Active Directory Domain Services (AD DS) Auditing Step-by-Step Guide
29.01.2012
Updated: March 15, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in
Windows Server 2008. It also provides procedures to implement this new feature.
Note
This new auditing feature also applies to Active Directory Lightweight Directory Services (AD LDS). However,
this guide refers only to AD DS.
What's new in AD DS auditing?
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new
values when changes are made to objects and their attributes.
In Microsoft Windows 2000 Server and Windows Server 2003, Active Directory audit logs can show you who
made changes to what object attributes, but the events do not display the old and new values. For example, the
audit log can show that Joe modified his favorite drink attribute in the directory, but it cannot show his previous
favorite drink or what the attribute was after he changed it. With the new auditing feature, you can log events
that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to
triple-shot latte.
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,
that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,
this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory
Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or
undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values
of the attribute. If the attribute has more than one value, only the values that change as a result of the
modify operation are logged.
If a new object is created, values of the attributes that are populated at the time of creation are logged. If
the user adds attributes during the create operation, those new attribute values are logged. In most cases,
AD DS assigns default values to attributes (such as samAccountName). The values of such system
attributes are not logged.
If an object is moved within the domain, the previous and new locations (distinguished names) are logged.
When an object is moved to a different domain, a create event is generated on the domain controller
in the target domain.
If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds,
modifies, or deletes attributes while performing an undelete operation, the values of those attributes are
logged.
Source: technet.microsoft.com/en-us/library/cc731607(WS.10,printer).aspx
Note
When an object is undeleted, its isDeleted and distinguishedName attributes are modified through LDAP, so an
undelete appears in the log as changes to those attributes. For more information, see Microsoft Knowledge Base
article 84001 (http://go.microsoft.com/fwlink/?LinkId=89248).
Implementing AD DS change auditing
In Windows Server 2008, three controls determine what is audited:
Global audit policy
System access control list (SACL)
Schema
Global audit policy
Enabling the global audit policy, Audit directory service access, enables all four directory service
subcategories. You set this policy in the Default Domain Controllers Group Policy (under Security
Settings\Local Policies\Audit Policy). In Windows Server 2008, only the Directory Service Access subcategory is
enabled by default; the other three subcategories, including Directory Service Changes, are not.
In Windows 2000 Server and Windows Server 2003, Audit directory service access was the only auditing control
for Active Directory. The events it generated did not show the old and new values of a modification, and they
were logged as Security event ID 566. In Windows Server 2008, the Directory Service Access subcategory
generates the equivalent events with event ID 4662.
Note
The Directory Service Access subcategory corresponds to the Audit directory service access policy in
Windows 2000 Server and Windows Server 2003, and it is enabled for Success events by default. No other
subcategory is enabled by default.
When Directory Service Changes is enabled, the old and new values of modified attributes are logged. These
events belong to the Directory Service Changes subcategory and have their own event IDs (for example, 5136 for
a modified attribute, as in the example later in this guide). The settings for Directory Service Access and
Directory Service Changes are held in the Local Security Authority (LSA) audit policy, which the LSA exposes
through an application programming interface (API).
The two subcategories are independent. You can enable Directory Service Access without Directory Service
Changes, and vice versa. Similarly, if you enable Directory Service Changes without Directory Service Access,
Security events with ID 4662 are not generated; only the change events are.
You can also set each subcategory individually with the Auditpol command-line tool, which is included with
Windows Server 2008.
SACL
The second control is the SACL, which specifies which operations by which security principals are audited
for an object. The SACL is part of the object's security descriptor.
The SACL is set on the object itself, for example with the Active Directory Users and Computers snap-in as
shown in Step 2 of this guide, and it is inherited by descendant objects according to the inheritance scope
of each entry.
If there is no access control entry (ACE) in the SACL that requires the operation to be audited, then even
when the Directory Service Changes subcategory is enabled, no change auditing events are logged. For example,
if there is no ACE in a SACL requiring Write Property access on the telephone number attribute of a user
object to be audited, no auditing events are generated when the telephone number attribute is modified,
even if the subcategory Directory Service Changes is enabled.
Schema
To avoid the possibility of an excessive number of events being generated, there is an additional control in the
schema that you can use to create exceptions to what is audited.
For example, if you want to see what values have changed as a result of all but a few attribute modifications on a
user object, you can set a flag in the schema for the attributes that you do not want audited. The searchFlags
property of each attributeSchema object is a bit field that defines behavior such as whether the attribute is
indexed or replicated to the global catalog.
If bit 8 (zero-based indexing, value 256 or 0x100) is set for an attribute, AD DS will not log change events when
modifications are made to the attribute. Because the schema is forest-wide, this applies to every object in the
forest that contains that attribute, and it removes the old and new values of that attribute from the audit trail
entirely, so set it only for attributes whose values you genuinely do not need to track.
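The following script is an added example and is not code from the TechNet guide. It reads the searchFlags value of one attribute from the schema partition and sets or clears bit 8 (0x100, the flag MS-ADTS calls fNEVERVALUEAUDIT) without disturbing the other bits. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), membership in Schema Admins, and that schema writes are sent to the schema master; the function names are this example's own.

```powershell
# Added example, not code from the TechNet guide: inspect and change the searchFlags bit
# that suppresses change auditing (bit 8 zero-based, value 0x100) for one attribute.
# Assumptions: ActiveDirectory module available, caller is in Schema Admins, and schema
# writes are directed to the schema master (other DCs refuse schema writes).
Import-Module ActiveDirectory

$NeverAuditValue = 0x100   # searchFlags bit 8 = 256: no 5136 change events for this attribute

function Get-SchemaAttribute {
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return $attr
}

# True when change events for this attribute are suppressed forest-wide.
function Test-AttributeChangeAuditDisabled {
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    return (([int]$attr.searchFlags -band $NeverAuditValue) -ne 0)
}

# Set or clear only bit 8, leaving indexing, GC replication and confidentiality bits alone.
# This is a schema change: it replicates forest-wide and affects every object with the attribute.
function Set-AttributeChangeAudit {
    param(
        [Parameter(Mandatory = $true)][string]$LdapDisplayName,
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [switch]$WhatIf
    )
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    $current = [int]$attr.searchFlags
    if ($Enabled) { $new = $current -band (-bnot $NeverAuditValue) }
    else          { $new = $current -bor $NeverAuditValue }
    if ($new -eq $current) { Write-Verbose "searchFlags already $current, nothing to do"; return }
    Set-ADObject -Server (Get-ADForest).SchemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $new } -WhatIf:$WhatIf
}

# Usage, reproducing the guide's example where the description attribute is excluded:
# Test-AttributeChangeAuditDisabled -LdapDisplayName 'description'          # False on a default schema
# Set-AttributeChangeAudit -LdapDisplayName 'description' -Enabled $false -WhatIf   # preview first
# Set-AttributeChangeAudit -LdapDisplayName 'description' -Enabled $false           # apply
```

Run the -WhatIf form first and test in a lab forest: the flag cannot be scoped to one domain or OU, and once set, the attribute's old and new values are silently absent from every 5136 event in the forest.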
Example modify operation and log entry
The following table shows an example of how events are logged when a user modifies a group object by adding
values to two attributes (description and member) and the global audit policy Audit directory service access
has been enabled. In this example, you see both events 4662 and 5136 because both subcategories Directory
Service Access and Directory Service Changes are enabled. However, you do not see an event 5136 for the
Description attribute because searchFlags bit 8 is set on that attribute in the schema, which disables change auditing for it.
SACL:
  Object: CN=GroupX,CN=Users,<domain DN>
  ACE in SACL: {WP; AU} (in SDDL notation, WP = Write Property, AU = Authenticated Users)
User action:
  Object modified: CN=GroupX,CN=Users,<domain DN>
  Attributes: Member; Description
  Operation: Add; Value: User1 (Member)
  Operation: Add; Value: Group of users with role 'X' (Description)
Audit policy settings:
  Subcategory: Directory Service Access ON
  Subcategory: Directory Service Changes ON
  Description attribute in schema: searchFlags bit 8 set to disable change auditing
Audit events logged:
  Event ID: 4662
    Object: CN=GroupX,CN=Users,<domain DN>
    Permission: Write Property
    Attribute modified: Member
  Event ID: 5136
    Object: CN=GroupX,CN=Users,<domain DN>
    Attribute: Member
    Operation: Add
    Value: User1
Who should use this new feature?
Domain Admins who set up the required objects that they want to audit should use this feature. In general,
permissions to modify SACLs and view the Security log are given only to Administrators, including Domain Admins,
Built-in Administrators, and Enterprise Admins.
Benefits of auditing changes in AD DS
If you can identify how object attributes have changed, the event logs are more useful as a tracking mechanism
for changes that occur over the lifetime of an object.
How to set up AD DS auditing
This section provides step-by-step procedures for enabling auditing of changes to objects in AD DS. The process
consists of two primary steps:
Enabling the global audit policy in Group Policy
Setting up auditing in object SACLs using the Active Directory Users and Computers snap-in
This section also includes examples of Security log entries that appear when you create, modify, or move a user
object and Directory Service Changes is enabled.
Prerequisites
User: To perform this set of procedures, you should be familiar with editing Group Policy, using the Active
Directory Users and Computers snap-in, AD DS auditing, and event logs.
Computer: To set up auditing for changes to objects in AD DS, you must have Windows Server 2008 with the
AD DS role installed on your computer.
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory service
access, which enables all four subcategories for AD DS auditing, including the two replication subcategories,
which can be noisy on busy domain controllers. If you need to install Group Policy Management, click Add
Features in Server Manager, select Group Policy Management, and then click Install.
By using the Auditpol command-line tool, you can enable individual subcategories. On Windows Server 2008, a
subcategory setting made with Auditpol is overwritten at the next Group Policy refresh if the legacy category
policy is defined in Group Policy, unless the security option Audit: Force audit policy subcategory settings
(Windows Vista or later) to override audit policy category settings is enabled.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of
your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then
click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click
Security Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success check box, and then click OK.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"Directory Service Changes" /success:enable
To verify the setting, type auditpol /get /category:"DS Access" and confirm that Directory Service Changes
shows Success.
Step 2: Set up auditing in object SACLs.
The following procedure presents an example of just one of the many different types of SACL entries that you can
set, based on the operations that you want to audit.
To set up auditing in object SACLs
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. If the
Security tab is not shown in the next steps, enable View > Advanced Features first.
2. Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click
Properties.
3. Click the Security tab, click Advanced, and then click the Auditing tab.
4. Click Add, and under Enter the object name to select, type Authenticated Users (or any other security
principal), and then click OK.
5. In Apply onto, click Descendant User objects (or any other objects).
6. Under Access, select the Successful check box for Write all properties.
7. Click OK until you exit the property sheet for the OU or other object.
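Both steps of the procedure above, as an added scripted example that is not code from the TechNet guide. Step 1 runs the auditpol command from the guide and verifies it; Step 2 adds the same audit entry the snap-in procedure produces (Authenticated Users, Successful, Write all properties, applied to Descendant User objects) through System.DirectoryServices. It assumes an elevated PowerShell session on a Windows Server 2008 domain controller as a Domain Admin (writing a SACL needs SeSecurityPrivilege); the OU distinguished name and the function names are this example's own.

```powershell
# Added example, not code from the TechNet guide: the two setup steps as a script.
# Assumptions: elevated session on a Windows Server 2008 DC as a Domain Admin; the OU DN
# passed in is yours. The audit scope mirrors the snap-in procedure in the guide.
Add-Type -AssemblyName System.DirectoryServices

# Step 1: enable only the Directory Service Changes subcategory for success events.
# Caveat: if the legacy category 'Audit directory service access' is defined in Group Policy,
# it overwrites per-subcategory settings at the next policy refresh unless the security option
# 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
# policy category settings' (registry value SCENoApplyLegacyAuditPolicy) is enabled.
function Enable-DsChangeAuditing {
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
    # Verify: shows the effective setting of all four DS Access subcategories
    & auditpol.exe /get /category:"DS Access"
}

# Step 2: add the audit ACE to the OU's SACL. Without such an ACE the subcategory alone logs nothing.
function Add-UserWritePropertyAuditAce {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)
    $userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'      # schemaIDGUID of the user class
    $authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDistinguishedName")
    # Fetch only the SACL part of the security descriptor, so the commit does not rewrite the DACL.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $authenticatedUsers,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,      # 'Write all properties'
        [System.Security.AccessControl.AuditFlags]::Success,                   # 'Successful'
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                        # 'Descendant User objects'
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()

    # Return the explicit audit entries for Authenticated Users so the result can be checked
    # (the same entries appear in the snap-in under Security > Advanced > Auditing).
    $entry.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authenticatedUsers }
}

# Usage (the OU DN is an example):
# Enable-DsChangeAuditing
# Add-UserWritePropertyAuditAce -OuDistinguishedName 'OU=Staff,DC=example,DC=local'
```

After running both functions, change an attribute of a user under the OU and look in the Security log for event 5136 with that user's distinguished name in ObjectDN; if only 4662 appears, the SACL entry is missing or does not cover the object class, and if nothing appears, check the subcategory with auditpol /get.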
Example audit events
This section presents examples of the new events that appear in the Security event log when you create, modify,
or move a user object and Directory Service Changes is enabled.
Create a user object
If you create a new user, you see the Security event (event ID 5137) shown in the following figure.
Modify a user object
When you change an attribute for a user object, you see the events (event ID 5136, one event per value
added or deleted) shown in the following figure.
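To make the old and new values that the guide describes usable from the log, the following added example (not code from the TechNet guide) parses 5136 event XML into change records and pairs the Value Deleted and Value Added events of one operation. A replace of a single-valued attribute produces two 5136 events sharing one OpCorrelationID: OperationType %%14675 (Value Deleted) carrying the old value and %%14674 (Value Added) carrying the new value; an add to a multi-valued attribute such as member produces only the Added event. The two XML documents are constructed samples with made-up SIDs, GUIDs and DNs, using the guide's fictional favorite drink attribute, in the shape that Get-WinEvent's ToXml() returns; the function names are this example's own. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the TechNet guide: turn 5136 events into "old -> new" records.
# The two events below are constructed samples (fictional SIDs, GUIDs, DNs and attribute).
$sample5136Events = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>5136</EventID>
    <TimeCreated SystemTime="2012-01-29T10:15:30.000Z" /><Computer>DC1.example.local</Computer></System>
  <EventData>
    <Data Name="OpCorrelationID">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserName">joe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DSName">example.local</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=Joe,CN=Users,DC=example,DC=local</Data>
    <Data Name="ObjectGUID">{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">favoriteDrink</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">single latte</Data>
    <Data Name="OperationType">%%14675</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>5136</EventID>
    <TimeCreated SystemTime="2012-01-29T10:15:30.001Z" /><Computer>DC1.example.local</Computer></System>
  <EventData>
    <Data Name="OpCorrelationID">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserName">joe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DSName">example.local</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=Joe,CN=Users,DC=example,DC=local</Data>
    <Data Name="ObjectGUID">{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">favoriteDrink</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">triple-shot latte</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
)

# Flatten one 5136 event XML document into the fields that matter for change tracking.
function ConvertFrom-Ds5136Xml {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)
    foreach ($text in $EventXml) {
        $xml = [xml]$text
        if ([int]$xml.Event.System.EventID -ne 5136) { continue }   # skip anything that is not a change event
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $op = $data['OperationType']
        if ($op -eq '%%14674') { $op = 'Added' } elseif ($op -eq '%%14675') { $op = 'Deleted' }
        New-Object PSObject -Property @{
            Time          = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Subject       = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
            ObjectDN      = $data['ObjectDN']
            Attribute     = $data['AttributeLDAPDisplayName']
            Value         = $data['AttributeValue']
            Operation     = $op
            CorrelationId = $data['OpCorrelationID']
        }
    }
}

# Pair the Deleted and Added records of one operation into a single old -> new change record.
function Get-DsAttributeChange {
    param([Parameter(Mandatory = $true)][object[]]$Records)
    $Records | Group-Object -Property CorrelationId, ObjectDN, Attribute | ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        $old = @($_.Group | Where-Object { $_.Operation -eq 'Deleted' } | ForEach-Object { $_.Value })
        $new = @($_.Group | Where-Object { $_.Operation -eq 'Added' }   | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Time      = $first.Time
            Subject   = $first.Subject
            ObjectDN  = $first.ObjectDN
            Attribute = $first.Attribute
            OldValue  = ($old -join '; ')   # empty when a value was only added (for example a new group member)
            NewValue  = ($new -join '; ')   # empty when a value was only removed
        }
    }
}

# Offline run on the constructed samples: one record, favoriteDrink single latte -> triple-shot latte
Get-DsAttributeChange (ConvertFrom-Ds5136Xml $sample5136Events) | Format-List

# Live run on a domain controller (reads the Security log, so the caller needs the right to read it):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 500 | ForEach-Object { $_.ToXml() }
# Get-DsAttributeChange (ConvertFrom-Ds5136Xml $xml) | Sort-Object Time | Format-Table -AutoSize
```

Grouping on OpCorrelationID is what distinguishes a replace (one old value, one new value) from an add or remove on a multi-valued attribute, and it is also how to spot a modification whose values are missing: an attribute with searchFlags bit 8 set produces no 5136 event at all, so only the 4662 access event remains.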