Auditing?

Discussion in 'General Microsoft Certifications' started by MrNice, May 23, 2005.

  1. MrNice

    MrNice Kilobyte Poster

    Hi all,
    This is one of several questions seriously doing my head in, if anyone has any insight I would be most grateful.

    I administer an active directory based network. All computers in the accounts department belong to the accounting organizational unit, and all employees in that department belong to the accounting group. You suspect someone has been trying to gain unauthorised access over the network to shared files on the computers in accounting. You want to identify that person without affecting other computers and by using the least administrative effort. 2 choices

    a. Enable an audit policy for the accounting OU
    b. Enable auditing for the everyone group for the shared files on the computers in accounts
    c. Enable an audit policy for each computer in the accounting OU individually
    d. Enable auditing for the accounting group

    I would go for b as part of the answer as you would need to audit everyone in order to find out the culprit, no good only auditing certain accounts right?
    I also know auditing is off as default so I would need to turn it on but the difference between a and d I am unsure. I am also sure I read c is possible as you do need to set up each pc to audit individually?
    Please help!
     
  2. MrNice

    MrNice Kilobyte Poster

    As a follow up I would go for
    B. Enable auditing for the everyone group for the shared files on the computers in accounting, as I think B and D are the same thing but D is for the accounting group who already have access to these files, so it must be B.
    I also think A & C are the same but you need to set up an audit policy on each computer in the OU individually rather than just for the OU itself.
    Please correct me if I am wrong! :oops:
     
  3. Phil
    Honorary Member

    Phil Gigabyte Poster

    One of the key statements in the question is with the least administrative effort. B and C will involve a lot of work.
     
    Certifications: MCSE:M & S MCSA:M CCNA CNA
    WIP: 2003 Upgrade, CCNA Upgrade
  4. zcapr17

    zcapr17 Nibble Poster

    Here's my thoughts on the question:

    Implied Objective: Enable auditing for anyone trying to access files over the network residing on the computers in the accounting dept only.

    A & C achieve the same result, however A obviously involves the least administrative effort. So check A and discard C.

    D is ambiguous. If we take it to mean enabling auditing in general on the computer then it is incorrect as auditing is enabled on a per computer basis, not per user basis. If we take it to mean enabling auditing on the file objects it is also incorrect as we can assume that the unauthorised user(s) we need to audit are not in the accounting group. So discard D.

    I am now sure that B forms part of the answer, as it is complementary with answer A, and is the only one that specifies an audit policy on the files concerned. Remember that auditing is a three part process:
    1. Enable auditing on the computer (logon, object, privilege, etc. : success/failure).
    2. Enable auditing on the objects you want to audit (files, printers etc), this is similar to the way you configure ACLs.
    3. Review the audit logs regularly!
    Answer A covers part 1, and answer B covers part 2.

    Note, B does seem like a lot of work, however I think it could be done by using a security template applied to the accounting OU also (I am fairly sure that auditing can be included in security templates, but I've never done it and it's probably beyond the scope of this exam).

    z.
     
    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
  5. zcapr17

    zcapr17 Nibble Poster

    Update: yes, auditing of file system objects can be configured in a Security Template.

    So here is how I would tackle the problem in real life:
    1. Create a new Security Template.
    2. In "Local Policies">"Audit Policy", enable auditing of Object Access for both Success and Failure.
    3. In "File System", configure an object representing the folders that are being shared (this assumes a similar configuration on all computers).
    4. Set an Auditing entry for NETWORK*: Success (full control) & Failure (full control) on the object. [ You have to go to the properties of the object, then click "Edit Security", then "Advanced", then the "Auditing" tab.]
    5. Additionally, I would also set the folder permissions to lock down any unauthorised access in the first place!
    6. Now, create a new GPO and import the Security Template into it.
    7. Apply the GPO to the accounting OU.
    *: Note, "NETWORK" is a special built-in security group representing users who are connecting remotely - we don't need to audit local users.

    8)

    z.
     
    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
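The three-part process from the two posts above (enable auditing on the computer, put an auditing entry on the shared folder for NETWORK, then review the log), as an added PowerShell example that is not the poster's own steps: it applies the same settings on a single computer with auditpol and the .NET SACL API instead of a security template and GPO. It assumes a constructed share path of C:\Shares\Accounts and a Vista-or-later host, where the Security log event IDs are 4656 and 4663.

```powershell
# Added example, not from the thread: one-computer version of the procedure.
# Assumption: the shared folder is C:\Shares\Accounts (constructed path).
# Run from an elevated session; editing a SACL needs SeSecurityPrivilege.
$SharePath = 'C:\Shares\Accounts'

# Step 1: enable auditing on the computer (Object Access, Success and Failure).
# This is the local equivalent of the template's "Audit Policy" setting.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Step 2: add an auditing entry on the folder for the built-in NETWORK identity,
# so only access arriving over the network is recorded, not local logons.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\NETWORK',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Check that the entry landed: expect NETWORK with AuditFlags "Success, Failure".
(Get-Acl -Path $SharePath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Step 3: review the log. 4656 = handle requested (failures show denied attempts),
# 4663 = object accessed. Grouping by account shows who is probing the share.
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$SharePath*" } |
    Group-Object { $_.Properties[1].Value } |   # Properties[1] is SubjectUserName
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

To roll the same settings out to every computer in the accounting OU rather than one machine, the audit policy and the folder's auditing entry go into a security template imported into a GPO linked to that OU, as the post describes.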
  6. MrNice

    MrNice Kilobyte Poster

    Thanks for the input,

    I was going for C as every time I read about auditing it states you need to set it up on each computer individually. Can you audit an OU?
     
  7. zcapr17

    zcapr17 Nibble Poster

    Now you mention it, option A is also ambiguous. I was taking it to mean "enable object auditing in a GPO and apply the GPO to the accounting OU", as opposed to enabling auditing specifically on the OU object in AD (which wouldn't offer a solution to the problem). I am pretty sure the first interpretation is the intended interpretation, as not even M$ are that pedantic. Hence I still think A is correct.

    Yes, you can audit an OU object, open an OU's properties in ADUC and go to the security tab, then click "Advanced", then the "Auditing" tab. There are over 70 options! Note also that some auditing is enabled by default.

    You definitely don't have to set auditing policy individually on each machine, you can do it with a GPO. I've done this loads of times.

    If in doubt, set up a test domain and try it!

    z.
     
    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
