How to Configure Auditing on the Server

 

 


 

 

 

 

Go to ACTIVE DIRECTORY USERS AND COMPUTERS.

 

 

Expand the Domain until you reach DOMAIN CONTROLLERS.

 

Right click DOMAIN CONTROLLERS and select PROPERTIES.

 

 

You will click the GROUP POLICY tab then click NEW.

 

 

Name the Policy then click EDIT.

 

 

Expand the listing until you arrive at AUDIT POLICY.

 

We will start by double clicking AUDIT ACCOUNT LOGON EVENTS.

 

 

You will place a checkmark in the box next to DEFINE THESE POLICY SETTINGS.

 

You can mark the FAILURE option.

 

This will monitor and log every time a user fails to log in to Active Directory.

 

NOTE: This is a great policy to catch hackers trying to access your network.

 

Select OK.

 

 

You will place a checkmark in the box next to DEFINE THESE POLICY SETTINGS.

 

You can mark the SUCCESS and FAILURE option.

 

This will monitor and log every time a user fails to log in to Active Directory.

 

NOTE: This will log and report every time a user logs on to the network.

 

Select OK.

 

 

To ensure that this group policy takes effect, highlight the policy of choice, then click the UP button to move it to the top of the list.

 

 

You can see here that the DCAUDIT is now at the top of the list.

 

 

If you highlight the policy then click PROPERTIES you can link it to all the Domain Controllers.

 

 

You will select the SECURITY tab.

 

You will highlight the AUTHENTICATED USERS and uncheck the APPLY GROUP POLICY ALLOW box.

 

 

You will now highlight the ENTERPRISE DOMAIN CONTROLLERS group.

 

Then click ADD.

 

 

The SELECT USERS, COMPUTERS, OR GROUPS box will come up and you will need to click ADVANCED.

 

 

Type in the word DOMAIN in the NAME box.

 

Click FIND NOW.

 

 

You will highlight DOMAIN CONTROLLERS and click OK.

 

 

The DOMAIN CONTROLLERS will populate in the final box.

 

Click OK.

 

 

With the DOMAIN CONTROLLERS highlighted in the box you will place a checkmark in the box under ALLOW across from APPLY GROUP POLICY.

 

Select APPLY then OK.

 

 

Select CLOSE on this page.

 

 

I will now try to log in to another domain controller using a valid user account but an incorrect password.

 

I can do this the fast way by going to START/RUN and typing MSTSC in the box.

 

Click OK.

 

 

This starts the Remote Desktop Connection.

 

I will type in the server's name next to COMPUTER and click CONNECT.

 

Once I have the login screen of the server I will type in a valid username but a bad password for the account. (Not Shown)

 

 

Now that I have completed the login that I know failed, I can go to ACTIVE DIRECTORY USERS AND COMPUTERS.

 

I will right click on the computer name and select MANAGE from the list. (Not Shown)

 

You will expand the EVENT VIEWER and select SECURITY.

 

 

You can double click any of the SUCCESS AUDIT entries in the right pane and the EVENT PROPERTIES box will open.

 

I do not show this in the image below, but you should see FAILURE AUDIT events in the log from the test I just performed. You may have to scroll down to find them.

 

Next to TYPE the image shows SUCCESS, but for the failed login you will see the word FAILURE here.

 

 

 

NOTE: Enabling Auditing consumes resources and can generate large amounts of data.

 

NOTE: You can view your audit entries in the Event Viewer Security Logs.

 

NOTE: For Auditing to work your file system must be NTFS.

 

NOTE: You can adjust the size of the Security Log.

 

NOTE: The log file will only grow to the size you have specified.

 

NOTE: The log file will not just keep growing until it fills up your hard drive space.

 

NOTE: Once the log file reaches your specified size it will start writing over from the beginning.
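
The Event Viewer check and the log-size notes above can also be done from PowerShell. This is an added example, not part of the original walkthrough. It assumes a Windows version that provides Get-WinEvent, an elevated session, and a placeholder domain controller name (DC01); the threshold and time window are illustrative values.

```powershell
# Added example: summarize FAILURE AUDIT entries in a domain controller's Security log.
# Assumptions: DC01 is a placeholder server name; run from an elevated session.
$Server    = 'DC01'   # hypothetical domain controller name
$Hours     = 1        # how far back to look
$Threshold = 5        # illustrative: failures per account worth a closer look

# 4503599627370496 (0x10000000000000) is the "Audit Failure" keyword,
# the same thing Event Viewer shows as a FAILURE AUDIT entry.
$filter = @{
    LogName   = 'Security'
    Keywords  = 4503599627370496
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches, so treat that as an empty result.
$events = @(Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull the account name and source address out of each event's XML payload.
# Failure audits that carry no TargetUserName field are skipped.
$rows = foreach ($e in $events) {
    $data    = ([xml]$e.ToXml()).Event.EventData.Data
    $account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if ($account) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $account
            Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        }
    }
}

# Failures per account, highest first, flagged when they reach the threshold.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';  e = { $_.Name } },
        @{ n = 'EventIds'; e = { ($_.Group.EventId | Sort-Object -Unique) -join ',' } },
        @{ n = 'Sources';  e = { ($_.Group.Source  | Sort-Object -Unique) -join ',' } },
        @{ n = 'Flag';     e = { if ($_.Count -ge $Threshold) { 'REVIEW' } else { '' } } }

# Security log size and overwrite behaviour (LogMode Circular = oldest entries are overwritten).
Get-WinEvent -ListLog Security -ComputerName $Server |
    Select-Object LogName, MaximumSizeInBytes, FileSize, RecordCount, LogMode
```

After the bad-password test described above, the test account should appear in the summary with at least one failure.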

 

 

 

 

This Ends The Task

 
