Windows Server 2008: Active Directory Domain Services Auditing Capabilities Explained

Active Directory Domain Services Auditing has remained fairly consistent since the first release of Active Directory in Windows 2000 Server. However, Microsoft has introduced new Active Directory Domain Services auditing capabilities in Windows Server 2008. Active Directory Domain Services auditing in Windows Server 2008 provide more granular auditing capabilities and more control.

This article takes a deeper look at the new Active Directory Domain Services auditing capabilities in Windows Server 2008.

New Default Auditing Settings in Group Policy

Windows 2000 Server and Windows Server 2003 enabled auditing for a number of policies by default. However, Windows Server 2008 does not define these global audit settings by default. These settings are instead defined by using the new auditing subcategories. This may seem as though auditing is not configured by default, however this is not the case. The configuration of the global audit settings is inherited by the subcategories below that global audit setting. Therefore, Microsoft chose to configure specific subcategories by default, which is covered in the next section.

New Auditing Subcategories

As previously mentioned, Windows Server 2008 introduces auditing subcategories. The following table shows the subcategories below each global audit setting, as well as the default configuration for each audit subcategory.

Global Audit Setting	Subcategory	Default Setting
Audit Account Logon Events	Kerberos Service Ticket Operations	Success
	Other Account Logon Events	No Auditing
	Kerberos Authentication Service	Success
	Credential Validation	Success
Audit Account Management	Computer Account Management	Success
	Security Group Management	Success
	Distribution Group Management	No Auditing
	Application Group Management	No Auditing
	Other Account Management Events	No Auditing
	User Account Management	Success
Audit Process Tracking	Process Termination	No Auditing
	DPAPI Activity	No Auditing
	RPC Events	No Auditing
	Process Creation	No Auditing
Audit Directory Service Access	Directory Service Changes	No Auditing
	Directory Service Replication	No Auditing
	Detailed Directory Service Replication	No Auditing
	Directory Service Access	Success
Audit Logon Events	Logoff	Success
	Account Lockout	Success
	IPsec Main Mode	No Auditing
	IPsec Quick Mode	No Auditing
	IPsec Extended Mode	No Auditing
	Special Logon	Success
	Other Logon/Logoff Events	No Auditing
	Logon	Success and Failure
Audit Object Access	File System	No Auditing
	Registry	No Auditing
	Kernel Object	No Auditing
	SAM	No Auditing
	Certification Services	No Auditing
	Application Generated	No Auditing
	Handle Manipulation	No Auditing
	File Share	No Auditing
	Filtering Platform Packet Drop	No Auditing
	Filtering Platform Connection	No Auditing
	Other Object Access Events	No Auditing
Audit Policy Change	Authentication Policy Change	Success
	Authorization Policy Change	No Auditing
	MPSSVC Rule-Level Policy Change	No Auditing
	Filtering Platform Policy Change	No Auditing
	Other Policy Change Events	No Auditing
	Audit Policy Change	Success
Audit Privilege Use	Non Sensitive Privilege Use	No Auditing
	Other Privilege Use Events	No Auditing
	Sensitive Privilege Use	No Auditing
Audit System Events	Security System Extension	No Auditing
	System Integrity	Success and Failure
	IPsec Driver	No Auditing
	Other System Events	Success and Failure
	Security State Change	Success

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3797931

Windows Server 2008 Installation

The installation of Windows Server 2008 has been simplified and it mirrors the Windows Vista installation in ease of use: several screens, about an hour and I was booting into Windows Server 2008. You can view my gallery of the Windows Server 2008 installation if you are curious as well.

Once the installation of Windows Server 2008 is complete, you’ll notice an Initial Configuration Tasks window. In Windows 2003 Server, you had a similar screen that allowed you to download updates, specify an administrator password, and allow inbound traffic to your server.

In Windows Server 2008, this is taken much further. On this window, you can specify an Administrator password, time zone settings, networking, download updates, configuration of your firewall, and server role customization.

In Windows Server 2008, a role is defined as what primary purpose the server is being created for. For example, if you turn on the Domain controller role, this server will be a Domain Controller. You can have multiple roles as well. You could turn on the Domain Controller role as well as the DHCP serve role. It all depends on the requirements of your infrastructure.

Windows Server 2008 offers you a vast amount of roles but you have the flexibility to choose only the roles that apply to your organization. Examples of roles include: Active Directory (AD) Certificate Services, AD Domain Services, Application Server, DHCP server, DNS Server, Fax Server, Web Server, Terminal Server, and a host of others.

By choosing only the applicable roles, you have a slim, streamlined Windows server running which increases security and decreases risk.

Source:techrepublic.com.com/datacenter/?p=122&tag=btxcsim