Configure Global Object Access Auditing in Windows Server. Keeping tabs on file and registry access in Windows Server has never been easier. Auditing file access events in Windows Server isn’t a subject that’s likely to set you alight with excitement, especially as traditionally it has been something of a pain to configure. But in recent versions of Windows Server, the job has got easier. And that’s important, because in today’s world of regulatory compliance and the need to understand exactly what’s going on in our environments, we need to make sure audit logs are capturing the right data. Today I’ll go over how to configure Global Object Access Auditing in Windows Server. Auditing File Access. Before the introduction of Global Object Access Auditing in Windows 7 and Windows Server 2. R2, in order to audit access to a file you would need to set auditing configuration on files and folders using System Access Control Lists (SACLs) in the file system. SACLs are accessed by right- clicking a file or folder in Windows, selecting Properties from the menu and then switching to the Security tab. Auditing configuration can be changed by clicking Advanced in the Properties dialog and then switching to the Auditing tab in the Advanced Security Settings dialog. The Active Directory data store, also referred to as directory, contains data on users, groups, computers, and on which resources these users, groups, and computers. Azure Active Directory can automatically provision users and groups to any application or identity store that is fronted by a web service with the interface defined. In this tip learn how to deploy a WSFC for SQL Server without using Active Directory. First make sure that you have rights in Active Directory to add computers to the necessary container. System Preferences; Users & Groups; Login Options.As most administrators are aware, managing permissions on servers containing tens of thousands of files using Access Control Lists (ACLs) can become somewhat unwieldy, and configuring auditing this way is no less of a problem. In order that audit events appear in the Event Log, you also need to enable success and/or failure auditing for Object Access, either using Group Policy or the Local Security Policy management console. Sponsored. Global Object Audit Access. As its name suggest, Global Object Audit Access allows administrators to set file and registry auditing configuration per computer, rather than at the file system level. This makes it much easier to track the settings across servers on your network, rather than having to set and inspect SACLs at the file level. In Windows Server 2. R2, the Global Object Audit Access policy can be set as part of Advanced Audit Policy Configuration in Group Policy, which can found here: Computer Configuration\Policies\Security Settings\. Note that the location of the settings differ from basic auditing. When you configure file or registry Global Object Audit Access in Windows Server 2. R2, instead of the simple success and failure options presented for most audit settings, you’ll notice there’s just a Configure button that takes you to a dialog to set audit configuration in exactly the same way as from the file system. For Global Object Audit Access to work, Object Access\Audit File System or Object Access\Audit Registry must also be enabled for success/failure auditing. Expression- Based Audit Policy. Object Access and Global Object Access Auditing are expanded in Windows 8 and Windows Server 2. This allows system administrators to use complex logic to filter auditing to specific criteria. For example, I could an event to be logged when a file is successfully deleted by users in a specific department, as defined in Active Directory. You can specify Boolean AND and OR operators, and even group together criteria to make complex expressions in the same way you would use parenthesis in a script. Configure Global Object Access. In this example I’m going to monitor for deletions on my file servers, but restrict auditing to just users who are members of the Finance group in Active Directory (AD). I’ll apply the audit configuration settings using a Group Policy Object (GPO): Log on to a Windows Server 2. GPOs. Open Server Manager from the icon on the desktop Taskbar or from the Start screen. Open the Group Policy Management Console (GPMC) from the Tools menu in Server Manager. In the left pane of GPMC, expand your AD forest, the Domains folder and then your AD domain. Right- click the Group Policy Objects folder and select New from the menu. In the New GPO dialog, give the new Group Policy Object a name, leave the Source Starter GPO field set to (none) and click OK. You will see the new GPO in the right pane of GPMC. Right- click the GPO and select Edit from the menu. In the Group Policy Management Editor window, expand Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies in the left pane. Click Object Access in the list of audit settings. In the right pane, double- click Audit File System. In the Audit File System Properties dialog, check Configure the following audit events. Check Success, Failure and click OK. In the Group Policy Management Editor window, click Global Object Audit Access at the bottom of the list audit settings. In the right pane of the editor window, double- click File system. In the File system Properties dialog, check Define this policy setting on the Policy tab and click Configure. In the Advanced Security Settings for Global File SACL dialog, click Add. In the Auditing Entry for Global File SACL dialog, click Select a principal. In the Select User, Computer, Service Account, or Group dialog, type Everyone in the box under Enter the object name to select and click OK. Leave Success selected in the Type menu. In the Auditing Entry for Global File SACL dialog under Permissions, click Clear all and then select only Delete. At the bottom of the dialog, click Add a condition. Make sure that User is selected in the first drop- down menu. In the second drop- down menu, select Department. Note that you’ll need to have properly configured and working Dynamic Access Control (DAC) in your environment to be able to use expression- based auditing. DAC can be accessed from the Active Directory Administrative Center (ADAC). If you don’t have DAC configured, you can skip the steps to add a condition to the Global Object Access auditing entry. In this example, I already have Department properly configured as a claim type, with Finance set as a suggested value. In the third- drop down, select Equals. In the fourth, make sure that Value is selected. At the end of the new condition, select Finance from the drop- down menu. Now click OK in the Auditing Entry dialog, again in the Advanced Security Settings dialog, and once more in the File system. Properties dialog. Close the Group Policy Management Editor window. Back in GPMC, right click your domain in the left pane and select Link an Existing GPO from the menu. In the Select GPO dialog, select the GPO you just created and click OK. Once policy has updated on the affected devices, you can delete a file, and assuming that the account used to delete the file has the Department attribute in AD set to Finance, an event will be logged. Look for event 4. Event Log. Tagged with Auditing, Expression- based Auditing, Global Object Access, Global Object Access Auditing. Getting started – Using Azure Active Directory (AAD) for authenticating automated clients (C#) – Microsoft Azure Simplified. In this post, we will create an ASP. Net Web API as the service to be protected and a console application as the automated client consuming the service. We will implement three methods for the client to authenticate itself to Azure AD to get the claims (Certificate, Key and Credential), that it will then send to the Web API along with service. The Web API will authenticate the client based on the claims received. We will be implementing both the Web API and the client from empty visual studio projects. For implementing this authentication scenario, you need not be the administrator of the Azure Active Directory tenant, but must be a user of it. This post contains the following sections: Registering Web API with Azure AD Tenant. Creating Web APIRegistering Client with Azure AD Tenant Creating client application. Getting client claims on the server (Web API) side. Removing certificate authentication for the client. Using Keys instead of certificate to authenticate client. Fetching Object ID for a certificate or key authenticated AD client. Using username and password instead of certificate/key authentication. Read more/ References. Prerequisites: An Azure Active Directory tenant that you are a user of. We will be using an AD named Rising. Venture. Directory and a user in it with username as ajay@risingventure. Registering Web API with Azure AD Tenant 1. Log into Azure management portal. Click on Active Directory in left navigation panel. Go to APPLICATIONS tab of your AD. Click on ADD at the bottom bar. 2. Click on 'Add an application my organization is developing'. 3. Enter name of your application (ex. Rising. Web. API). Select 'WEB APPLICATION AND/OR WEB API'. Click next. 4. In Sign- on URL, enter URL for the Web API. This does not have to be a working URL. It can be the base URL for the Web API assigned by Visual Studio (e. In App ID URI, enter https: //< AD_Tenant_Full. Name> /< Name_Of_Web. API>. (e. g. https: //risingventure. Click OK mark to complete the registration. 7. Go to CONFIGURE tab of the just registered application. Note the Client ID for it. Creating Web API 1. Create an ASP. Net project in Visual Studio and name it Rising. Web. API 2. Select Empty template and check Web. API option. Click on OK to create the Web API. 3. Open Web. config and add the following keys in App settings: < app. Settings> < add key="Tenant" value="risingventure. Audience" value="https: //risingventure. Client. ID" value="2. Settings> 4. Install the following Nuget packages to the Rising. Web. API project : Microsoft. Owin. Microsoft. Owin. Security. Active. Directory. Microsoft. Owin. Host. System. Web (This is for hosting the Web API in IIS/IIS express) 5. Add a C# file to the project, named Startup. Owin; namespace Rising. Web. API{public partial class Startup{public void Configuration(IApp. Builder app){Configure. Auth(app); }}} Please note the class must be named 'Startup'. This class is automatically found and initialized by the new ASP. Net runtime and its 'Configuration' method is called by passing IApp. Builder object. Note that this should be in default namespace of the Web API project. You can find the default namespace from project properties. If it is not in default namespace, you must add a key in 'App. Settings' section of Web. Config, like: < add key="owin: App. Startup" value="[Namespace]. Startup" />. If IApp. Builder interface is unrecognized in VS, re- install the Owin nuget package. We will add Configure. Auth method next. 6. Add another C# file to the folder App_Start in the Web API project and put the following content into it: using System. Configuration; using Microsoft. Owin. Security. Active. Directory; using Owin; using System. Identity. Model. Tokens; namespace Rising. Web. API{public partial class Startup{public void Configure. Auth(IApp. Builder app){var token. Validation. Parameter = new Token. Validation. Parameters(); token. Validation. Parameter. Valid. Audience = Configuration. Manager. App. Settings["Audience"]; app. Use. Windows. Azure. Active. Directory. Bearer. Authentication(new Windows. Azure. Active. Directory. Bearer. Authentication. Options{Token. Validation. Parameters = token. Validation. Parameter,Tenant = Configuration. Manager. App. Settings["Tenant"]}); }}} 7. Add a controller named Getdata. Controller to the Web API project. Select 'Web API 2 Controller - Empty' from Add Scaffold window. Put the following content in it: using System. Web. Http; namespace Rising. Web. API. Controllers{[Authorize]public class Getdata. Controller : Api. Controller{public string Get(){return "Hello"; }}} 8. Save and build the solution. Run the solution by pressing F5. If you try to access the Getdata controller (for example by hitting http: //localhost: 1. This is because the Web. API is now configured for Azure AD authentication and we require the Getdata controller to be authenticated ([Authorize] attribute). If you add any other controller without [Authorize] attribute, it should still be accessible. Next we will create the client that will get the authentication token from Azure AD tenant and pass to Web API. Registering Client with Azure AD Tenant Clients can authenticate to Azure AD tenant through three ways : certificate credential, client keys and username/password credential. In this section we will cover certificate credential. Other two would be discussed in later sections. Certificate and client keys create an application identity while username/password will have an identity of a user (whose credential is used to authenticate). 1. Go to Azure AD tenant as mentioned earlier on Azure management portal. 2. On the APPLICATIONS tab, click ADD from the bottom bar. 3. Click on 'Add an application my organization is developing'. 4. Enter meaningful name for the application (e. Rising. APIClient). 5. Select 'WEB APPLICATION AND/OR WEB API'. It does not matter if our client application is a native console app. Go next. 6. For Sign- on URL and App ID URI, enter any valid URI. This does not have to be an existing/working URL, however, App ID URI must be unique within your AD. Click OK mark to register the application. 7. Go to the CONFIGURE tab of the just added application and copy the client ID. Also give the client application access to the Web API. In the CONFIGURE, scroll to the bottom and click on 'Add application'. Select 'All Apps' from the drop down menu from the pop up window. Search for the 'Rising. Web. API' and select it. Click ok mark then. Give permission to 'Access Rising. Web. API' and click save. 8. Run the following command to create a self- signed certificate on your computer from developer command prompt: makecert - r - pe - n "CN=Rising. APIClient" - ss My - len 2. Rising. APIClient. Certificate need to be associated with the registered client application in Azure AD. This can be done using Azure AD module for Powershell. Install the module from this link. 1. After you have installed the module, run the following commands from a Powershell command window: PS C: \windows\system. Enter your username and password for the Azure AD user, when prompted. For example, ajay@risingventure. Note that the user must be part of this specific AD and should have username like *@risingventure. In azure portal, the account that creates the Azure AD is automatically added as an user to the newly created AD. This account may not work for adding certificate credentials for applications in newly created AD. Also, note that the user account which registered the client application on AD or a global administrator of the AD will have permissions to add certificate credentials.)PS C: \windows\system. New- Object System. Security. Cryptography. X5. 09. Certificates. X5. 09. Certificate. PS C: \windows\system. Import("E: \Certs\Rising. APIClient. cer") (Path to the created certificate)PS C: \windows\system. Cert = $cer. Get. Raw. Cert. Data()PS C: \windows\system. Value = [System. Convert]: :To. Base. 64. String($bin. Cert)PS C: \windows\system. New- Msol. Service. Principal. Credential - App. Principal. Id "< client ID> " - Type asymmetric - Value $cred. Value - Usage verify (client. Id = f. 5c. 69. 30.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |