ACS – Configuring auditing on Windows 2008 R2


With Windows 2008, Microsoft introduced granular (advanced) audit policy settings. In the first release these could only be set locally with auditpol; with Windows 2008 R2 the same settings can also be set via GPO. This granularity is key to auditing exactly what you need without putting too much load on your servers, and on ACS if you have implemented it.

During one of my periodic audits at a customer with a small ACS implementation (about 100 servers) I noticed that Windows 2008 R2 file servers were returning only a subset of the events they were expected to collect. They had been configured to receive a company-wide GPO for generic auditing, with file access auditing set locally through auditpol. The GPO was using old style (Windows 2003) auditing settings.


When I ran RSOP (gpresult) everything seemed OK, but nevertheless not all the auditing events were logged. I then turned to auditpol, and the result was completely different, and consistent with what I could see in the event log. It turned out that you must not mix old style and new style auditing policies, and that you had better not use auditpol to set local policies. To get rid of the issue I WMI-filtered the old audit GPO so that it applies only to pre-Windows 2008 R2 systems (select * from win32_operatingsystem where version < '6.1') and added a new GPO for Windows 2008 R2 systems (select * from win32_operatingsystem where version > '6.1'). In this specific environment we have a bunch of Windows 2008 servers that are managed as Windows 2003 ones with respect to auditing policies.

What I learned is:

  • if you intend to use advanced audit settings, the only reliable tool to know the exact effective audit policy is auditpol (auditpol /get /category:"*")
  • auditpol /set is not reliable, at least when GPOs are applied with old style audit settings
  • don't mix old style and advanced auditing
  • RSOP is not reliable if you use advanced auditing

On the same note, I would advise turning off Filtering Platform auditing (on by default on Windows 2008 R2): it generates tons of events, and if you're not sure you need them, you had better leave them off.
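The following PowerShell is an added example, not code from the original post: it reads the effective audit policy the way the lessons above recommend (auditpol rather than RSOP), compares it against a baseline that includes the File System subcategory and the Filtering Platform subcategories, and evaluates the two WQL filters from the post to show which audit GPO would apply to the local host. The baseline values and function names are constructed for illustration, and the script assumes an English-language system because auditpol's output is localized.

```powershell
# Added example (not from the original post): check the *effective* audit policy
# via auditpol and flag subcategories that differ from a baseline.
# Baseline values are constructed for illustration; adjust them to your standard.
$Baseline = @{
    'File System'                      = 'Success and Failure'  # file access auditing the file servers needed
    'Filtering Platform Connection'    = 'No Auditing'          # noisy WFP subcategories the post suggests leaving off
    'Filtering Platform Packet Drop'   = 'No Auditing'
    'Filtering Platform Policy Change' = 'No Auditing'
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # Values are localized; this example assumes an English system.
    auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |     # skip any blank line before the CSV header
        ConvertFrom-Csv
}

function Compare-AuditPolicy {
    param([hashtable]$Expected)
    $effective = Get-EffectiveAuditPolicy
    foreach ($name in $Expected.Keys) {
        $row    = $effective | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Expected    = $Expected[$name]
            Effective   = $actual
            Status      = if ($actual -eq $Expected[$name]) { 'OK' } else { 'MISMATCH' }
        }
    }
}

# Evaluate the post's WMI filter queries locally. Win32_OperatingSystem.Version is a
# string (e.g. "6.1.7601"), so the < and > comparisons are string comparisons.
function Test-WmiFilterMatch {
    param([string]$Wql)
    [bool](Get-WmiObject -Query $Wql)
}

$report = Compare-AuditPolicy -Expected $Baseline
$report | Format-Table Subcategory, Expected, Effective, Status -AutoSize

"Legacy (pre-2008 R2) audit GPO applies: " + (Test-WmiFilterMatch "select * from win32_operatingsystem where version < '6.1'")
"Windows 2008 R2 audit GPO applies     : " + (Test-WmiFilterMatch "select * from win32_operatingsystem where version > '6.1'")

# Non-zero exit code so a scheduled run can alert on drift between RSOP and reality.
if (@($report | Where-Object { $_.Status -eq 'MISMATCH' }).Count -gt 0) { exit 1 }
```

Run it in an elevated prompt on the file server itself; comparing its output with gpresult is the quickest way to spot the kind of mismatch described above.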


Resources that helped me:

http://www.networksteve.com/forum/topic.php?TopicId=3516

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/0486c801-8980-4afa-8fee-8cc1409c3ee2

http://support.microsoft.com/kb/921468

http://blogs.technet.com/b/asiasupp/archive/2010/12/14/secpol-can-t-detect-the-audit-policy-s-change-that-modified-through-auditpol-command.aspx

http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx

– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.
