Enabling Monitoring for Anonymous Active Directory Access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

You can enable monitoring for anonymous access through audit settings (a SACL) on the Active Directory object CN=Server,CN=System,DC=domain,DC=…ForestRootDomain. The audit settings ensure that a Security audit log event is generated whenever an application or service lists or reads domain data in Active Directory with anonymous access. The most common generators of these events are applications or services, such as Routing and Remote Access Service, that run as Local System on Windows NT 4.0 domain controllers or member servers and therefore contact Active Directory through a null session (that is, as ANONYMOUS LOGON).

Note

In addition to these audit settings, the Audit directory service access audit policy must be configured to audit successful access to the directory; a SACL entry generates no event unless the matching policy is enabled. Success events for directory service access are audited by default on Windows Server 2003 domain controllers. On Windows Server 2008 and Windows Server 2008 R2, the equivalent setting is the Directory Service Access subcategory of the DS Access audit category. The resulting entries are logged as event ID 566 (Windows Server 2003) or 4662 (Windows Server 2008 and later) with ANONYMOUS LOGON as the subject account.

Requirements

  • Credentials: Domain Admins

  • Tools: ADSI Edit (Windows Server 2003 Support Tools)

To enable monitoring for anonymous Active Directory access

  1. Log on to a domain controller in the root domain by using an account with Domain Admins credentials.

  2. Click Start, click Run, type adsiedit.msc, and then click OK.

  3. In the console tree, double-click the domain, and then click the System container.

  4. In the details pane, right-click Server, and then click Properties.

  5. On the Security tab, click Advanced.

  6. On the Auditing tab, click Add.

  7. In the Enter the object name to select box, type anonymous, and then click OK. The name resolves to the well-known security principal ANONYMOUS LOGON (SID S-1-5-7).

  8. In the Auditing Entry for Server dialog box, set the auditing entries shown in Table 45.

**Table 45 Audit Settings for CN=Server,CN=System,DC=domain,DC=…ForestRootDomain**

| Type    | Name      | Access                      | Apply Onto       |
|---------|-----------|-----------------------------|------------------|
| Success | Anonymous | Read All Properties         | This object only |
| Success | Anonymous | Enumerate Entire SAM Domain | This object only |
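The same two audit entries from Table 45 can be applied without ADSI Edit. The following PowerShell script is an added example, not part of the original procedure; it assumes a Windows Server 2008 R2 domain controller (or a management host) with the ActiveDirectory module from RSAT, and that it is run in an elevated session with Domain Admins credentials, since writing a SACL requires the Manage auditing and security log privilege. The rightsGuid of the Enumerate Entire SAM Domain extended right is looked up in the Extended-Rights container of the configuration partition rather than hard-coded, so the script works even if the displayed GUID in your forest differs from what you expect.

```powershell
# Added example: apply the Table 45 SACL entries to CN=Server,CN=System,<forest root> with PowerShell.
# Assumes RSAT ActiveDirectory module, elevated session, Domain Admins credentials (not from the original page).
Import-Module ActiveDirectory

# Resolve the forest root domain and the target object's distinguished name.
$rootDomainDns = (Get-ADForest).RootDomain
$rootDn        = (Get-ADDomain -Identity $rootDomainDns).DistinguishedName
$serverDn      = "CN=Server,CN=System,$rootDn"

# ANONYMOUS LOGON is the well-known SID S-1-5-7 (what the object picker resolves "anonymous" to).
$anonymous = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'

# Look up the rightsGuid of the "Enumerate Entire SAM Domain" control access right in the schema.
$configNc = (Get-ADRootDSE).configurationNamingContext
$samRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Enumerate Entire SAM Domain))' `
    -Properties rightsGuid
if (-not $samRight) { throw "Extended right 'Enumerate Entire SAM Domain' not found under CN=Extended-Rights" }
$enumerateSamGuid = [guid]$samRight.rightsGuid

# Read the current security descriptor including the SACL (-Audit).
$acl = Get-Acl -Path "AD:\$serverDn" -Audit

# Row 1: Success / Anonymous / Read All Properties / This object only.
# ReadProperty with no objectType GUID covers all attributes; inheritance None = "This object only".
$readAllProperties = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $anonymous,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Row 2: Success / Anonymous / Enumerate Entire SAM Domain / This object only.
$enumerateSamDomain = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $anonymous,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AuditFlags]::Success,
    $enumerateSamGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAuditRule($readAllProperties)
$acl.AddAuditRule($enumerateSamDomain)
Set-Acl -Path "AD:\$serverDn" -AclObject $acl

# Verify: list the audit entries now present for ANONYMOUS LOGON on the object.
(Get-Acl -Path "AD:\$serverDn" -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $anonymous } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AuditFlags, InheritanceType

# The SACL only produces events if the audit policy is on. On Windows Server 2008 / 2008 R2, confirm that the
# Directory Service Access subcategory audits Success on the domain controllers (this is a read-only check).
auditpol /get /subcategory:"Directory Service Access"
```

The verification step should show two entries for NT AUTHORITY\ANONYMOUS LOGON: one with ReadProperty and an all-zero ObjectType, and one with ExtendedRight and the rightsGuid of Enumerate Entire SAM Domain, both with InheritanceType None. Because AddAuditRule does not deduplicate, run the script once; rerunning it after the entries exist simply leaves the SACL unchanged.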