Improving the Security of Authentication in an AD DS Domain

  • 6/15/2011

Lesson 2: Auditing Authentication

In Chapter 7, “Managing Enterprise Security and Configuration with Group Policy Settings,” you learned to configure auditing for several types of activities, including access to folders and changes to directory service objects. Windows Server 2008 R2 also allows you to audit the logon activity of users in a domain. By auditing successful logons, you can look for instances in which an account is being used at unusual times or in unexpected locations, which might indicate that an intruder is logging on to the account. Auditing failed logons can reveal attempts by intruders to compromise an account. In this lesson, you learn to configure auditing of logon authentication.

Account Logon and Logon Events

This lesson examines two specific policy settings: Audit Account Logon Events and Audit Logon Events. It is important that you understand the difference between these two similarly named policy settings.

When a user logs on to any computer in the domain using a domain user account, a domain controller authenticates the attempt to log on to the domain account. This generates an account logon event on the domain controller.

The computer to which the user logs on—for example, the user’s laptop—generates a logon event. The computer did not authenticate the user against his or her account—it passed the account to a domain controller for validation. The computer did, however, allow the user to log on interactively to the computer. Therefore, the event is a logon event.

When the user connects to a folder on a server in the domain, that server authorizes the user for a type of logon called a network logon. Again, the server does not authenticate the user—it relies on the ticket given to the user by the domain controller. However, the connection by the user generates a logon event on the server.

Configuring Authentication-Related Audit Policies

Account logon and logon events can be audited by Windows Server 2008 R2. The settings that manage auditing are located in a GPO in the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node. The Audit Policy node and the two settings detailed in the previous section are shown in Figure 8-4.

Figure 8-4

Figure 8-4 Authentication-related policy settings

To configure an audit policy, double-click the policy, and its properties dialog box appears. The Audit Account Logon Events Properties dialog box is shown in Figure 8-5.

Figure 8-5

Figure 8-5 The Audit Account Logon Events Properties dialog box

The policy setting can be configured to one of the following four states:

  • Not defined If the Define These Policy Settings check box is cleared, the policy setting is not defined. In this case, the server audits events based on its default settings or on the settings specified in another GPO.

  • Defined for no auditing If the Define These Policy Settings check box is selected, but the Success and Failure check boxes are cleared, the server will not audit these events.

  • Audit successful events If the Define These Policy Settings check box is selected, and the Success check box is selected, the server will log successful events in its Security log.

  • Audit failed events If the Define These Policy Settings check box is selected, and the Failure check box is selected, the server will log unsuccessful events in its Security log.

A server’s audit behavior is determined by the settings that are applied as the resultant set of policy. In Windows Server 2008 R2, the default setting is to audit successful account logon events and successful logon events. So both types of events are, if successful, entered in the server’s Security log. If you want to audit failures or turn off auditing, you must define the appropriate setting in the audit policy.

Scoping Audit Policies

As with all policy settings, you should scope settings so that they affect the correct systems. For example, if you want to audit attempts by users to connect to remote desktop servers in your enterprise, you can configure logon event auditing in a GPO linked to the OU that contains your remote desktop servers. If, on the other hand, you want to audit logons by users to desktops in your human resources department, you can configure logon event auditing in a GPO linked to the OU containing human resources computer objects. Remember that domain users logging on to a client computer or connecting to a server will generate a logon event—not an account logon event—on that system.

Only domain controllers generate account logon events for domain users. Remember that an account logon event occurs on the domain controller that authenticates a domain user, regardless of where that user logs on. If you want to audit logons to domain accounts, you should scope account logon event auditing to affect only domain controllers. In fact, the Default Domain Controllers GPO that is created when you install your first domain controller is an ideal GPO in which to configure account logon audit policies.

Viewing Logon Events

Account logon and logon events, if audited, appear in the Security log of the system that generated the event. Figure 8-6 shows an example. So if you are auditing logons to computers in the human resources department, the events are entered in each computer’s Security log. Similarly, if you are auditing unsuccessful account logons to identify potential intrusion attempts, the events are entered in each domain controller’s Security log. This means, by default, that you will need to examine the Security logs of all domain controllers to get a complete picture of account logon events in your domain.

Figure 8-6

Figure 8-6 Authentication events in the Security log

As you can imagine, in a complex environment with multiple domain controllers and many users, auditing account logons or logons can generate a tremendous number of events. If there are too many events, it can be difficult to identify problematic events worthy of closer investigation. You should balance the amount of logging you perform with the security requirements of your business and the resources you have available to analyze logged events.

PRACTICE: Auditing Authentication

In this practice, you use Group Policy to enable auditing of logon activity by users in the contoso.com domain. You then generate logon events and view the resulting entries in the event logs.

EXERCISE 1 Configure Auditing of Account Logon Events

In this exercise, you modify the Default Domain Controllers Policy GPO to implement auditing of both successful and failed logons by users in the domain.

  1. Open Group Policy Management from the Administrative Tools program group.

  2. Expand Forest, Domains, Contoso.com, and Domain Controllers.

  3. Right-click Default Domain Controllers Policy and choose Edit.

    Group Policy Management Editor appears.

  4. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.

  5. Double-click Audit Account Logon Events.

  6. Select the Define These Policy Settings check box.

  7. Select both the Success and Failure check boxes. Click OK.

  8. Double-click Audit Logon Events.

  9. Select the Define These Policy Settings check box.

  10. Select both the Success and Failure check boxes. Click OK.

  11. Close Group Policy Management Editor.

  12. Open Command Prompt and type gpupdate.exe /force.

    This command causes SERVER01 to update its policies, at which time the new auditing settings take effect.

EXERCISE 2 Generate Account Logon Events

In this exercise, you generate account logon events by logging on with both incorrect and correct passwords.

  1. Log off of SERVER01.

  2. Attempt to log on as Administrator with an incorrect password. Repeat this step once or twice.

  3. Log on to SERVER01 with the correct password.

EXERCISE 3 Examine Account Logon Events

In this exercise, you view the events generated by the logon activities in Exercise 2.

  1. Open Event Viewer from the Administrative Tools program group.

  2. Expand Windows Logs, and then click Security.

  3. Identify the failed and successful events.

Lesson Summary

  • Account logon events occur on a domain controller as it authenticates users logging on anywhere in the domain.

  • Logon events occur on systems to which users log on—for example, to their individual desktops and laptops. Logon events are also generated in response to a network logon—for example, when a user connects to a file server.

  • By default, Windows Server 2008 R2 systems audit successful account logon and logon events.

  • To examine account logon events in your domain, you must look at the individual event logs from each domain controller.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Auditing Authentication.” The questions are also available on the companion CD if you prefer to review them in electronic form.

  1. You want to obtain a log that will help you isolate the times of day that failed logons are causing a user’s account to be locked out. Which policy should you configure?

    1. Define the Audit Account Logon Events policy setting for Success events in the Default Domain Policy GPO.

    2. Define the Audit Account Logon Events policy setting for Failure events in the Default Domain Policy GPO.

    3. Define the Audit Logon Events policy setting for Success events in the Default Domain Policy GPO.

    4. Define the Audit Logon Events policy setting for Failure events in the Default Domain Policy GPO.

  2. You want to keep track of when users log on to computers in the human resources department of Adventure Works. Which of the following methods will allow you to obtain this information?

    1. Configure the policy setting to audit successful account logon events in the Default Domain Controllers GPO. Examine the event log of the first domain controller you installed in the domain.

    2. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing user accounts for employees in the human resources department. Examine the event logs of each computer in the human resources department.

    3. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing computer accounts in the human resources department. Examine the event logs of each computer in the human resources department.

    4. Configure the policy setting to audit successful account logon events in a GPO linked to the OU containing computer accounts in the human resources department. Examine the event logs of each domain controller.