NT Gatekeeper: Auditing the SAM Database
Learn how to set up auditing of the SAM database.
September 16, 2002
We're defining a set of security-hardening guidelines for our Microsoft Exchange Server 5.5 servers, which are all installed on Windows NT 4.0 member servers. What's the best way to set up auditing on a member server's SAM database?
The best way to audit a member server's SAM is to audit both successful and failed access to the SAM and SECURITY registry containers by the accounts that have permission to access them (typically administrator accounts). First, you need to enable auditing on the member server. To do so, open NT User Manager (usrmgr.exe) and select the Policies, Audit menu option. In the Audit Policy dialog box, set the system to audit both success and failure events for File and Object Access.
Second, you need to modify the auditing settings on the SAM and SECURITY registry containers. Very few accounts have access to these containers, and by default the administrator account you are logged on with is not one of them, so you cannot simply open them in the registry editor. To solve this problem, you could modify the ACLs on the SAM and SECURITY registry containers and afterward reset the ACLs to their original values. An easier solution is to use the NT Task Scheduler service to execute the registry editor regedt32.exe. The Task Scheduler service uses the Local System account as its service account, and that account does have access to the SAM and SECURITY registry containers. To start the Task Scheduler service, from the command prompt, type
net start schedule
To schedule a job that will start the registry editor in the security context of the Local System account, type
at time /interactive regedt32.exe
In this command, replace time with a time (for example, in hh:mm form) that is later than the moment you type the command; the job then starts regedt32.exe in the Local System security context at that time.
In the registry editor, navigate to the HKEY_LOCAL_MACHINE\SAM subkey and select the Security, Auditing menu option. Add the following accounts in the Registry Key Auditing dialog box: Account Operators, Administrators, Backup Operators, Domain Admins, Server Operators, and SYSTEM. Next, set both Success auditing and Failure auditing for the Query Value, Set Value, Write DAC, and Read Control events, as Figure 2 shows. Select the Audit Permission on Existing Subkeys check box, click OK, then click Yes to confirm that auditing should be set on all existing subkeys. Depending on your organization's account and security administration rules, you might want to add or remove accounts or groups from the above list. Repeat the same process for the HKEY_LOCAL_MACHINE\SECURITY subkey. After you make these registry changes, stop the Task Scheduler service by typing
net stop schedule
at the command prompt.
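The same Registry Key Auditing settings, expressed as a script rather than clicked through in regedt32.exe. This is an added example, not part of the column: it assumes a later Windows release that has PowerShell and the .NET RegistryAuditRule class, that it runs in the Local System context (for instance from a scheduled task, as the column does with the at command), and that the DomainName parameter names the domain that holds Domain Admins.

```powershell
# Added example (not from the column): apply the SAM/SECURITY audit settings as a script.
# Assumes PowerShell on a later Windows release and that the script runs as Local System.
param([string]$DomainName = $env:USERDOMAIN)   # assumption: the domain hosting "Domain Admins"

# Principals listed in the column; BUILTIN\ and NT AUTHORITY\ are the well-known local names.
$principals = @(
    'BUILTIN\Account Operators', 'BUILTIN\Administrators', 'BUILTIN\Backup Operators',
    "$DomainName\Domain Admins",  'BUILTIN\Server Operators', 'NT AUTHORITY\SYSTEM'
)

# Query Value, Set Value, Write DAC and Read Control, in .NET's RegistryRights naming.
$rights    = [System.Security.AccessControl.RegistryRights] 'QueryValues, SetValue, ChangePermissions, ReadPermissions'
$audit     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
# ContainerInherit is the equivalent of the "Audit Permission on Existing Subkeys" check box.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None

foreach ($path in 'HKLM:\SAM', 'HKLM:\SECURITY') {
    # -Audit pulls the SACL; reading or writing it requires SeSecurityPrivilege.
    $acl = Get-Acl -Path $path -Audit

    foreach ($name in $principals) {
        $account = New-Object System.Security.Principal.NTAccount($name)
        # Account Operators and Server Operators exist only on domain controllers;
        # an unresolvable name would make Set-Acl fail, so skip it with a warning.
        try   { $null = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { Write-Warning "Skipping '$name': the account does not resolve on this host"; continue }

        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            $account, $rights, $inherit, $propagate, $audit)
        $acl.AddAuditRule($rule)
    }

    Set-Acl -Path $path -AclObject $acl

    # Read the SACL back so the result can be checked against the intended settings.
    (Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
}
```

The read-back at the end is the check to keep: an entry missing its ContainerInherit flag means existing subkeys are not covered, which is exactly what the check box in the dialog controls.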