Windows Server 2008 – AD Auditing Enhancements

David Tesar — Thu, 29 Nov 2007 03:50:00 GMT

I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.

There’s nothing more exciting than auditing right? Well, check this out and hopefully it will spark some interest.

In Windows Server 2003 R2 and prior, the auditing of active directory certainly has not been a strong point. You would enable or disable global AD auditing for success or failures, set a SACL on the objects you wanted to monitor, and then typically one or both of the following would happen:

Your security event log fills up with way more security events than you’d ever hoped for, possibly wrapping or ballooning the size of the security log.
Auditing doesn’t actually provide enough information for you to make any use of the events which are recorded in the security event log. i.e. it only says who was successful at modifying the object, but nothing on the details of the value(s) which were changed.

In Server 2008, we are on a good path to fix this pain. Some of the key improvements to AD auditing are as follows:

You can limit the number of attributes which are audited for object types. For instance, you only want to know if the Employee’s Pay Level attribute is modified for all user accounts and nothing else.
Auditing is now broken into four categories: Access (same as 2000/2003), Changes, Replication, and Detailed Replication. The most interesting come from the new changes category:

AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
If a new object is created, values of the attributes that are populated at the time of creation are logged.
If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
If an object is undeleted, the location where the object is moved to is logged.

What are the downfalls?

You have to modify the schema in order to limit the number of attributes which are audited per object type. This isn’t really difficult, but it would be nice if there were some friendlier type way to do it.
You cannot view or modify the audit policy subcategories with the Local Group Policy Editor (GPedit.msc). You can only do this with the command-line tool Auditpol.exe.
As far as I can tell, you can’t limit auditing to different specific attributes for a subset of the same type of object. For instance, you would like to audit attributes X, Y, Z for all admin user accounts, but only attribute X for all regular user accounts. Of course you have some control over this with your SACLs…

Get Started:

A screencast on How to enable granular AD auditing in WS08 (coming in the future from me
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
TechNet - AD DS: Auditing
Windows Networking Site AD enhancements overview
MS Directory Services Team Blog Posts on:
WS08 Auditing Enhancements and Cool Auditing Tricks in Vista and 2008

Please comment on the same post on TechNet Edge.

Technorati tags: Windows Server 2008, AD, Active Directory, Auditing

IT Pro Momentum Program (like a TAP or RDP)

David Tesar — Tue, 27 Nov 2007 02:21:00 GMT

Would you like to learn about or use Windows Server 2008, SQL Server 2008, or the next version of Forefront Edge? If you're based in USA and 'fit the bill', I'll get you an invite to the IT Pro Momentum portal. If you're in Ireland - contact Dave Northey. You can profile a project which uses one of the above mentioned technologies in your company's environment and receive benefits as your project moves along from Evaluate, through Plan and Pilot. Details below:

And as soon as you're ready to share your experiences with the wider community, let me know and I can help you make that happen (include you in our TechNet newsletter, post details about you on my blog, help you find an attentive audience to listen to you, whatever).

Also, if you have a great story about how your company is already using one of the above mentioned technologies - please let me know and I can help you out too. You can see a quick video of what some existing customers have already done here: Stories of IT Pros adopted new technologies through Momentum.

Please email me if you are interested.

Thanks,

Dave.

Edge is Coming!

David Tesar — Tue, 30 Oct 2007 04:10:00 GMT

I recently found out about some big news inside of Microsoft here. There is something called "Edge" coming out in the future. Unfortunately at this time, I can't really say any more about it - other than it's going to be really sweet!

Technorati tags: Microsoft, Edge

eXtreme. tech. : Edge

Windows Server 2008 – AD Auditing Enhancements

IT Pro Momentum Program (like a TAP or RDP)

Edge is Coming!