Auditing and Troubleshooting


You can monitor logon activity in Windows 2000 Server and Windows XP Professional in a very detailed way by enabling success-and-failure auditing in the system's Audit policy.

Security Options

You can also monitor logon events. The following option is under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

  • Shut down system immediately if unable to log security audits. Determines whether the system turns off when it is unable to log security events. If this policy is enabled, the system halts if a security audit cannot be logged. Typically, an event fails to be logged when the security audit log is full, and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. By default, this policy is disabled.

Audit Policy

Monitoring logon attempts and account management activity can help you to identify when unwanted logons are taking place. The following audit policy options, which allow you to monitor these activities, can be found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

  • Audit account logon events. Governs auditing of each instance in which a user logs on to or logs off from a computer other than the one used to validate the account. For domain controllers, this policy is defined in the Default Domain Controllers Group Policy object. The default setting is No auditing.

    If you define this policy setting, you can specify whether to audit successes and failures, or not to audit the event at all. Success auditing generates an audit entry when an account logon process is successful. Failure auditing generates an audit entry when an attempted account logon process fails. You can select No auditing by defining the policy setting and clearing the Success auditing and Failure auditing check boxes.

    You can use this policy to track logon attempts that occur on remote computers. For example, if Success auditing is enabled for account logon events on a domain controller, an entry is logged for each user who is validated against that domain controller even though the user is actually logging on to a workstation joined to the domain.

  • Audit account management. Determines whether the system audits each event of account management on a computer. Examples of account management events include:

    • A user account or group is created, changed, or deleted.

    • A user account is renamed, disabled, or enabled.

    • A password is set or changed.

    By default, this value is set to No auditing in the Default Domain Controller Group Policy object and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes or failures, or not to audit the event type at all. Success auditing generates an audit entry when any account management event is successful. Failure auditing generates an audit entry when any account management event fails. You can select No auditing by defining the policy setting and clearing the Success auditing and Failure auditing check boxes.

  • Audit logon events. Determines whether to audit each instance of a user logging on, logging off, or making a network connection to this computer. If you are auditing successful Audit account logon events on a domain controller, workstation logons do not generate logon audits. Only interactive and network logons to the domain controller itself generate logon events. Account logon events are generated on the local computer for local accounts and on the domain controller for network accounts. Logon events are generated where the logon occurs.

    By default, this value is set to No auditing in the Default Domain Controller Group Policy object and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes or failures, or not to audit the event at all. Success auditing generates an audit entry when a successful logon occurs. Failure auditing generates an audit entry when an attempted logon fails. You can select No auditing by defining the policy setting and clearing the Success auditing and Failure auditing check boxes.

Security Event Messages

Auditing logon attempts can generate numerous security events, depending on whether you are auditing successes or failures or both. You can view these audit events with Event Viewer, which maintains logs about program, security, and system events on your computer. The Event Log service starts automatically when you start Windows XP Professional.
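Because success-and-failure auditing can produce far more events than you would read one by one in Event Viewer, the records are usually exported and sifted. The following Python example is added here and is not part of the Resource Kit; it runs over a few constructed Security log records (the field names, the pre-Vista event IDs, the account names and the timestamps are all assumptions) to flag accounts with a burst of failed logons and to summarise Account Management events, which is what Failure auditing for the two logon policies and Success auditing for account management are meant to surface.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SecurityEvent:
    time: datetime
    event_type: str   # "Success Audit" or "Failure Audit", as Event Viewer labels them
    category: str     # "Logon/Logoff", "Account Logon" or "Account Management"
    event_id: int
    user: str

BASE = datetime(2005, 1, 10, 9, 0)   # constructed timestamp base
def ev(minutes, event_type, category, event_id, user):
    return SecurityEvent(BASE + timedelta(minutes=minutes), event_type,
                         category, event_id, user)

# Constructed sample records, not real log data. Pre-Vista IDs: 529/528 logon
# failure/success, 680 NTLM account logon, 624/642 user account created/changed.
SAMPLE_EVENTS = [
    ev(0, "Failure Audit", "Logon/Logoff", 529, "jsmith"),
    ev(1, "Failure Audit", "Logon/Logoff", 529, "jsmith"),
    ev(2, "Failure Audit", "Logon/Logoff", 529, "jsmith"),
    ev(3, "Success Audit", "Logon/Logoff", 528, "jsmith"),
    ev(0, "Failure Audit", "Account Logon", 680, "admin"),
    ev(30, "Failure Audit", "Account Logon", 680, "admin"),
    ev(10, "Success Audit", "Account Management", 624, "admin"),
    ev(12, "Success Audit", "Account Management", 642, "admin"),
]

def failed_logon_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Users with >= threshold failed logons inside any sliding window of `window`."""
    times_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if e.event_type == "Failure Audit" and e.category in ("Logon/Logoff", "Account Logon"):
            times_by_user[e.user].append(e.time)
    flagged = {}
    for user, times in times_by_user.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged

def account_management_summary(events):
    # Count Account Management events per (outcome, subject) so unexpected changes stand out.
    return Counter((e.event_type, e.user) for e in events if e.category == "Account Management")
```

Three failures a minute apart for jsmith are flagged, while admin's two failures half an hour apart are not unless the window is widened.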

To view the error messages generated by your audit events

  1. On the Start menu, click Control Panel.

  2. Click Performance and Maintenance, click Administrative Tools, and then click Event Viewer.

    or

    Start Event Viewer by installing it in a custom MMC console.

Event log entries consist of a header, a description of the event, and optional additional data, as shown in Figure 15-6.


Figure 15-6: Typical security event message

For more information about security event messages, see the appendix Security Event Messages in this book.




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338