Managing Auditing and Audit Permissions

This chapter describes how to use the Master Auditor role and group policies to control who is audited and who can search and play back captured user sessions for an installation.

Configuring Selective Auditing

If you are using identity and privilege management features, you can control audit and monitoring service by using Access Manager to configure role definitions with different audit requirements, and then assigning those role definitions to different sets of Active Directory users. For more information about using role definitions to control auditing, see Defining custom roles with specific rights.

If you are using audit and monitoring service without also using identity and privilege management features, you can use group policies to control which Windows users to audit, or to capture activity for all Windows users.

To control audit and monitoring service using group policies:

  1. Open the Group Policy Management console.

  2. Expand the forest and domains to select the Default Domain Policy object.

  3. Right-click, then click Edit to open Group Policy Management Editor.

  4. Expand Computer Configuration > Policies, then select DirectAudit Settings.

  5. Select the Audited user list to identify specific users to audit.

    When you enable this group policy, only the users you specify in the policy are audited. If this policy is not configured, all users are audited.

  6. Select the Non-audited user list to identify specific users that should not be audited.

    When you enable this group policy, only the users you specify are not audited. If this policy is not configured, all users are audited. If you enable both the Audited user list and the Non-audited user list policies, the users you include in the Non-audited user list take precedence over the Audited user list.

The following table details the effect of configuring and enabling the Audited user list and Non-audited user list group policies, and including or not including Windows users in those lists.

Non-audited user list Audited user list How the setting affects auditing
Not configured Not configured No users are defined for either policy, so all users accessing audited computers are audited.
Not configured Enabled Only the users you specify in the Audited user list policy are audited. If no users are specified when the policy is enabled, no users are audited.
Not configured Enabled Only AUL is enabled, but user is not listed in it.
Enabled Not configured If no users are specified in the Non-audited user list and the policy is enabled, no users are exempt from auditing. All users are audited.
Enabled Enabled If both policies are enabled, the non-audited user takes precedence over the audited list of users. If a user is specified in the audited list, that user is explicitly audited. If a user is specified in the non-audited list, that user is explicitly not audited. If the same user is specified in both lists, the user is not audited because the non-audited user takes precedence. If no users are specified for either policy, all users are audited because the non-audited user takes precedence.

Enabling Audit Notification

If you enable audit notification, users see a message informing them that their actions are being auditing when they log on. After you enable notification, the message is always displayed on audited computers if the session activity is being recorded.

To enable audit notification for an installation:

  1. In the Audit Manager console, right-click the installation name, then select Properties.

  2. Click the Notification tab.

  3. Select Enable notification.

    Deselect this option to turn off notification.

  4. Click the browse button to locate and select a text file that contains the message you want to display.

    A notification message is required if you select the Enable notification option. The contents of the file you select are displayed below the file location. The maximum text file size is 30 KB.

  5. Click the browse button to locate and select an image to appear as a banner across the top of the audit notification.

    Displaying a banner image is optional when you enable notification. The maximum image file size is 15 KB. For the best image display, use an image that is 468 pixels wide by 60 pixels high.

    {b}Note: {/b}Animated GIF files are not supported for use as audit notifications. If you do specify an animated GIF, the image displays as a static image.

  6. Click OK or Apply.

    Users will see the notification message the next time they log in.

  7. If you enable notification after you have deployed agents, update the local policy on the audited computers by running the following command:

    gpupdate /FORCE

Managing Audit Roles and Auditors

Audit roles grant access to auditors to search, replay, and delete specific audited sessions using the Audit Analyzer console. Each audit role identifies a set of audited sessions, the list of auditors who have access to those sessions, and what the auditors in a specific role are allowed to do.

You identify a set of sessions by specifying criteria you want to use, for example, all sessions from a particular audited computer, associated with a specific application, or recorded during a specific period of time.

You identify the auditors for a set of sessions by specifying individual Active Directory users or Active Directory groups of auditors. If you use Active Directory groups, you can manage the privileges for all of the members of the group using your existing procedures for managing Active Directory groups. You can also configure the type of access granted to each member of the audit role.

You create and assign users and groups to audit roles using the Audit Manager console. You create the audit roles by right-clicking on the Audit Roles node. You add users and groups to an audit role by right-clicking on the specific role name.

Every installation automatically has a Master Auditor role. The Master Auditor has access to all audit data and permission to read, replay, update the review status, and delete sessions for the entire installation. The Master Auditor can also create roles, assign users, set permissions, and delegate administrative tasks for all of the audit stores in the installation. You cannot rename, delete, or modify permissions for the Master Auditor, but you can assign other users and groups to the Master Auditor role.

Granting Permission to Manage Audit Roles

The Master Auditor can grant the Manage Audit Role permission for an installation to one or more audit team leaders. The Manage Audit Role permission grants full control over all of the audit roles in the installation. An audit team leader can then create new roles, change the permissions specific audit roles grant, add or remove members, and remove roles.

When creating an audit role, an audit team leader defines the following:

  • Target session type and optional other criteria.
  • A collection of rights on the target sessions: Read, Update Status, Replay, and Delete.

For example, an audit team leader might define the following audit roles to control what different team members can do:

  • A role named Windows Session Viewer for first level reviewers with a target of Windows sessions and only the right to Read session information. The members of the First Review group who are assigned to the Windows Session Viewer audit role can read, but not delete, replay or update the status of Windows sessions in the installation.

  • A role named Incident Escalation for security managers with a target of Windows sessions from the last 72 hours, and permission to Read, Replay, and Update Status for the targeted session. The members of the Security group who are assigned to the Incident Escalation audit role can read, replay, and update the review status of Windows sessions from the previous 72 hours, but not delete any of the sessions they have reviewed.

Creating a New Audit Role

If you are the Master Auditor or have been granted the Manage Audit Role right, you can create new audit roles for your organization.

To create a new audit role:

  1. Open Audit Manager.

  2. Select Audit Roles, right-click, then click Add Audit Role.

  3. Type a name and description for the new audit role, then click Next.

  4. Select the type of session.

    For example, select Windows session to limit this audit role to sessions captured by the Agent for Windows.

  5. Click Add to select additional criteria, such as time constraints, review status, or application used.

    After you click Add, select an attribute and the appropriate criteria, then click OK. For example, if you select Time, you can then select specific date range or a period of time, such as the past 24 hours or this year.

  6. Click Execute Query to test the criteria you have selected by examining the results the query returns.

  7. Click Close to close the query results, then click Next.

  8. Select the rights to allow for this role, then click Next.

  9. Review your settings for this role, then click Next.

    By default, the Assign Users and Groups to the Audit Role option is selected so that you can immediately begin populating the new audit role.

  10. Click Finish to begin adding users and groups to the role.

Assigning Users and Groups to an Audit Role

If you selected the Assign Users and Groups to the Audit Role option at the end of the Add Audit Role wizard, the Assign Users and Groups to the Audit Role wizard opens automatically. You can also open the wizard at any time by right-clicking a specific audit role name in the Audit Manager console and choosing Assign Users and Groups.

To assign users and groups to an audit role:

  1. Open Audit Manager.

  2. Expand Audit Roles, and select a specific audit role name.

  3. Right-click, then click Assign Users and Groups.

  4. Type all or part of a name and click OK.

    If there is more than one name that matches the criteria you specify, select the appropriate name from the names found, then click OK. A user or group can be a member of more than one audit role.

Delegating Audit-related Permissions

As the Master Auditor, you can delegate administrative tasks to other Active Directory users or groups. When you grant administrative rights to designated users and groups, you make them “trustees” with permission to perform specific operations. Because delegating administrative tasks to other users is a key part of managing an installation, it is covered in the next chapter.

However, one of the permissions you can delegate to other users and groups is the Manage Audit Role permission. With this permission, selected trustees can create, modify, and delete audit roles. For more information about delegating administrative tasks, see Setting administrative permissions.

Modifying an Audit Role's Properties

The Master Auditor and the audit roles you define are listed under Audit Roles in the Audit Manager console. Selecting a specific audit role name displays a list of members in the right pane. If you are the Master Auditor or been granted the Manage Audit Role permission, you can modify the properties for an audit role after you have created it by selecting the role in Audit Manager, right-clicking, then selecting Properties. For example, you can change the name or description of an audit role, specify the type of sessions members of the role can access, the privileges the audit role grants, and the users and groups who are assigned to the audit role.

How Access Roles and Audit Roles Differ

Depending on whether you have enabled audit and monitoring service together with identity and privilege manager on an agent-managed computer, you might have two sets of roles or just one set of roles and the information captured and the activity allowed depends on the type of role being used.

Identity and Privilege Management Only

If you have only enabled identity and privilege management on a computer and defined access roles:

  • Users will not be able to log on if they are assigned to a role where is audit and monitoring service required.

  • Users will be able to log on if they are assigned to a role where the audit if possible option is set. In this case, only identity and privilege management audit trail events are captured. For example, the agent records successful and failed logons and when users change from one role to another. Because audit and monitoring service is not enabled, the agent does not capture a video record of all user activity. You also are not able to define audit roles to control who can read or delete audit trail records.

  • Users will be able to log on if they are assigned to a role that does not require audit and monitoring service. In this case, only identity and privilege management audit trail events are captured.

  • Auditors will not be able to review user activity on these computers. You also are not able to define audit roles to control who can read or delete audit trail records.

If no audit and monitoring service components are installed, you must use the Windows Event Viewer to search for and review audit trail events.

Auditing Only

If you have enabled only audit and monitoring service on a computer and defined access roles:

  • Users will be able to log on if they are assigned to a role where audit and monitoring service is required as long as the agent is running.

  • Users will be able to log on if they are assigned to a role where the audit if possible option is set. In this case, logging on starts a video record of all user activity on the computer. Because identity and privilege management are not enabled, the user cannot select any access roles that provide desktop, application, or network access rights. The user cannot change roles so only the audit trail records successful and failed logons events.

  • Users will be able to log on if they are assigned to a role that does not require audit and monitoring service. In this case, audit trail events are recorded, but no session activity is captured.

  • Auditors will be able to review all or selected user activity on these computers, and you can define audit roles to control who has access to the captured user sessions based on the criteria you specify.

Identity and Privilege Management and Auditing on the Same Computer

If you have enabled audit and monitoring service together with identity and privilege management on the same computer and defined access and audit roles:

  • Users will be able to log on if they are assigned to a role where audit and monitoring service is required as long as the agent is running. If the agent is stopped for any reason, the user will be allowed to log on only if also assigned a role with a rescue system right.

  • Users will be able to log on if they are assigned to a role where the audit

    if possible option is set. If the audit and monitoring service is active and you have enabled video capture auditing, both audit trail events and user activity are captured. For example, the agent records successful and failed logons and user activity when users change from one role to another. If the audit and monitoring service is not enabled or not currently active, the agent does not capture a video record of all user activity.

  • Users will be able to log on if they are assigned to a role that does not require audit and monitoring service. In this case, only audit trail events are captured.

  • Auditors will be able to review user activity associated with specific roles on these computers, and you can define audit roles to control who has access to the captured user sessions based on the criteria you specify.