Auditing – Making your life easier with Audit Logs.
What is auditing?
By now, I am sure everyone has heard the term auditing. Most of the time it involves an audit of a specific job, process, workflow, money trail, etc., to show its effectiveness, usefulness, and/or necessity. While some of that applies to auditing in Windows, for this guide we will be using a different definition: auditing is basically a measured standard or baseline of all system, application, and security events, so you can see what is actually going on while your computer is powered on and in the OS. Most of the auditing settings in Windows are set automatically to ensure that events are captured and logged, and that is what we will be talking about: audit logs and how to set them up. The logs are generated automatically and show a multitude of things, including (but not limited to) logons, permission changes, file deletions, hardware failures, etc. These logs are vital information for security as well as for troubleshooting when certain software or hardware fails or is about to fail. From this information we can determine the proper course of action to take to prevent, deter, and/or solve failures of hardware and software, and security events.
What do you mean?
Auditing is basically your computer writing a journal of everything that happens, from something as small as a CD having CRC errors (Cyclic Redundancy Check, or "cannot read" errors) to who and what has been accessing your computer, files, folders, etc. The idea is that if you do have trouble, all you have to do is read the journal at or near the time of the error and decide what you need to do to prevent or fix the problem (all audit log entries are timestamped.)
Why should I audit?
As previously stated, there is a wealth of information that your computer stores for your benefit. We will go over the different event logs in a later paragraph. What you need to know for now is that you can check these logs any time you need information about your system's processes and accesses, to ensure proper security protocols are being followed and that you and your information haven't been compromised.
How do I do that?
First off, let's check out where our logs are and how to view them. There are many ways to get to your event logs, but I will tell you the few ways I mostly prefer.
1. Right-click on My Computer and select Manage. Under System Tools in the right pane, double-click Event Viewer. From here you should notice a folder called "Windows Logs." If you expand that folder you should see at least three folders named Application, Security, and System.
(Note: there will possibly be more logs depending on what is installed on your machine.) [I will go over what each folder audits in one of the following paragraphs.]
2. Another way to access these logs is to open a Run dialog box, either by clicking Start then Run..., or by simultaneously pressing the Windows key (the key with the little Windows logo on it) and the "r" key. After the window comes up, type eventvwr and hit Enter.
After you open Event Viewer, go ahead and peruse the logs within each of the folders to familiarize yourself with them.
As stated before, there are three main event logs that we will focus on:
Application: This deals with all the logs that directly correlate with any software being run on your computer (e.g. Internet Explorer, Adobe, app installers, System Restore points, etc.)
Security: This deals with any accounts on the machine logging on, logging off, policy changes, etc. (e.g. an admin logs on and a log entry is created recording the time the account logged on.)
System: This deals with any hardware issue or system-related issue (e.g. CD-ROM failure, DNS resolver, Windows Update client, anti-virus updater, etc.)
Now that you know where your logs are located for reference purposes, let's walk through how to set up your logging in an efficient manner.
You will need to open another Run window (Windows key + r), type "secpol.msc" and hit Enter.
This will bring up the Local Security Policy applied to your machine. (Depending on whether you have global policy settings enforced, those will be the ones set on your local machine.)
Go ahead and expand the Local Policies folder; the first folder should say "Audit Policy." This is what we will be checking. Click on Audit Policy and you should see 10 or so different policies that can be set. I believe by default all of these are set to "No Auditing." (However, your machine will still audit most things.) Each of these items is self-explanatory. To change a policy, double-click it and change it if you wish (there is also an explanation of what each policy does/controls.)
A few that I always set are:
Audit account logon events
Audit account management
Audit object access
Audit policy change
Audit privilege use
Audit system events
For demonstration purposes, go ahead and set "Audit account logon events" and click OK. Log off and log back on, and you should have a new item in your log (in Event Viewer) showing that you logged on.
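The same policy changes done from the command line, as an added example that is not part of the original guide: auditpol enables the categories listed above (plus Logon/Logoff, assumed here because the 4624/4625 logon events come from that category), and Get-WinEvent then pulls the logon entries the demonstration says you should see.

```powershell
# Added example, not part of the original guide: enable the audit categories the
# guide recommends from the command line instead of secpol.msc, then confirm the
# result by reading recent logon events out of the Security log.
# Run from an elevated PowerShell prompt (auditpol needs administrator rights).
# Category names are auditpol's own; "Logon/Logoff" is added here because the
# logon events shown below (4624/4625) are written under that category.
$categories = @(
    'Account Logon',       # "Audit account logon events" in the guide
    'Account Management',
    'Logon/Logoff',
    'Object Access',
    'Policy Change',
    'Privilege Use',
    'System'
)

foreach ($cat in $categories) {
    # Record both successful and failed events for the category.
    auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# Print the effective policy so the change can be checked.
auditpol.exe /get /category:*

# Convert one Security event's EventData into a name/value table, so fields can be
# read by name rather than by position (positions differ between 4624 and 4625).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4624 = successful logon, 4625 = failed logon. Log off and on again as the guide
# says, then run this part to see the new entries.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData -Event $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']   # 2 = interactive, 3 = network, 10 = remote desktop
        }
    } | Format-Table -AutoSize
```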
Additionally, you can directly set which drives have logging on them, and you can make each log more granular by controlling what is logged and who is audited on these drives (e.g. reading folders, deleting files and folders, restricting access to logs.)
To do this, open My Computer, right-click on any drive and select Properties. Click the Security tab and then the Auditing tab. Unless you have set this already, you will most likely have no entries in the "Auditing Entries" box. To add a user, click Edit and then Add. Put your account name in there and hit OK. This should bring up an access control list showing what attributes and objects can be audited. Select the ones that you feel need to be audited and hit OK.
(Note: Next to the word "Access:" you should note that you can set either Success or Failure; this allows you the granularity of choosing which person or persons are audited and those who will be denied.) Also, you can set this on all child objects (files and folders) contained on the drive.
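The Auditing tab change above done from PowerShell, as an added example that is not from the original guide: it adds an audit entry (a SACL rule) to a folder for delete and write access, Success and Failure, inherited by all child objects, and then reads back the matching object-access events. The folder path is a placeholder, and the Object Access policy from the previous section is assumed to be enabled.

```powershell
# Added example, not from the original guide: set a file-system audit entry on a
# folder from PowerShell instead of the Properties > Security > Auditing dialog.
# Needs an elevated prompt (changing a SACL requires SeSecurityPrivilege) and the
# "Object Access" audit policy enabled, otherwise nothing is written to the log.
$path = 'C:\AuditDemo'   # placeholder folder, created if it does not exist
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

# Access types to watch: deleting, and writing data (file creation/modification).
$rights     = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, DeleteSubdirectoriesAndFiles'
# Apply to this folder and every child file and folder (the guide's "child objects").
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
# Success and Failure are the two choices next to "Access:" in the GUI.
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Audit everyone; narrow the identity to a specific account or group if wanted.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $rights, $inherit, $propagate, $auditFlags

# -Audit is required so Get-Acl/Set-Acl read and write the SACL, not only the DACL.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show the audit entries now present on the folder (what the GUI box would list).
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize

# Event ID 4663 = an audited access to an object actually took place. Create or
# delete a file under the folder, then run this to see the entries for it.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```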
Additional Info:
Audit Wiki:
http://en.wikipedia.org/wiki/Computer_security_audit
Command prompt commands:
http://en.kioskea.net/faq/403-command-prompts-for-windows
Standard Windows hot keys:
http://www.autohotkey.com/wiki/index.php?title=Standard_Windows_Hotkeys
Good luck, protect yourself and if you require any more information, feel free to send me a PM.
-mrface