Section 4.8: Auditing Access to Active Directory Objects

The procedure for enabling auditing consists of two steps: enabling the appropriate audit policy and specifying which events to audit. For Active Directory objects the policy is Audit directory service access, and the events are selected by placing audit entries in the system access control list (SACL) of the objects you want to watch; an audit entry without the policy, or the policy without any audit entries, produces no events. Auditing access to Active Directory objects relates to operations performed on the domain controllers. Therefore, the most appropriate place to enable the policy is the Default Domain Controllers Policy or a GPO linked to the Domain Controllers OU, so that every domain controller applies the same setting.
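The two steps above, carried out from the command line, as an added example that is not part of the original text. It is PowerShell for Windows Server 2008 or later, where auditpol.exe and the ActiveDirectory module's AD: drive exist; on Windows Server 2003 the same two steps are done in Group Policy (Audit directory service access) and in the Auditing tab of the object's Security properties, and the resulting events are ID 566 there (ID 4662 on Windows Server 2008 and later). The OU distinguished name is an assumption.

```powershell
# Added example, not from the original text. Assumes the ActiveDirectory PowerShell module
# (AD: drive), Windows Server 2008 or later (auditpol.exe), and the right to edit the OU's
# SACL (Domain Admins on a domain controller). The OU distinguished name is an assumption.
Import-Module ActiveDirectory

$ouDn   = 'OU=Tier0,DC=corp,DC=example'      # assumption: the object whose access we audit
$adPath = "AD:\$ouDn"

# Step 1: confirm the audit policy on this domain controller captures the subcategory.
# Without it the SACL entry below is silently ignored. The policy must be identical on
# every DC, which is why the page recommends the Domain Controllers OU GPO.
auditpol /get /subcategory:"Directory Service Access"

# Step 2: read the current security descriptor including its SACL (-Audit).
$acl = Get-Acl -Path $adPath -Audit

# Audit successful and failed attempts by anyone to change attributes, permissions or
# ownership of this OU and of every object beneath it.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$flags    = [System.Security.AccessControl.AuditFlags]::Success -bor
            [System.Security.AccessControl.AuditFlags]::Failure
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone, $rights, $flags, $inherit)
$acl.AddAuditRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Step 3: verify the audit entry is present (explicit and inherited, names resolved).
(Get-Acl -Path $adPath -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

Run it once per object (or once on a parent OU with inheritance, as here) and check the Security event log for the resulting 4662 events; if step 1 shows "No Auditing" the SACL alone will not generate anything.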

4.8.1: Monitoring User Access to Shared Folders

Computer Management in Windows Server 2003 allows you to monitor and administer shared resources on local and remote computers. With Computer Management you can view information about shared resources and perform administrative tasks, such as modifying permissions for a shared resource and determining the number of users who are currently accessing a shared resource. You would want to monitor shared folders in order to:

• Check which users have access to which shared folders;

• Check which users are currently using a shared folder so that you can notify them before making the folder temporarily or permanently unavailable; and

• Check which shared folders are being used, how many users are using the folder and how often, so that you can plan for future system growth.

4.8.1.1: Monitoring User Sessions

You can monitor the users who have a session to the server and the files they hold open, and use this information to determine which users you must contact before you stop sharing a folder or shut down the server. You can also disconnect one or more users to free idle connections to the shared folder, prepare for a backup or restore operation, shut down a server, or change group membership and permissions for the shared folder. Disconnecting a user is not a security control: after you disconnect a user, the user can immediately reconnect to the shared folder unless you change the permissions or stop sharing the folder.

Note: Disconnecting users from open files can result in data loss. To prevent data loss you should notify users that are connected to shared folders or files that there will be a disruption to the computer or resource availability.

4.8.1.2: Sending Administrative Messages to Users

It is therefore recommended that you send administrative messages to users when there will be a disruption to the availability of computers or resources to which they are currently connected. You would send administrative messages to notify users when you intend to:

• Perform a backup or restore operation.

• Disconnect users from a resource.

• Upgrade software or hardware.

• Shut down the server.

You can use the Shared Folders snap-in to send administrative messages to users. By default, all currently connected computers appear in the list of recipients to which you can send a message. You can add other users or computers to this list even if they do not have a current connection to resources on the computer. To send administrative messages:

Note: Administrative messages are delivered to computers running Windows NT, Windows 2000, Windows XP Professional and Windows Server 2003 only if the Messenger service (not the Windows Messenger instant-messaging client) is running on the recipient. The service is disabled by default starting with Windows XP SP2 and Windows Server 2003 SP1 and was removed from later Windows versions, so on a current network you should not assume these messages arrive and should plan an out-of-band notification. For Windows 95, Windows 98, and Windows Me, you must use Winpopup.exe.

Note: When you combine the NTFS permissions granted to a user and to the groups the user belongs to, the effective NTFS permission is the cumulative (least restrictive) set of all of them, except that an explicit Deny overrides any Allow; shared folder permissions combine in the same way. However, when you combine NTFS permissions with shared folder permissions, the effective permission is the more restrictive of the two effective permissions. Shared folder permissions apply only to access over the network; a user who logs on locally or through Terminal Services is limited by NTFS permissions alone, so share permissions cannot substitute for NTFS permissions. Thus, if a user cannot gain the appropriate access to a resource, first determine the shared folder permissions that the user has. Then determine the NTFS permissions on the resource that the user is trying to access. Finally, determine which of these effective permissions is the more restrictive; that is the access the user actually has.
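The whole sequence described in 4.8.1.1 and 4.8.1.2 (list sessions and open files, notify, then disconnect), together with the share/NTFS permission check from the Note above, as an added example written for this page rather than taken from it. It is PowerShell for Windows Server 2012 or later, where the SmbShare module exists; Windows Server 2003 offered the Shared Folders snap-in and the net share, net session, net file and net send commands for the same steps. The share name, its folder and the message text are assumptions.

```powershell
# Added example, not from the original text. Assumes Windows Server 2012 or later with the
# SmbShare module, run on the file server as an administrator. The share name and message
# text are assumptions. On Windows Server 2003 the equivalents are the Shared Folders
# snap-in or "net share", "net session", "net file" and "net send".
param(
    [string]$ShareName = 'Projects',
    [string]$Message   = 'The Projects share goes offline for maintenance in 10 minutes. Save your work.',
    [switch]$Disconnect
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Step 1 (Note on permissions): gather both layers of the effective permission. Over the
# network a user is limited by the more restrictive of the share ACL and the NTFS ACL.
Write-Host "Share permissions on \\$env:COMPUTERNAME\$ShareName"
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Write-Host "NTFS permissions on $($share.Path)"
(Get-Acl -Path $share.Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Step 2 (4.8.1.1): who holds files open under this share right now, and from where.
# Get-SmbOpenFile reports the local path, so match the share root and anything below it.
$openFiles = Get-SmbOpenFile | Where-Object {
    $_.Path -eq $share.Path -or $_.Path -like "$($share.Path)\*"
}
$sessions = Get-SmbSession | Where-Object { $_.SessionId -in $openFiles.SessionId }

if (-not $sessions) {
    Write-Host "No open files on $ShareName; it can be taken offline without disconnecting anyone."
    return
}
$sessions  | Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize
$openFiles | Select-Object ClientUserName, ShareRelativePath | Format-Table -AutoSize

# Step 3 (4.8.1.2): notify before disrupting. The snap-in's console message and "net send"
# rely on the Messenger service, disabled by default since XP SP2 / Server 2003 SP1 and
# absent from later Windows, so list the affected users for out-of-band notification
# instead of assuming delivery.
$recipients = $sessions.ClientUserName | Sort-Object -Unique
Write-Host "Notify before disconnecting: $($recipients -join ', ')"
Write-Host "Message: $Message"

# Step 4 (4.8.1.1): disconnect only when explicitly requested. This forcibly closes the
# handles, so unsaved work is lost, and it is not a security control: the user can
# reconnect at once unless you also change the share permissions (Revoke-SmbShareAccess)
# or stop sharing the folder (Remove-SmbShare).
if ($Disconnect) {
    foreach ($s in $sessions) {
        Write-Host "Closing session $($s.SessionId) from $($s.ClientComputerName) ($($s.ClientUserName))"
        Close-SmbSession -SessionId $s.SessionId -Force
    }
}
```

Run it without -Disconnect first to see who would be affected and to confirm the share and NTFS ACLs are what you expect; the permission listing in step 1 is also the data you need for the troubleshooting sequence in the Note above.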