Archive for June 21, 2011

Windows Server 2008 provides several categories of events that you can audit, as described in the following list:

 

■ Account Logon Events:  Track user logon and logoff via a user account.

■ Account Management:  Track when a user account or group is created, changed, or

deleted; a user account is renamed, enabled, or disabled; or a password is set or changed.

■ Directory Service Access:  Track access to Active Directory.

■ Logon Events:  Track nonlocal authentication events such as network use of a resource or a remote

service that is logging on by using the local system account.

■ Object Access:  Track when objects are accessed and the type of access performed—for example,

track use of a folder, file, or printer. Configure auditing of specific events through the object’s

properties (such as the Security tab for a folder or file).

■ Policy Change:  Track changes to user rights or audit policies.

■ Privilege Use:  Track when a user exercises a right other than those associated with logon and

logoff.

■ Process Tracking:  Track events related to process execution, such as program execution.

■ System Events:  Track system events such as restart, startup, shutdown, or events that affect

system security or the security log.

A good security step to take to prevent hackers and others from making unauthorized changes to a system’s registry is to prevent remote access to a system’s registry. When a user attempts to connect to a registry remotely, Windows Server 2008 checks the ACL for the following registry key:

 

HKLM\System\ControlSet001\Control\SecurePipeServers\winreg

 

If this key is missing, all users can access the registry subject to the permissions assigned to individual keys. If the key exists, Windows Server 2008 checks the permissions on the key to determine whether or not the remote user can gain access to the registry (and levels of access). Individual keys then determine what these remote users can do with a given key. Therefore, winreg is the first line of defense, and individual key ACLs are the second line of defense. If you want to prevent all remote access to the registry, make sure you set the permissions on the winreg key accordingly.