
Auditing a System

All Windows 2000 systems should have system auditing turned on. The audit policy on a system is established by using the Local Security Settings tool. Double-click the event that you wish to audit to bring up its configuration window. The audit policy should be set according to the organization's security policy. Generally, it is a good idea to capture the following events:

  • Audit Account Logon Events, success and failure
  • Audit Account Management, success and failure
  • Audit Logon Events, success and failure
  • Audit Object Access, failure
  • Audit Policy Change, success and failure
  • Audit Privilege Use, failure
  • Audit System Events, success and failure

NOTE: Audit Object Access may generate a significant number of audit entries even if only the failure event is turned on. Monitor a new system carefully to make sure the event logs are not filling up because of this.
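
One way to check a system against the events listed above, as an added example that is not part of the original page: the script parses the [Event Audit] section of a security template (.inf) exported with secedit and reports which recommended events are not fully audited. The mapping from the tool's display names to template setting names is supplied here, and the sample export is constructed.

```python
# Added example: compares a security-template export with the baseline listed above.
SUCCESS, FAILURE = 1, 2   # template values: 0 none, 1 success, 2 failure, 3 both
NAMES = {1: "success", 2: "failure", 3: "success and failure"}

# Baseline from the list above, keyed by [Event Audit] setting names.
BASELINE = {
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditObjectAccess": FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditSystemEvents": SUCCESS | FAILURE,
}

# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
[Version]
signature="$CHICAGO$"
"""

def parse_event_audit(text):
    """Return {setting: int} from the [Event Audit] section of a template."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            settings[key.strip()] = int(value.strip())
    return settings

def audit_gaps(text):
    """Return {setting: missing bits}; a setting absent from the export counts as 0."""
    actual = parse_event_audit(text)
    return {k: need & ~actual.get(k, 0) for k, need in BASELINE.items() if need & ~actual.get(k, 0)}

if __name__ == "__main__":
    for name, missing in sorted(audit_gaps(SAMPLE_EXPORT).items()):
        print(f"{name}: missing {NAMES[missing]} auditing")
```

Auditing beyond the baseline, such as success events for Object Access in the sample, is not reported as a gap, but it adds to the log volume the note above warns about.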
