
Monday, January 3, 2011

How do you do, Auditpol?

What if there were an alternative to using the Local Security Policy to set the options needed to support your security policy? Starting with Windows 7 and 2008 there is a new, perhaps even better, way: Auditpol, which offers much more granularity.

The full explanation of the security option that enables this behaviour is:

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories.  Setting audit policy at the category level will override the new subcategory audit policy feature.  To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.

To enable this option, visit Local Security Policy --> Local Policies --> Security Options --> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. By default this option is not enabled.

Auditpol is strictly a command-line tool that is invoked by typing, you guessed it, Auditpol. It has several switches that allow you to display, set, clear, back up and restore these settings.

The best way to become comfortable with the use of auditpol is to try it out on a test system.

Steps:
0) Enable the Audit Setting above
1) Open the Command Prompt as Administrator
2) Clear any existing settings with Auditpol /clear
3) Run the following command to view the current auditpol settings - Auditpol /get /category:*
4) Configure the settings that support your Security Policy
5) Run the following command to view the new Auditpol settings - Auditpol /get /category:*
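Here is the same walk-through as a single script you can run from an elevated PowerShell prompt on a test system. This is an added example, not part of the original post: it sets the SCENoApplyLegacyAuditPolicy registry value described above rather than clicking through Local Security Policy, and the handful of subcategories it enables in step 4 are an assumed sample baseline, not a recommendation from the post.

```powershell
# Added example (not from the original post): the five test-system steps as a script.
# Run from an elevated PowerShell prompt on a test machine.
# Assumption: the subcategories in $baseline are a sample baseline only.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# Step 0: "Force audit policy subcategory settings ... to override" is backed by the
# SCENoApplyLegacyAuditPolicy value under the Lsa key (the value named in the post).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: clear every existing subcategory setting (/y suppresses the confirmation prompt)
auditpol /clear /y
if ($LASTEXITCODE -ne 0) { throw 'auditpol /clear failed' }

# Step 3: show the (now empty) starting point
auditpol /get /category:*

# Step 4: apply a sample baseline (assumed values, adjust to your own security policy)
$baseline = @(
    @{ Subcategory = 'Logon';               Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Logoff';              Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'Account Lockout';     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Process Creation';    Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'Audit Policy Change'; Success = 'enable'; Failure = 'enable'  }
)
foreach ($entry in $baseline) {
    # Subcategory names with spaces are passed as one argument because of the quotes
    auditpol /set "/subcategory:$($entry.Subcategory)" `
        "/success:$($entry.Success)" "/failure:$($entry.Failure)"
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($entry.Subcategory)" }
}

# Step 5: confirm what is now in effect
auditpol /get /category:*
```

Because the script checks $LASTEXITCODE after each native call, a typo in a subcategory name stops the run instead of silently leaving a gap in the baseline.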

Sure, this is nice, but what if you have more than one server?

Glad you asked.

The backup option can be used to export the Auditpol settings to a csv or txt file - Auditpol /backup /file:C:\Windows\policy.txt. This can be used to back up the policy from one server and restore it on another.

Take a look at the output file in a text editor. The first field is obviously the hostname. If you are comfortable with the security settings, simply replace the original server name with the new server name and deploy the Auditpol settings. This will certainly save time over building each setting on the command line. It saves even more time to replace the value of the hostname field with localhost, so the same file can be used on every server.

With this change in place, the policy can be saved and then imported very quickly. To import the audit policy, enter the command - Auditpol /restore /file:C:\Windows\policy.txt. Now these granular security settings are applied without having to go through the meticulous steps on the command line. If you are using Group Policy, you can also use it to deploy and enforce auditpol in your domain.
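The export, hostname rewrite and import described above, as an added example that is not from the original post. It assumes what the post states about the backup file (comma-separated, hostname in the first field) plus two things of its own: that the file starts with a header row whose first field is "Machine Name" (rows beginning that way are left untouched, so the script still works if there is no header), and that auditpol reads the file back as UTF-16, which is the encoding the rewritten copy is written in. The file paths are the post's own example path and a second, assumed path for the portable copy.

```powershell
# Added example (not from the original post): export, make the file host-independent, import.
# Assumptions: comma-separated rows with the hostname first (as the post says), an optional
# "Machine Name" header row, and UTF-16 as the encoding auditpol /restore expects.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

function Convert-AuditpolBackupToPortable {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $DestinationPath
    )
    $rows = [System.IO.File]::ReadAllLines($SourcePath)
    $out = foreach ($line in $rows) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Split(',')                 # String.Split keeps empty trailing fields
        if ($fields[0] -eq 'Machine Name') { $line; continue }   # header row passes through
        if ($fields.Count -ne 7) {
            # Refuse to rewrite a file whose layout is not the expected seven fields
            throw "Unexpected field count ($($fields.Count)) in line: $line"
        }
        $fields[0] = 'localhost'                   # the one change the post describes
        $fields -join ','
    }
    [System.IO.File]::WriteAllLines($DestinationPath, [string[]]$out, [System.Text.Encoding]::Unicode)
    return @($out).Count
}

$backup   = 'C:\Windows\policy.txt'            # path from the post
$portable = 'C:\Windows\policy-portable.txt'   # assumed path for the host-independent copy

# Export the current policy from the reference server
auditpol /backup "/file:$backup"
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed' }

$lines = Convert-AuditpolBackupToPortable -SourcePath $backup -DestinationPath $portable
Write-Host "Wrote $lines lines to $portable"

# On each target server (after copying the portable file there): apply, then verify
auditpol /restore "/file:$portable"
if ($LASTEXITCODE -ne 0) { throw 'auditpol /restore failed' }
auditpol /get /category:*
```

The field-count check is there so that a file that was edited by hand, or produced by a different tool, fails loudly before /restore rather than importing a partial policy; the final /get is the same verification step the post uses after every change.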

I have not yet determined why the settings you make in Auditpol do not show up in the Local Security Policy. I did spend way too much time confirming these settings are not the same. Perhaps the answer is in the original phrase "override audit policy category settings".

Enjoy.
