Vol. 41, #8 - August 5, 2013 - Issue #941
- Editor's Corner
- Security Auditing
- Tip of the Week
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Register for Webcasts
- Tech Briefing
- Best Practices for Securing Active Directory
- Security Compliance Manager (SCM)
- AD DS Auditing Step-by-Step Guide
- Advanced Security Audit Policy Step-by-Step Guide
- The Four Pillars of Identity - Identity Management in the Age of Hybrid IT
- What's New with Windows Azure? Lots!!
- Killer Feature in PSv4: Desired State Configuration
- Deploying System Center 2012 SP1 Using the PowerShell Deployment Toolkit
- Configuring a Syslog Agent in Windows Server 2012
- Firmware Replacements for Wireless Routers
- SP2 for Office 2010 and SharePoint 2010 officially released
- VIDEO: Tim's Favorite Sysinternals Utilities
- Troubleshooting the TMG Firewall with Network Monitor (Part 1)
- Use PowerShell to Work with SkyDrive for Powerful Automation
- It's Time for Small Businesses to Move to Windows Server 2012 Essentials
- Windows Server News
- Windows Azure Media Services gives YouTube junkies a new outlet
- Four alternatives to the major VDI vendors
- Resource contention and other key causes of VM performance bottlenecks
- Looking at Windows 8 BitLocker full-disk encryption and alternatives
- WServerNews FAVE Links
- This Week's Links We Like. Fun Stuff.
- WServerNews - Product of the Week
- Beat server downtime with anytime server backup
This week's newsletter is all about security auditing in Active Directory environments. Naturally, auditing is one of the best practices for managing any type of IT environment. But as this Dilbert comic illustrates, sometimes it's best not to let others know about your organization's best practices:
Active Directory forms the core of the identity architecture for most IT infrastructures these days. So monitoring the security of Active Directory is important to protect your infrastructure against compromise and misuse.
Auditing used to be simple in early versions of Windows Server. You could track success or failure for events in the following categories:
- Account Logon Events
- Account Management
- Directory Service Access
- Logon Events
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System Events
Auditing became a lot more powerful (and more complex), however, beginning with Windows Server 2008 and the introduction of Advanced Audit Policy. Initially you had to use the auditpol.exe command-line utility to configure Advanced Audit Policy settings, but on more recent platforms you can also configure them through Group Policy:
Figure 1: Configuring Advanced Audit Policy using Group Policy.
The big question with auditing, of course, is what you should audit. Or perhaps more specifically, how much you should audit. That's because the more things you audit, the more information you'll have to analyze. That can be a good thing or a bad thing. Too much information might make it difficult to distinguish what's really important from all the background noise you've collected. Too little information might cause you to miss something important that happened in your environment.
Because of such considerations, there's really no one-size-fits-all audit policy recommendation that applies to every Active Directory environment. Instead, the best approach is probably to consider how important security is for your environment and then either leave the Windows audit settings at their defaults, apply a baseline audit policy appropriate for most environments, or configure stronger audit settings suitable for high-security environments.
For example, the Audit Credential Validation policy setting under Account Logon, shown previously in Figure 1, lets you audit events generated by validation tests performed on user account logon credentials. To audit this for domain accounts, you enable the policy setting on domain controllers. By default, neither success nor failure auditing is enabled for it. At a minimum, however, you should enable success auditing; this is the baseline recommendation. If you need that extra level of security, you can also enable failure auditing. In either case, be aware that enabling this policy setting can result in a high volume of security events being logged in your environment.
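The two settings just described (success-only as the baseline, success plus failure for high-security environments) can be applied and checked with auditpol.exe from an elevated PowerShell prompt on a domain controller. The script below is an added example and is not from the newsletter or from Microsoft; the backup file name, the `$Profile` parameter and the one-hour event count are this example's own choices. It also shows how to gauge the event volume the article warns about, by counting Credential Validation events (ID 4776) and how many of them were failures.

```powershell
# Added example (not from the newsletter): apply the baseline or high-security
# setting for the Credential Validation subcategory with auditpol.exe, verify it,
# and measure the resulting event volume. Run as Administrator on a domain controller.
# Caveat: if a domain GPO defines Advanced Audit Policy settings, it overwrites
# these local changes at the next policy refresh; put the setting in the GPO instead.
param(
    [ValidateSet('Baseline', 'HighSecurity')]
    [string]$Profile = 'Baseline'
)

# 1. Back up the effective audit policy so the change can be reverted
#    (revert with: auditpol.exe /restore /file:<backup file>).
$backup = Join-Path $env:TEMP ("auditpol-backup-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
auditpol.exe /backup /file:$backup
Write-Host "Current audit policy saved to $backup"

# 2. Show the current setting for the subcategory discussed in the article.
auditpol.exe /get /subcategory:"Credential Validation"

# 3. Apply the chosen profile.
#    Baseline     = success only (the article's minimum recommendation)
#    HighSecurity = success and failure (more events, more noise to sift)
switch ($Profile) {
    'Baseline'     { auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:disable }
    'HighSecurity' { auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable }
}

# 4. Verify the setting took effect.
auditpol.exe /get /subcategory:"Credential Validation"

# 5. Gauge the volume: count Credential Validation events (ID 4776, logged for
#    NTLM validation on a DC) in the last hour. Failed validations carry a
#    non-zero Status field in the event data (e.g. 0xc000006a for a bad password).
$since  = (Get-Date).AddHours(-1)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
              -ErrorAction SilentlyContinue)
$failed = @($events | Where-Object {
    ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'Status' -and $_.'#text' -ne '0x0' }
})
"{0} credential validation events in the last hour, {1} of them failures" -f $events.Count, $failed.Count
```

Save it as a .ps1 file and run it with `-Profile HighSecurity` to enable failure auditing as well. Note that ID 4776 only covers NTLM; Kerberos authentication on a domain controller is audited under the separate Kerberos Authentication Service subcategory (IDs 4768 and 4771), so a Kerberos-heavy domain will see far fewer 4776 events than its logon volume suggests.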
Where can you find out more about the recommended audit policy settings for Active Directory environments? A good place to start is the whitepaper "Best Practices for Securing Active Directory" that was recently released by Microsoft and is available from the Microsoft Download Center. Another good place to begin is to download and install the Security Compliance Manager (SCM) version 3.0, which is also available as a free download from Microsoft. You'll find links to both of these items and other auditing resources in the Tech Briefing section of this newsletter.
What's your own take on auditing Active Directory environments? Got any third-party auditing tools you'd like to recommend? Any tips or gotchas to share concerning auditing? Send your feedback to [email protected]
Tip of the Week
GOT TIPS you'd like to share with other readers? Email us at [email protected]
The following tip was submitted by reader Quentin Gurney who is an enterprise IT architect currently working for a Fortune 100 company:
How to clean up device manager after a P2V Migration
We have all done a Physical to Virtual Migration (P2V) and noticed that there are some things that just do not translate well. Say you had a physical server, a Dell for example, with the Dell OpenManage software installed: it is not going to do anything for you anymore, so that is easy to find and remove. There are some other things, though, that you might not notice.
When you do a P2V migration, you are essentially doing a move from one hardware platform onto a software platform that emulates hardware. This emulated hardware requires drivers just like the physical platform. When you move the O/S, the old system drivers are not uninstalled. Neither is any vendor specific software. All the new drivers you need are added to your existing driver store and the device manager keeps both the old and the new, but you may not find the old ones without a bit more digging.
Here is a networking tip. Prior to migration, break all teaming done on the server via any vendor software (e.g. Broadcom or Intel). The teaming software will not function properly after the P2V, and you may not be able to uninstall it. If you do not take this step, you might have to restart your P2V again.
After migration, uninstall all hardware specific software – HP management agents, Dell OpenManage, Broadcom Advanced Control Suite, etc. None of these will be of any use in the virtual environment as the hardware will be gone. This will help clean things up from the O/S application perspective, but might not clean up everything in the device manager.
An additional step that you can take if you like is to remove all the non-present device drivers that are no longer required from the old hardware. These do get loaded, but not used. This is easily done, but you need to follow these steps to be able to find them.
Type devmgmt.msc at a command prompt on the server to launch device manager. In the device manager view menu, select 'show hidden devices'.
Figure 2: Showing hidden devices in Device Manager.
Devices that are no longer present in the system will show as grayed out in the device manager as shown:
Figure 3: Grayed out devices are no longer present.
Right click on the non-present device you wish to remove and select uninstall:
Figure 4: Uninstalling a non-present device.
The device will be removed.
You may find that other drivers stay and even seem to be active, for instance I have found that certain old HP ILO cards will appear in the device manager as visible, active devices. You can remove them of course because they do not really exist.
A note – some software installs as a device driver and may also be removed this way – for instance antivirus programs install as a filter driver and may show up as a system device. You can uninstall these as well. If you change antivirus on a server or even your laptop, you will find these non-present devices.
Be judicious about what you uninstall as some software installed devices are only enabled when needed, like the MS RAS Async Adapter. Don't remove anything you are not sure of.
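As an added example (not part of the reader's tip above, and not from any vendor), the following PowerShell script produces an inventory of the non-present devices that Device Manager shows greyed out, so you can review them before clicking through the uninstall steps. It assumes the PnpDevice module (Windows 8.1 / Windows Server 2012 R2 and later); the vendor and keep-list patterns are this example's own choices drawn from the tip's examples, and the optional `-Remove` switch assumes a pnputil.exe build that supports `/remove-device` (Windows 10 1903 and later desktop builds; older servers still need the Device Manager steps).

```powershell
# Added example (not from the tip above): list the hidden, non-present devices
# left behind after a P2V migration and flag the vendor-specific ones. Report
# only by default; -Remove additionally uninstalls flagged devices via pnputil.
# Assumption: pnputil /remove-device exists on this build (Windows 10 1903+);
# on older builds use the Device Manager procedure from the tip instead.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Leftover hardware drivers from the vendors named in the tip are the usual candidates.
$vendorPatterns = 'Broadcom', 'Intel\(R\) .*Team', 'HP ', 'Hewlett', 'Dell', 'iLO', 'Compaq'
# Software-backed devices the tip says to leave alone even though they look unused.
$keepPatterns   = 'RAS Async', 'WAN Miniport', 'Microsoft ISATAP', 'Teredo'

# Get-PnpDevice returns present and non-present devices; Present=$false is what
# Device Manager shows greyed out with "show hidden devices" turned on.
$nonPresent = Get-PnpDevice | Where-Object { -not $_.Present }

$report = foreach ($d in $nonPresent) {
    $name = $d.FriendlyName
    $isVendor = [bool]($vendorPatterns | Where-Object { $name -match $_ })
    $isKeep   = [bool]($keepPatterns   | Where-Object { $name -match $_ })
    [pscustomobject]@{
        Class      = $d.Class
        Name       = $name
        InstanceId = $d.InstanceId
        Candidate  = $isVendor -and -not $isKeep
    }
}

# Review this table first; only rows with Candidate = True are touched by -Remove.
$report | Sort-Object Class, Name | Format-Table -AutoSize

if ($Remove) {
    foreach ($d in ($report | Where-Object Candidate)) {
        # -WhatIf / -Confirm are honoured here through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($d.Name, 'pnputil /remove-device')) {
            pnputil.exe /remove-device $d.InstanceId
        }
    }
}
```

Run it with no arguments first and read the table; `-Remove -WhatIf` then shows exactly which entries would be uninstalled without changing anything, which matches the tip's advice not to remove anything you are not sure of.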
Recommended for Learning
Here are a few books on Windows security and related stuff you might want to check out.
Windows Server 2012 Security from End to Edge and Beyond: Architecting, Designing, Planning, and Deploying Windows Server 2012 Security Solutions (Syngress)
Group Policy: Fundamentals, Security, and the Managed Desktop (Sybex)
Thor's Microsoft Security Bible: A Collection of Practical Security Techniques (Syngress)
And still my all-time favorite despite being a bit dated:
Protect Your Windows Network: From Perimeter to Data
Quote of the Week
"Defeat is not defeat unless accepted as a reality-in your own mind." - Bruce Lee
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
Free Tool: Idera Server Backup Free – fast, disk-based continuous data protection for Windows and Linux servers – back up and restore files in seconds
SysAdmins: Stop paying for unnecessarily overpriced IT management solutions or help desk software. With Spiceworks, you get it all, and you get it free. Even smartphone & tablet apps. Download now.
New. Altaro Hyper-V Backup v4. Powerful new features, faster and easier to use than ever. Still free (forever) for 2 VMs, still competitively priced. Download now.
Need a bench for heavy computer or test equipment in your lab or office? Check out AnthroBench:
Project Conference, 2014 on February 2-5 in Anaheim, California
Lync Conference 2014 on February 18-20, 2014 at The Aria in Las Vegas, Nevada
SharePoint Conference 2014 on March 3-6, 2014 at The Venetian in Las Vegas, Nevada
Microsoft Worldwide Partner Conference (WPC 2014) coming in July, 2014 in Washington, D.C.
European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
Microsoft TechEd Australia on September 3-6, 2013 in Gold Coast, Australia
Microsoft TechEd New Zealand on September 10-13, 2013 in Auckland, New Zealand
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact [email protected]
Register for Webcasts
PLANNING A WEBCAST you'd like to tell our 100,000 subscribers about? Contact [email protected]
We'll start off with some resources for auditing Active Directory environments...
Best Practices for Securing Active Directory (Microsoft Download Center)
This whitepaper contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.
Security Compliance Manager (SCM) (TechNet)
Version 3.0 of the Security Compliance Manager (SCM) tool offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.
AD DS Auditing Step-by-Step Guide (TechNet)
This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008 and provides procedures to implement this new feature.
Advanced Security Audit Policy Step-by-Step Guide (TechNet)
This step-by-step guide demonstrates the process of setting up an advanced Windows 7 and Windows Server 2008 R2 security auditing policy infrastructure in a test environment.
Now let's move on to some other stuff...
The Four Pillars of Identity - Identity Management in the Age of Hybrid IT (TechNet)
The purpose of this document is to define and provide detailed conceptual information on the four fundamental pillars of identity that can be useful in creating a strategic direction for an identity infrastructure in your organization.
What's New with Windows Azure? Lots!! (Michael S. Collier's Blog)
A presentation made to the Pittsburgh .NET User Group about the exciting new Windows Azure features announced during recent Microsoft conferences.
Killer Feature in PSv4: Desired State Configuration (PowerTheShell)
Most of the things found in PowerShell 4.0 are consolidation work, but there is one feature called Desired State Configuration (DSC) that really has the potential to become a killer feature.
Deploying System Center 2012 SP1 Using the PowerShell Deployment Toolkit (VirtualizationAdmin.com)
Janique Carbone provides an overview of the PowerShell Deployment Toolkit PDT, the function of each of the components, and some critical steps needed to properly leverage the toolkit.
Configuring a Syslog Agent in Windows Server 2012 (WindowsNetworking.com)
David Davis takes a look at what you need to know about syslog and how to configure your Windows Servers to send syslog.
Firmware Replacements for Wireless Routers (WindowsNetworking.com)
Eric Geier discusses how replacing your router's stock firmware with a third-party firmware can add more functionality.
SP2 for Office 2010 and SharePoint 2010 officially released (Office IT Pro Blog)
Service Pack 2 (SP2) for Office 2010 and SharePoint 2010 is officially released. SP2 contains new fixes for areas of each product as well as all Cumulative Updates and Public Updates that have already shipped.
VIDEO: Tim's Favorite Sysinternals Utilities (YouTube)
In this MicroNugget, CBT Nuggets trainer Tim Warner discusses his favorite set of troubleshooting tools you should add to your USB thumbdrive recovery toolkit.
Troubleshooting the TMG Firewall with Network Monitor (Part 1) (ISAserver.org)
Deb Shinder takes a look at a basic overview of Network Monitor 3.4.
Use PowerShell to Work with SkyDrive for Powerful Automation (Hey, Scripting Guy! Blog)
Microsoft PFE, Chris Wu, talks about creating powerful automation scenarios by using Windows PowerShell and SkyDrive.
It's Time for Small Businesses to Move to Windows Server 2012 Essentials (PCWorld)
Windows Small Business Server (SBS) may be coming to an end, but it's not really dead--just rebranded.
Windows Server News
Windows Azure Media Services gives YouTube junkies a new outlet
YouTube’s impressive statistics prove that video is a very powerful content delivery platform, but organizations require more control than YouTube offers. Learn how Windows Azure Media Services allows you to securely and easily provide on-demand access to video content through cloud services.
Four alternatives to the major VDI vendors
Although vendors such as VMware, Citrix and Microsoft are atop the VDI market, there is a wide array of lesser-known vendors that may be just what you need to jump on the VDI bandwagon. Inside, learn more about the unique features and offerings of four emerging VDI alternatives.
Resource contention and other key causes of VM performance bottlenecks
Finding a balance between achieving the highest level practical of virtual machine density while ensuring each VM delivers an acceptable level of performance can be a challenge – and it’s not always easy to determine why your VM performance is suffering. Hear from the experts on the five most common causes of VM performance bottlenecks.
Looking at Windows 8 BitLocker full-disk encryption and alternatives
After years in the making, Microsoft’s BitLocker Drive Encryption may finally be enterprise-ready. In this IT tip, uncover the new and noteworthy features of BitLocker for Windows 8 and Windows Server 2012 that make it a worthwhile investment, even for large-scale desktop environments.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
The best costumes from the San Diego Comic Book Convention 2013.
What would happen if all your computer problems were problems in the real (physical) world?
Explore the outer reaches of the universe in 'Cosmos: A Spacetime Odyssey' - an upcoming space and science spectacular hosted by astrophysicist Neil deGrasse Tyson:
Jumpy the Border Collie knows a lot of cool tricks:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.