1
00:00:00,380 --> 00:00:02,520
In this short demonstration, I'm going to show you how

2
00:00:02,520 --> 00:00:04,630
to configure auditing inside Windows,

3
00:00:04,630 --> 00:00:06,660
as well as how to audit your files.

4
00:00:06,660 --> 00:00:08,880
Let's jump into the environment and get started.

5
00:00:08,880 --> 00:00:10,420
So now that we're in the lab environment,

6
00:00:10,420 --> 00:00:13,970
let's take a look inside our local group policy editor.

7
00:00:13,970 --> 00:00:15,980
Underneath the local computer policy,

8
00:00:15,980 --> 00:00:18,190
and then underneath the computer configuration,

9
00:00:18,190 --> 00:00:21,190
we have our Windows settings, our security settings,

10
00:00:21,190 --> 00:00:24,470
and finally, our audit policy, as shown here.

11
00:00:24,470 --> 00:00:27,460
Under your audit policy, you have several different events.

12
00:00:27,460 --> 00:00:29,390
And this is going to allow you to decide what

13
00:00:29,390 --> 00:00:31,620
is going to be audited and what isn't.

14
00:00:31,620 --> 00:00:34,800
For example, do you want to audit your logon events?

15
00:00:34,800 --> 00:00:37,370
Well, right now, there's no auditing enabled for that,

16
00:00:37,370 --> 00:00:40,250
so if we double-click that, we can then log

17
00:00:40,250 --> 00:00:44,200
or audit the successes and failures of those login attempts.

18
00:00:44,200 --> 00:00:46,910
So I'm going to go ahead and apply that and hit Okay.

19
00:00:46,910 --> 00:00:49,490
For example, you might want to audit your object access.

20
00:00:49,490 --> 00:00:51,660
This'll be things like files and folders.

21
00:00:51,660 --> 00:00:54,120
I'm going to go ahead and hit success and failure on this.

22
00:00:54,120 --> 00:00:55,900
And if you're ever wondering what something does,

23
00:00:55,900 --> 00:00:58,700
just click on the explanation and it will show you that.

24
00:01:00,130 --> 00:01:02,190
We can do the same thing for auditing privileges.
25
00:01:02,190 --> 00:01:04,040
Any time somebody logs in as an admin

26
00:01:04,040 --> 00:01:05,930
or does a run-as as an admin.

27
00:01:05,930 --> 00:01:08,560
So we can go ahead and do that auditing as well.

28
00:01:08,560 --> 00:01:10,930
And you can do this for all sorts of different things

29
00:01:10,930 --> 00:01:13,190
inside of your policies.

30
00:01:13,190 --> 00:01:14,910
Now, in addition to that, we want to look

31
00:01:14,910 --> 00:01:18,350
at how we can audit our files and the access to those.

32
00:01:18,350 --> 00:01:19,770
So I'm going to show you that here

33
00:01:19,770 --> 00:01:21,803
as I configure my share drive.

34
00:01:23,340 --> 00:01:24,820
First, I'm going to go ahead and minimize

35
00:01:24,820 --> 00:01:27,040
this global policy editor, and here you can see

36
00:01:27,040 --> 00:01:29,270
under my C drive, I have a share drive.

37
00:01:29,270 --> 00:01:32,610
I'm going to right-click on that folder and hit Properties.

38
00:01:32,610 --> 00:01:35,230
From here, we can click on the Security tab,

39
00:01:35,230 --> 00:01:37,410
and underneath the Security tab, we're going to click

40
00:01:37,410 --> 00:01:39,390
on the Advanced button.

41
00:01:39,390 --> 00:01:42,260
From the Advanced button, we're going to click on Auditing,

42
00:01:42,260 --> 00:01:44,320
and this is where you can configure it

43
00:01:44,320 --> 00:01:47,240
to audit the files and the folders.

44
00:01:47,240 --> 00:01:49,350
So to add those auditing entries,

45
00:01:49,350 --> 00:01:51,800
we're simply going to click the Add button.

46
00:01:51,800 --> 00:01:54,300
And just like permissions, this is going to inherit downward

47
00:01:54,300 --> 00:01:56,420
throughout the rest of the folder structure.
48
00:01:56,420 --> 00:01:58,710
Now, from here, you'd be able to change

49
00:01:58,710 --> 00:02:01,760
what principal it is, so if I select a principal,

50
00:02:01,760 --> 00:02:05,970
and let's say I am going to go ahead and make it the Jason.adm

51
00:02:05,970 --> 00:02:08,520
account, which is the account I'm on right now.

52
00:02:08,520 --> 00:02:10,500
Or, I could put in some group policies,

53
00:02:10,500 --> 00:02:12,770
however you want to set that up.

54
00:02:12,770 --> 00:02:16,930
Now, any time that Jason.adm has a success,

55
00:02:16,930 --> 00:02:20,640
that applies to this folder, subfolder, or files,

56
00:02:20,640 --> 00:02:23,830
then we want to be able to log that and audit that,

57
00:02:23,830 --> 00:02:26,480
and that's what we're going to be able to do right here.

58
00:02:27,670 --> 00:02:29,233
And so next, we'll hit Okay.

59
00:02:30,310 --> 00:02:33,960
And now you can see that any time there's a success

60
00:02:33,960 --> 00:02:37,500
that Jason.adm is logged into it, and does a read

61
00:02:37,500 --> 00:02:40,780
or an execute, then this folder, subfolder,

62
00:02:40,780 --> 00:02:43,620
any files underneath it, it is going to be logged.

63
00:02:43,620 --> 00:02:46,200
This is going to tell me any time that happens.

64
00:02:46,200 --> 00:02:48,060
That's the benefit of doing this logging

65
00:02:48,060 --> 00:02:48,980
and this auditing.

66
00:02:48,980 --> 00:02:51,090
So those are the basics of how to set up auditing

67
00:02:51,090 --> 00:02:52,640
on a file or folder.

68
00:02:52,640 --> 00:02:56,210
You can use this to be able to log any time a certain user

69
00:02:56,210 --> 00:03:00,620
or a group of users logs in or touches some sort of files

70
00:03:00,620 --> 00:03:02,630
or folders, whether they're reading it, executing it,

71
00:03:02,630 --> 00:03:03,770
or modifying it.

72
00:03:03,770 --> 00:03:05,270
Now, why would you use this?
73
00:03:05,270 --> 00:03:07,870
Well, maybe you have some regulatory requirements.

74
00:03:07,870 --> 00:03:09,080
Maybe you're a healthcare provider

75
00:03:09,080 --> 00:03:10,080
and you fall under HIPAA

76
00:03:10,080 --> 00:03:12,370
and you need to know exactly who touches each

77
00:03:12,370 --> 00:03:15,960
and every person's confidential health data.

78
00:03:15,960 --> 00:03:17,900
And so if you have a nurse who logs in,

79
00:03:17,900 --> 00:03:19,030
that would be able to keep track

80
00:03:19,030 --> 00:03:22,060
that Nurse A has touched this file on this date

81
00:03:22,060 --> 00:03:23,020
and this time.

82
00:03:23,020 --> 00:03:25,280
And this is one of the ways you can use auditing.

83
00:03:25,280 --> 00:03:26,890
Now, also, you can do this

84
00:03:26,890 --> 00:03:28,920
if you have a suspected insider threat.

85
00:03:28,920 --> 00:03:31,460
Maybe I really think Jason is a bad guy,

86
00:03:31,460 --> 00:03:34,360
and so I want to see everything that Jason touches.

87
00:03:34,360 --> 00:03:36,490
I can set up these audit trails to log

88
00:03:36,490 --> 00:03:38,900
and alert every time Jason tries to touch something,

89
00:03:38,900 --> 00:03:40,760
and that way, I can keep that information

90
00:03:40,760 --> 00:03:43,820
and go back later and use it to build my case against him.

91
00:03:43,820 --> 00:03:45,720
You can do a lot of different things with auditing,

92
00:03:45,720 --> 00:03:47,640
but it is a mainstay of security,

93
00:03:47,640 --> 00:03:50,100
and so you have to figure out exactly what you need

94
00:03:50,100 --> 00:03:51,910
to audit, how much you need to audit,

95
00:03:51,910 --> 00:03:53,310
and where you need to audit.

96
00:03:54,354 --> 00:03:56,015
(electronic whirring)