Vista & Server 2008's Auditing Capabilities More Granular than Being Reported
Server 2008's new auditing capabilities for Active Directory accesses are getting a lot of hype in the press and the blogosphere. The main feature being touted is the separation of the old "Audit Directory Service Access" category into four separate subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Access
I'll admit that I've been pushing this meme as well, to the exclusion, as I've recently learned, of a whole set of new auditing subcategories. In doing a little research this week, I found that Vista's and Server 2008's nine original auditing categories have actually been broken out into 50 individual subcategories.
As an example, the original auditing category "Audit account management" now has six separate subcategories that you can enable or disable to specifically target the type of auditing of interest. Those six subcategories are:
- User Account Management
- Computer Account Management
- Security Group Management
- Distribution Group Management
- Application Group Management
- Other Account Management Event
Randy Franklin Smith has a great run-down of each of the new 50 subcategories at this site: http://www.ultimatewindowssecurity.com/newauditpol/
The only downer about Microsoft's implementation of these subcategories is that they're not presently Group Policy configurable. The nine major categories can be managed via Group Policy, but I have had no success in finding any ability for GP to manage the subcategories.
To enable or disable these subcategories, you'll need to use the command-line tool auditpol.exe.
Auditpol.exe isn't the best-documented tool in Microsoft's stable. Running it with the "/?" switch doesn't give you any way to view the list of subcategories of interest; you'll need to know their names from outside the tool. Moreover, the tool's help text also discusses using it to set SDDL permissions on objects and to refer to categories and subcategories by GUID -- a process that few of us are likely to use.
So, in this void of acceptable information, here's a little cheat sheet on how to use auditpol.exe to manage categories and subcategories.
- To configure success auditing for the account management category with all subcategories use the command: Auditpol /set /category:"account management"
- To enable both success and failure auditing on only the Computer account management subcategory of the account management category use the command: Auditpol /set /subcategory:"computer account management" /success:enable /failure:enable
- To view the current settings for the account management category with all subcategories use the command: Auditpol /get /category:"account management"
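Because the subcategories can't be pushed out by Group Policy, it's worth scripting a check that the auditpol settings on a box actually match what you intended. The following is an added example (not from the original post): it parses the text that "auditpol /get /category:"account management"" prints, compares it to a desired policy, and emits the auditpol /set commands needed to close any gaps. The sample output is constructed to mirror auditpol's layout (indented subcategory rows followed by Success, Failure, Success and Failure, or No Auditing), so feed it the real command's output on a live system.

```python
"""Compare 'auditpol /get' output against a desired subcategory policy.

Added example, not code from the original post. SAMPLE_OUTPUT is a
constructed imitation of the layout auditpol /get prints; the subcategory
names are those of the Account Management category on Server 2008.
"""
import re

# Constructed sample output (layout assumed to match auditpol /get).
SAMPLE_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
Account Management
  User Account Management                 Success
  Computer Account Management             Success and Failure
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         Success
"""

# Desired state for each subcategory as (audit_success, audit_failure).
DESIRED = {
    "User Account Management": (True, True),
    "Computer Account Management": (True, True),
    "Security Group Management": (True, True),
    "Distribution Group Management": (True, False),
    "Application Group Management": (True, False),
    "Other Account Management Events": (True, False),
}

ROW = re.compile(r"\s+(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")

def parse_auditpol_get(text):
    """Return {subcategory: (success, failure)} from auditpol /get text.
    Only indented rows are subcategories; headers and the category line are skipped."""
    settings = {}
    for line in text.splitlines():
        m = ROW.match(line) if line.startswith("  ") else None
        if m:
            name, setting = m.group(1), m.group(2)
            settings[name] = ("Success" in setting, "Failure" in setting)
    return settings

def check_policy(text, desired=DESIRED):
    """Return the auditpol /set commands that bring the live settings to 'desired'.
    A subcategory missing from the output is treated as not audited at all."""
    current = parse_auditpol_get(text)
    flag = lambda on: "enable" if on else "disable"
    return [
        f'auditpol /set /subcategory:"{name}" /success:{flag(s)} /failure:{flag(f)}'
        for name, (s, f) in desired.items()
        if current.get(name, (False, False)) != (s, f)
    ]
```

Run check_policy() over the saved output of the /get command and the returned list is exactly the set of /set commands still to be applied; an empty list means the box matches the desired policy.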
There are other capabilities with the tool, but these will get you started. I'm in the process now of authoring a white paper about just these configurations for a Realtime sponsor. Once that paper is released, I'll provide a link here so you can learn more about it.
