This supplemental video is to be used while studying the CompTIA Security+ SY0-301 Cert Guide (2nd Edition)

In this lab, you turn on the auditing feature on a Windows Server, permit auditing for specific objects, and analyze the resulting logs and events for those audited objects. In this lab, we use Windows Server 2003, but the procedure is basically the same with other versions of Windows Server. You also need some sort of Windows client to connect to the server. The steps are as follows:

Step 1. Access the Windows Server 2003. You should have an OU and corresponding policy already created. If not, create them now. For more information on how to do this, see Lab 9-1 in Chapter 9, “Configuring Password Policies and User Account Restrictions.”

Step 2. Open the MMC and snap-in the policy associated with the OU into the MMC.

Step 3. Access the policy associated with the OU.

Step 4. Navigate through the following path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

Step 5. Double-click the Audit object access policy. This displays a properties dialog box.

Step 6. Enable the policy by checking Define these policy settings and selecting the Success and Failure checkboxes. Then click OK.

Step 7. The policy should now show your configuration in the Policy Setting column.

Step 8. Access a shared folder on the server:
A. Verify that you have two basic, populated text files in the folder. If not, create them now.
B. Make sure that one or more users within the correct OU have at least the Read permission to the folder but not Full Control or Modify permissions. Right-click the folder and select Properties.
C. Then, select the Security tab. Verify the user permissions. If you have to change them, be sure to click the Apply button.

Step 9. Click the Advanced button, and click the Auditing tab.

Step 10. Deselect the Allow Inheritable Auditing Entries checkbox and click Apply.

Step 11. Click the Add button to add users or groups to audit. From here, you would add a person in the same manner as you would when creating permissions. Select one account from your OU. Make sure the account has only the permissions mentioned in Step 8.

Step 12. In the Auditing Entry for [folder] dialog box, check Delete Subfolders and Files and Delete in both the Successful and Failed columns. Then click OK.

Step 13. Click OK for the Advanced Security Settings Auditing tab.

Step 14. Click OK for the Properties dialog box.

Step 15. Connect from a client computer to the share. In the video, we VPN in, but you could log in to the domain as you normally would, or if you are using a local computer, simply make sure that you are logged in to the local computer as the person that is to be audited.

Step 16. Map a drive to the server’s share that is being audited. For example, the path might be \\\it. It all depends on the IP of your server and the name of the share.

Step 17. Attempt to delete the text files. You should not be able to, because of the permissions set in Step 8.

Step 18. Return to the server and view the Security log. This can be accessed by navigating to Computer Management > System Tools > Event Viewer > Security.

Step 19. Press F5 to refresh the Security log. This should now display Failure Audits for the audited person.

Step 20. Double-click one of the Failure Audit entries and examine the contents. It should show who did what and when.
Note: Sometimes, the parent policy (such as the Default Domain Policy) overrides any child policies such as the one we created. If necessary, turn off the override policy option as follows:
A. Access the Properties page of the OU.
B. Go to the Group Policy tab.
C. Highlight the policy and click the Options button.
D. Select the No Override checkbox and click OK.
E. Click OK for the Properties dialog box.
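The same configuration and log review can be scripted on Windows Server 2008 and later, where the Audit object access setting is split into subcategories and Failure Audits for files appear as event ID 4656. The script below is an added example, not from the Cert Guide or the video; the folder path and account are placeholders you replace with your own, and it must run in an elevated PowerShell session because reading and writing a SACL requires the security privilege.

```powershell
# Enable Success and Failure auditing for the File System subcategory
# (the Server 2008+ equivalent of Steps 5 and 6, "Audit object access").
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Placeholders (assumptions): the audited share folder and the audited user.
$Folder  = 'C:\Shares\it'
$Account = 'EXAMPLE\jsmith'

# Steps 10 to 14: block inherited audit entries on the folder and add a SACL
# entry that records Success and Failure for Delete and Delete Subfolders and Files.
$acl = Get-Acl -Path $Folder -Audit
$acl.SetAuditRuleProtection($true, $false)   # $true = stop inheriting, $false = do not copy parent rules
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Account,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Steps 18 to 20: after the user tries to delete the files from the client, list the
# Failure Audits for the folder. Event 4656 ("A handle to an object was requested") is
# where a denied delete is recorded; the AccessList field carries access codes such as
# %%1537, which the rendered message shows as DELETE.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 500 |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and $_.Message -like "*$Folder*" } |
    ForEach-Object {
        $evt = $_
        $xml = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $evt.TimeCreated                                  # when
            Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"  # who
            Object  = $data.ObjectName                                  # what
            Access  = ($data.AccessList -replace '\s+', ' ').Trim()      # which access was denied
        }
    } | Format-Table -AutoSize
```

If nothing is listed, check with `auditpol /get /subcategory:"File System"` that the effective policy was not replaced by a parent GPO, which is the override situation described in the note above.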
