Organizations will go to any extend to keep their IT infrastructure safe and secure. That is why security audit has become an important job of their IT departments. The security auditing capabilities of IT administrators increased many folds after the arrival of Windows Server 2008 R2. Audit features introduced in this version of Windows server operating system allowed organizations to enforce their business rules through various audit policies.
Basics of Windows security auditing
In most organizations, formation of an auditing policy depends mainly on business requirements and regulatory compliance requirements. Practically it is not feasible to monitor all the resources and operations of the organization; even if you do so, you may not be able to find out the required audit data when some need arises. So from the beginning itself, you need to focus on what is required. By omitting unnecessary objects and operations form the purview of auditing, you make auditing simple and less resource-consuming.
- Identify what to be audited and what not to be
Depending on the business of the organization, some of its IT assets are considered critical; some user or computer operations can have critical impact on these critical assets. So focus your audit on these critical assets and critical operations.
- Think of regulatory compliances
Understand what all assets and operations are important from the point of view of the compliance, if meeting regulatory compliances is an aim of your audit. Place such objects and operations under the auditing radar.
Security auditing features in Windows Server 2008 R2
Windows Server 2008 R2 makes auditing easier and more comprehensive with the following features:
- Global Object Access Auditing
By configuring Global Object Access Auditing policy settings, administrators can define computer system access control lists (SACLs) for various object types on computers for registry or file system. After configuring, SACL will be applied to all the objects of that type.
- Reason for access auditing
Access to objects are allowed or denied according to the ‘reason for access’ list—a list of Access Control Entries (ACE). Access. So administrators can easily identify the access controls that allowed or denied access to a particular object.
- Advanced Audit Policy Configuration
AD administrators can configure 53 audit policy settings using the domain Group Policy to perform more effective and simpler auditing. Broadly, administrators can audit events related to:- Account logon events
- Account management events
- Detailed tracking events
- DS access events
- Logon/logoff events
- Object access events
- Policy change events
- Privilege use events
- System events
There are two options to manage Advanced Audit Policy Configuration settings—from Group Policy Management Console (GPMC), and from Local Security Policy snap-in for the domain/site/organizational unit (OU).
Can third-party tools be used for Active Directory Auditing?
Professional tools like LepideAuditor Suite are found to be extremely successful in conducting Active Directory Auditing. They are more user-friendly compared to the native auditing features. Also, they usually help in auditing other important components of the IT infrastructure. So the organization can rely on a single auditing solution to safeguard the entire IT assets.