2.4.1 Implement auditing using Group Policy and AuditPol.exe
http://technet.microsoft.com/en-us/library/dd772623
Group policy auditing:
Computer Configuration\Policies\Windows Settings\Security settings\Local Policies\Audit policy
gpedit.msc local:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Note: The GP setting "Security Settings\Local Policies\Security
Options\Audit: Force audit policy subcategory settings" prevents the
application of category-level audit policy in favor of Advanced Auditing. This policy is enabled by default, so if you want to use the following auditing policies, you must disable this policy setting. http://technet.microsoft.com/en-us/library/jj852246.aspx
Success or Failure:
Audit account logon events -Audits when a computer validates credentials for an account for which it is authoritative.
Audit account management - audit's account management on a computer, including changing passwords
Audit directory service access - audits access AD objects
Audit logon events - audits actual logon/logoff of user accounts on the computer
Audit object access - audit non-AD objects such as files, folders, printers, etc.
Audit policy change - audit user rights assignments, auditing, account policies, trust policies
Audit privilege use - audits user rights usage
Audit process tracking - process-related events.
Audit system events - system access such as time change, startup/shutdown, extensible authentication components, loss of auditing events, security log size beyond threshold
Be selective on what to audit, as high levels can affect performance, cause too many security event entries, and quickly fills the log.
Object Access:
After enabling the appropriate policy, you can setup auditing on specific objects(such as a file), by going to the security tab of the object, advanced, Auding tab.
Advanced Auditing Policy:
First introduced in Vista and Windows 2008 via auditpol, advanced auditing became available to configure in GP in Windows 2008 R2. Advanced auditing configured in GP will only apply to 2008R2 and later, and Windows 7 and later clients. As of 2012, there are 56 settings.
Setup in GP:
Computer Configuration\Policies\Windows Settings\Security settings\Advanced Audit Policy Configuration
gpedit.msc locally:
Computer Configuration\Windows Settings\Security settings\Advanced Audit Policy Configuration
Categories-
Account Logon - credential validation, kerberos authentication, kerberos service ticket ops, other account logon events
Account Management - application group management, computer account management, distribution group management, other account management, security group management, user account mgmt.
Detailed Tracking - DPAPI activity(encryption/decryption into DPAPI), process creation, process termination, RPC events(inbound)
DS Access - detailed DS replication, DS access, DS Changes, DS replication
Logon/Logoff - account lockout, user/device claims, ipsec extended mode, ipsec main mode, ipsec quick mode, logoff, logon, network policy server(RADIUS, NAP), other logon/logoff, special logon
Object Access(may require appropriate SACL set on object) - application generated(Windows auditing API usage), certification services(ADCS), detailed file share, file share, file system(must match SACL), filtering platform connection(firewall/WFP), WFP packet drop, handle manipulation(open/close depends on SACL), kernel object access(based on SACL usage), other object access(task scheduler, COM+, etc), registry, removable storage, SAM, central access policy staging
Policy Change - policy change, authentication policy change, authorization policy change, WFP policy change(IPSEC, WFP), MPSSVC Rule-Level policy change(Microsoft Protection Service(MPSSVC.exe) also used by Firewall), other policy change events(TPM, cryptographic ops, etc)
Privilege Use - non-sensitive privilege use, sensitive privilege use
System - IPSec driver, other system events, security state change, security system extension, system integrity.
Global Object Access Auditing - see 2.4.2
Auditpol.exe
Note: auditing set with auditpol will not show up in the local gpedit/secpol settings and also do not save between reboots.
auditpol /list category
auditpol /list subcategory:*
auditpol /set /subcategory:"Account Lockout" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /get subcategory:"Account Lockout"
auditpol /set /subcategory:"Account Lockout" /success:disable
auditpol /set /user:contoso\ajolie /subcategory:"Logon" /success:enable
auditpol /get /user:contoso\ajolie /subcategory:"Logon"
auditpol /remove /user:contoso\ajolie
removes all user auditing, on all policies, for contoso\ajolie
auditpol /remove /allusers
auditpol /clear - clears all auditing policies
auditpol /backup /file:"c:\auditpol.csv"
auditpol /restore /file:"c:\auditpol.csv"
2.4.2 create
expression-based audit policies
2012 advanced policy:
Global Object Access Auditing - applies global SACL's for file system and/or registry. Must enable appropriate Object Access policy first(Advanced Audit Policy\System Audit Policies\Object Access) . You can also specify defined properties or attributes to audit on using expression-based auditing.
Note: If both a file or folder SACL and a global SACL are configured on a
computer, the effective SACL is derived from combining the file or
folder SACL and the global SACL. This means that an audit event is
generated if an activity matches either the file or folder SACL or the
global SACL.
You can choose what permissions a user should be audited for, and whether that affects success, fail, or both.
The conditions you can add are called expression-based audit policies. This is a new feature of Windows 8 and 2012. For instance, you could choose a principal of Everyone or Authenticated Users. Then add a condition User-Group-Member of each-Value- then "Add items" and select a group. For example, Accounting. Now, any user affected by this policy, who is a member of the group "Accounting" will be audited for whichever permission and type settings you configured.
These properties are set in AD using Dynamic Access Control(covered in 70-412).
Extra Note: You can set /resourcesacl through auditpol, but setting a condition can be cryptic. for instance, the user-group setting is set with the SID as in the following example. Also, File in /type:File is actually case-sensitive:
auditpol /resourcesacl /set /type:File /user:"NT AUTHORITY\Authenticated Users" /success /failure /access:FW /condition:"(Member of {SID(S-1-5-21-1477645170-1045419550-4197897434-12603)})"
auditpol /resourcesacl /type:File /view
2.4.3 create removable device audit policies
Auditing removable devices is now configured under the advanced auditing as seen in 2.4.1, Object Access/Audit Removable Storage.
auditpol /set /subcategory:"Removable Storage" /success:enable
Event 4663 is for success and event 4656 logs failed
No comments:
Post a Comment