Auditing is both a proactive and a reactive security tool: it informs administrators of events that could be dangerous, and it leaves a trail of accountability if a security infraction does occur. Auditing failed logon attempts, for instance, can warn of rogue users attempting to gain unauthorized access to the system. In addition to auditing normal system events, you can audit changes to the audit policy itself, which keeps a trail of when a specific audit was disabled and by whom.
By default, auditing of all security categories is turned off. The administrator establishes an audit policy by deciding which types of security events to audit; in a domain, an audit setting defined in a Group Policy object that applies to the computer overrides the corresponding local setting. Based on the security needs of the organization, the administrator can also choose to audit access to individual objects.
The first step in establishing an audit policy is to determine which event categories should be audited. The following event categories are available for audit:
To select the event categories to audit, first determine whether the computer is a domain controller. If it is not, launch Computer Management from the Administrative Tools folder. In the Computer Management console tree, expand System Tools, Group Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies to reach Audit Policy. (The Local Security Policy shortcut in Administrative Tools, or secpol.msc from the Run dialog, opens the same Security Settings tree directly.)
If the computer is a domain controller, open the Active Directory Users and Computers snap-in, expand the domain's entry, select the domain or the organizational unit whose policy you want to edit, click Action, and then click Properties. In the Group Policy tab, select the policy and click Edit. Then expand Computer Configuration, Windows Settings, Security Settings, and Local Policies, and select Audit Policy. Domain controllers normally take their audit settings from the policy linked to the Domain Controllers organizational unit; a setting defined there takes precedence over the same setting in a domain-level policy, so check both before concluding that a category is or is not audited.
Using either technique, selecting Audit Policy displays the auditable event categories in the right pane. To modify the policy for an event category, right-click that category and choose Security. Select the check box for auditing successful events, the check box for auditing failed attempts, or both; leaving both clear means the category is not audited.
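The same policy can be set and, more importantly, verified from the command line. The following is an added example and not code from the chapter; it assumes Windows Vista or later (auditpol.exe does not exist on the Windows 2000-era systems whose console paths the chapter describes), an elevated session, and the English subcategory names that `auditpol /get /category:*` reports on such a system. It enables the two audits the chapter singles out, logon attempts and changes to the audit policy itself, and reads the result back.

```powershell
# Added example, not from the chapter: set and verify the audit policy from the
# command line with auditpol.exe instead of the Audit Policy GUI node.
# Assumes Windows Vista or later (auditpol.exe does not exist on Windows 2000)
# and an elevated session. Subcategory names are the English names that
# "auditpol /get /category:*" reports.
Set-StrictMode -Version Latest

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r emits CSV; 'Inclusion Setting' reads e.g. "Success and Failure" or "No Auditing".
    $rows = @(auditpol /get "/subcategory:$Subcategory" /r |
              Where-Object { $_ -ne '' } | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw "auditpol reported nothing for subcategory '$Subcategory'" }
    return $rows[0].'Inclusion Setting'
}

function Set-AuditSetting {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [switch]$Success,
        [switch]$Failure
    )
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    auditpol /set "/subcategory:$Subcategory" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$Subcategory'" }
}

# 1. Keep a copy of the policy as it was, so the change can be undone with
#    "auditpol /restore /file:<path>".
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup "/file:$backup" | Out-Null

# 2. Record successful and failed logons, and every change to the audit policy
#    itself, which is the "when was this audit disabled, and by whom" trail.
Set-AuditSetting -Subcategory 'Logon'               -Success -Failure
Set-AuditSetting -Subcategory 'Audit Policy Change' -Success -Failure

# 3. Read the settings back instead of trusting the exit code alone: a domain
#    GPO can re-apply a different policy at the next refresh, and the setting
#    "Audit: Force audit policy subcategory settings ... to override audit
#    policy category settings" decides whether subcategory or legacy category wins.
foreach ($sub in 'Logon', 'Audit Policy Change') {
    '{0,-22} {1}' -f $sub, (Get-AuditSetting -Subcategory $sub)
}
```

The legacy nine categories of the chapter's era are still addressable as categories (for example `auditpol /set /category:"Logon/Logoff" /failure:enable`); the subcategory form is preferred because it audits only what you asked for rather than everything beneath the category.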
Once the Audit Object Access category is enabled in the Audit Policy item, members of the Administrators group (or any account that holds the Manage auditing and security log user right) can specify audit criteria for files, folders, network printers, and other objects. The audit criteria for an object include
Auditing of local files and folders is limited to NTFS partitions; FAT and FAT32 volumes store no security descriptor, so there is nowhere to record the audit settings for a file.
Examples of access types include viewing a folder's permissions, executing a file, and deleting an object. Follow these steps to select an object for auditing:
You'll find more detailed descriptions of auditing in Chapter 10.
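Object auditing is stored on the object itself, in the system ACL (SACL) of its security descriptor, and can be set without the Security tab. The following is an added example and not code from the chapter; it assumes an NTFS (or ReFS) volume, an elevated session, because writing a SACL requires the Manage auditing and security log privilege, and that Audit Object Access (on modern Windows, the File System subcategory) is already enabled, since otherwise the SACL is stored but produces no events. The chapter's examples map to these rights: viewing a folder's permissions is ReadPermissions, executing a file is ExecuteFile, deleting is Delete.

```powershell
# Added example, not from the chapter: add an audit entry (a SACL entry) to a
# folder so that deletions, permission changes and ownership changes by anyone
# are logged, whether they succeed or fail. Assumes NTFS/ReFS, an elevated
# session (writing a SACL needs SeSecurityPrivilege) and that Audit Object
# Access / the "File System" subcategory is already enabled.
Set-StrictMode -Version Latest

function Add-FolderAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    $full = (Resolve-Path -Path $Path).ProviderPath
    # SACLs live in the security descriptor, which only NTFS and ReFS volumes store.
    $root = [System.IO.Path]::GetPathRoot($full)
    $fmt  = [System.IO.DriveInfo]::new($root).DriveFormat
    if ($fmt -notin 'NTFS', 'ReFS') { throw "Cannot audit '$full': volume format is $fmt, not NTFS" }

    # -Audit retrieves the SACL as well as the DACL; plain Get-Acl returns only
    # the DACL, and an object without a SACL cannot carry a new audit rule.
    $acl  = Get-Acl -Path $full -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $full -AclObject $acl
}

function Get-FolderAudit {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object -Property IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# Constructed target: a scratch folder under %TEMP%.
$target = Join-Path $env:TEMP 'audited-folder'
New-Item -ItemType Directory -Path $target -Force | Out-Null
Add-FolderAudit -Path $target
Get-FolderAudit -Path $target | Format-Table -AutoSize
```

Auditing every access type for Everyone on a busy tree is the usual mistake: it floods the log and wraps it. Audit the access types that matter (deletes, permission and ownership changes, and failed reads of sensitive data) and check the log volume after a day before widening the rule.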
The security log holds the audit records of the events selected in your audit policy. Each time an auditable event occurs, a record is added to the log, where it can be filtered, sorted, searched, or exported. The security log, along with the application and system logs, is displayed by Event Viewer and can be found in the Computer Management console tree by expanding System Tools, Event Viewer, and Security.
Each entry in the log contains critical information about the audited event, including whether the attempt failed or was successful, the date and time of the event, the event category and ID, and the audited user and computer. Additional information can be obtained for each entry by right-clicking the entry and choosing Properties.
The security log can be sorted by any of the fields listed in the display, such as user or date of event. Clicking a field header at the top of the pane arranges the log events in ascending order by that field; clicking the same header again sorts them in descending order. To narrow the list further, you can filter the log to show only the events you're interested in, for example failed audits only. On the View menu, click Filter. In the Filter tab of the Security Properties dialog box that appears, select the event criteria to view and click OK.
Choose Find from the View menu to search through the displayed lists for specific events, such as all events with a certain event ID.
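The Filter and Find dialogs have a scriptable equivalent, which matters when the question is "which accounts are being attacked" rather than "show me one event". The following is an added example and not code from the chapter. It assumes Windows Vista or later, because the event IDs it uses (4625 failed logon, 4719 audit policy changed, 1102 log cleared) are the modern ones rather than the Windows 2000 IDs of the chapter's era, and an elevated session, since reading the Security log needs administrative rights (or membership in Event Log Readers). It summarizes failed logons by account and source, and lists who changed the audit policy or cleared the log.

```powershell
# Added example, not from the chapter: filter and summarize the Security log
# from the command line. Assumes Windows Vista or later (modern event IDs) and
# an elevated session.
Set-StrictMode -Version Latest

function ConvertFrom-EventData {
    # Return the event's named fields as a hashtable, read from the event XML
    # rather than the positional Properties array, whose order differs per event ID.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # Some providers, the Eventlog service that writes 1102 among them, put their
    # fields under <UserData><SomeElement>...</SomeElement> instead of <EventData>.
    foreach ($container in $xml.GetElementsByTagName('UserData')) {
        foreach ($node in $container.ChildNodes) {
            foreach ($field in $node.ChildNodes) { $data[$field.LocalName] = $field.InnerText }
        }
    }
    return $data
}

function Get-SecurityEvents {
    param([Parameter(Mandatory)][int[]]$Id, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

function Get-FailedLogonSummary {
    # Failed logons grouped by target account and source address. Many failures
    # against one account from one address is the "rogue user" pattern the chapter
    # mentions; many different accounts from one address is password spraying.
    param([int]$Hours = 24)
    Get-SecurityEvents -Id 4625 -Hours $Hours | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']   # 0xC000006A wrong password, 0xC0000064 unknown user
        }
    } | Group-Object -Property Account, SourceIp | Sort-Object -Property Count -Descending |
        Select-Object -Property Count,
            @{ n = 'Account';   e = { $_.Group[0].Account } },
            @{ n = 'SourceIp';  e = { $_.Group[0].SourceIp } },
            @{ n = 'SubStatus'; e = { ($_.Group.SubStatus | Sort-Object -Unique) -join ',' } }
}

function Get-AuditPolicyTamper {
    # Who changed the audit policy (4719) or cleared the Security log (1102), and
    # when: the accountability trail for a disabled audit that the chapter describes.
    param([int]$Hours = 168)
    Get-SecurityEvents -Id 4719, 1102 -Hours $Hours | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        $detail = if ($_.Id -eq 4719) {
            'subcategory {0} changes {1}' -f $d['SubcategoryGuid'], $d['AuditPolicyChanges']
        } else { 'Security log cleared' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            By     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Detail = $detail
        }
    }
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
Get-AuditPolicyTamper            | Format-Table -AutoSize
# The equivalent of the dialog's export: keep the filtered view outside the log.
Get-FailedLogonSummary -Hours 24 |
    Export-Csv -Path (Join-Path $env:TEMP 'failed-logons.csv') -NoTypeInformation
```

Event 1102 deserves a place in every review: an attacker who clears the log to hide activity leaves that one record behind, naming the account that did it, so an empty log with a recent 1102 is itself the finding.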
The security log has a defined maximum size. To set the size, right-click Security in Event Viewer and choose Properties. Edit the Maximum Log Size field, specifying the size in kilobytes. The options beneath this field specify how events are overwritten:
Every event category enabled in the audit policy is presumably one whose records you want to keep, so choose the maximum size and the overwrite option together such that automatic wrapping never discards events before they have been archived or reviewed. Estimate the event rate at peak, not on a quiet day, and make the log large enough to hold more than one archive interval's worth.
To archive the security log, right-click Security in Event Viewer and choose Save Log File As. Choose the path and filename for the file. If you save it as an event log file (with the extension .EVT), the file can be opened in Event Viewer at a later time. Saving makes a copy and leaves the live log untouched; to start a fresh log afterwards, choose Clear all Events, which prompts you to save the log before clearing it.
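The size, overwrite behaviour and archiving described above can also be managed from the command line. The following is an added example and not code from the chapter. It assumes Windows PowerShell 5.1 on Windows Vista or later (Get-EventLog and Limit-EventLog were removed in PowerShell 6 and later) and an elevated session. The three -OverflowAction values correspond one to one to the overwrite options beneath Maximum Log Size in the Event Viewer dialog; saved logs on these systems are .evtx files rather than the chapter's .EVT, and Event Viewer opens them with Open Saved Log. The archive directory name is an assumption.

```powershell
# Added example, not from the chapter: set the Security log's maximum size and
# overwrite behaviour, and archive it, from the command line. Assumes Windows
# PowerShell 5.1 on Windows Vista or later and an elevated session.
Set-StrictMode -Version Latest

function Get-SecurityLogSettings {
    Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
        Select-Object -Property Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays,
                                @{ n = 'Entries'; e = { $_.Entries.Count } }
}

function Set-SecurityLogRetention {
    param(
        [long]$MaximumBytes = 512MB,
        # OverwriteAsNeeded, OverwriteOlder (than N days) and DoNotOverwrite are the
        # dialog's three overwrite options.
        [ValidateSet('OverwriteAsNeeded', 'OverwriteOlder', 'DoNotOverwrite')]
        [string]$OverflowAction = 'OverwriteOlder',
        [int]$RetentionDays = 30
    )
    # The log size is kept in 64 KB units; round up so the cmdlet does not reject the value.
    $MaximumBytes = [long]([math]::Ceiling($MaximumBytes / 64KB) * 64KB)
    $params = @{ LogName = 'Security'; MaximumSize = $MaximumBytes; OverflowAction = $OverflowAction }
    if ($OverflowAction -eq 'OverwriteOlder') { $params['RetentionDays'] = $RetentionDays }
    Limit-EventLog @params
}

function Backup-SecurityLog {
    param(
        [string]$Directory = (Join-Path $env:ProgramData 'SecurityLogArchive'),  # assumed location
        [switch]$ClearAfterSave
    )
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory ('Security-{0}-{1:yyyyMMdd-HHmmss}.evtx' -f $env:COMPUTERNAME, (Get-Date))
    if ($ClearAfterSave) {
        # "wevtutil cl /bu:" saves and clears in one operation, so no event is lost
        # between the save and the clear. The clear itself is recorded as event 1102,
        # the first record of the fresh log, naming the account that did it.
        wevtutil cl Security "/bu:$file"
    } else {
        wevtutil epl Security $file
    }
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $file)) {
        throw "Archiving the Security log to $file failed"
    }
    return Get-Item -Path $file
}

'Before:'; Get-SecurityLogSettings | Format-Table -AutoSize
Set-SecurityLogRetention -MaximumBytes 512MB -OverflowAction OverwriteOlder -RetentionDays 30
$archive = Backup-SecurityLog
'Archived {0:N0} bytes to {1}' -f $archive.Length, $archive.FullName
'After:';  Get-SecurityLogSettings | Format-Table -AutoSize
```

Before choosing DoNotOverwrite, check the policy setting "Audit: Shut down system immediately if unable to log security audits" (CrashOnAuditFail): with that enabled, a full Security log halts the machine, which turns a log-sizing mistake into a denial of service.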
More information on the settings for the security log as well as on other components in Event Viewer can be found in Chapter 10.