An important tool in securing your NT network
If you're planning to migrate your network to Windows NT 5.0, the Active Directory (AD) will become a major part of your life. Whether you roll out NT 5.0 to 10 workstations or 10,000 workstations, one aspect of AD will be important to you: security. AD's security falls into two areas: creating and managing permissions to objects and their properties in a Directory Information Tree (DIT) and creating and managing audits of objects and their properties in a DIT. I discussed how to create and manage permissions in "Managing Permissions for NT 5.0's Active Directory" (July 1998). Now I will discuss how to create and manage audits.
In the context of NT, you can define auditing as the tracking of successful and unsuccessful events. NT 5.0 provides auditing comparable to NT 4.0's; however, NT 5.0 extends auditing's reach to new areas, such as AD. You can add triggers, or alerts, to AD objects and see the results in the audit log.
This article looks at how to view and create auditing entries and how to check auditing logs in NT 5.0's 1773 Interim Developers Release (i.e., post-beta 1). I used a single-server domain running the post-beta 1 release of NT 5.0 as my default setup. The domain's AD contains the NT server and a workstation client running NT 5.0 post-beta 1.
Viewing Auditing Entries
Suppose you want to set up an auditing process for a domain called ims. Before you consider what audits to apply to AD objects and containers, you need to know the default auditing entries for the domain.
To view the auditing entries for the ims domain, you must use the Microsoft Management Console (MMC--for more information about MMC, see Darren Mar-Elia, "Microsoft Management Console," June 1998). In MMC, open Directory Management. Right-click ims in the scope pane, and select Properties. In the ims Properties dialog box that appears, select the Security tab. Click Advanced to bring up the Access Control Settings for ims, and select the Auditing tab.
Screen 1, page 156, shows AD's default auditing settings. In Screen 1, the system is auditing all successful and failed events (All) of varying accesses (Special) in the ims domain (this object only) for AD's built-in group (Everyone). The default access control setting of Special means that the system audits multiple events. To see those events, you can either double-click the auditing entry line or highlight the line and click View/Edit. In the dialog box that appears, you'll see two tabs: Object and Properties. Screen 2, page 156, shows the default Object tab; Screen 3 shows the default Properties tab. Both screens display the audited events that apply to only the root of the ims DIT for the Everyone group.
As Screen 3 shows, AD audits only property writes for the ims domain object by default. This default makes sense when you consider that Microsoft designed AD for more reads than writes. Users log on to a DIT or query published resources much more often than they change their password or change the name of a printer. Consequently, if the system default were full auditing instead of write-only auditing, the log containing the auditing entries would fill up quickly and individual entries would be hard to find.
For the same reasons, the List contents, List object, Read all properties, and Read permissions check boxes in Screen 2 are empty. The system enables only the auditing of write, delete, and modify events of ims objects by default.
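The MMC procedure above and the default entries it reveals can also be inspected programmatically. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the SACL (the auditing entries) of an AD object through .NET's System.DirectoryServices classes and reports whether any entry audits read-type access, which the article describes as unchecked by default. It assumes a current Windows domain rather than the NT 5.0 beta, a domain-joined host, and an account holding the "Manage auditing and security log" right (SeSecurityPrivilege), without which the SACL read fails. The distinguished name DC=ims,DC=local stands in for the article's ims domain and is an assumption.

```powershell
# Added example (not from the article): enumerate an AD object's auditing entries (SACL)
# and check whether read access is audited. Assumes a modern domain, a domain-joined host,
# and SeSecurityPrivilege on the calling account. The domain DN below is an assumption.

Add-Type -AssemblyName System.DirectoryServices

function Get-AdAuditEntry {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # ObjectSecurity carries audit rules only when the SACL is explicitly requested.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

    $entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value   # e.g. "Everyone"
                AuditFlags = $_.AuditFlags                # Success, Failure, or both ("All" in the dialog)
                Rights     = $_.ActiveDirectoryRights     # WriteProperty, Delete, CreateChild, ...
                AppliesTo  = $_.InheritanceType           # None corresponds to "this object only"
                ObjectType = $_.ObjectType                # non-empty GUID = a specific property or class ("Special")
                Inherited  = $_.IsInherited
            }
        }
}

# Report whether the object's SACL audits any read-type right. Read auditing
# (List contents, List object, Read all properties, Read permissions) is off by default;
# enabling it everywhere floods the log, so turn it on only for containers that hold
# sensitive objects.
function Test-AdReadAudited {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $readRights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ListObject -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

    $hits = @(Get-AdAuditEntry -DistinguishedName $DistinguishedName |
              Where-Object { ($_.Rights -band $readRights) -ne 0 })

    [pscustomobject]@{
        Object        = $DistinguishedName
        ReadAudited   = ($hits.Count -gt 0)
        ReadAuditACEs = $hits.Count
    }
}

# Usage against the assumed domain root:
$domainDN = "DC=ims,DC=local"
Get-AdAuditEntry -DistinguishedName $domainDN | Format-Table -AutoSize
Test-AdReadAudited -DistinguishedName $domainDN
```

Running Get-AdAuditEntry against the domain root should show the same entries as the Auditing tab: the Identity column matches the Name column, AuditFlags matches Access (Success plus Failure displays as All), and an entry whose ObjectType is a non-empty GUID or whose Rights combine several values is what the dialog summarizes as Special. Pass the DN of an OU to the same functions to review auditing lower in the DIT.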
You might have noticed that Screen 3 has a Read all properties check box, but not a corresponding Write all properties check box. NT 5.0 beta 1 had a Write all properties check box in the Properties tab. But in NT 5.0 post-beta 1, the developers moved this option to the Object tab (as Screen 2 shows) and added a duplicate Read all properties check box. This modification is a good reminder that NT 5.0 is still prerelease software and therefore can change.
Creating Auditing Entries
To show you how to create auditing entries, I used object examples from "Managing Permissions for NT 5.0's Active Directory" and created a DIT for the ims domain. This DIT has an organizational unit (OU) container, TestOU1, which contains a user, TestUser1. Elsewhere in the DIT, the default Users container houses a domain group, DataEntryGroup. TestUser1 is a member of DataEntryGroup.