Published by Nigel Gibbs. Modified over 9 years ago.
Slide 1: Understand Audit Policies
LESSON 2.4, 98-367 Security Fundamentals
Slide 2: Lesson Overview
In this lesson, you will learn:
- About audit plans
- Security logs
- Success and failure events
- Auditing settings
Slide 3: Anticipatory Set
You can use Windows® security and system logs to record and store collected security events so that you can track key system and network activities to monitor potentially harmful behaviors and to mitigate those risks. You can customize system log events by configuring auditing.
Prompt: List the different "categories of security events" in Windows Server® 2008 or Windows 7.
Slide 4: Create an Audit Plan
Before implementing an audit policy, you should decide what type of information you want to gain by collecting audit events.
- If you are interested in intrusion detection (tracking the attempts of users to gain access to areas for which they are not authorized), you can collect failure audits.
  o But enabling failure audits can be a risk to your organization. If users attempt to access a resource for which they are not authorized, they can create so many failure audits that the security log becomes full, and the computer cannot collect any more audits.
Slide 5: Create an Audit Plan (Continued)
- If you are interested in forensics (using the audit log to determine exactly what happens in your organization), you can collect a combination of success and failure audits.
- Consider the resources that you have available for collecting and reviewing an audit log.
  o Audit events take up space on your computers, and they take up your time and the time of people in your organization. Do not audit events that do not really interest you.
Slide 6: Collect and Archive Security Logs across Your Organization
If an intrusion occurs, isolate and preserve the security log entries. These entries can be valuable during an investigation of the intrusion.
An audit trail can contain information about changes that are made to your computer or to other computers on the network. If intruders gain administrator rights and permissions, or if administrators abuse their rights and permissions, they can clear the security log, leaving you without a trail of their actions.
If you use a tool that regularly collects and saves security log entries across your organization, even if intruders or administrators clear the local security log, you are more likely to be able to trace the actions of intruders or administrators. Microsoft® Operations Manager is an example of such a tool.
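The collection-and-archive practice on this slide, as an added PowerShell example that is not part of the lesson: export the local Security log to a central share, record its hash for later verification, and flag the event Windows writes when the Security log is cleared (event ID 1102). The share path is a placeholder; the script assumes an elevated prompt.

```powershell
# Added example, not part of the lesson. Assumptions: run elevated;
# \\LOGSRV\SecurityArchive is a placeholder for your central collection share.
$Share = '\\LOGSRV\SecurityArchive'
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Dest  = Join-Path $Share ("{0}-Security-{1}.evtx" -f $env:COMPUTERNAME, $Stamp)

# Export the whole Security log in native .evtx form, which keeps the original
# records intact for an investigation.
wevtutil epl Security $Dest
if ($LASTEXITCODE -ne 0) { throw "Export failed with exit code $LASTEXITCODE" }

# Record a SHA-256 hash beside the archive so the copy can be verified later.
$Hash = Get-FileHash -Path $Dest -Algorithm SHA256
"$($Hash.Hash)  $($Hash.Path)" | Add-Content -Path (Join-Path $Share 'hashes.sha256')

# Event 1102 ("The audit log was cleared") is the first record written after a
# clear and names the account that did it, so it survives the clearing itself.
$Cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
                        -ErrorAction SilentlyContinue
foreach ($Event in $Cleared) {
    Write-Warning ("Security log cleared at {0} (record {1}): {2}" -f
        $Event.TimeCreated, $Event.RecordId, $Event.Message)
}
```

Run it on a schedule so that a copy of the log already exists on the collection server before anyone has the chance to clear the local one.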
Slide 7: Audit Success and Failure Events in the System Event Category
By auditing success and failure events in the system event category, you can notice unusual activity that may indicate that an intruder is attempting to gain access to your computer or your network.
The number of audits that are generated when this setting is enabled tends to be relatively low, and the quality of information that is gained from the events tends to be relatively high.
Slide 8: Windows Server 2008 Active Directory Auditing and FGPP Interview
Hear about Windows Server 2008 AD auditing and FGPP directly from the source! In this interview with Siddharth Bhai, the program manager (PM) for this AD functionality, he gives us a bunch of great information.
Slide 9: Auditing Settings on Objects
Each object has a set of security information, or security descriptor, attached to it. Part of the security descriptor specifies the groups or users that can access an object and the types of access (permissions) that are granted to those groups or users. This part of the security descriptor is known as a discretionary access control list (DACL).
A security descriptor for an object also contains auditing information. This auditing information is known as a system access control list (SACL). More specifically, a SACL specifies the following:
- The group or user accounts to audit when they access the object
- The operations to be audited for each group or user, for example, modifying a file
- A Success or Failure attribute for each access event, based on the permissions that are granted to each group and user in the object's DACL
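The SACL described on this slide, as an added PowerShell example that is not part of the lesson: it adds an audit entry to a folder naming the account to audit (Everyone), the operations (write, delete, permission and ownership changes) and the Success/Failure attribute, and it first turns on the matching audit policy subcategory, because a SACL produces no events unless Object Access auditing is enabled. The folder path is a placeholder; the script assumes an elevated prompt.

```powershell
# Added example, not part of the lesson. Assumptions: run elevated (reading and
# writing a SACL needs SeSecurityPrivilege); C:\Finance is a placeholder folder.
$Path = 'C:\Finance'

# A SACL only generates events when the audit policy for the object type is on.
# "File System" is the Object Access subcategory that covers files and folders.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Build the audit entry: who to audit, which operations, how it inherits to
# children, and whether successful or failed access (or both) is recorded.
$Identity    = [System.Security.Principal.NTAccount]'Everyone'
$Rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$AuditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $Rights, $Inherit, $Propagation, $AuditFlags)

# Get-Acl returns the DACL only unless -Audit is given; -Audit pulls the SACL too.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Read the SACL back to confirm the entry (explicit and inherited rules).
$Check = Get-Acl -Path $Path -Audit
$Check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Matching access attempts then appear in the Security log as Object Access events (4656 for the handle request and 4663 for the access itself), tagged Audit Success or Audit Failure according to the SACL entry.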
Slide 10: Class Activity
There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer.
1. Account logon events
2. Account management
3. Directory services access
4. Logon events
5. Object access
6. Policy change
7. Privilege use
8. Process tracking
9. System events
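Slides 4, 5 and 7 describe choosing failure-only or success-plus-failure auditing per category, and this slide lists the nine categories; the added PowerShell below (not part of the lesson) applies one such plan with auditpol.exe, using the category names as auditpol spells them (for example "Detailed Tracking" is the Process tracking category and "DS Access" is Directory services access). The success/failure choices are an illustrative plan, not a recommendation; the script assumes an elevated prompt.

```powershell
# Added example, not part of the lesson. Assumptions: elevated prompt; the
# enable/disable choices below are one illustrative plan for a member server.
$Plan = [ordered]@{
    #  auditpol category      success   failure   lesson item
    'Account Logon'      = @{ s = $true;  f = $true  }  # 1. Account logon events
    'Account Management' = @{ s = $true;  f = $true  }  # 2. Account management
    'DS Access'          = @{ s = $false; f = $false }  # 3. Directory services access (DCs only)
    'Logon/Logoff'       = @{ s = $true;  f = $true  }  # 4. Logon events
    'Object Access'      = @{ s = $false; f = $true  }  # 5. Object access (fires only where a SACL exists)
    'Policy Change'      = @{ s = $true;  f = $true  }  # 6. Policy change
    'Privilege Use'      = @{ s = $false; f = $true  }  # 7. Privilege use
    'Detailed Tracking'  = @{ s = $false; f = $false }  # 8. Process tracking (high volume)
    'System'             = @{ s = $true;  f = $true  }  # 9. System events (low volume, high value)
}

foreach ($Category in $Plan.Keys) {
    $Success = if ($Plan[$Category].s) { 'enable' } else { 'disable' }
    $Failure = if ($Plan[$Category].f) { 'enable' } else { 'disable' }
    auditpol /set "/category:$Category" "/success:$Success" "/failure:$Failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$Category'" }
}

# Slide 4 warns that a flood of failure audits can fill the Security log so
# that nothing more is collected. Give the log 256 MB and let it overwrite the
# oldest events (retention off) instead of stopping when it is full.
wevtutil sl Security /ms:268435456 /rt:false
if ($LASTEXITCODE -ne 0) { Write-Warning 'could not resize the Security log' }

# Show the effective policy. A domain Group Policy that sets audit policy will
# override these local settings at the next policy refresh.
auditpol /get /category:*
```

Because failure-only categories such as Object Access and Privilege Use are the ones most likely to flood the log, check the log's fill rate after the plan is applied and archive it regularly as Slide 6 describes.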
Slide 11: Lesson Review
Establishing an organizational computer system audit policy is an important facet of information security. Configuring audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
Prompt: Summarize the importance of auditing.