Auditing System Resources


Auditing is the best way to track what's happening on your Windows Server 2003 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Any time an action occurs that you've configured for auditing, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.

Note

For most auditing changes, you'll need to be logged on using an account that's a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.


Setting Auditing Policies

Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies with Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.

Once you access the Group Policy container you want to work with, you can set auditing policies by completing the following steps:

  1. As shown in Figure 14-12, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.

    Figure 14-12. Set auditing policies using the Audit Policy node in Group Policy.


  2. The auditing options are:

    • Audit Account Logon Events: Tracks events related to user logon and logoff.

    • Audit Account Management: Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

    • Audit Directory Service Access: Tracks access to Active Directory. Events are generated any time users or computers access the directory.

    • Audit Logon Events: Tracks events related to user logon, logoff, and remote connections to network systems.

    • Audit Object Access: Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.

    • Audit Policy Change: Tracks changes to user rights, auditing, and trust relationships.

    • Audit Privilege Use: Tracks the use of user rights and privileges, such as the right to back up files and directories.

      Note

      The Audit Privilege Use policy doesn't track system access-related events, such as the use of the right to log on interactively or the right to access the computer from the network. You track these events with Logon and Logoff auditing.


    • Audit Process Tracking: Tracks system processes and the resources they use.

    • Audit System Events: Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.

  3. To configure an auditing policy, double-click its entry or right-click and select Security. This opens a properties dialog box for the policy.

  4. Select Define These Policy Settings, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

  5. Click OK when you're finished.
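To confirm which of these policies are actually set on a server, you can export the security policy with `secedit /export /cfg C:\audit.inf /areas SECURITYPOLICY` and decode its [Event Audit] section. The script below is an added example, not from the book; it assumes Windows PowerShell 2.0 or later is installed, and both the file path and the sample template text are constructed.

```powershell
# Key names used in the [Event Audit] section of a security template,
# mapped to the policy names shown under the Audit Policy node.
$policyNames = @{
    AuditAccountLogon    = 'Audit Account Logon Events'
    AuditAccountManage   = 'Audit Account Management'
    AuditDSAccess        = 'Audit Directory Service Access'
    AuditLogonEvents     = 'Audit Logon Events'
    AuditObjectAccess    = 'Audit Object Access'
    AuditPolicyChange    = 'Audit Policy Change'
    AuditPrivilegeUse    = 'Audit Privilege Use'
    AuditProcessTracking = 'Audit Process Tracking'
    AuditSystemEvents    = 'Audit System Events'
}
# Template values: 0 = none, 1 = success, 2 = failure, 3 = both.
$settings = 'No auditing', 'Success', 'Failure', 'Success, Failure'

function Get-AuditPolicyFromInf([string[]]$Lines) {
    $inSection = $false
    $found = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # A new section header starts; only [Event Audit] is of interest.
            $inSection = ($matches[1] -eq 'Event Audit')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*([0-3])$') {
            $found[$matches[1]] = [int]$matches[2]
        }
    }
    foreach ($key in ($policyNames.Keys | Sort-Object)) {
        $state = 'Not defined'   # key absent from the template
        if ($found.ContainsKey($key)) { $state = $settings[$found[$key]] }
        '{0,-32} {1}' -f $policyNames[$key], $state
    }
}

# Constructed sample; for a real export use: Get-Content C:\audit.inf
$sample = @'
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 3
'@ -split "`r?`n"

Get-AuditPolicyFromInf $sample
```

Policies that report "No auditing" or "Not defined" write nothing to the security log, so any file or directory auditing entries that depend on them have no effect.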

Auditing Files and Folders

If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is available only on NTFS volumes.

You can configure file and folder auditing by completing the following steps:

  1. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties.

  2. Select the Security tab and then click Advanced.

  3. In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 14-13.

    Figure 14-13. Once you audit object access, you can use the Auditing tab to set auditing policies on individual files and folders.


  4. If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Permissions From The Parent To Propagate To This Object is selected.

  5. If you want child objects of the current object to inherit the settings, select Replace Auditing Entries.

  6. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.

  7. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, you'll see the Auditing Entry For ... dialog box, shown in Figure 14-14.

    Figure 14-14. Use the Auditing Entry For dialog box to set auditing entries for a user, computer, or group.


    Tip

    If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.


  8. As necessary, use the Apply Onto drop-down list box to specify where objects are audited.

  9. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 14-5, except you can't audit synchronizing of offline files and folders.

  10. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.
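The same auditing entry can be written to a folder from a script, which helps when many folders need identical settings. This is an added example, not from the book; it assumes Windows PowerShell is installed and that the account running it holds the Manage Auditing And Security Log right, and the folder path and the chosen set of audited events are hypothetical.

```powershell
# Hypothetical folder on an NTFS volume.
$path = 'D:\Data\Payroll'

# Events to audit; these are file system special permissions.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Equivalent of Apply Onto: This folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Equivalent of selecting both the Successful and Failed check boxes.
$auditOn = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Audit actions by all users through the special group Everyone.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $auditOn)

# -Audit makes Get-Acl read the auditing entries (the SACL) as well;
# without it the auditing entries are not retrieved.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the entries back, including inherited ones, to verify the change.
(Get-Acl -Path $path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The entry produces security log events only while the Audit Object Access policy is enabled for the matching Success or Failure outcome.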

Auditing Active Directory Objects

If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.

To configure object auditing, follow these steps:

  1. In Active Directory Users And Computers, access the container for the object.

  2. Right-click the object to be audited, and then, from the shortcut menu, select Properties.

  3. Select the Security tab, and then click Advanced.

  4. In the Access Security Settings dialog box, select the Auditing tab. To inherit auditing settings from a parent object, make sure that Allow Inheritable Permissions From The Parent To Propagate To This Object is selected.

  5. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box and then click Remove.

  6. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.

  7. Use the Apply Onto drop-down list box to specify where objects are audited.

  8. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions.

  9. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141