Advanced Security Auditing in Windows 7 and Windows Server 2008 R2

This article is a work-in-progress. Please help update and extend it. If you add new security auditing topics, please add a link to the new topic at the bottom of this page. It is the Wiki way!

Security auditing allows you to track the effectiveness of your network defenses and identify attempts to circumvent them. There are a number of auditing enhancements in Windows Server 2008 R2 and Windows 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies. These enhancements include:

  • Global Object Access Auditing. In Windows Server 2008 R2 and Windows 7, administrators can define computer-wide system access control lists (SACLs) for either the file system or registry. The specified SACL is then automatically applied to every single object of that type. This can be useful both for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs.
  • "Reason for access" reporting. This list of access control entries (ACEs) provides the privileges on which the decision to allow or deny access to the object was based. This can be useful for documenting the permissions, such as group memberships, that allow or prevent the occurrence of a particular auditable event.
  • Advanced audit policy settings. These 53 new settings can be used in place of the nine basic auditing settings under Local Policies\Audit Policy to allow administrators to more specifically target the types of activities they want to audit and eliminate the unnecessary auditing activities that can make audit logs difficult to manage and decipher.

The following sections describe these enhancements in greater detail.
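The three enhancements above can all be exercised from the command line on a single computer before they are rolled out through Group Policy. The PowerShell script below is an added example, not code from the article or from Microsoft: it enables the object-access subcategories with Auditpol.exe (advanced settings), defines a computer-wide file and registry SACL (Global Object Access Auditing), and then reads back the newest object-access events, which carry the "Access Reasons" section once the Handle Manipulation subcategory is on ("reason for access"). The principal BUILTIN\Users and the access mask FW are assumptions chosen for illustration; the Auditpol.exe switches used are the ones the tool documents. Run it from an elevated session.

```powershell
# Added example (not from the original article): configure advanced audit
# subcategories and Global Object Access SACLs with Auditpol.exe on a
# Windows 7 / Windows Server 2008 R2 computer, then verify the result.
$ErrorActionPreference = 'Stop'

# Subcategories involved in object-access auditing. "Handle Manipulation" is
# the one that adds the "Access Reasons" field to 4656 events.
$subcategories = @('File System', 'Registry', 'Handle Manipulation')

foreach ($sub in $subcategories) {
    # Subcategory-level (advanced) setting, used instead of the broad
    # "Audit object access" category under Local Policies\Audit Policy.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Global Object Access Auditing: one SACL that Windows applies to every file
# (type:File) and every registry key (type:Key). Principal and mask are
# assumptions: audit failed generic-write (FW) attempts by members of Users.
auditpol.exe /resourceSACL /set /type:File "/user:BUILTIN\Users" /failure /access:FW | Out-Null
auditpol.exe /resourceSACL /set /type:Key  "/user:BUILTIN\Users" /failure /access:FW | Out-Null

function Get-AuditSubcategorySetting {
    param([string]$Subcategory)
    # /r makes Auditpol.exe emit CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting); blank lines are
    # dropped before parsing so the header is read correctly.
    auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Confirm each subcategory now reports "Success and Failure".
$subcategories | ForEach-Object { Get-AuditSubcategorySetting $_ } | Format-Table -AutoSize

# Show the computer-wide SACLs that were just defined.
auditpol.exe /resourceSACL /view /type:File
auditpol.exe /resourceSACL /view /type:Key

# Newest handle-open (4656) and object-access (4663) events. With Handle
# Manipulation enabled, 4656 includes "Access Reasons", i.e. the ACE on which
# the allow/deny decision was based. -ErrorAction keeps an empty log from
# terminating the script.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
                  @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Global Object Access SACLs are additive to any SACL already on an object, so expect the Security log volume to rise sharply on busy file servers; start with failure auditing on a narrow principal, as above, and widen it only after measuring the event rate.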

What do these auditing enhancements do?
In Windows XP, administrators have nine categories of security auditing events that they can monitor for success, failure, or both success and failure. These events are fairly broad in scope and can be triggered by a variety of similar actions, some of which can generate a large number of event log entries.

In Windows Vista® and Windows Server 2008, the number of auditable events is expanded from nine to 53, which enables an administrator to be more selective in the number and types of events to audit. However, unlike the nine basic Windows XP events, these new audit events are not integrated with Group Policy and can only be deployed by using logon scripts generated with the Auditpol.exe command-line tool.

In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 make it easier for IT professionals to track when precisely defined, significant activities take place on the network.

Audit policy enhancements in Windows Server 2008 R2 and Windows 7 allow administrators to connect business rules and audit policies. For example, applying audit policy settings on a domain or OU basis will allow administrators to document compliance with rules such as:

  • Track all group administrator activity on servers with finance information.
  • Track all the files that are accessed by defined groups of employees.
  • Confirm that the correct SACL is applied to every file, folder, and registry key when they are accessed.

Auditing enhancements in Windows Server 2008 R2 and Windows 7 support the needs of IT professionals who are responsible for implementing, maintaining, and monitoring the ongoing security of an organization's physical and information assets.
These settings can help administrators answer questions such as the following:

  • Who is accessing our assets?
  • What assets are they accessing?
  • When and where did they access them?
  • How did they obtain access?

Security awareness and the desire to have a forensic trail are significant motivators behind these questions. The quality of this information is required and evaluated by auditors in a growing number of organizations.

Are there any special considerations?
A number of special considerations apply to various tasks associated with auditing enhancements in Windows Server 2008 R2 and Windows 7:

  • Creating an audit policy. To create an advanced Windows security auditing policy, you must use the GPMC or Local Security Policy snap-in on a computer running Windows Server 2008 R2 or Windows 7. (You can use the GPMC on a computer running Windows 7 after installing the Remote Server Administration Tools.)
  • Applying audit policy settings. If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running Windows Server 2008 R2 or Windows 7. In addition, only computers running Windows Server 2008 R2 or Windows 7 can provide "reason for access" reporting data.
  • Developing an audit policy model. To plan advanced security audit settings and global object access settings, you must use the GPMC targeting a domain controller running Windows Server 2008 R2.
  • Distributing the audit policy. After a Group Policy object (GPO) that includes advanced security auditing settings has been developed, it can be distributed by using domain controllers running any Windows server operating system. However, if you cannot put client computers running Windows 7 in a separate OU, you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced policy settings are applied only to client computers running Windows 7.

Note: Advanced audit policy settings can also be applied to client computers running Windows Vista. However, the audit policies for these client computers must be created and applied separately by using Auditpol.exe logon scripts.

Important: Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined.
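Two of the special considerations above are easy to get wrong in practice: targeting the GPO at Windows 7 clients that cannot be placed in their own OU, and accidentally running basic and advanced audit settings side by side. The script below is an added example, not code from the article or from Microsoft. It shows the WQL query you would paste into a Group Policy WMI filter, evaluates that query locally so you can see whether a given computer would receive the GPO, takes a backup of the current audit policy before any change, and reports whether the computer is in subcategory (advanced) mode by reading the LSA value SCENoApplyLegacyAuditPolicy, which the policy setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" controls. The backup path is a constructed placeholder.

```powershell
# Added example (not from the original article): WMI-filter query for
# Windows 7 clients, a local test of it, and a pre-flight check that basic
# and advanced audit settings are not both in play on this computer.
$ErrorActionPreference = 'Stop'

# Version 6.1 covers Windows 7 and Windows Server 2008 R2; ProductType 1
# keeps only workstations (2 = domain controller, 3 = member server).
# This is the text to place in the GPO's WMI filter.
$Win7ClientFilter = 'SELECT * FROM Win32_OperatingSystem ' +
                    'WHERE Version LIKE "6.1%" AND ProductType = "1"'

function Test-GpoWmiFilter {
    param([string]$Query)
    # Group Policy applies a filtered GPO when the query returns at least one
    # instance; running the same query locally reproduces that decision.
    $match = Get-WmiObject -Query $Query -ErrorAction SilentlyContinue
    return [bool]$match
}

function Backup-AuditPolicy {
    param([string]$Path)
    # Auditpol.exe writes every category/subcategory setting to a CSV file
    # that /restore can replay, giving you a rollback point.
    auditpol.exe /backup /file:"$Path" | Out-Null
    return (Test-Path $Path)
}

function Get-AuditPolicyMode {
    # When SCENoApplyLegacyAuditPolicy is 1, Windows honours only the
    # subcategory (advanced) settings and ignores the nine basic settings
    # under Local Policies\Audit Policy. Any other value means the basic
    # settings are still live, so mixing the two sets gives confusing results.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    if ($value -eq 1) {
        'advanced (subcategory) mode: basic Audit Policy settings are ignored'
    } else {
        'legacy (category) mode: do not deploy Advanced Audit Policy settings until this is switched'
    }
}

"WMI filter would apply the GPO to this host: $(Test-GpoWmiFilter $Win7ClientFilter)"
"Backup written: $(Backup-AuditPolicy -Path 'C:\Temp\audit-policy-before.csv')"   # constructed path
"Audit policy mode: $(Get-AuditPolicyMode)"

# Full picture of what is currently effective, for the change record.
auditpol.exe /get /category:*
```

Keep the backup CSV with the change ticket; `auditpol.exe /restore /file:<path>` returns the computer to its previous audit configuration if the advanced settings produce more log volume than the collectors can absorb.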

Which editions include this feature?

All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy can be configured to use these security auditing enhancements. Versions of Windows Server 2008 R2 and Windows 7 that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions of Windows 7.

For more information

To learn more about security audit policy, see the following resources:
