BETA COURSEWARE EXPIRES 4/18/2011

Improving the Security of Authentication in an AD DS Domain 9-29
Lesson 2
Audit Authentication
Windows Server 2008 allows you to audit the logon activity of users in a domain.
By auditing successful logons, you can look for instances in which an account is
used at unusual times or in unexpected locations, which may indicate that an
intruder is logging on to the account. Auditing failed logons can reveal attempts by
intruders to compromise an account. In this lesson, you will learn to configure
auditing of logon authentication.
Objectives
After completing this lesson, you will be able to:
Configure auditing of authentication-related activity.
Distinguish between account logon and logon events.
Identify authentication-related events in the Security log.

9-30 Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services
Account Logon and Logon Events
Key Points
This lesson examines two specific policy settings, Audit Account Logon Events and
Audit Logon Events. You need to understand the difference between these two
similarly named policy settings.
When a user logs on to any computer in the domain by using a domain user
account, a domain controller authenticates the attempt to log on to the domain
account. This generates an account logon event on the domain controller.
The computer to which the user logs on (for example, the user's laptop) generates
a logon event. The computer did not authenticate the user against the account; it
passed the credentials to a domain controller for validation. The computer did,
however, allow the user to log on interactively to the computer. Therefore, the
event is a logon event.
When the user connects to a folder on a server in the domain, that server
authorizes the user for a type of logon called a network logon. Again, the server
does not authenticate the user; it relies on the ticket given to the user by the
domain controller. But the connection by the user generates a logon event on the
server.
Note: The content in the following section is specific to Windows Server 2008 R2.
Advanced Audit Policies
In Windows Server 2008 R2, the Advanced Audit Policy Configuration node in Group
Policy adds subcategories for auditing logon and account logon events. You
learned about these advanced audit policies in Module 8. The subcategories give
administrators much more granular and detailed control over the logon process:
instead of auditing a whole category, you can record only the specific events of
interest that happen during the logon or logoff process.
For an account logon event, you can now define four different settings for audit:
Credential Validation. Audit events generated by validation tests on user
account logon credentials.
Kerberos Service Ticket Operations. Audit events generated by Kerberos
service ticket requests.
Other Account Logon Events. Audit events generated by responses to
credential requests submitted for a user account logon that are not credential
validation or Kerberos tickets.
Kerberos Authentication Service. Audit events generated by Kerberos
authentication ticket-granting ticket (TGT) requests.
You can audit the following logon and logoff events:
Logon. Audit events generated by user account logon attempts on a computer.
Logoff. Audit events generated by closing a logon session. These events occur
on the computer that was accessed. For an interactive logon, the security audit
event is generated on the computer that the user account logged on to.
Account Lockout. Audit events generated by a failed attempt to log on to an
account that is locked out.
IPsec Main Mode. Audit events generated by Internet Key Exchange protocol
(IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode
negotiations.
IPsec Quick Mode. Audit events generated by IKE and AuthIP during Quick
Mode negotiations.
IPsec Extended Mode. Audit events generated by IKE and AuthIP during
Extended Mode negotiations.
Special Logon. Audit events generated by special logons.
Other Logon/Logoff Events. Audit other events related to logon and logoff that
are not included in the Logon/Logoff category.
Network Policy Server. Audit events generated by RADIUS (IAS) and Network
Access Protection (NAP) user access requests. These requests can be Grant,
Deny, Discard, Quarantine, Lock, and Unlock.

Configure Authentication-Related Audit Policies
Key Points
Account logon and logon events can be audited by Windows Server 2008. The
settings that manage auditing are located in a GPO in the Computer Configuration
> Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
node. The Audit Policy node and the two settings are shown in the following
screen shot.

In Windows Server 2008 R2, you can configure additional audit policies in the
Advanced Audit Policy Configuration node (Computer Configuration > Policies >
Windows Settings > Security Settings > Advanced Audit Policy Configuration), as
shown in the following screenshot:

To configure an audit policy, both basic and advanced, double-click the policy.
Then, its properties dialog box appears. The Audit Account Logon Events
Properties dialog box is shown in the following screen shot. The policy setting can
be configured to one of the following four states:
Not Defined: If the Define These Policy Settings check box is cleared, the
policy setting is not defined. In this case, the server will audit the event based
on its default settings or on the settings specified in another GPO.
Defined for no auditing: If the Define These Policy Settings check box is
selected, but the Success and Failure check boxes are cleared, the server will
not audit the event.
Audit successful events: If the Define These Policy Settings check box is
selected, and the Success check box is selected, the server will log successful
events in its Security log.
Audit failed events: If the Define These Policy Settings check box is selected,
and the Failure check box is selected, the server will log unsuccessful events in
its Security log.
The Success and Failure check boxes are independent; selecting both audits both
successful and failed events.
A server's audit behavior is determined by the one of these four settings that is
applied as the resultant set of policy (RSoP).
In Windows Server 2008, the default setting is to audit successful account logon
events and successful logon events. So, both types of events are, if successful,
entered in the server's Security log. If you want to audit failures or to turn off
auditing, you will need to define the appropriate setting in the audit policy.
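The following PowerShell is an added example for this lesson and is not part of the 6425C courseware. It expresses the same two settings (Audit Account Logon Events and Audit Logon Events) as the Windows Server 2008 R2 subcategories listed earlier using auditpol.exe, reads back the effective per-subcategory policy so you can confirm which of the four states is actually in force, and checks the override that makes the basic Audit Policy node irrelevant once subcategory settings apply. It assumes an elevated PowerShell prompt on Windows Server 2008 R2 (on a domain controller if you care about account logon events); the subcategory names are the ones from the list above, and the registry value and security option named in the comments are standard Windows settings, not something the course describes.

```powershell
# Added example, not from the 6425C courseware. Settings made with auditpol /set
# are local policy: a GPO that defines audit policy overwrites them at the next
# Group Policy refresh, so use this to test, then move the setting into a GPO.

# Subcategories that make up the basic Audit Account Logon Events setting ...
$accountLogon = 'Credential Validation',
                'Kerberos Authentication Service',
                'Kerberos Service Ticket Operations',
                'Other Account Logon Events'
# ... and the ones most often wanted from the basic Audit Logon Events setting.
$logonLogoff  = 'Logon', 'Logoff', 'Account Lockout', 'Special Logon'

# Equivalent of selecting both the Success and Failure check boxes.
foreach ($sub in ($accountLogon + $logonLogoff)) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# Read the effective policy as CSV (/r) so it can be filtered. Columns are
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
# Exclusion Setting; Inclusion Setting is one of "Success and Failure",
# "Success", "Failure" or "No Auditing".
$effective = & auditpol.exe /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

$effective |
    Where-Object { ($accountLogon + $logonLogoff) -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# Caveat: once subcategory (advanced) audit policy is in force, the basic Audit
# Policy node settings are ignored on that server. Windows records this in the
# SCENoApplyLegacyAuditPolicy value, which the security option "Audit: Force
# audit policy subcategory settings (Windows Vista or later) to override audit
# policy category settings" controls.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Warning 'Subcategory policy overrides the basic Audit Policy node on this server.'
} else {
    Write-Output 'Basic Audit Policy node settings still apply on this server.'
}
```

Run the script once on a member server and once on a domain controller and compare the tables: the Account Logon subcategories only produce events on the domain controller, whatever they are set to elsewhere. If the warning fires, a change made in the basic Audit Policy node will have no effect until the subcategory settings are cleared or the override is turned off.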
Scoping Audit Policies
Key Points
As with all policy settings, you should be careful to scope settings so that they
affect the correct systems. For example, if you want to audit attempts by users to
connect to remote desktop servers in your enterprise, you can configure logon
event auditing in a GPO linked to the OU that contains your remote desktop
servers. If, on the other hand, you want to audit logons by users to desktops in
your human resources department, you can configure logon event auditing in a
GPO linked to the OU containing human resources computer objects. Remember
that domain users logging on to a client computer or connecting to a server will
generate a logon event, not an account logon event, on that system.
Only domain controllers generate account logon events for domain users.
Remember that an account logon event occurs on the domain controller that
authenticates a domain user, regardless of where that user logs on. If you want to
audit logons to domain accounts, you should scope account logon event auditing
to affect only domain controllers. In fact, the Default Domain Controllers GPO that
is created when you install your first domain controller is an ideal GPO in which to
configure account logon audit policies.
View Logon Events
Key Points
Account logon and logon events, if audited, appear in the Security log of the
system that generated the event. An example is shown in the following screen shot.

So, if you are auditing logons to computers in the human resources department,
the events are entered in each computer's Security log. Similarly, if you are auditing
unsuccessful account logons to identify potential intrusion attempts, the events are
entered in each domain controller's Security log. This means, by default, you will
need to examine the Security logs of all domain controllers to get a complete
picture of account logon events in your domain.
As you can imagine, in a complex environment with multiple domain controllers
and many users, auditing account logons or logons can generate a tremendous
number of events. If there are too many events, it can be difficult to identify
problematic events worthy of closer investigation. You should balance the amount
of logging you perform with the security requirements of your business and the
resources you have available to analyze logged events.
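Because account logon events are spread across every domain controller's Security log, and because the volume makes reading them one by one impractical, a practitioner would collect them centrally and reduce them to the two questions this lesson opened with: which accounts are failing repeatedly, and which accounts authenticate at unusual times. The following PowerShell is an added example and is not part of the 6425C courseware. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2), remote Event Log access to each domain controller, and a look-back window, failure threshold and business hours chosen purely for illustration. The event IDs are the standard Windows Server 2008 Security log IDs and are not taken from this page: 4624 and 4625 are logon events (on a domain controller they are the DC's own logons, for example network logons to its shares), while 4768 and 4771 (Kerberos TGT request and pre-authentication failure) and 4776 (NTLM credential validation) are the account logon events that only domain controllers record.

```powershell
# Added example, not from the 6425C courseware. Collects account logon and logon
# events from every domain controller and summarises them.
Import-Module ActiveDirectory

$lookbackHours = 24            # assumption: how far back to read
$minFailures   = 5             # assumption: failures per account worth a look
$workStart, $workEnd = 8, 18   # assumption: business hours, 24-hour clock

$accountLogonIds = 4768, 4771, 4776   # recorded only by domain controllers
$logonIds        = 4624, 4625         # recorded by the computer that was accessed
$filter = @{
    LogName   = 'Security'
    Id        = $accountLogonIds + $logonIds
    StartTime = (Get-Date).AddHours(-$lookbackHours)
}

$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $record = $_
        # EventData field names differ per ID; read them generically from the XML.
        $data = @{}
        foreach ($item in ([xml]$record.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        $source = $data['IpAddress']
        if (-not $source -or $source -eq '-') { $source = $data['WorkstationName'] }
        if (-not $source) { $source = $data['Workstation'] }   # field name used by 4776
        $kind = 'Logon'
        if ($accountLogonIds -contains $record.Id) { $kind = 'AccountLogon' }
        New-Object PSObject -Property @{
            DC      = $dc
            Time    = $record.TimeCreated
            Id      = $record.Id
            Kind    = $kind
            Account = $data['TargetUserName']
            Source  = $source
            # The Audit Success / Audit Failure keyword is authoritative for all five IDs.
            Failed  = [bool]($record.KeywordsDisplayNames -contains 'Audit Failure')
        }
    }
}

# 1. Accounts with repeated failures: password guessing, or the source of lockouts.
$events | Where-Object { $_.Failed } |
    Group-Object Account |
    Where-Object { $_.Count -ge $minFailures } |
    Sort-Object Count -Descending |
    Select-Object @{n='Account'; e={ $_.Name }}, Count,
                  @{n='Sources'; e={ ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', ' }},
                  @{n='DCs';     e={ ($_.Group | ForEach-Object { $_.DC } | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

# 2. Successful account logons outside business hours by user accounts
#    (computer accounts, which end in $, authenticate around the clock).
$events |
    Where-Object { $_.Kind -eq 'AccountLogon' -and -not $_.Failed } |
    Where-Object { $_.Account -notlike '*$' } |
    Where-Object { $_.Time.Hour -lt $workStart -or $_.Time.Hour -ge $workEnd } |
    Sort-Object Time |
    Select-Object Time, DC, Id, Account, Source |
    Format-Table -AutoSize
```

The first report answers "who is being attacked, from where, and which domain controller saw it"; the second is a starting point for the "unusual time or location" review described at the start of the lesson. Both depend on the auditing configured earlier actually being in force on the domain controllers: if Credential Validation and Kerberos Authentication Service are not audited, the 4776 and 4768/4771 events never exist to be collected.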
Lab B: Audit Authentication
The virtual machines should already be started and available after completing Lab
A. However, if they are not, you should complete Lab A before continuing. You will
be unable to successfully complete Lab B unless you have completed Lab A.
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman, with the password, Pa$$w0rd.
3. Open Windows Explorer and then browse to D:\Labfiles\Lab09b.
6. Run Lab09b_Setup.bat with administrative credentials. Use the account
Pat.Coleman_Admin, with the password, Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab09b.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and
monitoring of authentication against the enterprise's AD DS domain. Specifically,
you need to create an audit trail of logons.
Exercise: Audit Authentication
In this exercise, you will use Group Policy to enable auditing of both successful
and unsuccessful logon activity by users in the contoso.com domain. You will then
generate logon events and view the resulting entries in the event logs.
The main tasks for this exercise are as follows:
1. Configure auditing of account logon events.
2. Configure auditing of logon events.
3. Force a Group Policy refresh.
4. Generate account logon events.
5. Examine account logon events.
6. Examine logon events.


Task 1: Configure auditing of account logon events.
1. Run Group Policy Management as an administrator, with the user name
Pat.Coleman_Admin and the password Pa$$w0rd.
2. Modify the Default Domain Controllers Policy GPO to enable auditing events
for both successful and failed account logon events.
3. Close Group Policy Management Editor.

Task 2: Configure auditing of logon events.
1. Create a Group Policy Object (GPO) linked to the Servers\Important Project
OU. Name the GPO Server Lockdown Policy.
2. Modify the Server Lockdown Policy to enable auditing events for both
successful and failed logon events.
3. Close Group Policy Management Editor and Group Policy Management.

Task 3: Force a Group Policy refresh.
1. Start 6425C-NYC-SVR1. As the computer starts, it will apply the changes you
made to Group Policy.
2. On NYC-DC1, run the Command Prompt as an administrator, with the user
name Pat.Coleman_Admin and the password Pa$$w0rd, and then run the
command gpupdate.exe /force. Close the command prompt.

Task 4: Generate account logon events.
1. Log on to NYC-SVR1 as Pat.Coleman, but enter an incorrect password. The
following message appears: The user name or password is incorrect.
2. After you have been denied logon, log on again with the correct password,
Pa$$w0rd.

Task 5: Examine account logon events.
1. On NYC-DC1, run Event Viewer as an administrator, with the user name
Pat.Coleman_Admin and the password Pa$$w0rd.
2. Identify the failed and successful events in the Security log.

Question: Which Event ID is associated with the account logon failure events?
(Hint: Look for the earliest of a series of failure events at the time you logged on
incorrectly to NYC-SVR1.)
Question: Which Event ID is associated with the successful account logon? (Hint:
Look for the earliest of a series of events at the time you logged on with the
correct password to NYC-SVR1.)
Task 6: Examine logon events.
1. On NYC-SVR1, run Event Viewer as an administrator, with the user name
Pat.Coleman_Admin and the password Pa$$w0rd.
2. Identify the failed and successful events in the Security log.

Question: Which Event ID is associated with the logon failure events? (Hint: Look
for the earliest of a series of failure events at the time you logged on incorrectly to
NYC-SVR1.)
Question: Which Event ID is associated with the successful logon? (Hint: Look for
the earliest of a series of events at the time you logged on with the correct
password to NYC-SVR1.)
Results: In this exercise, you established and reviewed auditing for successful and
failed logons to the domain and to servers in the Important Project OU.
Note: Do not shut down the virtual machine after you are finished with this lab because the
settings you have configured here will be used in subsequent labs in this module.
Lab Review Questions
Question: You have been asked to audit attempts to log on to desktops and
laptops in the Finance division by using local accounts such as Administrator.
What type of audit policy do you set, and in what GPO(s)?
