Auditing is a powerful capability used for tracking events on computers. To implement auditing, you need to meet the auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, and printers.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
For computers running Windows 2000 Professional, you set up an audit policy for each individual computer.
The following are the requirements to set up and administer auditing:
Setting up auditing is a two-part process:
The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies in the Local Security Settings window, which you open by selecting Local Security Policy on the Administrative Tools menu.
Table 7.8 describes the types of events that Windows 2000 can audit.
Table 7.8 Types of Events Audited by Windows 2000
Event | Description |
---|---|
Account Logon Events | A domain controller received a request to validate a user account. (This is applicable only if your computer running Windows 2000 Professional joins a Windows 2000 domain.) |
Account Management | An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed. |
Directory Service Access | A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. (Active Directory directory services are available only if your computer running Windows 2000 Professional joins a Windows 2000 domain.) |
Logon Events | A user logged on or logged off, or a user made or canceled a network connection to the computer. |
Object Access | A user gained access to a file, folder, or printer. To log this type of event, you must also configure auditing on the specific files, folders, or printers. |
Policy Change | A change was made to the user security options, user rights, or audit policies. |
Privilege Use | A user exercised a right, such as changing the system time. (This doesn't include rights that are related to logging on and logging off.) |
Process Tracking | A program performed an action. This information is generally useful only for programmers who want to track details of program execution. |
System Events | A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 starts discarding entries.) |
Follow these steps to set an audit policy on a computer that is running Windows 2000 Professional:
The console displays the current audit policy settings in the details pane, as shown in Figure 7.7.
Figure 7.7 Events that Windows 2000 can audit
The Local Security Policy Setting dialog box appears for the selected event. Figure 7.8 shows the Local Security Policy Setting dialog box for Audit Logon Events, and Table 7.9 defines the fields available in the Local Security Policy Setting dialog box.
Figure 7.8 The Local Security Policy Setting dialog box for Audit Logon Events
Table 7.9 Local Security Policy Setting Dialog Box Fields
Field | Description |
---|---|
Effective Policy Setting | Indicates whether or not auditing is turned on. No auditing indicates it is not auditing this event. Failure indicates it is auditing failed attempts. Success indicates it is auditing successful attempts. Success, Failure indicates it is auditing all attempts. |
Local Policy Setting | A check mark in the Success check box indicates that auditing is in effect for successful attempts. A check mark in the Failure check box indicates that auditing is in effect for failed attempts. |
Once you have set the audit policy, remember that the changes that you make to your computer's audit policy don't take effect until you restart your computer.
If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit access to objects, which includes files and folders.
Once you have set your audit policy to audit access to objects, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
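The audit policy described above can be exported to a security template with `secedit /export /cfg audit.inf`, a tool that ships with Windows 2000; the `[Event Audit]` section of that file records each Table 7.8 category as a number where bit 0 means Success and bit 1 means Failure, which is the same Success / Failure / Success, Failure encoding shown in Table 7.9. The following script is an added example, not part of this lesson: it decodes such a section and warns when Object Access is off, because, as stated above, file, folder, and printer auditing produce no log entries until that category is enabled. The template text embedded in it is constructed for the example, and the `CATEGORIES` and `SETTINGS` mappings are the author's own.

```python
"""Decode the [Event Audit] section of a secedit security template and report
which Windows 2000 audit categories track success, failure, both, or nothing.
Added example; SAMPLE_TEMPLATE below is constructed, not exported from a machine."""
import configparser

# Template keys as secedit writes them, mapped to the Table 7.8 event names.
CATEGORIES = {
    "AuditSystemEvents": "System Events",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditPolicyChange": "Policy Change",
    "AuditAccountManage": "Account Management",
    "AuditProcessTracking": "Process Tracking",
    "AuditDSAccess": "Directory Service Access",
    "AuditAccountLogon": "Account Logon Events",
}

# Value encoding used in the template: bit 0 = audit success, bit 1 = audit failure.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample: a policy that audits logons but not object access.
SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""


def parse_audit_policy(template_text):
    """Return {event name: effective setting string} for every Table 7.8 category.
    A category missing from the template is reported as 'No auditing'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as secedit wrote it
    parser.read_string(template_text)
    policy = {}
    for key, name in CATEGORIES.items():
        raw = parser.get("Event Audit", key, fallback="0")
        policy[name] = SETTINGS[int(raw) & 3]
    return policy


def object_auditing_prerequisite_met(policy):
    """File, folder, and printer audit entries are only written when the
    Object Access category audits at least one outcome."""
    return policy.get("Object Access", "No auditing") != "No auditing"


def report(template_text):
    """Build a human-readable summary, with a warning if object access is off."""
    policy = parse_audit_policy(template_text)
    lines = [f"{name:<26} {setting}" for name, setting in policy.items()]
    if not object_auditing_prerequisite_met(policy):
        lines.append("WARNING: Object Access is not audited; file, folder, and "
                     "printer audit entries will not be logged.")
    return "\n".join(lines)


if __name__ == "__main__":
    # A real exported file is UTF-16: open(path, encoding="utf-16").read()
    print(report(SAMPLE_TEMPLATE))
```

Run against a real export, the warning line is the check to make before spending time on per-file or per-printer audit entries: if it fires, the policy step of the two-part process has not been completed (or the computer has not been restarted since it was changed).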
Follow these steps to enable auditing for specific files and folders:
Figure 7.9 Events that can be audited for files and folders
Table 7.10 describes when to audit these events.
By default, any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders.
Table 7.10 User Events and What Triggers Them
Event | User activity that triggers the event |
---|---|
Traverse Folder/Execute File | Running a program or gaining access to a folder to change directories |
List Folder/Read Data | Displaying the contents of a file or folder |
Read Attributes | Displaying the attributes of a file or folder |
Read Extended Attributes | Displaying the extended attributes of a file or folder |
Create Files/Write Data | Changing the contents of a file or creating new files in a folder |
Create Folders/Append Data | Creating folders in the folder |
Write Attributes | Changing attributes of a file or folder |
Write Extended Attributes | Changing extended attributes of a file or folder |
Delete Subfolders And Files | Deleting a file or subfolder in a folder |
Delete | Deleting a file or folder |
Read Permissions | Viewing permissions or the file owner for a file or folder |
Change Permissions | Changing permissions for a file or folder |
Take Ownership | Taking ownership of a file or folder |
Audit access to printers to track access to sensitive printers. To audit access to printers, set your audit policy to audit access to objects, which includes printers. Then enable auditing for specific printers and specify which types of access to audit and for which users or groups. After you select the printer, you use the same steps that you use to set up auditing on files and folders.
Follow these steps to set up auditing on a printer:
Figure 7.10 Printer events that can be audited
Table 7.11 describes what user activities trigger events for printers.
Table 7.11 Printer Events and What Triggers Them
Event | User activity that triggers the event |
---|---|
Print | Printing a file |
Manage Printers | Changing printer settings, pausing a printer, sharing a printer, or removing a printer |
Manage Documents | Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties |
Read Permissions | Viewing printer permissions |
Change Permissions | Changing printer permissions |
Take Ownership | Taking printer ownership |
In this lesson, you learned that the first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. You can select the events to audit for files and folders, and you can select the events you want to audit for printers. For each event that you can audit, the configuration settings indicate whether to track successful attempts, failed attempts, or both. You use the Local Security Settings window to set audit policies, and then you restart your computer to enable auditing.
You also learned that you can set up auditing for access to files, folders, and printers on NTFS partitions. To do so, you must first set your audit policy to audit access to objects, which includes files, folders, and printers. Once you have set your audit policy to audit object access, you enable auditing for specific files, folders, and printers and specify which types of access, by which users or groups, to audit.