OVERVIEW: Audit Directory Service Access
The Audit directory service access policy provides a low-level audit trail of changes to objects in AD. The policy tracks the same activity as Audit account management events, but at a much lower level. By using this policy, you can identify exactly which fields of a user account or any other AD object were accessed. Audit account management events provides better information for monitoring maintenance to user accounts and groups, but Audit directory service access is the only way to track changes to OUs and GPOs, which can be important for change-control purposes.
The following is an excerpt from my book, The Windows Server Security Log Revealed:
Whereas Account Management events provide excellent auditing of user, group, and computer maintenance, Directory Service Access events make low-level auditing available for all types of objects in AD. Directory Service Access events not only identify the object that was accessed and by whom but also document exactly which object properties were accessed. Directory Service Access events work a lot like Object Access events because you must first enable the audit policy at the system level, then activate auditing on the specific objects you want to monitor. To enable auditing on a file, open the file’s Properties dialog box from within Windows Explorer, select the Security tab, click Advanced, and then select the Auditing tab on the Advanced Security Settings dialog box. To enable auditing on an AD object, follow the same path but from within the Active Directory Users and Computers snap-in (rather than Windows Explorer), as Figure 9-1 shows. Then, specify the permissions you want to audit when users request access to the object.
Figure 9‑1 Audit policy for an OU

At this point, the procedure for auditing AD objects diverges a bit from file-system auditing. For files, you simply select auditing for the permissions that can be performed against the file. However, AD has two types of operations: operations performed against the object, and Read and Write operations against individual properties of the object. These two types of operations correspond to the Object and Properties tabs that Figure 9‑2 shows.
Figure 9‑2 Auditing entry for an OU
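The same per-property auditing the Properties tab configures can be applied with a script, which also covers attributes the GUI does not list. The following is an added example, not from the book or the article; it assumes the ActiveDirectory module, SeSecurityPrivilege on the domain controller, and the placeholder OU and attribute names shown, and it still requires the system-level audit policy to be enabled.

```powershell
# Added example: add SACL entries for Write Property on selected attributes
# of one OU, mirroring the Properties tab of the Auditing Entry dialog.
Import-Module ActiveDirectory

$ouDn       = 'OU=Servers,DC=example,DC=com'   # placeholder target OU
$attributes = @('gPLink', 'gPOptions', 'ou')   # properties whose writes to audit

# An audit rule references a property by its schemaIDGUID, not its name,
# so resolve each lDAPDisplayName against the schema partition.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guids = foreach ($name in $attributes) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$name' not found in schema" }
    [PSCustomObject]@{ Name = $name; Guid = [guid]::new([byte[]]$obj.schemaIDGUID) }
}

# Audit Everyone (S-1-1-0) for success and failure of Write Property on each attribute.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$acl = Get-Acl -Path "AD:\$ouDn" -Audit
foreach ($g in $guids) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        $g.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read the SACL back so the new entries can be verified (ObjectType is the attribute GUID).
(Get-Acl -Path "AD:\$ouDn" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType
```

Once the entries are in place, writes to those attributes show up in the Directory Service Access events this category generates.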
For a list of Event IDs generated by this category, see the Security Log Encyclopedia.
Bottom Line

- Windows XP, 2000 and 2003: I recommend enabling this policy for success on domain controllers, as well as enabling auditing on the root of the domain, OUs and GPOs for modification of important properties.
- Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: DS Access (Windows Server 2008 and Vista).
User Comments
Hey Randy, does audit work on custom object attributes as well? For example, if you extend a data object with some additional fields, would they be covered by the "Read All Properties" option? Or does it only cover standard object attributes?
Max,
I haven't tested it but my gut says yes, Read All Properties would do the job. Also, you should be able to add an ACE specifically for the new attribute - the secret is dssec.dat. I need to do a post about dssec.dat on my site but I have an old article about it at Windows IT Pro http://www.windowsitsecurity.com/WindowsSecurity/article/articleid/9187/setting-active-directory-property-permissions.html. Not as detailed but open to non subscribers is http://windowsitpro.com/article/articleid/25732/access-denied-editing-the-dssecdat-file.html
I'm not sure I understand. You say you recommend enabling this on Win2k/Win2k3, but from looking at the event IDs associated with this auditing feature, the only relevant ones exist for Win2k8 only. The only ones that exist for 2k/2k3 are object open and object operation, neither of which seem to capture relevant information for OU and GPO changes. So my question is, will this auditing feature capture information pertaining to OU and GPO changes? If so, what event IDs are associated with them? Thanks.
Ben,

Yes, this category is very important on Win2k/Win2003 and the object access event 566 includes the ability to audit OUs and GPOs, but there are a few steps to setting it up and you have to know what to look for in the security log. To help you with that I have a free webinar recording you can watch: "Top 10 Active Directory Changes to Monitor in the Security Log" at http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=35