Microsoft KB Archive/837454

= How to configure access auditing for storage and for configuration in ISA Server 2000 and in ISA Server 2004 =

Article ID: 837454

Article Last Modified on 12/4/2007

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article describes how to configure Microsoft Internet Security and Acceleration (ISA) Server 2000 Standard Edition and ISA Server 2004 Standard Edition to audit changes that are made to the ISA Server storage container and to the ISA Server configuration.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

By default, ISA Server does not audit changes that are made to its storage container or to its configuration. However, you can configure ISA Server to perform basic auditing of any such changes. When auditing is enabled in ISA Server, an event is generated whenever a user creates, modifies, or removes an access rule. Additionally, an event is logged in the security log. This event provides a user account name, and it also records the time and the date when the change was made. To configure auditing, follow these steps. Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.  Enable auditing on the server where ISA Server is installed. To do this, follow these steps:  Click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. Expand Local Policies, and then click Audit Policy. In the details pane, double-click Audit object access. Click to select the Success check box, and then click OK. Close the Local Security Settings dialog box.</ol> </li> Configure a system access control list (SACL) on the ISA Server policy storage container. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type regedt32 in the Open box, and then click OK.</li> Locate and then click the following registry subkey:

 

</li> On the Security menu, click Permissions.</li> Click Advanced, click the Auditing tab, and then click Add.</li> Click the Everyone group, and then click OK.</li> In the Access list, click to select the Query Value check box under Successful.</li> Click OK three times.</li> Quit Registry Editor.</li></ol> </li> Configure a SACL on the folders that contain ISA Server files. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Locate the ISA Server installation folder. By default, the folder resides in the following location:



</li> Right-click the Microsoft ISA Server folder, and then click Properties.</li> Click the Security tab, click, Advanced, click the Auditing tab, click Add, click Everyone, and then click OK.</li> In the Success and in the Failed columns, click to select all the available Access permissions check boxes.</li> Click OK two times.</li> Locate the  \system32\drivers folder, where  is the folder where Windows is installed.</li> <li>Right-click the Drivers folder, and then click Properties.</li> <li>Click the Security tab, click, Advanced, click the Auditing tab, click Add, click Everyone, and then click OK.</li> <li>In the Success and in the Failed columns, click to select all the available Access permissions check boxes.</li> <li>Click OK two times.</li></ol> </li> <li>Important Complete step 4 only if you have ISA Server Enterprise Edition.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other Lightweight Directory Access Protocol (LDAP) version 3 client, and you incorrectly modify the attributes of objects in the Active Directory directory service, you may cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, ISA Server 2000, ISA Server 2004, or both Windows and ISA Server. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be resolved. Modify these attributes at your own risk.

Verify the SACL on the ISA Server for the Array Storage and for the Enterprise Storage containers by using the ADSI Edit utility that is located in the Windows Server 2003 Support tools folder: <ol style="list-style-type: lower-alpha;"> <li>Start the ADSI Edit utility. This utility is included with the Windows Support Tools feature. To install these tools, right-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD, and then click Install. Follow the steps in the Windows Support Tools Setup Wizard to complete the installation of the Windows Support Tools components. To start ADSI Edit, click Start, click Run, type adsiedit.msc in the Open box, and then click OK.</li> <li>Expand Domain NC, expand DC= , expand DC=Root Domain, and then expand CN=System.</li> <li>Right-click CN=Fpc, and then click Properties.</li> <li>Click the Security tab, click Advanced, click the Auditing tab, make sure that the Everyone object is selected, and then click View/Edit.</li> <li>In both the Successful and the Failed columns, verify that the following permissions are selected: <ul> <li>Write All Properties</li> <li>Delete</li> <li>Delete Subtree</li> <li>Modify Permissions</li> <li>Modify Owner</li> <li>All Validated Writes</li> <li>All Extended Writes</li> <li>Create Child Objects</li> <li>Delete All Child Objects</li> <li>Create msFPCGlobalSettings Objects</li> <li>Delete msFPCGlobalSettings Objects</li> <li>Create msFPCVendorParametersSets 0</li> <li>Delete msFPCVendorParametersSets 0</li></ul>

Note Additional permissions may already be selected on your server. These permissions represent the minimum recommended auditing settings for ISA server storage.</li> <li>Click OK three times.</li> <li>Quit the ADSI Edit utility.</li></ol> </li></ol>

After you follow these steps, the following events are logged in the security log when a user creates, modifies, or removes an access rule.

Note The event descriptions differ, depending on the policy modifications that the user makes. When a user opens the policy storage container to modify a policy, the following event is logged:

<pre class="fixed_text">Event Source: Security Event Category: Object Access Event ID: 560 Date: Date Time: Time Type: Success User: Example\UserName Computer: ServerName Description: Object Open: Object Server: Security Object Type: Key Object Name: : \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E205C653-0426-11D2-9A4D-0060081E9D26}\InprocServer32 New Handle ID: 632 Operation ID: {0,199050} Process ID: 1752 Primary User Name: UserName Primary Domain: Example Primary Logon ID: (0x0,0x8FE1) Client User Name: - Client Domain: - Client Logon ID: - Accesses DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link Privileges -

When a user closes the policy storage container after changing a policy, the following event is logged:

<pre class="fixed_text">Event Source: Security Event Category: Object Access Event ID: 562 Date: Date Time: Time Type: Success User: Example\UserName Computer: ServerName Description: Handle Closed: Object Server: Security Handle ID: 632 Process ID: 1752

Both of these events are generated every time ISA Server writes to the access control policy. Because ISA Server writes to the policy in three different places for each user-defined access rule, six events appear in the security log when a change is made to the access control policy.

Keywords: kbhowto kbisa2006swept KB837454

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.