3.3 Explain important concepts pertaining to identity and access management for server administration.

📘CompTIA Server+ (SK0-005)

What is Auditing?

Auditing is the process of tracking, recording, and reviewing activities that happen on a server or system.

It helps administrators:

Monitor user behavior
Detect unauthorized access
Investigate security incidents
Ensure compliance with policies and regulations

Auditing works by generating logs (records) of activities, which can later be reviewed.

Why Auditing is Important (Exam Focus)

You should understand that auditing is used for:

Security monitoring – Detect suspicious actions
Accountability – Know who did what and when
Compliance – Meet legal or organizational requirements
Troubleshooting – Identify causes of issues

Types of Auditing (Based on Exam Objectives)

1. User Activity Auditing

What it is

Tracking everything a user does on a system.

What is monitored

File access (read/write/delete)
Application usage
Configuration changes
Administrative actions

Example (IT environment)

An administrator checks logs to see:

Which user modified a configuration file
Who accessed a restricted directory

Why it matters

Detect insider threats
Identify misuse of privileges
Ensure users follow policies

2. Login Auditing

What it is

Tracking all login attempts to a system.

What is monitored

Successful logins
Failed login attempts
Login time and location (if available)
Remote vs local access

Example (IT environment)

A system log shows:

Multiple failed login attempts from the same account
A login at an unusual time

Why it matters

Detect brute-force attacks
Identify compromised accounts
Monitor unauthorized access attempts

Important Exam Point

Failed logins are especially important for detecting attacks

3. Group Membership Auditing

What it is

Tracking changes to user group memberships.

What is monitored

Users added to groups
Users removed from groups
Changes in privilege levels

Example (IT environment)

Logs show:

A user was added to the Administrators group
A user was removed from a restricted access group

Why it matters

Prevent privilege escalation
Ensure least privilege principle is followed
Detect unauthorized access rights changes

Important Exam Point

Changes to privileged groups must always be audited

4. Deletion Auditing

What it is

Tracking when objects are deleted from the system.

What is monitored

Deleted user accounts
Removed files or folders
Deleted logs or system objects

Example (IT environment)

Audit logs show:

A user account was deleted
Important system logs were removed

Why it matters

Detect malicious activity
Recover from accidental deletions
Maintain data integrity

Audit Logs

What are Audit Logs?

Audit logs are records of all tracked activities.

Common log details include:

Username
Event type (login, delete, modify)
Date and time
Source system or IP address
Success or failure status

Best Practices for Auditing (Exam Essentials)

1. Enable Proper Logging

Turn on auditing for critical systems
Focus on sensitive areas (logins, admin actions)

2. Review Logs Regularly

Do not just collect logs—analyze them
Look for unusual patterns

3. Use Centralized Logging

Store logs in a central system (e.g., SIEM)
Makes monitoring easier

4. Protect Logs

Restrict access to logs
Prevent tampering or deletion

5. Set Alerts

Configure alerts for:
- Multiple failed logins
- Privilege changes
- Account deletions

Key Exam Concepts to Remember

Auditing = Tracking and reviewing system activity
User activity auditing tracks actions performed by users
Login auditing tracks access attempts (success and failure)
Group membership auditing tracks permission changes
Deletion auditing tracks removed objects
Logs must be:
- Stored securely
- Reviewed regularly

Quick Summary (For Revision)

Auditing helps in security, compliance, and troubleshooting
Focus on:
- User actions
- Login attempts
- Permission changes
- Deletions
Always monitor privileged activities
Logs are only useful if they are reviewed and protected