This article takes a deeper look at the new Active Directory Domain Services auditing capabilities in Windows Server 2008.
New Default Auditing Settings in Group Policy
Windows 2000 Server and Windows Server 2003 enabled auditing for a number of policies by default. However, Windows Server 2008 does not define these global audit settings by default. These settings are instead defined by using the new auditing subcategories. This may seem as though auditing is not configured by default, however this is not the case. The configuration of the global audit settings is inherited by the subcategories below that global audit setting. Therefore, Microsoft chose to configure specific subcategories by default, which is covered in the next section.
New Auditing Subcategories
As previously mentioned, Windows Server 2008 introduces auditing subcategories. The following table shows the subcategories below each global audit setting, as well as the default configuration for each audit subcategory.
Global Audit Setting | Subcategory | Default Setting |
| Audit Account Logon Events | Kerberos Service Ticket Operations | Success |
| Other Account Logon Events | No Auditing | |
| Kerberos Authentication Service | Success | |
| Credential Validation | Success | |
| Audit Account Management | Computer Account Management | Success |
| Security Group Management | Success | |
| Distribution Group Management | No Auditing | |
| Application Group Management | No Auditing | |
| Other Account Management Events | No Auditing | |
| User Account Management | Success | |
| Audit Process Tracking | Process Termination | No Auditing |
| DPAPI Activity | No Auditing | |
| RPC Events | No Auditing | |
| Process Creation | No Auditing | |
| Audit Directory Service Access | Directory Service Changes | No Auditing |
| Directory Service Replication | No Auditing | |
| Detailed Directory Service Replication | No Auditing | |
| Directory Service Access | Success | |
| Audit Logon Events | Logoff | Success |
| Account Lockout | Success | |
| IPsec Main Mode | No Auditing | |
| IPsec Quick Mode | No Auditing | |
| IPsec Extended Mode | No Auditing | |
| Special Logon | Success | |
| Other Logon/Logoff Events | No Auditing | |
| Logon | Success and Failure | |
| Audit Object Access | File System | No Auditing |
| Registry | No Auditing | |
| Kernel Object | No Auditing | |
| SAM | No Auditing | |
| Certification Services | No Auditing | |
| Application Generated | No Auditing | |
| Handle Manipulation | No Auditing | |
| File Share | No Auditing | |
| Filtering Platform Packet Drop | No Auditing | |
| Filtering Platform Connection | No Auditing | |
| Other Object Access Events | No Auditing | |
| Audit Policy Change | Authentication Policy Change | Success |
| Authorization Policy Change | No Auditing | |
| MPSSVC Rule-Level Policy Change | No Auditing | |
| Filtering Platform Policy Change | No Auditing | |
| Other Policy Change Events | No Auditing | |
| Audit Policy Change | Success | |
| Audit Privilege Use | Non Sensitive Privilege Use | No Auditing |
| Other Privilege Use Events | No Auditing | |
| Sensitive Privilege Use | No Auditing | |
| Audit System Events | Security System Extension | No Auditing |
| System Integrity | Success and Failure | |
| IPsec Driver | No Auditing | |
| Other System Events | Success and Failure | |
| Security State Change | Success |
Source: http://www.enterpriseitplanet.com/networking/features/article.php/3797931
0 comments:
Post a Comment