Implementing Auditing
After you have set up security on a Windows system by setting permissions on the folders and files, configuring user rights, and placing users in the appropriate groups, you should make sure that the security of the operating system is effective. To monitor what is happening on the system, you enable auditing. Auditing is a feature that notifies you when certain things happen on the system. For example, you may want to be notified when someone fails to log on because they did not supply a valid username and password, since this could be someone trying to guess the password of the account.
To effectively work with the auditing feature in Windows, there are two steps:
- Enable auditing: You must first enable auditing. To enable auditing, you simply choose which events you wish to audit. The nice thing about auditing in Windows is that you choose which events you care to know about.
- Review the audit log: After you have enabled auditing, you need to ensure that you monitor the log regularly for any security-related issues. For example, if you notice a failure to log on over and over for the same account, then that is an indication that an account is being hacked.
The following sections offer more details about these two steps.
Enabling auditing
To enable auditing in Windows 2000/XP/2003, modify the Local Security Policy:
- Choose Start → Control Panel.
- In the Control Panel, choose Performance and Maintenance and then Administrative Tools, located at the bottom of the window.
- In the Administrative Tools, double-click Local Security Policy to start the Local Security Policy console.
- In the Local Security Policy console, expand Local Policies and then highlight Audit Policy.
You will notice a list of events that you can enable auditing for on the right side of the screen, called the Details pane:
- Audit Account Logon: Any remote users who are authenticated by this user account database are audited. This is the event to enable auditing on a domain controller.
A domain controller is a server in a Microsoft network environment that holds all the user accounts for an entire network. In the corporate world, users log on to the network, not a particular machine, which means that the logon request is sent to the domain controller where the user name and password are checked against a database. The database that holds the user accounts on a domain controller is known as the Active Directory database.
- Audit Account Management: Records an event in the log for any user account changes, such as any new accounts that are built, modified, or deleted.
- Audit Logon Events: Records the fact that the user logged on from this station, whether or not the account was authenticated from this system.
- Audit Object Access: Audits access to a specific folder, file, or printer.
After you enable Object Access Auditing, you need to go to the Security page in the properties of a file, folder, or printer and click the Advanced button. Click the Auditing tab and choose which users and which permissions to audit for. You must perform this step on any folder, file, or printer you wish to audit.
- Audit Policy Change: Notification of any change to the security policy.
- Audit Privilege Use: Logs when a user takes advantage of any rights you have given that user. For example, if you gave Bob the right to perform backups, you want to know when he actually performs a backup.
- Audit Process Tracking: This event will notify you when a process starts or exits.
- Audit System Events: Notification of system-related actions, such as restarting or shutting the system down. You may want to be aware when the system is restarted, especially on server operating systems.
- To enable auditing on one of these events, double-click the event and then choose whether you want to audit the success of that event or the failure.
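Once failure auditing for logon events is enabled, the "review the audit log" step described earlier can be scripted rather than done by scrolling through Event Viewer. The following PowerShell is an added example, not part of the original text: it counts event ID 529 (logon failure, unknown user name or bad password, the Windows 2000/XP/2003 event) per account in the Security log and lists accounts that crossed a threshold. The function name Get-RepeatedLogonFailures is my own; it assumes PowerShell is installed on the system and the caller has rights to read the Security log.

```powershell
# Added example: summarise repeated failed logons from the Security log.
# Assumes "Audit Logon Events" is set to audit Failure, PowerShell is installed,
# and the script runs as a user allowed to read the Security log (e.g. a local
# Administrator). Event ID 529 = logon failure, unknown user name or bad password.
function Get-RepeatedLogonFailures {
    param(
        [int]$Threshold = 5,   # flag accounts with at least this many failures
        [int]$Hours     = 24   # look-back window in hours
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $counts = @{}              # account name -> number of failures

    Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
        Where-Object { $_.EventID -eq 529 } |
        ForEach-Object {
            # For event 529 the first insertion string is the user name that failed.
            $user = $_.ReplacementStrings[0]
            $counts[$user] = [int]$counts[$user] + 1
        }

    # Emit one object per account over the threshold, most failures first.
    $counts.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        Sort-Object -Property Value -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account  = $_.Key
                Failures = $_.Value
                Since    = $since
            }
        }
}

# Print the accounts that crossed the threshold; an empty result means no
# account failed to log on repeatedly within the window.
Get-RepeatedLogonFailures -Threshold 5 -Hours 24 |
    Format-Table Account, Failures, Since -AutoSize
```

An account that shows up here with many failures in a short window is exactly the pattern the text describes as a sign of password guessing; lowering the threshold or widening the window trades fewer misses for more noise.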