Configuring Windows NT 4.0 Auditing Policies


Windows also allows you to set permissions on resources and audit their access. To secure the system, use the following:

  • User rights and permissions

  • NTFS file and directory access control lists (ACLs)

  • Passwords, groups, and interdomain trust relationships

To audit the system, you can configure the events that you want to track and then use the system's Event Viewer to examine the data collected by the system-auditing software.

Setting Up Events to Audit

To set up categories of events to be audited, run the User Manager for Domains utility and choose Policies, Audit. In Figure 43.1, you can see that the Audit Policy dialog box allows you to select which event category to audit and whether to audit successes or failures associated with each category.

Figure 43.1. Use the Audit Policy dialog box in the User Manager for Domains to configure events to audit.


If you do not want to audit any events, select the Do Not Audit radio button. If you do want to audit, select Audit These Events and check the Success and/or Failure options for each category. The types of events you can set up auditing for are as detailed here:

  • Logon and Logoff: Tracks users logging in to the system. This also tracks network logins from remote systems.

  • File and Object Access: Tracks file and directory access and the sending of jobs to printers. This category requires you to further define the events for the file, directory, or printer that will be audited.

  • Use of User Rights: Records when users make use of rights you grant to them when you set up their account with the User Manager for Domains.

  • User and Group Management: Tracks changes to group accounts, such as creating, deleting, and renaming user groups and passwords.

  • Security Policy Changes: Keeps track of changes to user rights, audit policies, or trust relationships.

  • Restart, Shutdown, and System: Tracks when the system is shut down or restarted, and other events that relate to system security. This category also includes changes to the security event log on the system.

  • Process Tracking: Records voluminous information about user processes, including when programs are executed, objects are accessed, and programs are exited.

In most cases, you won't want to select success and failure for every category in this list. For example, the data collected when you select Process Tracking can create a large event log file very quickly. You should probably turn on this event-logging mechanism only when you have a definite suspicion about a particular user's activities and then review and purge the log on a regular basis. Another category that can generate a lot of log-file data is the Use of User Rights category.

Other categories, such as users' logins, can be useful and do not take up a lot of space in the log files. The data collected for files and object accesses depends on the specific events you select to audit for them.

File and Directory Events

If you have chosen to audit this event category, you need to use Windows NT Explorer to set the specific types of events to audit. To set up auditing on a directory or file, highlight it, right-click, and select Properties. Alternatively, you can highlight the file or directory and select File, Properties.

When the Properties sheet appears, select the Security tab and then click the Auditing button to see a display that looks as shown in Figure 43.2.

Figure 43.2. Use the Auditing button on the Security tab on the file or directory's properties sheet to set up events to audit.


These are the event types you can audit:

  • Read

  • Write

  • Execute

  • Delete

  • Change Permission

  • Take Ownership

However, because auditing is configured per user or group, you should first click the Add button to add the users or groups whose access is to be audited. The Add Users and Groups dialog box (shown in Figure 43.3) displays the current list of user groups. You can use the Show Users button to display the individual users in each group. Select users or groups by highlighting them and clicking the Add button.

Figure 43.3. The Add Users and Groups dialog box allows you to select which users to audit.


Continue to select users and groups. Click OK when you are finished. After you return to the previous screen, highlight each user or group and select the events to audit for that file or directory on a per-user basis. You also can use the Remove button to remove the auditing configuration for a particular user or group.

You can select success or failure for events. For example, if you selected Success for the Read event type, every time an audited user was able to read this file, a record would be generated in the event log. If you selected Failure, each time an audited user tried to read the file, but did not have the correct access permissions, a record would be created in the event log file.

Printer Events

You select events to audit for printers in much the same way that you do for files and directories. However, instead of using the Windows NT Explorer, you use the properties sheet for the particular printer. You can get to the properties sheet by right-clicking the icon for a printer in the Printers folder. You can add or remove users by using the same type of dialog box. The events you can audit for printers are different and include the following:

  • Print

  • Full Control

  • Delete

  • Change Permissions

  • Take Ownership

Using the Windows NT 4.0 Event Viewer

The Event Viewer is a utility found in the Administrative Tools folder that can be used to display events from three different log files:

  • System

  • Security

  • Application

The System log file records certain system events, and the Application log file records events generated by the many different applications that were coded to write event log messages. The Security log file is used to track the events you have set up for auditing purposes. To start the Event Viewer, choose Start, Programs, Administrative Tools, Event Viewer. Figure 43.4 shows the Event Viewer with the Security log file selected.

Figure 43.4. The Security log file can be viewed using the Event Viewer.


If the Event Viewer starts up with another log file displayed, such as the Application log file, choose Log, Security to change to the correct display.

This view shows the list of events currently in the log file. To get the detailed record for any event, double-click it. The Event Viewer does not have a reporting capability like the AUDITCON utility in NetWare (which you'll read about shortly). However, you can choose Log, Save As and save the data to either an ASCII text file or a comma-delimited file and use another utility, such as a spreadsheet, to perform further filtering or analysis on the data found here.
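As an added example (not from the book), the kind of offline filtering the paragraph above suggests, done in a short script rather than a spreadsheet: it reads a comma-delimited Security log export, counts Failure Audit records per user and category, lists accounts with repeated failed logons, and pulls out the policy-change and system events that affect the audit trail itself. The column layout, the sample rows, the host name NTSRV1 and the use of the user column for the audited account are all constructed assumptions.

```python
"""Triage a Security log exported from the NT 4.0 Event Viewer (Log, Save As,
comma-delimited). Column layout and sample rows are constructed for this example."""
import csv
import io
from collections import Counter

# Assumed column order of the export; the user column is assumed to hold the
# audited account name. Every row below is constructed, not real log data.
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]
SAMPLE_EXPORT = """\
3/12/2006,8:01:12 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV1
3/12/2006,8:01:20 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV1
3/12/2006,8:01:31 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,NTSRV1
3/12/2006,8:02:05 AM,Security,Success Audit,Logon/Logoff,528,jsmith,NTSRV1
3/12/2006,8:15:40 AM,Security,Failure Audit,Object Access,560,tjones,NTSRV1
3/12/2006,8:16:02 AM,Security,Success Audit,Object Access,560,tjones,NTSRV1
3/12/2006,9:00:00 AM,Security,Success Audit,Policy Change,612,Administrator,NTSRV1
3/12/2006,9:00:30 AM,Security,Success Audit,System Event,517,Administrator,NTSRV1
3/12/2006,9:05:11 AM,Security,Failure Audit,Logon/Logoff,529,tjones,NTSRV1
"""

def parse_export(text):
    """Turn the comma-delimited text into a list of field-name -> value dicts."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

def failures_by_user(records):
    """Count Failure Audit records per (user, category): who is being denied what."""
    counts = Counter()
    for rec in records:
        if rec["type"] == "Failure Audit":
            counts[(rec["user"], rec["category"])] += 1
    return counts

def repeated_logon_failures(records, threshold=3):
    """Accounts with at least `threshold` failed logons; review these first."""
    counts = failures_by_user(records)
    return sorted(user for (user, cat), n in counts.items()
                  if cat == "Logon/Logoff" and n >= threshold)

def audit_trail_changes(records):
    """Records in the categories covering audit policy changes and the security
    log itself (e.g. the log being cleared); worth a look even when successful."""
    return [rec for rec in records if rec["category"] in ("Policy Change", "System Event")]

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for (user, cat), n in sorted(failures_by_user(recs).items()):
        print(f"{user:<14}{cat:<16}{n} failure(s)")
    print("repeated logon failures:", repeated_logon_failures(recs))
    for rec in audit_trail_changes(recs):
        print("audit trail change:", rec["time"], rec["event"], rec["user"])
```

To run it against a real export, replace SAMPLE_EXPORT with the file contents and adjust FIELDS to match the columns your Event Viewer actually wrote.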

You also can change the log file settings by choosing Log, Log Settings. This allows you to set the maximum size the log can grow to, and whether to cycle around and overwrite older events when the file is full. From the Log menu you can also select to clear all the events in the log file, at which time you are prompted to save the current file in a backup file. This is something you should do on a regular basis, archiving the previous log files for a period consistent with the security policy in force at your site.


Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2006
Pages: 411