AuditingConcepts
Auditing records user and operating system activities as events (audit entries) in the Security log. A typical event records which action was performed, who performed it, whether the action succeeded or failed, which computer or user initiated the action, and so on. To view audit events, use the Event Viewer console in Administrative Tools.
Auditing is generally performed for either security or resource usage reasons. For example, by auditing failures of activities such as logon attempts or attempts to access a restricted share on the network, administrators can detect when unauthorized access is being attempted and thus protect the security of their systems. And by auditing successful attempts to access filesystem resources, administrators can track patterns of usage so they can determine when to upgrade their storage capacity.
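The failure-detection use just described, as an added example that is not part of the original page: a PowerShell function that reads failed logon attempts from the Security log and groups them by account and source, so repeated guessing against one account stands out. It assumes a current Windows version, where a failed logon is event ID 4625 (Windows 2000 logged the same thing as events 529 through 537, readable with Get-EventLog), an elevated session or membership in Event Log Readers, and a threshold of 10 failures chosen for illustration. Nothing is found unless failure auditing for logon events has been enabled; the default records successes only.

```powershell
# Added example (not from the original page): summarize failed logons from the Security log.
# Assumes event ID 4625 (current Windows), an elevated session, and an illustrative threshold.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,      # how far back to look
        [int]$Threshold = 10   # failures per account/source worth a closer look (assumed value)
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the EventData fields by name from the event XML rather than by array position,
        # so the parsing does not depend on the order of the Properties collection.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = $d['LogonType']   # 2 interactive, 3 network, 10 remote interactive, ...
            # Network logons carry a source IP; local ones only a workstation name
            Source    = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
            Status    = $d['Status']      # 0xC000006D bad user name or password, 0xC0000234 account locked out, ...
        }
    }

    $rows | Group-Object Account, Source |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Failures = $_.Count
                Account  = $_.Group[0].Account
                Source   = $_.Group[0].Source
                First    = ($_.Group | Measure-Object Time -Minimum).Minimum
                Last     = ($_.Group | Measure-Object Time -Maximum).Maximum
                Statuses = ($_.Group.Status | Sort-Object -Unique) -join ','
            }
        }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

A burst of failures with status 0xC000006D from one source against many accounts is the password-spraying pattern; the same failures against one account ending in 0xC0000234 is a lockout, which is itself a sign worth investigating.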
An audit policy is a type of security policy that specifies which kinds of user and system activities are audited. No audit events are recorded on a computer until you configure its audit policy. You can configure nine types of audit policy settings:
Account logon events. A user is authenticated by the security database on the local machine (if the machine is in a workgroup) or by Active Directory on a domain controller (if it is in a domain). The event is recorded on the computer that performs the authentication, so for domain accounts it appears in the domain controller's Security log, not on the workstation the user logged on from.
Account management. An administrator creates, deletes, or modifies a user or group, resets a password, or performs some similar action.
Directory service access. A user attempts to access an object in Active Directory.
Logon events. A user logs on to or off from the local computer, or creates or terminates a network connection to it. This event is always recorded on the computer being accessed, whether the logon is local or over the network.
Object access. A user attempts to access a file, folder, or printer.
Policy change. A user changes a security setting, such as password options, user rights, or the audit policy itself.
Privilege use. A user exercises a right to perform an action, such as changing the system time or taking ownership of a file.
Process tracking. A process starts or exits, duplicates a handle, or performs a similar detailed tracked action (generally useful only to the developer of the application).
System events. A user shuts down or restarts the computer, the Security log is cleared, or some other action occurs that affects security on the machine as a whole.
Note that two of these audit policy settings (Object access and Directory service access) only switch the category on. You must also specify, on each object (file, folder, printer, Active Directory object) you actually want to audit, which type of access (read access, write access, object creation, and so on) to audit and whether to record successes, failures, or both; these per-object settings are stored in the object's system access control list (SACL). This is sometimes called operations-based auditing because it involves specifying the operations (read, write, create) you want to audit for selected objects. For more information on how to audit object access, see AuditingTasks.
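The per-object half of operations-based auditing, as an added example that is not part of the original page or of the AuditingTasks page it refers to: a PowerShell function that adds an audit entry to a folder's SACL so that write and delete attempts under it are recorded. The path, the identity and the operations audited are assumptions chosen for illustration. It must run elevated, because reading or writing a SACL requires the Manage auditing and security log privilege (SeSecurityPrivilege), and the entry produces no events unless Object access auditing is also enabled in the audit policy; when it is, each matching access appears as event 4663 in the Security log (560 on Windows 2000).

```powershell
# Added example (not from the original page): put an audit entry on a folder's SACL.
# Path, identity and rights below are illustrative assumptions. Run elevated.
function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    # -Audit is required: without it Get-Acl returns the DACL only and the SACL would be left untouched
    $acl = Get-Acl -Path $Path -Audit

    # Apply to the folder, its subfolders and its files (ContainerInherit + ObjectInherit)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the SACL as it now stands so the caller can confirm the entry landed
    (Get-Acl -Path $Path -Audit).Audit
}

Add-FolderAuditRule -Path 'D:\Finance\Payroll' |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
```

Auditing only the operations you care about (here writes and deletes, not reads) keeps the Security log readable; auditing Everyone for read access on a busy share produces an event for every file open and buries the entries that matter.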
There are four possible ways to configure each of the nine audit policy settings: no auditing, success only, failure only, or both success and failure. For example, configuring the Logon events setting for Success means that successful logons are recorded in the Security log but failed logons are not, so repeated password guessing leaves no trace there; for detecting unauthorized access, Failure is the setting that matters. Table 4-3 summarizes the default for each audit policy setting.
Audit policy setting | Default |
---|---|
Account logon events | Success |
Account management | Success (on domain controllers); No auditing (on member servers and workstations) |
Directory service access | No auditing |
Logon events | Success |
Object access | No auditing |
Policy change | No auditing |
Privilege use | No auditing |
Process tracking | No auditing |
System | No auditing |
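The nine settings and their four possible values, written out as an added example that is not part of the original page: a PowerShell script that expresses the audit policy as a security template and applies it with secedit.exe, which reads the [Event Audit] section. Each key takes one of the four values described above, encoded as 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure. The values chosen here are an illustration (failures recorded for everything with a security meaning, successes kept where the defaults already record them), not a recommendation for any particular site, and the file locations under $env:TEMP are assumptions. It must run elevated. On Windows Vista and later the same nine categories still exist, but auditpol.exe exposes finer subcategories, and an enforced subcategory policy takes precedence over these.

```powershell
# Added example (not from the original page): apply the nine audit policy settings via a security template.
# Values are illustrative. Run elevated.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon=3
AuditAccountManage=3
AuditDSAccess=2
AuditLogonEvents=3
AuditObjectAccess=2
AuditPolicyChange=3
AuditPrivilegeUse=2
AuditProcessTracking=0
AuditSystemEvents=3
'@
# Key to setting name: AuditAccountLogon = Account logon events, AuditAccountManage = Account management,
# AuditDSAccess = Directory service access, AuditLogonEvents = Logon events, AuditObjectAccess = Object access,
# AuditPolicyChange = Policy change, AuditPrivilegeUse = Privilege use, AuditProcessTracking = Process tracking,
# AuditSystemEvents = System events. Value: 0 none, 1 success, 2 failure, 3 both.

$inf = Join-Path $env:TEMP 'audit-policy.inf'
$db  = Join-Path $env:TEMP 'audit-policy.sdb'
$log = Join-Path $env:TEMP 'audit-policy.log'

# secedit expects the template as UTF-16, which is what the [Unicode] section declares
Set-Content -Path $inf -Value $template -Encoding Unicode

# Configure only the SECURITYPOLICY area so other parts of the local security database are left alone
secedit.exe /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY /log $log /quiet

# Verify: export the effective policy and print the nine audit keys
$current = Join-Path $env:TEMP 'audit-current.inf'
secedit.exe /export /cfg $current /areas SECURITYPOLICY /quiet
Get-Content -Path $current | Select-String -Pattern '^Audit'
```

Because Policy change is set to 3 in the template, applying it is itself recorded in the Security log, which is the behaviour you want: a later change that silently turns auditing off leaves an event behind.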
You can configure three additional security options relating to auditing:
Audit the access of global system objects. This option enables auditing of mutexes, semaphores, and other kernel objects that are shared system-wide and normally carry no audit settings of their own; when it is enabled they are created with a default SACL. It requires Object access auditing to be enabled as well, and it generates a large volume of events.
Audit use of Backup and Restore privilege. This can be useful because it generates an audit event for every file that is backed up or restored on the system. For it to work, the Audit privilege use setting must also be configured (see previous section). Be aware that a full backup then produces one event per file, which can fill the Security log quickly.
Shut down system immediately if unable to log security audits. In a high-security environment, this option shuts down the system when the Security log is full and overwriting of the oldest events is disabled. When the system shuts down, a stop screen (blue screen of death) appears, displaying the message "STOP: C0000244 Audit Failed." After the restart, only administrators can log on, and they should back up and clear the Security log immediately to resolve the situation. Clearing the log does not re-arm the option: the system records the crash by changing the underlying registry value (CrashOnAuditFail under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) from 1 to 2, and an administrator must set it back to 1 (or re-enable the option) or the computer stays in the administrators-only state. Note also that anyone who can generate audit events at will can use this option to take the system down, so it trades availability for audit integrity.