Networking / Beginners

Auditing a System

All Windows 2000 systems should have system auditing turned on. The audit policy on a system is established by using the Local Security Settings tool. Select the event that you wish to audit and double-click to bring up the configuration window. The audit policy should be set according to the organization's security policy. Generally, it is a good idea to capture the following events:

  • Audit Account Logon Events, success and failure
  • Audit Account Management, success and failure
  • Audit Logon Events, success and failure
  • Audit Object Access, failure
  • Audit Policy Change, success and failure
  • Audit Privilege Use, failure
  • Audit System Events, success and failure

NOTE: Audit Object Access may generate a significant amount of audit entries even if only the failure event is turned on. Monitor a new system carefully to make sure the event logs are not filling up because of this.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 2000 Security Issues
  2. Setting up the System
  3. Local Security Policy Settings
  4. Logon Message
  5. LAN Manager Authentication Level
  6. System Configuration
  7. File Systems
  8. Network
  9. Account Settings
  10. USER MANAGEMENT
  11. Setting File Permissions
  12. System Management
  13. Analysis
  14. Configuration
  15. Validation
  16. Export
  17. Auditing a System
  18. Log Files
  19. Looking for Suspicious Signs
  20. Missing Log Files or Gaps in the Log Files
  21. Unknown Processes