00:00:06,430 --> 00:00:45,400
Before configuring auditing, you first need to understand the difference between two similarly named policy settings: Audit account logon events and Audit logon events. When a user signs in to any computer in the domain by using a domain user account, a domain controller authenticates this attempt. This generates an account logon event on the domain controller. The computer to which the user signed in, for example the user's laptop, generates a logon event.

00:00:45,460 --> 00:01:39,250
The computer did not authenticate the user against the account, but rather passed the account to a domain controller for validation. However, the computer did allow the user to sign in interactively to the computer. Therefore, the event is a logon event. When a user connects to a folder on a server in the domain, that server also authorizes the user for a type of logon called a network logon. Again, the server does not authenticate the user. Instead, it relies on the ticket that the domain controller gives to the user. However, the user's connection generates a logon event on the server.

00:01:39,250 --> 00:01:54,800
Now let's talk about advanced audit policies and basic audit policies. In previous Windows Server versions, such as Windows Server 2008, there were only nine auditing categories.
00:01:54,940 --> 00:03:08,180
Administrators can configure each category to perform auditing and to monitor the success, the failure, or both the success and failure of specific tasks and events. These events are fairly broad in scope and can be triggered by a variety of similar actions, some of which can generate a large number of event log entries. In Windows Server 2012 and Windows Server 2016, the number of auditable events expanded from nine to fifty-three, which enables administrators to be more selective in the number and types of events to audit. These new advanced audit policies allow administrators to connect business rules to audit policies. This gives administrators much more control over their logon process, and they can obtain information about very specific events that happen during the logon and logoff process.

00:03:08,380 --> 00:03:54,010
For Account Logon, you can define four different audit settings. The first is Credential Validation, which audits events that validation tests on user account logon credentials generate. The second is Kerberos Service Ticket Operations, which audits events that Kerberos service ticket requests generate. The next one is Other Account Logon Events, which audits events that are generated by responses to credential requests that are not credential validation or Kerberos ticket requests. And the fourth one is Kerberos Authentication Service.
00:03:54,010 --> 00:04:01,600
It audits events that Kerberos authentication (TGT) requests generate.

00:04:01,960 --> 00:04:46,160
Additionally, you can audit the following logon and logoff events. You can audit Logon: these are the events that are generated by user account logon attempts on a computer. Logoff audits events that closing a logon session generates. These events occur on the accessed computer, and for an interactive logon the security audit event is generated on the computer to which the user account logged on. You can audit Account Lockout, which is generated by a failed attempt to sign in to an account that is locked out.

00:04:46,180 --> 00:05:20,320
You can audit IPsec Main Mode: these are audit events that are generated by the Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. You can audit IPsec Quick Mode: these are events that IKE and AuthIP generate during Quick Mode negotiations. And IPsec Extended Mode:
00:05:20,350 --> 00:05:58,840
These are audit events that IKE and AuthIP generate during Extended Mode negotiations. You can also audit Special Logon, which audits events that special logons generate; Other Logon/Logoff Events; and Network Policy Server, which audits events that are generated by RADIUS (Internet Authentication Service) and NAP user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

00:05:59,140 --> 00:07:21,750
Now some words about basic audit policies versus advanced audit policies. The basic security audit policy settings are in Security Settings\Local Policies\Audit Policy, and the advanced security audit policy settings are in Security Settings\Advanced Audit Policy Configuration\Audit Policies. Although the basic and advanced security audit policy settings appear to overlap, they are recorded and applied differently. The new set of advanced audit policies enables administrators to be more selective in the number and types of events to audit. For example, where a basic audit policy provides a single setting for Account Logon, advanced audit policy provides four. Enabling the single basic Account Logon setting is the equivalent of setting all four advanced Account Logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities in which you have no interest.
00:07:21,790 --> 00:08:01,300
For example, if you enable a success audit for the basic Audit account logon events policy setting, only success events will be logged for all account logon-related behaviors. In comparison, you can configure a success audit for one advanced Account Logon setting, a failure audit for a second advanced Account Logon setting, a success and failure audit for a third advanced Account Logon setting, and no audit for the fourth, depending on the needs of your organization.

00:08:01,390 --> 00:08:44,900
Please note that using both the basic and the advanced settings can cause unexpected results. Therefore, do not combine the two sets of audit policy settings. If you use Advanced Audit Policy Configuration settings, you should enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing the basic security auditing settings to be ignored.

00:08:44,920 --> 00:09:01,520
Now some words about scoping audit policies. As with all policy settings, you should define the scope carefully for the GPOs that apply your audit policies, so that the settings affect the correct systems.
00:09:01,540 --> 00:09:40,830
For example, if you want to audit attempts by users to connect to Remote Desktop servers in your enterprise, you can configure logon event auditing in a GPO that is linked to the OU that contains your Remote Desktop servers. On the other hand, if you want to audit desktop logons by users in your human resources department, you can configure logon event auditing in a GPO that is linked to the OU that contains the human resources computer objects.

00:09:40,840 --> 00:10:37,090
Remember that a domain user who signs in to a client computer or connects to a server will generate a logon event, not an account logon event, on that system. Only domain controllers generate account logon events for domain users. Remember that an account logon event is tracked on the domain controller that authenticates a domain user, regardless of where that user logs on. If you want to audit logons to domain accounts, you should ensure that account logon event auditing affects all domain controllers. The Default Domain Controllers Policy GPO that is created when you install your first domain controller is an ideal GPO in which to configure account logon audit policies.

00:10:37,090 --> 00:10:44,830
Next up, we'll see how to configure authentication-related audit policies and view logon events.
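Editor's added example, not part of the lecture transcript: the PowerShell below applies the two points the lecture closes on, that the advanced subcategories should be used with the "force subcategory settings" override enabled so the basic category settings are ignored, and that the Account Logon subcategories only matter on domain controllers while the Logon/Logoff subcategories belong on the computers users actually sign in to. It assumes an elevated session on a domain controller (or a lab VM), that the registry value `SCENoApplyLegacyAuditPolicy` is the storage behind the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option, and the success/failure choices for each subcategory are illustrative values chosen here, not recommendations from the course. In production the same settings go into the Default Domain Controllers Policy GPO (and into GPOs scoped to the server and workstation OUs) rather than being set locally with auditpol, because Group Policy will overwrite local auditpol changes.

```powershell
# Added example (not from the lecture). Assumes an elevated PowerShell session on a
# domain controller. Success/failure choices below are illustrative, not course guidance.
#Requires -RunAsAdministrator

# 1. The security option "Audit: Force audit policy subcategory settings (Windows Vista
#    or later) to override audit policy category settings" is stored in this LSA value
#    (assumption stated in the lead-in). Value 1 makes the basic category settings ignored,
#    so the basic and advanced sets cannot conflict, as the lecture warns.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Advanced Account Logon subcategories: only domain controllers authenticate domain
#    accounts, so these only produce the lecture's "account logon events" on DCs.
$accountLogon = [ordered]@{
    'Credential Validation'              = @{ success = 'enable';  failure = 'enable'  }
    'Kerberos Authentication Service'    = @{ success = 'enable';  failure = 'enable'  }
    'Kerberos Service Ticket Operations' = @{ success = 'disable'; failure = 'enable'  }  # success is very chatty
    'Other Account Logon Events'         = @{ success = 'disable'; failure = 'disable' }  # "no audit" for the fourth
}

# 3. Logon/Logoff subcategories: generated on the computer the user signs in to (laptop,
#    file server, Remote Desktop host), so in a GPO these are scoped to those OUs too.
$logonLogoff = [ordered]@{
    'Logon'           = @{ success = 'enable';  failure = 'enable'  }
    'Logoff'          = @{ success = 'enable';  failure = 'disable' }
    'Account Lockout' = @{ success = 'disable'; failure = 'enable'  }
    'Special Logon'   = @{ success = 'enable';  failure = 'disable' }
}

# auditpol.exe is the built-in tool that reads and writes the per-subcategory policy.
foreach ($set in @($accountLogon, $logonLogoff)) {
    foreach ($sub in $set.Keys) {
        $v = $set[$sub]
        auditpol.exe /set /subcategory:"$sub" /success:$($v.success) /failure:$($v.failure) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$sub'" }
    }
}

# 4. Read back the effective policy so you can confirm the per-subcategory split the
#    lecture describes (one success-only, one failure-only, one both, one none).
foreach ($category in 'Account Logon', 'Logon/Logoff') {
    auditpol.exe /get /category:"$category"
}
```

Run `auditpol.exe /get /category:*` afterwards on a member server or workstation as well: you should see the Logon/Logoff subcategories you applied through a GPO there, but no Account Logon events will ever be written on it for domain users, because, as the lecture says, only the domain controller that validated the credentials records those.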