Auditing Tasks
Before you can designate which objects to audit, you have to configure auditing. This section describes how to do this and related auditing tasks.
Audit policies can be configured on computers in several ways. For example, to configure auditing for standalone servers and workstations belonging to a workgroup:
Administrative Tools → Local Security Policy → Security Settings → Local Policies → Audit Policy → double-click one of the nine audit policy settings → select Success, Failure, both, or neither for no auditing
For computers belonging to a domain, you can do the same for each machine by using the Domain Controller Security Policy on domain controllers and the Local Security Policy on member servers and workstations. Alternatively, you can use Group Policy to configure auditing at the domain, OU, or site level. For example, to configure an audit policy for a domain by editing an existing GPO, do the following:
Administrative Tools → Active Directory Users and Computers → right-click on the domain → Properties → Group Policy → select a GPO → Edit → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, etc.
The three security options for auditing discussed in Auditing Concepts are configured as follows:
Administrative Tools → Local Security Policy → Security Settings → Local Policies → Security Settings
All three are disabled by default.
First, configure your audit policy to enable Success and/or Failure auditing for Directory service access (see Configure Audit Policy earlier in this section) and then specify which AD objects you want to audit. For example, to audit access to the Users container in the mtit.local domain:
Open Active Directory Users and Computers → View → toggle Advanced Features on → right-click on Users container → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → select types of events to audit
First, configure your audit policy to enable Success and/or Failure auditing for Object access (see Configure Audit Policy earlier in this section) and then specify which files or folders you want to audit (these must be on an NTFS volume). For example, if you want to audit access to the file C:\hello.txt, you can use Windows Explorer to enable auditing of the file as follows:
Windows Explorer → right-click on C:\hello.txt → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → specify types of events to audit
Configuring auditing on many individual files is a lot of work. It's almost always better to configure auditing on folders instead. You can specify that the audit settings be applied to:
This folder only
This folder, subfolders, and files
This folder and subfolders
This folder and files
Subfolders and files only
Subfolders only
Files only
The default is to pass audit settings down the entire subtree of files and subfolders beneath the folder you are configuring, which is the typical choice.
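The same folder auditing can be scripted. The following is an added example, not part of the original text: it maps the seven scope choices listed above to the inheritance and propagation flags stored in the folder's audit entry and adds one entry. It assumes an elevated PowerShell session with Object access auditing already enabled; the folder `C:\AuditDemo`, the `Everyone` group, and the function names are hypothetical sample values.

```powershell
# Added example: scripted equivalent of the Auditing tab for a folder.
# Each dialog scope maps to an (InheritanceFlags, PropagationFlags) pair.
$ApplyTo = @{
    'This folder only'                   = @('None', 'None')
    'This folder, subfolders, and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'         = @('ContainerInherit', 'None')
    'This folder and files'              = @('ObjectInherit', 'None')
    'Subfolders and files only'          = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                    = @('ContainerInherit', 'InheritOnly')
    'Files only'                         = @('ObjectInherit', 'InheritOnly')
}

function New-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)][string]$Scope,
        [System.Security.AccessControl.AuditFlags]$Events = 'Success, Failure'
    )
    if (-not $ApplyTo.ContainsKey($Scope)) { throw "Unknown scope: $Scope" }
    $inherit, $propagate = $ApplyTo[$Scope]
    New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$propagate,
        $Events)
}

function Add-FolderAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAuditRule]$Rule
    )
    # -Audit is required: without it Get-Acl does not return the audit entries.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the entries back so the result can be checked.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount])
}

# Sample use (constructed values): log failed writes and deletes by anyone,
# for the folder and everything beneath it (the default scope).
$rule = New-FolderAuditRule -Identity 'Everyone' -Rights 'Write, Delete' `
    -Scope 'This folder, subfolders, and files' -Events 'Failure'
Add-FolderAudit -Path 'C:\AuditDemo' -Rule $rule
```

Auditing failed write and delete attempts for a broad group keeps event volume manageable on busy folders, while success auditing of read access on a large subtree can fill the Security log quickly.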
To enable auditing of printers:
Start → Settings → Printers → right-click on a printer → Properties → Security → Advanced → Auditing → Add → select a user or group to audit → OK → specify types of events to audit
Printer access can be audited for documents only, for the printer only, or for both.