Local policies enable administrators to set user privileges on the local computer that govern what users can do on the computer and determine if the system should track user activities in an event log. Tracking events that take place on the local computer, a process referred to as auditing, is another important part of monitoring and managing activities on a computer running Windows Server 2012 R2.
The Local Policies node of a GPO, found under Security Settings, has three subordinate nodes: Audit Policy, User Rights Assignment, and Security Options. As discussed in each of the following sections, keep in mind that local policies are local to a computer. When they are part of a GPO in Active Directory, they affect the local security settings of computer accounts to which the GPO is applied.
Planning and configuring an audit policy
The Audit Policy section of a GPO enables administrators to log successful and failed security events, such as logon events, account access, and object access. You can use auditing to track both user activities and system activities. Planning to audit requires that you determine the computers to be audited and the types of events you wish to track.
When you consider events to audit, such as account logon events, you must decide whether you wish to audit successful logon attempts, failed logon attempts, or both. Tracking successful events enables you to determine how often users access network resources. This information can be valuable when planning your resource usage and budgeting for new resources. Tracking failed events can help you determine when security breaches occur or are attempted. For example, if you notice frequent failed logon attempts for a specific user account, you might want to investigate further. The policy settings available for auditing are shown in Figure 6-5.
When an audited event occurs, Windows Server 2012 R2 writes an event to the security log on the domain controller or the computer where the event took place. If it is a logon attempt or other Active Directory–related event, the event is written to the domain controller. If it is a computer event, such as a floppy drive access, the event is written to the local computer’s event log.
FIGURE 6-5 Audit Policies in the default domain policy
You must decide which computers, resources, and events you want to audit. It is important to balance the need for auditing against the potential information overload that would be created if you audited every possible type of event. The following guidelines can help you to plan your audit policy:
– Audit only pertinent items: Determine the events you want to audit and consider whether it is more important to track successes or failures of these events. You should only plan to audit events that will help you gather network information.
– Archive security logs to provide a documented history: Keeping a history of event occurrences can provide you with documentation you can use to support the need for additional resources based on past usage.
– Configure the size of your security logs carefully: You need to plan the size of your security logs based on the number of events that you anticipate logging. You can configure the Event Log Policy settings under the Computer Configuration\Windows Settings\Security Settings\Event Log node of a GPO.
Implementation of your plan requires that you specify the categories to be audited and, if necessary, configure objects for auditing. To configure an audit policy, use the following procedure.
1. In Server Manager, on the Tools menu, select Group Policy Management to open the Group Policy Management console.
2. Expand the forest container and browse to your domain. Then expand the domain container and select the Group Policy Objects folder. The GPOs that currently exist in the domain appear on the Contents tab.
3. Right-click the Default Domain Policy GPO and click Edit. A Group Policy Management Editor window for this policy opens.
4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies node and select Audit Policy. The audit policy settings appear in the right pane.
5. Double-click the Audit Policy setting you want to modify. The Properties sheet for the policy you chose opens, as shown in Figure 6-6.
FIGURE 6-6 The Properties sheet for a policy setting
6. Select the Define These Policy Settings check box.
7. Select the appropriate check boxes to audit Success, Failure, or both.
8. Click OK to close the setting’s Properties sheet.
9. Close the Group Policy Management Editor and the Group Policy Management console.
You have now configured an audit policy in the default domain policy GPO, which will be propagated to all the computers in the domain during the next policy refresh.
Configuring objects for auditing is necessary when you have configured either of the two following event categories:
– Audit Directory Service Access: This event category logs user access to Active Directory objects, such as other user objects or OUs.
– Audit Object Access: This event category logs user access to files, folders, registry keys, and printers.
Each of these event categories requires additional setup steps, in which you open the Properties sheet for the object to be audited and specify the security principals or the files and folders for which you want to audit access.
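The same object-level setup can be scripted. The following added example (not from the original text) attaches an audit entry to a folder with PowerShell so that the Audit Object Access category has something to record. The folder path is hypothetical, the choice of rights to audit is an assumption, and the session must be elevated because reading and writing audit entries requires the Manage auditing and security log user right.

```powershell
# Added example: add an audit entry (SACL) to a folder for Audit Object Access.
# $path is a hypothetical folder; replace it with the folder you want to audit.
$path = 'D:\Shares\Finance'

# What to audit: writes, deletes, and permission or ownership changes,
# for both successful and failed attempts, inherited by subfolders and files.
$rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inheritance, $propagation, $auditFlags)

# -Audit is required; without it Get-Acl returns the permissions but not the audit entries.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the entries back to confirm what is now audited on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The entry produces events only while the Audit Object Access policy is also enabled for Success, Failure, or both on the computer that hosts the folder.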
NOTE: AUDITING OPTIONS
Beginning in Windows Server 2008, new options became available for AD DS auditing that indicate that a change has occurred and provide the old value and the new value.
For example, if you change a user’s description from Marketing to Training, the Directory Services Event Log will record two events containing the original value and the new value.
Assigning user rights
As shown in Figure 6-7, the User Rights Assignment settings in Windows Server 2012 R2 are extensive and include settings that pertain to rights users need to perform system-related tasks.
FIGURE 6-7 User Rights Assignment settings in a GPO
For example, a user logging on locally to a domain controller must have the Allow Log On Locally right assigned to his or her account or be a member of one of the following AD DS groups: Account Operators, Administrators, Backup Operators, Print Operators, or Server Operators.
These group memberships enable users to log on locally because Windows Server 2012 R2 assigns the Allow Log On Locally user right to those groups in the Default Domain Controllers Policy GPO by default. Other similar settings included in this collection are related to user rights associated with system shutdown, taking ownership privileges of files or objects, restoring files and directories, and synchronizing directory service data.
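To check what a computer actually received, both for the audit policy procedure earlier and for the Allow Log On Locally right described here, the following added example (not part of the original text) exports the computer's current security settings with secedit and reads two sections of the resulting file. It assumes an elevated PowerShell session; the temporary file name is arbitrary.

```powershell
# Added example: export the current security settings and read back the
# audit policy and the Allow Log On Locally assignment.
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # arbitrary temporary file name
secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null

# Parse the exported INF into @{ Section = @{ Key = Value } }.
$policy = @{}; $section = $null
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') {
        $section = $Matches[1]; $policy[$section] = @{}
    } elseif ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy[$section][$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item -Path $inf

# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
$meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }
$policy['Event Audit'].GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{ Category = $_.Key; Setting = $meaning[$_.Value] }
} | Format-Table -AutoSize

# [Privilege Rights]: SeInteractiveLogonRight is the Allow Log On Locally right.
# Entries are account names or SIDs prefixed with '*'; translate SIDs where possible.
$policy['Privilege Rights']['SeInteractiveLogonRight'] -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
    } else {
        $entry
    }
}
```

On a domain controller the second list should match the groups named above unless the Default Domain Controllers Policy GPO has been changed.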
Configuring security options
The Security Options node in a GPO, shown in Figure 6-8, includes security settings related to interactive logon, digital signing of data, restrictions for access to floppy and CD-ROM drives, unsigned driver installation behavior, and logon dialog box behavior.
FIGURE 6-8 The Security Options node in a GPO
The Security Options category also includes options to configure authentication and communication security within Active Directory.