One of the main aspects of security is the maintenance and to do that correctly the administrator needs to be able to track changes that are done in the environment. There are a lot of challenges on this area and one of the biggest challenge is to log what needs to be logged without overwhelm the server.
When I was working in the platforms team I remember that I received a call from a customer saying that he wants to know who deleted a record on his DNS Zone. First question was: do you have an audit policy for DNS enable? He was like: what is that? After review his environment I saw that the auditing was enabled, but not for the Active Directory Objects (his DNS Zone was integrated to AD).
This post will walk through the Auditing configuration of a DNS Zone (AD Integrated) on Windows Server 2003.
2. Preparing the Environment
There are three steps to prepare the environment:
· Verify if the Audit Policy called Audit Directory Service Access is enabled and what is the setting.
· Enabled the Auditing on the DNZ Zone that you want to audit.
· Use the Event Viewer to find out which object of modified (in this case the example will be an object deletion).
3. Configuring the Audit Policy
Open the Default Domain Controllers Policy, and check if the policy highlighted below is selected just like that:
Figure 1 – Configuring Upload and Download Policy.
In my case I changed to audit Success and Failure, but the final configuration will be according to your needs.
4. Configuring the DNS Zone
Now that we have enabled the Audit Policy to all Domain Controller in the domain, we need to change the DNS Zone. To do that follow the steps below:
1) Open ADSIEdit (Start / Run / ADSIEDIT.msc)
2) Right click in the ADSI Edit and click in Connect To…
3) In the Connection Settings window, configure just like show below:
Figure 2 – Connection Setting.
Note: Change the dc= to reflect your domain name.
4) After that click OK.
5) Now expand the container until you get to the same node as show below:
Figure 3 – Configuring the Zone.
5) Right click in the name of the zone located under CN=MicrosoftDNS and click in Properties.
6) Click in Security and then Advanced.
7) Click in Auditing and click in Add.
8) Type Everyone and click OK. Add the following type of access:
· Write All Properties
· Delete Subtree
9) Click OK on all three windows.
Now we are ready to log !!
For testing purpose I delete the record called work01 and here what you should see on the security event log:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Time: 7:33:51 PM
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=work01,DC=contoso.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=msft
Handle ID: -
Primary User Name: DCCONT$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x19062D)
Accesses: Write Property
Default property set
Access Mask: 0x20
Note the following points in red (from top to down):
· The event type: the user was able to successfully perform this operation.
· Category: the object was categorized as a DS Object.
· User: the name of the user that performed this operation.
· Object Name: the complete path from where the object was located.
· dNSTombstoned: this is probably the only one that is not friendly. This attribute is logged whenever an object is deleted. For more information review the DNS-Tombstoned Attribute at MSDN.
This simple action can help you to track changes on your DNS Zone and prevent security compliance issues when auditors approach to review your environment.
Disclaimer: This article was originally posted in Portuguese on 09/08/2006 at Microsoft Latam Team Blog.
I've checked: it works if you change audit settings in DNS console =)
This is great ! But What is the event id for Windows 2008 / R2 ?
event ID in Win2k8 R2 for this is 4662
What's the differnece between this and seeting up debug logging?
Debug logging will not provide details on who changed a zone, only information regarding the fields described in this article http://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx