
In a multi-domain setting, I want to collect security file access audit events in a central place.

In Active Directory, it is possible to enable file access auditing at the Domain Controller by creating a GPO. Additionally, at a different 'file server' computer that is a member of one of the domains, a SACL has to be configured on the file system objects that I want to be audited (and that are included in a network share).

Once this is done, the file access events are recorded and somehow magically transferred to the event log of the domain controller.

I would really like to know:

  • How and when are these events transferred? Is the transfer encrypted?
  • Is it possible to directly select another (additional) receiver of those events, apart from the domain controller? I know that it is possible to forward those log events later on, but are they forwarded to the Domain Controller by default? Is there an implicit forwarding configured?
  • How much traffic is going to be generated, with respect to network load?
mischka
  • From my experience, there are 2 common approaches: the first one is to write a Windows service that will collect events from the Windows Security log on every DC and send those events to a common repository. The second approach is to create a kernel-mode file system driver and implement it on all file servers that you want to monitor. The driver will intercept incoming file system requests and log corresponding events. Also, a Windows service should be installed on the same share, which will send events to a common repository. This approach can take up to 1 year of development and a lot of BSODs – oldovets Oct 27 '16 at 21:16
  • But these are all built-in Windows functions, why would you write your own software? – mischka Oct 28 '16 at 11:01
  • I thought about it from the programmer's point of view, if your goal is real-time monitoring (close to real time in the case of event log collection). Of course you can use built-in features like event subscriptions (if all your DCs are 2008 or above), or you can configure log auto-backup and move all backups to a common repository via e.g. a scheduled task. Why do these built-in features not suit your needs? – oldovets Oct 28 '16 at 19:46
  • I wonder how they scale in terms of traffic. Additionally, this is personal information with regard to European data privacy law. It needs to be handled carefully, so I need to know at least whether the data is encrypted during transmission (user name). I have no experience with log forwarding and event subscriptions and I cannot prototype it because my MS Action Pack only has 2 Win Server licenses, and I'd need 1000 servers :-D – mischka Nov 01 '16 at 10:25
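The "event subscriptions" path that the comments point at, written out end to end as an added example (this is not code from the original question or its answers). It assumes a hypothetical share `D:\Shares\Finance`, a hypothetical collector host `WEC01.corp.example` and a subscription name `FileAccessAudit`; the event IDs 4656/4663/4660, the `auditpol`/`wecutil`/`winrm` commands and the subscription XML schema are the standard Windows ones. Two facts worth knowing before reading it: object-access audit events are written to the Security log of the machine that holds the object (the file server), not to the domain controller, so a subscription is what moves them to a central collector; and the batching settings in the subscription are the knob that answers the network-load question.

```powershell
# Added example, not from the original post. Hypothetical names: share D:\Shares\Finance,
# collector WEC01.corp.example, subscription "FileAccessAudit". Run elevated: reading or
# writing a SACL (Get-Acl -Audit / Set-Acl) needs SeSecurityPrivilege.

# --- 1. File server: enable the "File System" subcategory (the same thing the GPO does centrally) ---
# Use the advanced (subcategory) policy rather than the legacy "Audit object access" category.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# --- 2. File server: put a SACL on the shared folder, otherwise nothing is audited ---
$path = 'D:\Shares\Finance'
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# The events land in the file server's *local* Security log (4663 "An attempt was made to
# access an object", 4656 handle requested, 4660 object deleted). Nothing has left the box yet.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 3 |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }}

# --- 3. Collector (any domain member, a DC is not required): create a source-initiated subscription ---
# Source-initiated = the file servers push to the collector over WinRM. They learn the collector
# address from the GPO "Configure target Subscription Manager" (Computer Configuration >
# Administrative Templates > Windows Components > Event Forwarding), e.g.
#   Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
wecutil.exe qc /q        # enables and starts the Windows Event Collector service

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscription">
  <SubscriptionId>FileAccessAudit</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Object-access audit events from file servers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- send when 500 events are queued or 60 s have passed: this is the network-load knob -->
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>60000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <!-- select only the file-access IDs; forwarding the whole Security log is far noisier -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4656 or EventID=4663 or EventID=4660)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- HTTP means WinRM on TCP 5985. Between domain members WinRM still encrypts the message
       body with the Kerberos session key; choose HTTPS (TCP 5986, TLS) if you want wire-level TLS
       and the collector has a server certificate. -->
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow the collector domain's "Domain Computers" (DC alias) to push. In a
       multi-domain forest, add the Domain Computers SID of each other domain as an extra ACE. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\FileAccessAudit.xml" -Value $subscription -Encoding UTF8
wecutil.exe cs "$env:TEMP\FileAccessAudit.xml"

# --- 4. File server: WinRM listener, and let the forwarder read the Security log ---
winrm.cmd quickconfig -q
# The forwarding service runs as NETWORK SERVICE (SID S-1-5-20); Security log reads require
# membership in "Event Log Readers" (or an edited log SDDL).
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'S-1-5-20'

# --- 5. Collector: confirm sources are checking in and events arrive in ForwardedEvents ---
wecutil.exe gr FileAccessAudit      # per-source runtime status: last heartbeat, error codes
Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4663} -MaxEvents 5 |
    Format-Table TimeCreated, MachineName, Id -AutoSize
```

Two practical notes on the design: a SACL of `Everyone` with `Success` on `ReadData` over a busy share produces one 4663 per handle open and can overwhelm both the local log and the link, so size `MaxItems`/`MaxLatencyTime` and the Security log's retention together, and narrow the rights in the audit rule to what you actually need to see (writes, deletes, permission changes). And because 4663 carries the account name, the subscription's transport choice (Kerberos-encrypted HTTP versus TLS) is the control to document for the privacy question raised in the comments.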

1 Answer


First, a domain controller is a server hosting Active Directory (a kind of organisation database). Active Directory identifies every component/resource connected to the domain, whether logical (user) or physical (computer and printer), as an object. This object has properties known as the Schema. This schema has been catalogued in repositories known as the GC (Global Catalogue), but the GC has only partial information, so that resources can be located. Now, coming to the policies. There are two things: GPO and OU. A GPO is a set of policies that you can apply to an OU or a higher grouping unit. Let's see how communication happens. Again, there are two widely used terms: 1. replication and 2. LDAP query.

Replication is done between controllers so that network traffic can be reduced and for higher availability of resources connected to the server. In replication, all resource information is synchronized with the server. To ensure security integrity, there are certificates (which give identification as well as an encryption mechanism) and delegation (providing rights).

LDAP is the protocol through which users are authenticated. So LDAP has queries, which are quite similar to other query languages. Well, all these queries are ultimately logged to the server.

GPOs are replicated to resources, or you can apply them forcibly if you want to do it immediately.

  • Could you please provide a source for the information that the transmission is encrypted? Which algorithm is used? – mischka Nov 03 '16 at 16:11
  • @mischka please take a look at the link below: https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx – user2090820 Nov 04 '16 at 07:16
  • @mischka this link will explain the certification mechanism: https://msdn.microsoft.com/en-us/library/bb727098.aspx – user2090820 Nov 04 '16 at 07:17
  • Those links to TechNet describe how to manage, install and distribute SSL certificates. Unfortunately, they don't mention anything about event logs. Specifically, they do not say whether the event logs are transferred using SSL. – mischka Sep 04 '17 at 16:15