Windows Auditing: A Comprehensive Guide

Summary:

The ArcSight Professional Services guide titled "Best Practices for Windows Auditing" offers a comprehensive set of guidelines to configure auditing policies on Microsoft Windows platforms effectively. Here are some key properties where you might want to set up auditing, along with detailed steps and considerations as outlined in the passage: ### Properties Where You Want to Set Up Auditing: 1. **System Events**: Monitoring system access, including login attempts, logon events (both successful and failed), account management activities like creating or deleting user accounts, and changes to group memberships can provide valuable insights into potential unauthorized activities or security breaches. 2. **Object Access**: Auditing who accesses files and folders within the system is crucial for maintaining an audit trail that helps in understanding what resources are being accessed and by whom. This includes both file and folder access events. 3. **Privilege Use**: While it can generate noise, enabling this type of auditing might be necessary if there's a suspicion of privilege escalation attempts or unusual use patterns that could indicate malicious behavior. 4. **Process Tracking**: Auditing should be enabled only for specific processes that are expected to have irregular activity; otherwise, it can lead to an overwhelming amount of irrelevant data in the audit log. 5. **Log Clear Events**: Monitoring and auditing who clears the security logs is important as this might indicate attempts to conceal activities or manipulate evidence. ### Setting Up Auditing: 1. **Access Advanced Security Settings**: Navigate to the "Security" tab within the system properties, then click on "Advanced" to access advanced security settings. 2. **Navigate to Auditing Tab**: Within the advanced security settings, locate and click on the "Auditing" tab. 3. **Add a New Entry**: Click on "Add" to create a new entry where you can configure your auditing options. 4. **Configure Inheritance Carefully**: Be mindful of enabling inheritance as this might lead to excessive monitoring across different parts of the system, potentially resulting in log file bloating. 5. **Specify Users or Groups**: Define which users or groups should be monitored under this entry based on their roles and responsibilities that require specific auditing. 6. **Choose What to Audit**: Decide whether you want to audit file access, folder access, both files and folders, or specifically focus on the success/failure of certain actions like deletion. ### Testing Auditing: 1. **Create Sample Files**: Using a test user account (e.g., testarc), create some sample files that will be used for testing purposes. 2. **Trigger Audit Events**: Perform file deletion actions to trigger audit events related to access and deletions. 3. **Check Security Log**: Review the security log to verify whether the audited events are captured, confirming that the auditing setup is working correctly. ### Interpreting Events: 1. **Review Security Log**: Look for entries in the security log where file accesses and deletions should appear based on your configuration. 2. **Handle ID Matching**: Ensure that handle IDs match between related audit events to confirm a continuous chain of actions being tracked accurately. ### Policy Changes: 1. **Consider Relevance**: Enable auditing only when it is necessary for critical security monitoring scenarios, as broad application can lead to excessive log data that might not be actionable or useful. 2. **Avoid Unnecessary Auditing**: As mentioned in the text, avoid enabling audit policies that are unlikely to generate significant information and consider what events should be audited based on specific behaviors or suspicious activities. ### Conclusion: Auditing security events can significantly contribute to maintaining system integrity and compliance with security standards by providing a detailed record of user actions. However, it is important to balance the need for robust monitoring with the potential risks associated with excessive log generation that might obscure more significant issues. Proper configuration and selective enforcement of auditing policies are key to achieving an effective yet manageable security posture.

Details:

"ArcSight Professional Services: Best Practices for Windows Auditing" is a guide designed to help users configure auditing policies on Microsoft Windows platforms, focusing specifically on security-related events. The document outlines what should be audited, where to find audit policy settings, and how to interpret the results in ArcSight Enterprise Security Manager (ESM). It also provides an introduction for new users, explains intended audiences, and offers tips on using the document effectively. Key sections include:

• **What Should be Audited**: Covers various categories of events including logon events, account management, object access, policy changes, privilege use, process tracking, and more.

• **Where to Set Audit Policies**: Provides guidance on how to configure audit policies based on whether the system is local or part of a domain.

• **Finding Windows Events in ESM**: Explains how to locate and interpret the audited events within ArcSight ESM.

The document also includes references for future updates and clarifications, indicating it may be regularly updated with new information or corrections based on user feedback or changes in technology. The document outlines guidelines for setting up audit policies, detailing which events to monitor and where to find the necessary settings based on whether you're working locally or on a domain. It specifies that changes should be made by logging into the host as an Administrator and involves navigating through specific Control Panel paths depending on whether it's local or part of a domain. When making changes in a domain environment, ensure to update policies using gpupdate /force for them to take effect. The document also covers what types of events need auditing, particularly focusing on logon events which should be monitored both successfully and unsuccessfully across user accounts. To summarize the provided information about auditing in Windows Vista and Server 2008, it is important to understand which events need to be audited for specific purposes such as account management or object access. The audit policy settings vary depending on the operating system version, with some event IDs being exclusive to Windows XP, 2000, or 2003, and others having equivalent IDs in Vista and Server 2008. ### Account Management Audit Policy Settings:

• **Audit Success for Logon Events**: This includes auditing successful logons to the system.

• **Account Creation, Modification, Deletion**: Auditing these activities helps track user account changes.

• **User Account Enablement, Disablement, Renaming**: Monitoring these actions is crucial for maintaining accountability and security.

• **Password Setting or Changing**: This audit can help detect suspicious password changes that might indicate compromise.

**Event IDs (Windows XP/2000/2003) to Audit in Vista/Server 2008:**

• 4720 for account creation

• 4723 for user renaming

• 4724 for password changes

• Additional events from 4725 to 4764 and 4783 are also audited, depending on the specific actions (like disabling or enabling accounts).

### Object Access Audit Policy Settings:

• **Audit Specific Use Cases**: This is crucial as auditing everything under this category can fill up the security event log quickly. Focus audit policy settings based on the sensitivity and criticality of file access.

• **File Access Auditing**: Specifically, auditevents for files modified or deleted that are considered sensitive.

**Event IDs (Windows XP/2000/2003) to Audit in Vista/Server 2008:**

• Security events such as 560, 562, 564, and 567 related to file operations are relevant here.

### Summary: To audit these types of events effectively in Windows Vista and Server 2008, you need to set up the appropriate audit policies within the system settings. This involves auditing both success and failure conditions for logon events, account management activities (creation, modification, deletion), and specific use cases related to file access that are deemed sensitive or critical for your organization's security posture. By setting these audits, you can gain insights into potential unauthorized actions, changes, or accesses, which is essential for maintaining the integrity and security of your IT environment. To audit events in Windows Vista and Server 2008, you need to set up auditing policies that include both the success and failure of object access. This involves configuring the security settings of folders or files you wish to monitor. Here’s how you can do it step-by-step: 1. **Accessing Advanced Security Settings:**

• Open the folder properties where you want to set up auditing.

• Go to the "Security" tab and click on "Advanced".

• Navigate to the "Auditing" tab within the advanced security settings.

2. **Setting Up Auditing:**

• Click "Add" to create a new entry in the auditing section.

• Be cautious with inheritance options, as they can lead to excessive monitoring and log filling.

• Specify the users or groups you wish to monitor under this entry.

• Decide what exactly you want to audit: file access, folder access, both files and folders, etc. For this example, we will focus on auditing the success/failure of file deletion.

3. **Testing Auditing:**

• Create some sample files using a user account (e.g., testarc).

• Delete these files to trigger the audit events.

• Check the security log to see if the deleted files appear, confirming that auditing is working correctly.

4. **Interpreting Events:**

• You should observe two key events in the security log: one for file access and another for file deletion.

• Ensure handle IDs match between these related events to confirm a successful audit trail. The event showing file access will list the deleted filename, while the deletion event confirms the action.

5. **Policy Changes:**

• This auditing is typically used in specific scenarios where it adds significant value and should not be applied broadly without careful consideration due to potential log bloat.

This process involves setting up detailed auditing for security events that can help track unauthorized activities or changes to critical files and folders, ensuring compliance with security policies and troubleshooting issues related to access control and file integrity. The text discusses auditing security events, specifically in the context of Windows systems such as XP, 2000, and 2003, transitioning to Windows Vista and Server 2008. It highlights that when audit policies are enabled at a higher level, changes to the audit policy itself will be recorded with pluses (+) for enabled and minuses (-) for disabled. However, this high-level auditing can introduce noise in security event logs that is not very useful for monitoring purposes. The text also suggests specific categories of events that should or should not be audited: 1. **Privilege Use**: This category generates a lot of unnecessary noise in the security event log and does not provide significant value for security monitoring. Therefore, it is generally advisable to avoid enabling this type of auditing unless there are specific reasons to expect unusual behavior. 2. **Process Tracking**: Auditing should be reserved for situations where odd or unexpected behavior is observed. It is important to specify exactly what is being audited and use this category sparingly, as detailed tracking can quickly fill up the security event log with irrelevant data. 3. **Other Items To Note**: The text mentions that clearing of the audit log should be monitored closely. Every time a new audit log is created, an event will be recorded indicating this action. Monitoring users who clear the audit log can help identify individuals trying to cover their tracks or erase evidence of activities. 4. **Finding Windows Events in ESM**: Once audit events are captured in the Windows security log, they need to be transferred to a Security Information and Event Management (SIEM) tool like ArcSight via a Smart Connector for further analysis. A basic filter should be developed on an active channel within this SIEM tool to review these events effectively. In summary, while enabling comprehensive auditing can provide valuable insights into system activities, it is crucial to balance the need for security monitoring with considerations of log noise and relevance. The text provides guidance on which specific events and categories might not be beneficial or could even indicate suspicious behavior, making them worthy of closer scrutiny. The passage outlines a method for auditing and filtering events in an audit log, particularly focusing on new groups created either locally or globally. To achieve this, one should build a custom filter to identify these specific events within the log. Initially, it is recommended to review active channels of Microsoft Windows events from security logs within a defined timeframe as a starting point. The passage also addresses differences in event identification between older versions (Windows XP/2000/2003) and newer ones (Windows Vista/Windows 2008), advising to use different field names for searching: "deviceEventClassId=Security:" for older systems, and "deviceEventClassId=Microsoft-Windows-Security-Auditing:" for the latter.