Auditing Tasks

Before you can designate which objects to audit, you have to configure auditing. This section describes how to do this and related auditing tasks.

Configure Audit Policy

Audit policies can be configured on computers in several ways. For example, to configure auditing for standalone servers and workstations belonging to a workgroup:

Administrative Tools → Local Security Policy → Security Settings → Local Policies → Audit Policy → double-click one of the nine audit policy settings → select Success, Failure, both, or neither for no auditing

For computers belonging to a domain, you can do the same for each machine by using the Domain Controller Security Policy on domain controllers and the Local Security Policy on member servers and workstations. Alternatively, you can use Group Policy to configure auditing at the domain, OU, or site level. For example, to configure an audit policy for a domain by editing an existing GPO, do the following:

Administrative Tools → Active Directory Users and Computers → right-click on the domain → Properties → Group Policy → select a GPO → Edit → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, etc.

Configure Security Options for Auditing

The three security options for auditing discussed in Auditing Concepts are configured as follows:

Administrative Tools → Local Security Policy → Security Settings → Local Policies → Security Settings

All three are disabled by default.

Be sure to configure the Object access setting in your audit policy before auditing specific filesystem objects, or you'll get an error message.

Audit Active Directory Objects

First, configure your audit policy to enable Success and/or Failure auditing for Directory service access (see Configure Audit Policy earlier in this section) and then specify which AD objects you want to audit. For example, to audit access to the Users container in the mtit.local domain:

Open Active Directory Users and Computers → View → toggle Advanced Features on → right-click on Users container → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → select types of events to audit

Auditing access to Active Directory objects can result in a considerable performance hit on your domain controllers.

Audit Filesystem Objects

First, configure your audit policy to enable Success and/or Failure auditing for Object access (see Configure Audit Policy earlier in this section) and then specify which files or folders you want to audit (these must be on an NTFS volume). For example, if you want to audit access to the file C:\hello.txt, you can use Windows Explorer to enable auditing of the file as follows:

Windows Explorer → right-click on C:\hello.txt → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → specify types of events to audit

Configuring auditing on many individual files is a lot of work. It's almost always better to configure auditing on folders instead. You can specify that the audit settings be applied to:

  • This folder only

  • This folder, subfolders, and files

  • This folder and subfolders

  • This folder and files

  • Subfolders and files only

  • Subfolders only

  • Files only

The default is to pass audit settings down the entire subtree of files and subfolders beneath the folder you are configuring, which is the typical choice.
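The seven "apply to" choices above correspond to combinations of inheritance and propagation flags on the audit entry. The following is an added example, not code from the book: it sets one audit entry on a folder from a script, assuming a system where Windows PowerShell is available. The folder path, the audited principal, and the function name `New-FolderAuditRule` are hypothetical.

```powershell
# Added example. Run from an elevated session: reading or writing a SACL needs
# the "Manage auditing and security log" right. Object access auditing must
# already be enabled in the audit policy, as described above.
$Folder   = 'C:\AuditDemo'   # assumed folder on an NTFS volume
$Identity = 'Everyone'       # assumed principal to audit

# "Apply to" choice -> @(InheritanceFlags, PropagationFlags)
$ApplyTo = @{
    'This folder only'                   = @('None',                            'None')
    'This folder, subfolders, and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'         = @('ContainerInherit',                'None')
    'This folder and files'              = @('ObjectInherit',                   'None')
    'Subfolders and files only'          = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                    = @('ContainerInherit',                'InheritOnly')
    'Files only'                         = @('ObjectInherit',                   'InheritOnly')
}

function New-FolderAuditRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$Scope,
        [System.Security.AccessControl.AuditFlags]$Outcome
    )
    if (-not $ApplyTo.ContainsKey($Scope)) { throw "Unknown scope: $Scope" }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]$ApplyTo[$Scope][0]
    $propagate = [System.Security.AccessControl.PropagationFlags]$ApplyTo[$Scope][1]
    New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, $Outcome
}

# Audit successful and failed writes and deletes beneath the folder,
# but not on the folder object itself.
$rule = New-FolderAuditRule -Identity $Identity -Rights 'Write, Delete' `
            -Scope 'Subfolders and files only' -Outcome 'Success, Failure'

$acl = Get-Acl -Path $Folder -Audit     # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Read the SACL back, explicit and inherited entries, to confirm what was applied.
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Narrow rights and scopes keep the Security log readable; auditing every access type for a broad group across a large subtree produces a high volume of events.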

Enable Auditing of Printers

To enable auditing of printers:

Start → Settings → Printers → right-click on a printer → Properties → Security → Advanced → Auditing → Add → select a user or group to audit → OK → specify types of events to audit

Printer access can be audited for documents only, for the printer only, or for both.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
