Administering Windows Server 2012 R2: Monitoring and Auditing

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

• Configure data collector sets
• Configure alerts
• Manage event subscriptions
• Perform network monitoring
• Configure removable device auditing
• Configure logon auditing
• Configure expression-based audit policies
• Enable folder auditing

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the Virtual Machines (VMs) to this initial state prior to beginning these exercises.

Exercise 1: Configure data collector sets

In this exercise, you configure data collector sets. To complete this exercise, perform the following steps:

1. Start SYD-DC, and sign on as CONTOSO\Don_Funk.
2. On SYD-DC, click Performance Monitor in the Tools menu of Server Manager.

3. In the Performance Monitor console, expand the Performance\Data Collector Sets\User Defined, as shown in Figure 10-26.

   

   FIGURE 10-26 Accessing data collector sets

4. On the Action menu, click New, and click Data Collector Set.

5. In the Create New Data Collector Set dialog box, type the name SYD-DC-Performance-Measurement and click Create Manually (Advanced), as shown in Figure 10-27. Click Next.

   

   FIGURE 10-27 Entering the data collector set name

6. On the What Type Of Date Do You Want To Include? page, click Performance Counter, as shown in Figure 10-28, and click Finish.

   

   FIGURE 10-28 Selecting Performance Counter

7. In the Performance Monitor console, click SYD-DC-Performance-Measurement.
8. In the details pane, click DataCollector01.
9. On the Action menu, click Properties.

10. In the DataCollector01 Properties dialog box, shown in Figure 10-29, click Add.

    

    FIGURE 10-29 Performance counters

11. In the Available Counters dialog box, click Logical Disk, and click Add.
12. Click Memory, click the arrow, click Available Mbytes, and click Add.
13. Click Network Interface, and click Add.
14. Click Processor, and click Add.

15. Verify that the list of added counters matches Figure 10-30, and click OK.

    

    FIGURE 10-30 Matching added counters

16. In the DataCollector01 Properties dialog box, set the Sample Interval to 15 seconds (see Figure 10-31), and click OK.

    

    FIGURE 10-31 Setting the interval

17. In Performance Monitor, click Data Collector Sets\User Defined\SYD-DC-Performance-Measurement.
18. On the Action menu, click Properties.
19. On the Schedule tab of the SYD-DC-Performance-Measurement Properties dialog box, click Add.
20. On the Folder Action dialog box, set a time of 3:00:00 AM, and click OK.

21. Verify that the Schedule tab appear similar to Figure 10-32, and click OK

    

    FIGURE 10-32 Configure data collector set schedule

Exercise 2: Collect data

In this exercise, you collect data from the data collector set. To complete this exercise, perform the following steps:

1. In Performance Monitor, click Data Collector Sets\User Defined\SYD-DC-Performance-Measurement.
2. On the Action menu, click Start.
3. After 2 minutes, on the Action menu, click Stop.
4. Expand Reports, expand User Defined, and click SYD-DC-Performance-Measurement.

5. Double-click the report listed in the details pane, as shown in Figure 10-33.

   

   FIGURE 10-33 Selecting a report

6. Click Change Graph Type, and click Report.

7. View the report, as shown in Figure 10-34.

   

   FIGURE 10-34 Viewing the report

Exercise 3: Configure alerts

In this exercise, you configure a free disk space alert. To complete this exercise, perform the following steps:

1. In Performance Monitor, click User Defined under Data Collector Sets.
2. On the Action menu, click New, and click Data Collector Set.
3. On the Create New Data Collector Set page, type Disk Space Alert, click Create Manually (Advanced), and click Next.

4. On the Create New Data Collector Set page, click Performance Counter Alert, as shown in Figure 10-35, and click Next.

   

   FIGURE 10-35 Choosing Performance Counter Alert

5. On the Which Performance Counters Would You Like To Monitor? page, click Add.

6. In the Available Counters dialog box, click LogicalDisk, click %Free Space, click C:, and click Add, as shown in Figure 10-36. Click OK.

   

   FIGURE 10-36 Selecting LogicalDisk

7. Set the Alert When menu to Below.

8. Set the Limit value to 5, as shown in Figure 10-37, and click Next.

   

   FIGURE 10-37 Setting the limit value

9. Click Finish.

Exercise 4: Prepare computers for event subscriptions

In this exercise, you configure computers to support event log subscriptions. To complete this exercise, perform the following steps:

1. On SYD-DC, right-click Windows PowerShell on the task bar, and click Run As Administrator.

2. Enter the following command and press Enter.

   Wecutil qc

3. When prompted, press Y, and press Enter.
4. Close the Windows PowerShell prompt.
5. Sign on to MEL-DC as Administrator.

6. Open the Windows PowerShell prompt and type the following commands.

   Add-Computer -DomainName contoso.com

7. In the Windows PowerShell Credentials dialog box, type don_funk@contoso.com and Pa$$w0rd, and click OK.

8. Type the following command at the Windows PowerShell prompt to restart the computer.

   Restart-Computer

9. Sign on to MEL-DC as Contoso\don_funk.
10. On the Tools menu on Server Manager, click Computer Management.

11. In the Computer Management console, expand Local Users And Groups, click Groups, and then click Administrators, as shown in Figure 10-38.

    

    FIGURE 10-38 Accessing Administrators

12. On the Actions pane, click More Actions, and click Properties under Administrator.
13. In the Administrators Properties dialog box, click Add.
14. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Object Types.

15. In the Object Types dialog box, enable the Computers check box, as shown in Figure 10-39, and click OK.

    

    FIGURE 10-39 Selecting Computers

16. In the Select Users, Computers, Service Accounts, Or Groups dialog box, type SYD-DC, click Check Names, and click OK.

17. Verify that the Administrators Properties dialog box matches Figure 10-40 and click OK.

    

    FIGURE 10-40 Administrators Properties dialog box

18. Restart MEL-DC.

Exercise 5: Configure event subscriptions

In this exercise, you configure event subscriptions. To complete this exercise, perform the following steps:

1. In the Server Manager console on SYD-DC, open the Tools menu, and click Event Viewer.

2. In Event Viewer, click the Subscriptions node, as shown in Figure 10-41.

   

   FIGURE 10-41 Clicking the Subscriptions node

3. On the Actions pane, click Create Subscription.
4. In the Subscription Properties dialog box, type the name as Subscription-Alpha, click Collector Initiated, and click Select Computers.
5. In the Computers dialog box, click Add Domain Computers.
6. In the Select Computer dialog box, type MEL-DC, click Check Names, and click OK.

7. Verify that the Computers dialog box matches Figure 10-42, and click Test.

   

   FIGURE 10-42 Computers dialog box

8. In the Event Viewer dialog box, click OK.
9. In the Computers dialog box, click OK.
10. Click Select Events.
11. In the Query Filter dialog box, select Critical, Error, Warning, and Information.
12. Click the Event Logs menu, and click Windows Logs.

13. Verify that the Query Filter appears the same as Figure 10-43, and click OK.

    

    FIGURE 10-43 The Query Filter dialog box

14. In the Subscription Properties dialog box, click Advanced.

15. In the Advanced Subscription Settings dialog box, click Minimize Latency, as shown in Figure 10-44, and click OK.

    

    FIGURE 10-44 Advanced Subscription Settings dialog box

16. Verify that the Subscription Properties – Subscription-Alpha dialog box matches Figure 10-45, and then click OK.

    

    FIGURE 10-45 Subscription Properties dialog box

17. Restart server MEL-DC.
18. Expand the Windows Logs node, and click Forwarded Events.

19. Verify the presence of items in the event log, as shown in Figure 10-46.

    

    FIGURE 10-46 Event log

20. Close Event Viewer.

Exercise 6: Configure network monitoring

In this exercise, you monitor the processes and services that use network interfaces. To complete this exercise, perform the following steps:

1. On the Tools menu of the Server Manager console on SYD-DC, click Resource Monitor.

2. On the Network tab, click the arrow next to TCP Connections, as shown in Figure 10-47.

   

   FIGURE 10-47 Network tab of the Resource Monitor

3. Click the arrow next to Listening Ports to list the ports on which different services are listening (see Figure 10-48).

   

   FIGURE 10-48 Listing the different ports.

Exercise 7: Using Message Analyzer

In this exercise, you use Message Analyzer to perform network monitoring. To perform this exercise, you need to download Message Analyzer from the following website: http://www.microsoft.com/en-au/download/details.aspx?id=40308 (or just use a search engine to locate the installer) and then install it on MEL-DC. Ensure that you do not run the program and that you sign off after installation. To complete this exercise, perform the following steps:

1. Ensure that you are signed on to MEL-DC as contoso\don_funk.
2. In the Server Manager on MEL-DC, click Local Server, and then select IE Enhanced Security Configuration.

3. In the Internet Explorer Enhanced Security Configuration dialog box, set the Administrators setting to Off, as shown in Figure 10-49, and click OK.

   

   FIGURE 10-49 Internet Explorer security

4. In the Search charm on MEL-DC, type Microsoft Message Analyzer.
5. Click Microsoft Message Analyzer in the results list.
6. On the Welcome To The Microsoft Message Analyzer dialog box, click Do Not Update Items, and click OK.

7. On the File menu, click Capture Trace, and click SMB2 Server Full PDU (Windows 8/Windows Server 2012 or later) as shown in Figure 10-50, and click Start With.

   

   FIGURE 10-50 SMB Server Full PDU

8. On the taskbar, click File Explorer.
9. In File Explorer, click Computer, and then double-click Local Disk (C:).
10. On the title bar, click New Folder. Name the new folder TEST.
11. Right-click the TEST folder, click Share With, and click Specific People.
12. In the File Sharing dialog box, click Share, and then click Done.

13. In Microsoft Message Analyzer, click Analysis Grid, and verify that messages have been recorded, and click the final message, as shown in Figure 10-51.

    

    FIGURE 10-51 Verifying that messages have been recorded

14. Use File Explorer to navigate to C:\TEST.
15. Create a text file in C:\TEST named secretfile.txt. The content of the file should be the words “secret secret.” Switch to SYD-DC.
16. On SYD-DC, in the Search charm, type \\MEL-DC\TEST\secretfile.txt and click Secretfile.txt in the Results pane.
17. Switch to MEL-DC.
18. Verify that additional traffic has been recorded.

19. Examine the message data for network addresses, such as server MEL-DC (see Figure 10-52).

    

    FIGURE 10-52 Examining message data

20. Close Microsoft Message Analyzer.
21. When prompted to save the captured trace, click No.

Exercise 8: Configure removable device auditing

In this exercise, you configure a GPO so that removable device usage is audited. To complete this exercise, perform the following steps:

1. On SYD-DC, click Group Policy Management on the Tools menu of Server Manager.

2. Expand Forest: Contoso.com\Domains\contoso.com\Group Policy Objects, and click Default Domain Policy, as shown in Figure 10-53.

   

   FIGURE 10-53 Clicking Default Domain Policy

3. On the Action menu, click Edit.

4. In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access node and click Audit Removable Storage, as shown in Figure 10-54.

   

   FIGURE 10-54 Clicking Audit Removable Storage

5. Double-click Audit Removable Storage.

6. In the Audit Removable Storage Properties dialog box, select Configure The Following Audit Events, Success, and Failure; then click OK (see Figure 10-55).

   

   FIGURE 10-55 Auditing properties

7. Close the Group Policy Management Editor.
8. On the taskbar, right-click Windows PowerShell, and click Run As Administrator.

9. In the Windows PowerShell window, type the following command and press Enter.

   Gpupdate /force

10. In the Windows PowerShell window, type the following command and press Enter.

    Auditpol /get /category:"Object Access"

11. Verify that Removable Storage is configured for Success And Failure auditing, as shown in Figure 10-56.

    

    FIGURE 10-56 Configuring Removable Storage

Exercise 9: Configure logon auditing

In this exercise, you configure logon auditing. To complete this exercise, perform the following steps:

1. In the Group Policy Management Console (GPMC) on SYD-DC, right-click the Default Domain Policy, and click Edit.

2. In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff, and click Audit Logon, as shown in Figure 10-57.

   

   FIGURE 10-57 Selecting Audit Logon

3. On the Action menu, click Properties.

4. In the Audit Logon Properties dialog box, select Configure The Following Audit Events, Success, and Failure (see Figure 10-58). Click OK.

   

   FIGURE 10-58 Setting audit properties

5. Close the Group Policy Management Editor.
6. On the Tools menu of the Server Manager console, click Active Directory Users And Computers.
7. In Active Directory Users And Computers, select Users, and then click Administrator.
8. On the Action menu, click Copy.

9. In the Copy Object – User dialog box, configure the following information, as shown in Figure 10-59, and click Next.

   • First Name: Gabe
   • Last Name: Frost
   • User Logon Name: Gabe_Frost
   

   FIGURE 10-59 Setting copy object data

10. Type Pa$$w0rd in the Password and Confirm Password text boxes, ensure User Must Change Password At Next Logon is not selected, click Next, and click Finish.
11. Close Active Directory Users And Computers.

12. In Windows PowerShell, type the following command and press Enter.

    Gpupdate /force

13. In Windows PowerShell, type the following command and press Enter.

    Auditpol /get /category:"Logon/Logoff"

14. Verify that Logon is configured for Success And Failure auditing, as shown in Figure 10-60.

    

    FIGURE 10-60 Logon for Success And Failure auditing

15. Switch to MEL-DC.
16. Sign out and sign on as contoso\gabe_frost with the password Pa$$w0rd.
17. Switch to SYD-DC.
18. On the Tools menu of the Server Manager console, click Event Viewer.
19. Expand Windows Logs\Security Logs and click the most recent event with Event ID 4624.

20. Click the Details pane and verify that the TargetUserName Gabe_Frost is listed, as shown in Figure 10-61. You may need to scroll through several events to find this TargetUserName.

    

    FIGURE 10-61 TargetUserName Gabe Frost

Exercise 10: Configure expression-based audit policies

In this exercise, you configure expression-based audit policies in Group Policy. To complete this exercise, perform the following steps:

1. On SYD-DC, open Active Directory Users And Computers from the Tools menu of the Server Manager console.
2. Right-click the Users container, click New, and click Group.

3. In the New Object – Group dialog box, type the name Jupiter, as shown in Figure 10-62, and click OK.

   

   FIGURE 10-62 Typing the group name

4. Right-click the Users container, click New, and click Group.
5. In the New Object – Group dialog box, type the name Saturn and click OK.
6. Right-click the Users container, click New, and click Group.
7. In the New Object – Group dialog box, type the name Neptune and click OK.
8. Right-click the Users container, click New, and click Group.
9. In the New Object – Group dialog box, type the name Mars and click OK.
10. Close Active Directory Users And Computers.
11. In the GPMC, right-click Default Domain Policy, and click Edit.

12. In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Global Object Access Auditing and click File System, as shown in Figure 10-63.

    

    FIGURE 10-63 Selecting File System

13. On the Action menu, click Properties.
14. In the File System Properties dialog box, click Define This Policy Setting, and click Configure.
15. In the Advanced Security Settings For Global File SACL dialog box, click Add.
16. In the Auditing Entry For Global File SACL dialog box, click Select A Principal Link.
17. In the Select User, Computer, Service Account, Or Group dialog box, type Jupiter, click Check Names, and click OK.
18. On the Type drop-down menu, click All.
19. Click the Add A Condition link.
20. Click the Add Items button.
21. In the Select User, Computer, Service Account, Or Group dialog box, type Saturn, click Check Names, and click OK.

22. Verify that the Auditing Entry For Global File SACL dialog box matches Figure 10-64 and click OK.

    

    FIGURE 10-64 Auditing the Entry For Global File SACL dialog box

23. In the Advanced Security Settings For Global File SACL dialog box, click Add.
24. In the Auditing Entry For Global File SACL dialog box, click Select A Principal link.
25. In the Select User, Computer, Service Account, Or Group dialog box, type Mars, click Check Names, and click OK.
26. Set the Type drop-down menu to Fail.
27. Click the Add A Condition link.
28. Click the Member Of Each drop-down menu, and select Not Member Of Any.
29. Click the Add Items button.
30. In the Select User, Computer, Service Account, Or Group dialog box, type Neptune, click Check Names, and click OK twice.

31. Verify that the Advanced Security Settings For Global File SACL dialog box matches Figure 10-65, and click OK.

    

    FIGURE 10-65 Advanced Security Settings For Global File SACL dialog box

32. Click OK to close the File System Properties dialog box and close the Group Policy Management Editor.

Exercise 11: Configure folder auditing

In this exercise, you configure expression-based audit policies at the folder level. To complete this exercise, perform the following steps:

1. Click File Explorer on the taskbar.
2. Click Computer and double-click Local Disk (C:).
3. On the title bar, click the New Folder icon.
4. Name the new folder Audited_Files.
5. Right-click the Audited_Files folder, and click Properties.
6. On the Security tab, click Advanced.

7. On the Auditing tab of the Advanced Security Settings For Audited_Files dialog box, shown in Figure 10-66, click Add.

   

   FIGURE 10-66 Auditing tab of the Advanced Security Settings For Audited_Files dialog box

8. In the Auditing Entry For Audited_Files dialog box, click Select A Principal link.
9. In the Select User, Computer, Service Account, Or Group dialog box, type Neptune, click Check Names, and click OK.
10. Change the type from Success to Fail.
11. Click the Add A Condition link.
12. Click the Add Items button.
13. In the Select User, Computer, Service Account, Or Group dialog box, type Saturn, click Check Names, and click OK.

14. Verify that the Auditing Entry For Audited Files dialog box matches Figure 10-67, and click OK.

    

    FIGURE 10-67 Auditing Entry For Audited Files dialog box

15. Click OK twice to close all dialog boxes.