking:
- Audit DPAPI Activity: Determines whether the OS generates audit events when encryption or decryption calls invoke the Data Protection API (DPAPI), which is used to protect sensitive data such as stored passwords and keys.
- Audit Process Creation: Determines if the OS generates audit events when a process is created, along with the name of the user or program that created it. This is used mostly for low-level analysis of computer behavior and user activity.
- Audit Process Termination: Determines whether the OS generates audit events when a process is terminated (a failure event here records a termination attempt that did not succeed). This is used mostly for low-level analysis of computer behavior and user activity.
- Audit RPC Events: Determines whether the OS generates audit events as inbound remote procedure call connections get made. This subcategory is seldom used.
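The caption for Figure 4 is the operational point about Detailed Tracking: Process Creation in particular produces one event (ID 4688) for every process start, and on a busy machine a Security log left at its default size wraps within hours. The script below is an added example, not from the article; it reports the Security log's current size and retention mode, raises the maximum with Limit-EventLog, enables only the Process Creation subcategory through auditpol, and then measures the actual 4688 rate and the average on-disk size of a record so the log can be sized from measured numbers rather than a guess. Function names and the 256 MB default are ours; the cmdlets, the auditpol switches and the 4688 property layout are real. Run it elevated.

```powershell
# Added example (not from the article): size the Security log before turning
# on Audit Process Creation, then measure the volume it produces.

function Get-SecurityLogStatus {
    $log = Get-WinEvent -ListLog Security
    New-Object PSObject -Property @{
        MaximumMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB   = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount = $log.RecordCount
        Retention   = $log.LogMode   # Circular = oldest events overwritten when full
    }
}

function Set-SecurityLogMaximumSize {
    # The maximum must be a multiple of 64 KB; whole megabytes satisfy that.
    param([int]$MegaBytes = 256)
    Limit-EventLog -LogName Security -MaximumSize ($MegaBytes * 1MB)
}

function Enable-ProcessCreationAuditing {
    # Only successes matter here: a failed process start is rare and is
    # already reflected in the caller's own error handling.
    & auditpol.exe /set '/subcategory:Process Creation' /success:enable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); are you elevated?"
    }
}

function Measure-ProcessCreationRate {
    # Count 4688 events in the last $Minutes and project daily growth using
    # the average record size measured from the log itself.
    param([int]$Minutes = 60)
    $log   = Get-WinEvent -ListLog Security
    $since = (Get-Date).AddMinutes(-$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $perHour  = $events.Count * 60 / [math]::Max($Minutes, 1)
    # Average bytes per record from the live log; fall back to 1 KB (an
    # assumption) when the log is empty.
    $avgBytes = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 1KB }

    # In a 4688 record Properties[5] is NewProcessName (the image path);
    # the first five are SubjectUserSid, SubjectUserName, SubjectDomainName,
    # SubjectLogonId and NewProcessId.
    $top = $events |
        ForEach-Object { $_.Properties[5].Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First 5 Name, Count

    New-Object PSObject -Property @{
        Sampled           = $events.Count
        PerHour           = [math]::Round($perHour)
        EstimatedMBPerDay = [math]::Round($perHour * 24 * $avgBytes / 1MB, 1)
        TopImages         = $top
    }
}

# --- usage ------------------------------------------------------------------
Get-SecurityLogStatus | Format-List
Set-SecurityLogMaximumSize -MegaBytes 256
Enable-ProcessCreationAuditing
# Let the machine run for a while, then:
$rate = Measure-ProcessCreationRate -Minutes 60
$rate | Format-List Sampled, PerHour, EstimatedMBPerDay
$rate.TopImages | Format-Table -AutoSize
```

Two caveats apply on the Windows 7 and Windows Server 2008 generation this article covers: the 4688 record identifies the image path and the creating user but does not carry the process command line (that field was added to the event by a later update), and if the domain's Group Policy sets the Security log size, Limit-EventLog's change lasts only until the next policy refresh.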
Active Directory Domain Services access
Figure 5: These settings control auditing of access to and modification of objects in Active Directory Domain Services, and the resulting events are logged only on domain controllers. We skip the details here because they relate entirely to Windows Server 2008 R2 servers.
Ed Tittel is a full-time freelance writer and consultant who works in many areas of Windows security. Look for the revision of his Computer Forensics JumpStart, 2nd Edition (Sybex, 2011, with Neil Broom, Mike Chappell, K Rudolph, and Diane Barrett) to appear in the first quarter of 2011.
This was first published in January 2011