Lesson 5: Implementing an Audit Policy

Auditing is a powerful capability used for tracking events on computers. To implement auditing, you need to meet the auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, and printers.


After this lesson, you will be able to

  • Set up auditing on files and folders
  • Set up auditing on printers

Estimated lesson time: 25 minutes


Configuring Auditing

For computers running Windows 2000 Professional, you set up an audit policy for each individual computer.

Auditing Requirements

The following are the requirements to set up and administer auditing:

  • You must have the Manage Auditing And Security Log user right on the computer where you want to configure an audit policy or review the audit log. By default, Windows 2000 grants this right to the Administrators group.
  • The files and folders to be audited must be on NTFS volumes. FAT and FAT32 volumes carry no security descriptors, so nothing on them can be audited.

Setting Up Auditing

Setting up auditing is a two-part process:

  1. Set the audit policy. The audit policy turns on auditing for a category of events (for example, object access) but doesn't by itself cause any specific object to be audited.
  2. Enable auditing of specific resources. You specify which events to audit, and for which users or groups, on individual files, folders, printers, and Active Directory objects. Windows 2000 then tracks the specified events and records them in the Security log.

Setting an Audit Policy

The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies in the Local Security Settings window, which you open by selecting Local Security Policy on the Administrative Tools menu.

Table 7.8 describes the types of events that Windows 2000 can audit.

Table 7.8 Types of Events Audited by Windows 2000

Event: Description
Account Logon Events: A domain controller received a request to validate a user account. (This is applicable only if your computer running Windows 2000 Professional joins a Windows 2000 domain.)
Account Management: An administrator created, changed, or deleted a user account or group; a user account was renamed, disabled, or enabled; or a password was set or changed.
Directory Service Access: A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. (Active Directory directory services are available only if your computer running Windows 2000 Professional joins a Windows 2000 domain.)
Logon Events: A user logged on or logged off, or a user made or canceled a network connection to the computer.
Object Access: A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing to log this type of event.
Policy Change: A change was made to the user security options, user rights, or audit policies.
Privilege Use: A user exercised a right, such as changing the system time. (This doesn't include rights that are related to logging on and logging off.)
Process Tracking: A program performed an action. This information is generally useful only for programmers who want to track details of program execution.
System Events: A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 starts discarding entries.)

Follow these steps to set an audit policy on a computer that is running Windows 2000 Professional:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. In the Local Security Settings window's console tree, double-click Local Policies, and then click Audit Policy.

    The console displays the current audit policy settings in the details pane, as shown in Figure 7.7.

    Figure 7.7 Events that Windows 2000 can audit

  3. Select the type of event to audit, and then, on the Action menu, click Security.

    The Local Security Policy Setting dialog box appears for the selected event. Figure 7.8 shows the Local Security Policy Setting dialog box for Audit Logon Events, and Table 7.9 defines the fields available in the Local Security Policy Setting dialog box.

  4. Select the Success check box, the Failure check box, or both.
  5. Click OK.
  6. Restart your computer.

    Figure 7.8 The Local Security Policy Setting dialog box for Audit Logon Events

    Table 7.9 Local Security Policy Setting Dialog Box Fields

    Field: Description
    Effective Policy Setting: Indicates whether auditing is turned on for this event and, if so, which attempts are recorded. No auditing indicates that this event is not audited. Failure indicates that failed attempts are audited. Success indicates that successful attempts are audited. Success, Failure indicates that all attempts are audited.
    Local Policy Setting: A check mark in the Success check box indicates that auditing is in effect for successful attempts. A check mark in the Failure check box indicates that auditing is in effect for failed attempts.

    Once you have set the audit policy, remember that the changes that you make to your computer's audit policy don't take effect until you restart your computer.
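The same audit policy can be set without the Local Security Settings window. The PowerShell script below is an added example, not part of the training kit: it writes a security template whose [Event Audit] section holds the nine categories from Table 7.8, applies it with secedit.exe (which ships with Windows 2000 and all later versions), and exports the resulting policy to confirm what took effect. The secedit.exe command lines are what you would type at a Windows 2000 command prompt; the PowerShell wrapper around them needs Windows XP SP2 or later. The working directory under C:\Temp and the particular Success/Failure choices are assumptions for this example.

```powershell
# Added example: script the audit policy with secedit.exe instead of the GUI.
# Requires the Manage Auditing And Security Log right (Administrators by default),
# so run from an elevated prompt.
$work = 'C:\Temp\audit'      # assumed working directory for this example
New-Item -ItemType Directory -Path $work -Force | Out-Null

# [Event Audit] values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
# The choices below are one reasonable policy for a workstation, not the page's
# recommendation: object access and policy/account changes on success and failure,
# logon and privilege use on failure only, process tracking and directory service
# access off. A single-quoted here-string keeps $CHICAGO$ from being expanded.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 3
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 2
'@
# Templates declare Unicode=yes, so write the file as UTF-16 (Unicode) text.
Set-Content -Path "$work\audit.inf" -Value $template -Encoding Unicode

# Apply only the SECURITYPOLICY area (audit policy, security options) from the template.
& secedit.exe /configure /db "$work\audit.sdb" /cfg "$work\audit.inf" /areas SECURITYPOLICY /log "$work\audit.log" /quiet

# Verify: export the policy now in force and show the audit lines.
& secedit.exe /export /cfg "$work\current.inf" /areas SECURITYPOLICY /quiet
Get-Content -Path "$work\current.inf" | Select-String -Pattern '^Audit'
```

The exported lines should echo the values from the template. On Windows Vista and later the nine categories are subdivided into subcategories managed with auditpol.exe; there, `auditpol.exe /get /category:*` shows the effective per-subcategory state, and a subcategory setting overrides the legacy category setting when the "force audit policy subcategory settings" security option is enabled.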

Auditing Access to Files and Folders

If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit access to objects, which includes files and folders.

Once you have set your audit policy to audit access to objects, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.

Follow these steps to enable auditing for specific files and folders:

  1. On the Security tab in the Properties dialog box for a file or folder, click Advanced.
  2. On the Auditing tab, click Add, select the users for whom you want to audit file and folder access, and then click OK.
  3. In the Auditing Entry dialog box, select the Successful check box or the Failed check box for the events that you want to audit. For a list of the events, see Figure 7.9.

    Figure 7.9 Events that can be audited for files and folders

    Table 7.10 describes when to audit these events.

  4. Click OK to return to the Access Control Settings dialog box.

    By default, any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders.

  5. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
  6. Click OK.

    Table 7.10 User Events and What Triggers Them

    Event: User activity that triggers the event
    Traverse Folder/Execute File: Running a program or gaining access to a folder to change directories
    List Folder/Read Data: Displaying the contents of a file or folder
    Read Attributes; Read Extended Attributes: Displaying the attributes of a file or folder
    Create Files/Write Data: Changing the contents of a file or creating new files in a folder
    Create Folders/Append Data: Creating folders in the folder
    Write Attributes; Write Extended Attributes: Changing attributes of a file or folder
    Delete Subfolders And Files: Deleting a file or subfolder in a folder
    Delete: Deleting a file or folder
    Read Permissions: Viewing permissions or the file owner for a file or folder
    Change Permissions: Changing permissions for a file or folder
    Take Ownership: Taking ownership of a file or folder
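The Auditing tab edits the folder's system access control list (SACL), and the same entries can be written from PowerShell. The script below is an added example, not part of the training kit: it adds one auditing entry to a folder for Everyone, covering the Delete, Delete Subfolders And Files, Change Permissions and Take Ownership events from Table 7.10 on both successful and failed attempts, applies it to subfolders and files, and performs step 5 of the procedure (stopping inherited auditing entries from propagating). The folder path, the audited principal and the chosen access types are assumptions for this example; the .NET FileSystemAuditRule class it uses needs Windows XP SP2 or later with PowerShell installed.

```powershell
# Added example: add an auditing entry (SACL entry) to a folder from PowerShell.
# Writing a SACL needs the Manage Auditing And Security Log right (SeSecurityPrivilege),
# held by Administrators by default, so run from an elevated prompt.
$folder = 'C:\Data\Payroll'    # assumed folder on an NTFS volume
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Which accesses to audit. These names are the .NET equivalents of the Table 7.10 events:
# Delete, Delete Subfolders And Files, Change Permissions, Take Ownership.
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Apply the entry to this folder, its subfolders and its files (the default Apply Onto choice).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
# Both the Successful and the Failed check boxes.
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$args = @('Everyone', $rights, $inherit, $propagate, $flags)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $args

# -Audit is required: without it Get-Acl returns only the DACL and Set-Acl would not touch the SACL.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)

# Step 5 of the procedure: clear "Allow Inheritable Auditing Entries From Parent To Propagate
# To This Object". ($true, $true) stops inheritance but keeps copies of the entries already
# inherited; ($true, $false) would discard them. Remove this line to keep inheriting.
$acl.SetAuditRuleProtection($true, $true)

Set-Acl -Path $folder -AclObject $acl

# Verify: list the SACL the way the Auditing tab shows it (explicit and inherited entries).
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
```

The entry generates nothing until Audit Object Access is enabled in the audit policy, as the first part of this lesson describes. On Windows 2000 a matching access appears in the Security log as event ID 560 (Object Open); on Windows Vista and later it appears as event ID 4656 (handle requested) and 4663 (access attempted). Audit only the accesses you will actually review: auditing List Folder/Read Data for Everyone on a busy share fills the Security log quickly and can trigger the "log full" system event listed in Table 7.8.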

Auditing Access to Printers

Audit access to printers to track who uses or reconfigures sensitive printers. To audit access to printers, set your audit policy to audit access to objects, which includes printers. Then enable auditing for specific printers, and specify which types of access to audit and which users' or groups' access to audit. After you select the printer, you use the same steps that you use to set up auditing on files and folders.

Follow these steps to set up auditing on a printer:

  1. In the Properties dialog box for the printer, click the Security tab, and then click Advanced.
  2. On the Auditing tab, click Add, select the appropriate users or groups for whom you want to audit printer access, and then click OK.
  3. In the Apply Onto box in the Auditing Entry dialog box, select the resources to which the auditing setting applies (the printer, its documents, or both).
  4. Under Access, select the Successful check box or the Failed check box for the events that you want to audit (see Figure 7.10).
  5. Click OK in the appropriate dialog boxes to exit.

Figure 7.10 Printer events that can be audited

Table 7.11 describes what user activities trigger events for printers.

Table 7.11 Printer Events and What Triggers Them

Event: User activity that triggers the event
Print: Printing a file
Manage Printers: Changing printer settings, pausing a printer, sharing a printer, changing printer properties, or removing a printer
Manage Documents: Changing job settings; pausing, restarting, moving, or deleting documents
Read Permissions: Viewing printer permissions
Change Permissions: Changing printer permissions
Take Ownership: Taking printer ownership

Lesson Summary

In this lesson, you learned that the first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. You can select the events to audit for files and folders, and you can select the events you want to audit for printers. For each event that you can audit, the configuration settings indicate whether to track successful attempts, failed attempts, or both. You use the Local Security Settings window to set audit policies, and then you restart your computer to enable auditing.

You also learned that you can set up auditing for access to files and folders on NTFS partitions, and for access to printers. To do so, you must first set your audit policy to audit access to objects, which includes files, folders, and printers. Once you have set your audit policy to audit object access, you enable auditing for specific files, folders, and printers and specify which types of access, by which users or groups, to audit.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244