Monitoring Audit Events

In order to enable auditing on Windows XP Professional, two steps must be performed. The first step is to enable one or more audit policies, as previously described. Enabling audit policies turns on the ability to perform auditing on the computer. It does not actually cause any audit activity to begin. The second step to enabling auditing is to access individual Windows XP resources and configure them as audited resources.

Turning Auditing On for Specific Windows Resources

The following procedure outlines the steps involved in turning on auditing for a specific Windows resource such as a file, folder, or printer.

  1. Locate a Windows resource, right-click on it and select Properties. The resource's Properties dialog appears.

  2. Select the Security property sheet.

  3. Click on Advanced. The Advanced Security Setting for dialog appears.

  4. Select the Auditing property sheet, as shown in Figure 9.20.

    Figure 9.20: Configuring audit settings for the selected resource

  5. Click on Add. The Select User or Group dialog appears.

  6. Select a user or group to audit and click on OK. The Auditing Entry for dialog appears, as shown in Figure 9.21.

    Figure 9.21: Configuring detailed audit settings

  7. Specify how auditing is to be applied by selecting an audit option from the Apply onto drop-down list.

  8. Select what types of audit events to report (such as Successful and/or Failed).

  9. Click on OK twice.
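The same audit entry can be applied from a script. The following is an added example, not part of the book: it assumes PowerShell is installed, the session runs with administrative rights, and the "Audit object access" policy is already enabled. The path, group, and audited rights are placeholders.

```powershell
# Added example: scripted equivalent of the Auditing property sheet procedure.
# $Path and $Identity are hypothetical placeholders; replace them before use.
$Path     = 'C:\Data\Payroll'      # resource to audit (step 1)
$Identity = 'BUILTIN\Users'        # user or group to audit (step 6)

if (-not (Test-Path -Path $Path)) {
    throw "Resource not found: $Path"
}

# Step 7 ("Apply onto"): a folder passes the entry down to subfolders and
# files; a single file cannot carry inheritance flags, so it gets None.
if (Test-Path -Path $Path -PathType Container) {
    $Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    $Inherit = [System.Security.AccessControl.InheritanceFlags]::None
}
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# Step 8: which accesses to audit, and whether to record successful
# attempts, failed attempts, or both.
$Rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$Flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Flags

# -Audit makes Get-Acl load the audit entries (SACL) along with the
# permissions; without it the existing audit entries are not returned.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 9 equivalent: read the entries back to confirm what was written.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Auditing both Success and Failure on a broad group fills the Security event log quickly, so keep the audited rights as narrow as the monitoring goal allows.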

Audit events are recorded in the Security event log, one of three event logs maintained by Windows XP Professional. This log can be viewed and administered using the Event Viewer snap-in or the Event Viewer extension found in the Computer Management console.

Note 

For information on how to administer Windows XP event logs, refer to "Managing Windows XP Event Logs" in Chapter 10, "Microsoft Management Consoles."

The following procedure outlines the steps required to open the Security Event log using the Event Viewer extension found in the Computer Management console.

  1. Click on Start and then right-click on My Computer and select Manage. The Computer Management console appears.

  2. To view a Security event log located on a remote computer, right-click on Computer Management, select Connect to another computer, specify the computer's name or IP address, and click on OK.

  3. Expand the System Tools node in the console tree.

  4. Expand the Event Viewer node on the console tree.

  5. Select the Security node. If auditing has been enabled and configured for specific Windows resources, a list of security and audit events is displayed, as demonstrated in Figure 9.22.

    Figure 9.22: Accessing the records stored in Windows XP's Security event log

Two types of events are recorded to the Security event log, as shown below.

  • Success Audit. Represents a successful audit event, such as a successful user login

  • Failure Audit. Represents a failed audit event, such as a failed user login

The Windows XP Security event log also associates an icon with each type of security event, making event types easy to identify. A yellow key icon represents a Success Audit event, whereas a yellow padlock icon represents a Failure Audit event. To view the contents of a particular event, double-click on it. The event's Properties dialog appears and displays detailed information about the event, as demonstrated in Figure 9.23.

Figure 9.23: Examining a successful logon event record



Microsoft Windows XP Professional Administrator's Guide
ISBN: 1931841969
EAN: 2147483647
Year: 2005
Pages: 358
