How to enable the Security Auditing of Active Directory

Auditing Active Directory is necessary both from a security point of view and for meeting compliance requirements. Most organizations rely on the native Active Directory audit method provided by Event Viewer, a large pool in which events are stored in an unorganized manner. An experienced IT auditor knows how to extract the meaningful events from this cluttered environment, but it takes time and patience. In this article, we discuss how to enable the security auditing of Active Directory and how to extract its events from Event Viewer.

Enable the Security Auditing

For security auditing, you must either modify the Default Domain Policy or create a new Group Policy Object and edit it. In either case you work with the Advanced Audit Policy Configuration. Perform the following steps to enable the security auditing of Active Directory in Windows Server 2012.

  • Go to “Start Menu” → “Administrative Tools” → “Group Policy Management”.
  • In the left pane, navigate to “Forest” → “Domains” → Domain Name. Expand it.
  • You can select either “Default Domain Policy” or create a new Group Policy Object.
  • Right-click on “Default Domain Policy” or other Group Policy Object.
  • Click “Edit” in the context menu. It shows “Group Policy Management Editor”.
  • Go to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Advanced Audit Policy Configuration” → “Audit Policies”. It lists all audit policies in the right pane.
  • Here, you have to enable the following policies for both “Success” and “Failure” events:
    • Domain Logon/Logoff Auditing: in “Logon/Logoff”, enable “Audit Logon” and “Audit Logoff”.
    • File System Auditing: in “Object Access”, enable “Audit Detailed File Share”, “Audit File Share” and “Audit File System”.
    • Registry Auditing: in “Object Access”, enable “Audit Registry”.
    • Auditing of Handle Manipulation: in “Object Access”, enable “Audit Handle Manipulation”.

  • Double-click any of the policies listed above to access its properties.
  • Check the box “Configure the following audit events” and then enable the required “Success” and “Failure” events.
  • Click “Apply” and “OK” to enable the monitoring for the selected events.

Similarly, you can configure the advanced auditing policies for other available options as well.

Enable the Global Object Access Auditing

Perform the steps below to audit the access of any object globally on the server.

  • Go to “Start Menu” → “Administrative Tools” → “Group Policy Management”.
  • In the left pane, navigate to “Forest” → “Domains” → Domain Name. Expand it.
  • You can select either “Default Domain Policy” or create a new Group Policy Object.
  • Right-click on “Default Domain Policy” or another Group Policy Object.
  • Click “Edit” in the context menu. It shows “Group Policy Management Editor”.
  • Go to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Advanced Audit Policy Configuration” → “Audit Policies”. It lists all audit policies in the right pane.
  • Go to “Global Object Access Auditing” node under “Audit Policies” of advanced configuration.
  • Double click “Registry” entry in the right details pane.
  • Check the box “Define this policy”. It enables the subsequent button.

  • Click “Configure” to access the “Advanced Security Settings for Global Registry SACL” window.

  • Click “Add” to add the users or groups whose access you want to audit. It shows the “Auditing Entry for Global Registry SACL” window.

  • Click the “Select a Principal” link. It shows the “Select User, Computer, Service Account or Group” dialog box.

  • Type the name of the user or group whose access you want to audit.
  • Click “Check Names” button to validate the name.
  • Click “OK”. It takes you back to “Auditing Entry” window.
  • Select “All” in “Type” drop-down menu.

  • Please make sure all 16 permissions are checked.
  • Click “OK”. It adds the rule to audit the selected user’s access to the registry and takes you back to “Advanced Security Settings” window.

  • Click “Apply” and “OK”. It takes you back to event properties.
  • Click “Apply” and “OK”.

You can follow similar steps to configure the “File System” policy in “Global Object Access Auditing”.

Manage the Integrity of Advanced Auditing

The advanced auditing entries are often overwritten by the entries of basic auditing. Perform the following steps so that the advanced auditing entries are not overwritten.

  • Go to “Start Menu” → “Administrative Tools” → “Group Policy Management”.
  • In the left pane, go to “Forest” → “Domains” → Domain Name. Expand it.
  • You can select either “Default Domain Policy” or create a new Group Policy Object.
  • Right-click on “Default Domain Policy” or another Group Policy Object.
  • Click “Edit” in the context menu. It shows “Group Policy Management Editor”.
  • In the left tree pane, go to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Security Options”.
  • Double click “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”.
  • Click “Define this policy setting” and click “Enabled”.
  • Click “Apply” and “OK”.

Update Group Policy Object

Start the command prompt or “Run” prompt as an Administrator and execute the following command.

  • gpupdate /force

It applies the modified security auditing policies on the server. Alternatively, you can log off and log on again as the Administrator.

Verify the Auditing Policies

Now verify whether the modified auditing policies have been applied. Run the following command at the Command Prompt.

  • auditpol.exe /get /category:*

It lists the status of all auditing policies (both basic and advanced) on the server. Verify that both “Success” and “Failure” are enabled for the policies you configured.
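The check described above, scripted: an added example (not from the article) that parses the CSV form of auditpol’s output and confirms that every subcategory the earlier steps enabled is effective as “Success and Failure”. It assumes an elevated PowerShell session on the domain controller after gpupdate has run.

```powershell
# Added example, not part of the article: verify the effective audit policy
# for the subcategories enabled through the GPO steps above.

# Subcategories the article enables, in auditpol's own naming.
$Required = @(
    'Logon', 'Logoff',                                   # Logon/Logoff
    'Detailed File Share', 'File Share', 'File System',  # Object Access
    'Registry', 'Handle Manipulation'                    # Object Access
)

function Get-EffectiveAuditPolicy {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    auditpol.exe /get /category:* /r | ConvertFrom-Csv
}

function Test-RequiredAuditPolicy {
    param([string[]]$Subcategories = $Required)
    $policy = Get-EffectiveAuditPolicy
    foreach ($name in $Subcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Ok          = ($setting -eq 'Success and Failure')
        }
    }
}

$result = Test-RequiredAuditPolicy
$result | Format-Table -AutoSize

if ($result.Ok -contains $false) {
    Write-Warning 'One or more required subcategories do not audit both Success and Failure.'
    # Re-check the GPO link and run gpupdate /force; the subcategory override
    # setting from the "Manage the Integrity" section must be enabled, otherwise
    # basic (category-level) policy can overwrite these entries.
}
```

A subcategory reported as “No Auditing” or “Success” only means the GPO did not apply to this machine or was overwritten by basic policy; the “Manage the Integrity of Advanced Auditing” setting above addresses the second case.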

Custom Views to Keep a Check

Once the security auditing of Active Directory has been enabled, you receive these events in the “Security” log under “Windows Logs” in Event Viewer. You can customize the view to keep a check only on critical and error logs. Follow the steps below:

  • Right-click on “Security” to access the context menu.
  • Click the “Create Custom View” option. It opens the “Create Custom View” dialog box.
  • Select “Critical”, “Error”, and “Warning” to show only these types of logs in the new custom view. Keep “Security” selected in “Event logs”.
  • Click “OK”. It opens the “Save Filter to Custom View” box.
  • You can provide a new name for this view.
  • It will be displayed under the “Custom Views” node. You can also create a new folder to hold this node by clicking “New Folder”.
  • The newly created custom view is displayed under “Custom Views”.
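The custom view created above is stored as an XPath filter, and the same filter can be run from PowerShell. This added example (not from the article) queries the Security log with the article’s level filter and, because Security events record their outcome as the Audit Success / Audit Failure keywords rather than as a level, also with a failure-only filter; it assumes an elevated session, which reading the Security log requires.

```powershell
# Added example, not part of the article: the custom view's filter as XPath
# for Get-WinEvent, plus a keyword-based variant for audit failures.

# Equivalent of the article's view: Security log, Critical(1)/Error(2)/Warning(3).
$ByLevel = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

# Security events carry their outcome in Keywords; this bit marks Audit Failure.
$AuditFailure = 0x10000000000000
$ByFailure = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,$AuditFailure)]]</Select>
  </Query>
</QueryList>
"@

function Get-SecurityView {
    param([string]$FilterXml, [int]$Max = 50)
    # -FilterXml accepts the same XML that Event Viewer stores for a custom view.
    Get-WinEvent -FilterXml $FilterXml -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, KeywordsDisplayNames, Message
}

'--- Level-based view (the article''s custom view) ---'
Get-SecurityView -FilterXml $ByLevel | Format-Table -AutoSize

'--- Audit Failure view (logon failures, denied object access) ---'
Get-SecurityView -FilterXml $ByFailure | Format-Table -AutoSize
```

Expect the level-based view to be sparse on the Security log; the Audit Failure view is the one that surfaces failed logons and denied registry or file-system access enabled in the earlier sections.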

The right pane in this window shows a list of actions you can perform, such as:

  • Import Custom View: It lets you import a custom view that was exported earlier.
  • Filter Current Custom View: Click it to customize the current view using the same dialog box, which you used to create it.
  • Properties: Click it to change the name and description of this view.
  • Find: Click it to search in the current view.

Other basic options let you rename, delete, or refresh the view.

Drawbacks of Native Auditing

After enabling the security auditing, you can browse Event Viewer and view the captured events in the “Security” log. However, there are a few drawbacks, listed below.

  • No predefined audit reports for Security Auditing.
  • More than one event is recorded for only one change.
  • No specific or detailed information about which object was accessed or changed.
  • No information about before- and after-values of a changed object.

What’s the solution?

You can make use of LepideAuditor for Active Directory, which has many features and lets you keep a live check on the changes being made in the Active Directory environment.

Summary

You can follow the steps above to enable the security auditing of Active Directory. Once you have verified their status, you can see the recorded events in the Security log of Event Viewer. To overcome the drawbacks of native auditing, LepideAuditor can be preferred.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2017 Lepide Software Private Limited. All trademarks acknowledged.