Windows Server 2008: Auditing Active Directory

Even if you have only recently entered the world of networking and server administration, you have certainly run into the review of security controls. But who used their access, when, and how, or who tried to reach other people's resources without permission? If you do not use audit logging, you will have to keep watch over the whole network with your own eyes, all the time 😀

Auditing in earlier versions of Active Directory was not as extensive as it is in Server 2008, and this maturity gives you the ability to review many more controls.

Auditing Changes in Windows Server 2008

One of the fundamental changes in Windows 2003 compared to 2000 was improved auditing. In Windows 2000 only who changed which attribute was recorded, but in Windows 2003 the values before and after the change were also stored, so that the reason for the change could be identified and, if a rollback was needed, it could be done without difficulty.

Another important change was the ability to turn audit policies on and off individually. In Windows Server 2008 this went a step further: the audit policies were split into four subcategories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

In this article we will look at how to enable Directory Service Changes.

How to Enable Global Audit Policy on Windows Server 2008

The first step is to enable the audit policy. I will walk you through both doing it through the GUI and then through the command line:

1. Go to Start, Administrative Tools, and then click on Group Policy Management.

Server 2008: Auditing Active Directory - 1

2. Navigate down through your Forest to Domains, then Domain Controllers, and left-click on Default Domain Controllers Policy.

You will get a warning that changes here will affect every other location the GPO is linked to. Click OK.

Server 2008: Auditing Active Directory - 2

3. Right-click on Default Domain Controllers Policy and then left-click on Edit…

Server 2008: Auditing Active Directory - 3

4. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.

Server 2008: Auditing Active Directory - 4

5. Right-click on Audit Directory Service Access, and then click Properties.

Server 2008: Auditing Active Directory - 5

6. Select Define these policy settings and then select Success. Click on Apply and then OK.

Server 2008: Auditing Active Directory - 6

That's it! You have now configured auditing via the GUI.

Let's take a look at the command line method (much faster):

1. Start a Command Prompt with elevated rights.

Server 2008: Auditing Active Directory - 7

2. Type in the following command and hit Enter:

auditpol /set /subcategory:"directory service changes" /success:enable

Server 2008: Auditing Active Directory - 8

I told you it was much faster! You should see "The command was successfully executed." Now let's move on to the next step.

How to Set Up Auditing in a System Access Control List (SACL)

The audit policy only switches the subcategory on; the SACLs on the objects themselves do most of the work in determining what gets audited and what doesn't. Please note that many different kinds of SACL entries can be set up; we are only using one as an example.

1. Open Active Directory Users and Computers.

Server 2008: Auditing Active Directory - 9

2. Click on View and make sure that Advanced Features is enabled. If it is not, left-click on it to place a check next to it.

Server 2008: Auditing Active Directory - 10

3. Right-click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.

Server 2008: Auditing Active Directory - 11

4. In the Properties window click on Security.

Server 2008: Auditing Active Directory - 12

5. Next click on Advanced.

Server 2008: Auditing Active Directory - 13

6. Click the Auditing tab, then click Add.

Server 2008: Auditing Active Directory - 14

7. Under Enter the object name to select:, type in Authenticated Users and click OK.

Server 2008: Auditing Active Directory - 15

8. In the next window, under Apply onto: select Descendant User Objects, and under Access check the Successful box next to Write all properties, then click OK.

Server 2008: Auditing Active Directory - 16

9. Click OK until you are out of all the dialog boxes.

Now that we have enabled auditing in a SACL, let's go ahead and give it a test.

Example: Security Events with Auditing Enabled

With auditing enabled, all events will be logged in the Security log in Event Viewer. Let's see what happens when you change a value on an object.

For brevity's sake, I am going to create a user called audittest, change his name from Audit Test to Test Audit, and then we will take a look in the security log to see what was recorded.

A single change produces two Event 5136 entries. The first image shows the value being deleted, which in this case is Audit Test:

Server 2008: Auditing Active Directory - 17

The next image shows the changed object's new value, which in our case is Test Audit:

Server 2008: Auditing Active Directory - 18

As you can see, the previous value and the new value are both visible and can be compared, so you can revert the change to its earlier state without restoring any backup.
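The same three steps from the walkthrough (global policy, SACL entry, reading the paired 5136 events) scripted for PowerShell on a domain controller. This is an added example, not code from the original post; the OU distinguished name is a placeholder, and it assumes the RSAT ActiveDirectory module and the AD: PSDrive are available.

```powershell
# Added example (not from the original post): audit policy + SACL entry + 5136 review.
# Assumptions: RSAT ActiveDirectory module installed; $ouPath is a placeholder DN.
Import-Module ActiveDirectory

# 1. Global policy: enable Success auditing for the Directory Service Changes subcategory.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. SACL: Authenticated Users, Write all properties, Success, on descendant user objects.
$ouPath    = 'AD:\OU=Users,DC=example,DC=com'                         # placeholder, change to your OU
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'              # schemaIDGUID of the "user" class
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # well-known SID: Authenticated Users
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $authUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,   # "Write all properties"
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($ace)
Set-Acl -Path $ouPath -AclObject $acl                                  # requires SeSecurityPrivilege

# 3. Read back 5136 events. One attribute change writes two events that share an
#    OpCorrelationID: %%14675 = Value Deleted (old value), %%14674 = Value Added (new value).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    $op = if ($d.OperationType -eq '%%14675') { 'Old' } else { 'New' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Who       = $d.SubjectUserName
        Object    = $d.ObjectDN
        Attribute = $d.AttributeLDAPDisplayName
        Op        = $op
        Value     = $d.AttributeValue
        CorrId    = $d.OpCorrelationID
    }
}
# One line per change: who changed which attribute of which object, old value -> new value.
$rows | Group-Object CorrId | ForEach-Object {
    $g   = $_.Group
    $old = ($g | Where-Object Op -eq 'Old').Value
    $new = ($g | Where-Object Op -eq 'New').Value
    '{0}  {1}  {2}  {3}: "{4}" -> "{5}"' -f $g[0].Time, $g[0].Who, $g[0].Object, $g[0].Attribute, $old, $new
}
```

Run it as a Domain Admin on a DC; the final loop gives you the before/after pair the two screenshots above show, without opening each event by hand.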

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2
