Monitoring and Auditing Windows Server 2012

  • 5/15/2013

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

  • Configure data collector sets
  • Configure alerts
  • Manage event subscriptions
  • Perform network monitoring
  • Configure removable device auditing
  • Configure logon auditing
  • Configure expression-based audit policies
  • Enable folder auditing

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012. You should also have access to virtual machines SYD-DC, SYD-A, and SYD-B, the setup instructions for which are as described in the Appendix. You should ensure that you have a snapshot of these virtual machines that you can revert to at the end of the practice exercises.

EXERCISE 1 Configure data collector sets

In this exercise, you will configure data collector sets. To complete this exercise, perform the following steps:

  1. On DC, click Performance Monitor in the Tools menu of Server Manager.

  2. In the Performance Monitor console, expand the Performance\Data Collector Sets\User Defined node, as shown in Figure 10-25.

    Figure 10-25 Accessing data collector sets

  3. On the Action menu, click New and click Data Collector Set.

  4. In the Create New Data Collector Set dialog box, enter the name DC-Performance-Measurement and click Create Manually (Advanced), as shown in Figure 10-26. Click Next.

    Figure 10-26 Entering the data collector set name

  5. On the What Type Of Data Do You Want To Include? page, click Performance Counter, as shown in Figure 10-27, and click Finish.

    Figure 10-27 Selecting Performance Counter

  6. In the Performance Monitor console, click DC-Performance-Measurement.

  7. In the details pane, click DataCollector01.

  8. On the Action menu, click Properties.

  9. In the DataCollector01 Properties dialog box, shown in Figure 10-28, click Add.

    Figure 10-28 Performance counters

  10. In the Available Counters dialog box, click Logical Disk and click Add.

  11. Click Memory, click the arrow, click Available Mbytes, and click Add.

  12. Click Network Interface and click Add.

  13. Click Processor and click Add.

  14. Verify that the list of added counters matches Figure 10-29 and click OK.

    Figure 10-29 Matching added counters

  15. In the DataCollector01 Properties dialog box, set the Sample Interval to 15 seconds (see Figure 10-30) and click OK.

    Figure 10-30 Setting the interval

EXERCISE 2 Collect data

In this exercise, you will collect data from the data collector set. To complete this exercise, perform the following steps:

  1. In Performance Monitor, click Data Collector Sets\User Defined\DC-Performance-Measurement.

  2. On the Action menu, click Start.

  3. After 2 minutes, on the Action menu, click Stop.

  4. Expand Reports, expand User Defined, and click DC-Performance-Measurement.

  5. Click the report listed in the details pane, as shown in Figure 10-31.

    Figure 10-31 Selecting a report

  6. Click View Data In Performance Monitor.

  7. Click Change Graph Type and click Report.

  8. View the report, as shown in Figure 10-32.

    Figure 10-32 Viewing the report

EXERCISE 3 Configure alerts

In this exercise, you will configure a free disk space alert. To complete this exercise, perform the following steps:

  1. In Performance Monitor, click User Defined under Data Collector Sets.

  2. On the Action menu, click New and click Data Collector Set.

  3. On the Create New Data Collector Set page, type Disk Space Alert, click Create Manually (Advanced), and click Next.

  4. On the Create New Data Collector Set page, click Performance Counter Alert, as shown in Figure 10-33, and click Next.

    Figure 10-33 Choosing Performance Counter Alert

  5. On the Which Performance Counters Would You Like To Monitor? page, click Add.

  6. In the Available Counters dialog box, click LogicalDisk, click %Free Space, click C:, and click Add, as shown in Figure 10-34. Click OK.

    Figure 10-34 Selecting LogicalDisk

  7. Set the Alert When drop-down menu to Below.

  8. Set the Limit value to 5, as shown in Figure 10-35, and click Next.

    Figure 10-35 Setting the limit value

  9. Click Finish.
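The same measurement and alert can be driven from Windows PowerShell. The script below is an added example and is not part of the book's exercises: it samples the counters chosen in Exercise 1 at the 15-second interval for the two minutes of Exercise 2, averages them the way the Report graph type does, and then applies the Exercise 3 condition (C: % Free Space below a limit of 5). The event source name DiskSpaceAlert and event ID 1001 are assumptions made for the example; run it elevated on the server being measured.

```powershell
# Added example (not from the book): Get-Counter equivalent of Exercises 1-3.
# Assumes an elevated PowerShell session on the server being measured.

$counters = @(
    '\LogicalDisk(C:)\% Free Space',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Bytes Total/sec',
    '\Processor(_Total)\% Processor Time'
)

# Two minutes at a 15-second sample interval = 8 samples, as in Exercise 2.
$samples = Get-Counter -Counter $counters -SampleInterval 15 -MaxSamples 8

# Flatten all sample sets and summarise per counter path, like the Report view.
$report = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Minimum -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Minimum = [math]::Round($stats.Minimum, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    }
$report | Format-Table -AutoSize

# Exercise 3's alert: Alert When Below, Limit 5, evaluated on the latest sample.
$limit = 5
$freeSpace = ($samples[-1].CounterSamples |
    Where-Object Path -like '*LogicalDisk(C:)\% Free Space').CookedValue

if ($freeSpace -lt $limit) {
    # Hypothetical event source for the example; registered once so the alert
    # is recorded in the Application log rather than only on the console.
    if (-not [System.Diagnostics.EventLog]::SourceExists('DiskSpaceAlert')) {
        New-EventLog -LogName Application -Source 'DiskSpaceAlert'
    }
    Write-EventLog -LogName Application -Source 'DiskSpaceAlert' -EntryType Warning -EventId 1001 `
        -Message ("C: free space {0:N1}% is below the {1}% limit" -f $freeSpace, $limit)
}
```

Writing the alert to the event log rather than printing it is deliberate: an alert that lands in a log can be picked up by the event subscriptions configured in Exercises 4 and 5, whereas console output is lost when the session closes.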

EXERCISE 4 Prepare computers for event subscriptions

In this exercise, you will configure computers to support event log subscriptions. To complete this exercise, perform the following steps:

  1. On DC, click Windows PowerShell on the task bar.

  2. Enter the following command and press Enter:

    Wecutil qc

  3. When prompted, press Y and press Enter.

  4. Close the Windows PowerShell prompt.

  5. Sign on to SYD-A as Contoso\Administrator.

  6. In the Tools menu on Server Manager, click Computer Management.

  7. In the Computer Management console, expand Local Users And Groups, click Groups, and then click Administrators, as shown in Figure 10-36.

    Figure 10-36 Accessing Administrators

  8. On the Actions pane, click More Actions and click Properties under Administrators.

  9. In the Administrators Properties dialog box, click Add.

  10. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Object Types.

  11. In the Object Types dialog box, enable the Computers check box, as shown in Figure 10-37, and click OK.

    Figure 10-37 Selecting Computers

  12. In the Select Users, Computers, Service Accounts, Or Groups dialog box, type DC, click Check Names, and click OK.

  13. Verify that the Administrators Properties dialog box matches Figure 10-38 and click OK.

    Figure 10-38 Administrators Properties dialog box

  14. Restart SYD-A.

EXERCISE 5 Configure event subscriptions

In this exercise, you will configure event subscriptions. To complete this exercise, perform the following steps:

  1. In the Server Manager console on DC, open the Tools menu and click Event Viewer.

  2. In Event Viewer, click the Subscriptions node, as shown in Figure 10-39.

    Figure 10-39 Clicking the Subscriptions node

  3. On the Actions pane, click Create Subscription.

  4. In the Subscription Properties dialog box, enter the name as Subscription-Alpha, click Collector Initiated, and click Select Computers.

  5. In the Computers dialog box, click Add Domain Computers.

  6. In the Select Computer dialog box, type SYD-A, click Check Names, and click OK.

  7. Verify that the Computers dialog box matches Figure 10-40 and click Test.

    Figure 10-40 Computers dialog box

  8. In the Event Viewer dialog box, click OK.

  9. In the Computers dialog box, click OK.

  10. Click Select Events.

  11. In the Query Filter dialog box, select Critical, Error, Warning, and Information.

  12. Click the Event Logs drop-down menu and click Windows Logs.

  13. Verify that the Query Filter appears the same as Figure 10-41 and click OK.

    Figure 10-41 The Query Filter dialog box

  14. In the Subscription Properties dialog box, click Advanced.

  15. In the Advanced Subscription Settings dialog box, click Minimize Latency, as shown in Figure 10-42, and click OK.

    Figure 10-42 Advanced Subscription Settings dialog box

  16. Verify that the Subscription Properties – Subscription-Alpha dialog box matches Figure 10-43 and then click OK.

    Figure 10-43 Subscription Properties dialog box

  17. Restart server SYD-A.

  18. Expand the Windows Logs node and click Forwarded Events.

  19. Verify the presence of items in the event log, as shown in Figure 10-44.

    Figure 10-44 Event log

  20. Close Event Viewer.
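Exercises 4 and 5 have command-line equivalents that are useful for verifying the subscription when Forwarded Events stays empty. The following is an added example, not part of the book: it runs the collector quick-configuration without the Y prompt, prepares the source, and then queries the state of Subscription-Alpha and the forwarded log. It assumes the collector's computer account is CONTOSO\DC$ (the account typed in Exercise 4 step 12); the Event Log Readers membership it grants is a least-privilege alternative to the Administrators membership used in Exercise 4 and is sufficient for a collector-initiated subscription.

```powershell
# Added example (not from the book): command-line equivalents of Exercises 4 and 5.
# Run each section elevated on the computer named in its heading.

# --- Collector (DC): Exercise 4 step 2, non-interactive ---
wecutil qc /q            # configure and start the Windows Event Collector service

# --- Source (SYD-A): make sure the WinRM listener the collector connects to is up ---
winrm quickconfig -q
# Least-privilege alternative to Exercise 4 step 13: the collector's computer account
# (assumed here to be CONTOSO\DC$) only needs read access to the logs.
net localgroup "Event Log Readers" "CONTOSO\DC$" /add

# --- Collector (DC): verify Subscription-Alpha after Exercise 5 ---
wecutil es                               # enumerate the subscriptions defined on DC
wecutil gs Subscription-Alpha            # configuration: delivery mode, query, sources
wecutil gr Subscription-Alpha            # runtime status, including per-source errors
Test-WSMan -ComputerName SYD-A           # can DC reach the source's WinRM endpoint?

# Exercise 5 step 19: confirm forwarded events are arriving, newest first.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName |
    Format-Table -AutoSize
```

If `wecutil gr` reports the source as inactive, the usual causes are the source's WinRM listener not running, the collector's computer account lacking log access on the source, or the source not yet having restarted since its group membership changed.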

EXERCISE 6 Configure network monitoring

In this exercise, you will monitor the processes and services that use network interfaces. To complete this exercise, perform the following steps:

  1. On the Tools menu of the Server Manager console on DC, click Resource Monitor.

  2. On the Network tab, click the arrow next to TCP Connections, as shown in Figure 10-45.

    Figure 10-45 Network tab of the Resource Monitor

  3. Click the arrow next to Listening Ports to list the ports on which different services are listening (see Figure 10-46).

    Figure 10-46 Listing the different ports

EXERCISE 7 Using Message Analyzer

In this exercise, you use Message Analyzer to perform network monitoring. This exercise requires that you have downloaded Message Analyzer from the Microsoft website and installed it on SYD-A, but have not run the program yet. To complete this exercise, perform the following steps:

  1. In Server Manager on SYD-A, click Local Server and then select IE Enhanced Security Configuration.

  2. In the Internet Explorer Enhanced Security Configuration dialog box, set the Administrators setting to Off, as shown in Figure 10-47, and click OK.

    Figure 10-47 Internet Explorer security

  3. In the Search charm on SYD-A, type Microsoft Message Analyzer.

  4. Click Microsoft Message Analyzer in the results list.

  5. On the File menu, click SMB Server Full PDU on the Capture/Trace option, as shown in Figure 10-48, and click Start With.

    Figure 10-48 SMB Server Full PDU

  6. On the taskbar, click File Explorer.

  7. In File Explorer, click Computer and then double-click Local Disk (C:).

  8. On the title bar, click New Folder. Name the new folder TEST.

  9. Right-click the TEST folder, click Share With, and click Specific People.

  10. In the File Sharing dialog box, click Share and then click Done.

  11. In Microsoft Message Analyzer, verify that messages have been recorded and click the final message, as shown in Figure 10-49.

    Figure 10-49 Verifying that messages have been recorded

  12. Use File Explorer to navigate to C:\TEST.

  13. Create a text file in C:\TEST named secretfile.txt. The content of the file should be the words “secret secret”.

  14. Switch to DC.

  15. On DC, in the Search charm, type \\SYD-A\TEST\secretfile.txt and click secretfile.txt in the Results pane.

  16. Switch to SYD-A.

  17. Verify that additional traffic has been recorded.

  18. Examine the message data for network addresses, such as server SYD-A.contoso.com (see Figure 10-50).

    Figure 10-50 Examining message data

  19. Close Microsoft Message Analyzer.

  20. When prompted to save the captured trace, click No.

EXERCISE 8 Configure removable device auditing

In this exercise, you will configure a GPO so that removable device usage is audited. To complete this exercise, perform the following steps:

  1. On DC, click Group Policy Management in the Tools menu of Server Manager.

  2. Expand Forest: contoso.com\Domains\contoso.com\Group Policy Objects and click Default Domain Policy, as shown in Figure 10-51.

    Figure 10-51 Clicking Default Domain Policy

  3. On the Action menu, click Edit.

  4. In the GPME, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access node and click Audit Removable Storage, as shown in Figure 10-52.

    Figure 10-52 Clicking Audit Removable Storage

  5. Double-click Audit Removable Storage.

  6. In the Audit Removable Storage Properties dialog box, select Configure The Following Audit Events, Success, and Failure; then click OK (see Figure 10-53).

    Figure 10-53 Auditing properties

  7. Close the GPME.

  8. On the taskbar, click Windows PowerShell.

  9. In the Windows PowerShell window, type the following command and press Enter:

    Gpupdate /force

  10. In the Windows PowerShell window, type the following command and press Enter:

    Auditpol /get /category:"Object Access"

  11. Verify that Removable Storage is configured for Success And Failure auditing, as shown in Figure 10-54.

    Figure 10-54 Configuring Removable Storage

EXERCISE 9 Configure logon auditing

In this exercise, you will configure logon auditing. To complete this exercise, perform the following steps:

  1. In the Group Policy Management Console (GPMC) on DC, right-click the Default Domain Policy and click Edit.

  2. In the GPME, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff node and click Audit Logon, as shown in Figure 10-55.

    Figure 10-55 Selecting Audit Logon

  3. On the Action menu, click Properties.

  4. In the Audit Logon Properties dialog box, select Configure The Following Audit Events, Success, and Failure (see Figure 10-56). Click OK.

    Figure 10-56 Setting audit properties

  5. Close the GPME.

  6. In the Tools menu of the Server Manager console, click Active Directory Users And Computers.

  7. In Active Directory Users And Computers, select Users and then click Administrator.

  8. On the Action menu, click Copy.

  9. In the Copy Object – User dialog box, configure the following information, as shown in Figure 10-57, and click Next.

    • First Name: Don

    • Last Name: Funk

    • User Logon Name: Don_Funk

      Figure 10-57 Setting copy object data

  10. Enter Pa$$w0rd in the Password and Confirm Password text boxes, click Next, and click Finish.

  11. Close Active Directory Users And Computers.

  12. In Windows PowerShell, enter the following command and press Enter:

    Gpupdate /force

  13. In Windows PowerShell, enter the following command and press Enter:

    Auditpol /get /category:"Logon/Logoff"

  14. Verify that Logon is configured for Success And Failure auditing, as shown in Figure 10-58.

    Figure 10-58 Logon for Success And Failure auditing

  15. Switch to SYD-A.

  16. Sign out and sign on as contoso\don_funk with the password Pa$$w0rd.

  17. Switch to DC.

  18. On the Tools menu of the Server Manager console, click Event Viewer.

  19. Expand Windows Logs\Security Logs and click the most recent event with Event ID 4624.

  20. Click the Details pane and verify that the TargetUserName Don_Funk is listed, as shown in Figure 10-59. You may need to scroll through several events to find this TargetUserName.

    Figure 10-59 TargetUserName Don_Funk
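Scrolling through Security log events for a TargetUserName, as Exercise 9 step 20 describes, does not scale once logon auditing is on. The script below is an added example, not the book's own, covering Exercises 8 and 9: it sets the same two audit subcategories locally with auditpol (useful on a lab machine that is not receiving the GPO), then uses an XPath filter to pull only the 4624 events for Don_Funk and to summarise failed logons (4625) by account. It assumes an elevated session on DC and the Don_Funk account created in Exercise 9.

```powershell
# Added example (not from the book): auditpol and Get-WinEvent equivalents of
# Exercises 8 and 9. Assumes an elevated PowerShell session on DC.

# Local equivalents of the two GPO settings. Domain policy overrides these at the
# next refresh, so on a domain member they serve mainly as a before/after check.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
gpupdate /force
auditpol /get /category:"Object Access"
auditpol /get /category:"Logon/Logoff"

# Exercise 9 steps 19-20: the 4624 events for Don_Funk, filtered at the log
# level instead of by scrolling through the Details pane.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='Don_Funk']]"
$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue

foreach ($evt in $logons) {
    # The EventData fields are only reachable through the event's XML.
    $xml = [xml]$evt.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType = $data.LogonType      # 2 = interactive, 3 = network, 10 = RDP
        Source    = $data.IpAddress
        Process   = $data.ProcessName
    }
}

# The detection side of logon auditing: failed logons (4625) per account over
# the last 24 hours, most frequent first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'TargetUserName' |
            Select-Object -ExpandProperty '#text'
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

The LogonType value is worth recording alongside the user name: the interactive sign-on performed in step 16 produces a different type from the network logon generated when DC opened \\SYD-A\TEST in Exercise 7, and a failed-logon summary is only meaningful once you know which logon types a given account is expected to use.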

EXERCISE 10 Configure expression-based audit policies

In this exercise, you will configure expression-based audit policies in Group Policy. To complete this exercise, perform the following steps:

  1. On DC, open Active Directory Users And Computers from the Tools menu of the Server Manager console.

  2. Right-click the Users container, click New, and click Group.

  3. In the New Object – Group dialog box, enter the name Jupiter, as shown in Figure 10-60, and click OK.

    Figure 10-60 Entering the group name

  4. Right-click the Users container, click New, and click Group.

  5. In the New Object – Group dialog box, enter the name Saturn and click OK.

  6. Right-click the Users container, click New, and click Group.

  7. In the New Object – Group dialog box, enter the name Neptune and click OK.

  8. Right-click the Users container, click New, and click Group.

  9. In the New Object – Group dialog box, enter the name Mars and click OK.

  10. Close Active Directory Users And Computers.

  11. In the GPMC, right-click Default Domain Policy and click Edit.

  12. In the GPME, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Global Object Access Auditing and click File System, as shown in Figure 10-61.

    Figure 10-61 Selecting File System

  13. On the Action menu, click Properties.

  14. In the File System Properties dialog box, click Define This Policy Setting and click Configure.

  15. In the Advanced Security Settings for Global File SACL dialog box, click Add.

  16. In the Auditing Entry For Global File SACL dialog box, click Select A Principal Link.

  17. In the Select User, Computer, Service Account, Or Group dialog box, type Jupiter, click Check Names, and click OK.

  18. In the Type drop-down menu, click All.

  19. Click the Add A Condition link.

  20. Click the Add Items button.

  21. In the Select User, Computer, Service Account, Or Group dialog box, type Saturn, click Check Names, and click OK.

  22. Verify that the Auditing Entry For Global File SACL dialog box matches Figure 10-62 and click OK.

    Figure 10-62 Auditing Entry For Global File SACL dialog box

  23. In the Advanced Security Settings For Global File SACL dialog box, click Add.

  24. In the Auditing Entry For Global File SACL dialog box, click Select A Principal link.

  25. In the Select User, Computer, Service Account, Or Group dialog box, type Mars, click Check Names, and click OK.

  26. Set the Type drop-down menu to Fail.

  27. Click the Add A Condition link.

  28. Click the Member Of Each drop-down menu and select Not Member Of Any.

  29. Click the Add Items button.

  30. In the Select User, Computer, Service Account, Or Group dialog box, type Neptune, click Check Names, and click OK twice.

  31. Verify that the Advanced Security Settings For Global File SACL dialog box matches Figure 10-63 and click OK.

    Figure 10-63 Advanced Security Settings For Global File SACL dialog box

  32. Click OK to close the File System Properties dialog box and close the GPME.

EXERCISE 11 Configure folder auditing

In this exercise, you will configure expression-based audit policies at the folder level. To complete this exercise, perform the following steps:

  1. Click File Explorer on the taskbar.

  2. Click Computer and double-click Local Disk (C:).

  3. On the title bar, click the New Folder icon.

  4. Name the new folder Audited_Files.

  5. Right-click the Audited_Files folder and click Properties.

  6. On the Security tab, click Advanced.

  7. On the Auditing tab of the Advanced Security Settings For Audited_Files dialog box, shown in Figure 10-64, click Add.

    Figure 10-64 Auditing tab of the Advanced Security Settings For Audited_Files dialog box

  8. In the Auditing Entry For Audited_Files dialog box, click Select A Principal link.

  9. In the Select User, Computer, Service Account, Or Group dialog box, type Neptune, click Check Names, and click OK.

  10. Change the type from Success to Fail.

  11. Click the Add A Condition link.

  12. Click the Add Items button.

  13. In the Select User, Computer, Service Account, Or Group dialog box, type Saturn, click Check Names, and click OK.

  14. Verify that the Auditing Entry For Audited Files dialog box matches Figure 10-65 and click OK.

    Figure 10-65 Auditing Entry For Audited Files dialog box

  15. Click OK twice to close all dialog boxes.
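Once the SACLs from Exercises 10 and 11 are in place, it helps to be able to read them back and to see what they produce without reopening the dialog boxes. The script below is an added example and not the book's own code: it displays the global file SACL from Exercise 10 with auditpol, reads the folder SACL from Exercise 11 with Get-Acl, adds one further (unconditional) audit entry from PowerShell, and lists the resulting 4663 object-access events. It assumes an elevated session on DC, the C:\Audited_Files folder, and the Jupiter, Saturn, Mars and Neptune groups created in those exercises.

```powershell
# Added example (not from the book): reading back and extending the SACLs from
# Exercises 10 and 11. Assumes an elevated PowerShell session on DC.

# Exercise 10: the global file SACL lives in the audit policy, not on any folder.
auditpol /resourceSACL /type:File /view

# Exercise 11: read the folder's audit entries. Without -Audit the SACL is not
# retrieved at all and $acl.Audit is empty.
$folder = 'C:\Audited_Files'
$acl = Get-Acl -Path $folder -Audit
$acl.Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize

# The expression-based entry from Exercise 11 shows its condition only in the SDDL,
# where conditional audit ACEs appear as XU entries with the condition in a
# trailing parenthesised clause.
$acl.Sddl

# An unconditional audit entry can be added from PowerShell. FileSystemAuditRule
# has no way to express the Add A Condition clause, so the conditional entry itself
# stays with the GUI (or Group Policy).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'CONTOSO\Neptune',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# A folder SACL only produces events while the File System subcategory of
# Object Access is enabled; Exercises 8-11 do not turn it on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# The events the SACL generates: 4663 (object access) naming the folder or a
# file beneath it. The event-log XPath subset has no substring match, so the
# path filter is applied after retrieval.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Reading the SDDL is the quickest way to confirm that a conditional entry really was saved with its condition: an entry that was added without the Add A Condition step shows up as an ordinary AU ACE, and the Auditing tab of the folder's properties will not flag the difference as clearly.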