Active Directory Security

Active Directory (AD) holds the proverbial keys to the kingdom for many organizations-and not properly securing AD can leave that kingdom vulnerable. Admittedly, AD isn't easy to secure, but there are some basic steps you can take to ensure your AD infrastructure is reasonably secure. Note that I said basic steps. Security is a trade-off. There are always measures you can take to increase security, but they come at a price, either in terms of actual dollars or the loss of flexibility or functionality. Let me show you five steps that don't cost much to implement but can significantly help secure the free network computer inventory You can always improve AD security by automating manual processes, such as building domain controllers (DCs), but there hasn't been a programming language developed yet that will automate human behavior. That's why you need to set guidelines on how your administrators should manage AD.

Auditing Servers

You'll need to enable auditing for successful object access events on the servers on which the folders reside, and you'll need to enable auditing on the folders you want to monitor. To enable auditing for network inventory report, you can either use an existing Group Policy Object (GPO) that's applied to your file servers or, if you don't already control auditing through Group Policy, you can enable it in each server's Local Computer Policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (in Group Policy Editor-GPE) to a Security Setting of Success.

Auditing Servers

You'll need to enable auditing for successful object access events on the servers on which the folders reside, and you'll need to enable auditing on the folders you want to monitor. To enable auditing for network inventory discovery, you can either use an existing Group Policy Object (GPO) that's applied to your file servers or, if you don't already control auditing through Group Policy, you can enable it in each server's Local Computer Policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (in Group Policy Editor-GPE) to a Security Setting of Success.

Security-related Event IDs

After you enable object access auditing at the system level and for a specific folder, you'll start seeing event ID 560 (Object open) in the Security log. Look for instances of event ID 560, such as the one in Figure 2 in which the Object Name in the description is the name of a folder on which you enabled auditing. Then look in the Accesses field for network authority inventory, which is the system name for Change permissions. Figure 2 shows that Fred changed permissions on C:\DeptFiles. In the Security log, you'll also see a subsequent event ID 562 (A handle to an object was closed) with the same Handle ID as in event ID 560. Event ID 562 is just the corresponding close for the open in event ID 560.

Important Event IDs under Windows Server 2003

If your server is running Windows Server 2003, you'll also see event ID 567 (Object Access Attempt) in between event IDs 560 and 562. Event ID 567 is part of Windows 2003's new operation-based auditing. network inventory open lets you identify permissions that a user actually exercises as opposed to permissions that a user has but doesn't use. For instance, a program might open a file for read and write access (triggering an event ID 560 that shows both read and write access) but never actually write any data to the file. Windows 2003 logs event ID 567 the first time an application actually uses each permission while the file is open. A permission change operation is atomic (i.e., the object isn't opened for delete and then deleted-it's just deleted), so there's no need to look for event ID 567-it should always be there.