Auditing Resource Access

After enabling the object access policy, the administrator can make auditing changes through the property pages of a file, folder, or the Registry. If the object access policy is enabled for both success and failure, the administrator will be able to audit both successes and failures for a file, folder, or the Registry.

NOTE: Auditing both successful and failed resource access can place additional strain on the system.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.

Auditing Files and Folders

The network administrator can tailor the way Windows 2008 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders are audited, the more events are generated, which can increase administrative overhead. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

  1. In Windows Explorer, right-click the file or folder to audit and select Properties.
  2. Select the Security tab and then click the Advanced button.
  3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
  4. Click the Add button to display the Select User or Group window.
  5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
  6. Click OK to open the Auditing Entry window.
  7. In the Auditing Entry window, select which events to audit for successes or failures.
  8. Click OK four times to exit.

NOTE: This procedure assumes that the audit object access policy has been enabled.

When the file or folder is accessed, an event is written to Event Viewer's security log. The category for the event is Object Access. An Object Access event is shown in the following security log message:

Log Name: 	Security
Source: 	Microsoft-Windows-Security-Auditing
Date: 		10/13/2007 5:48:01 PM
Event ID: 	4663
Task Category: 	File System
Level: 		Information
Keywords: 	Audit Success
User: 		N/A
Computer: 	DC1.companyabc.com
Description:
An attempt was made to access an object.

Subject:
	Security ID: COMPANYABC\administrator
	Account Name: administrator
	Account Domain: COMPANYABC
	Logon ID: 0x3ec60

Object:
	Object Server: Security
	Object Type: File
	Object Name: C:\Data\Private\CONFIDENTIAL.txt
	Handle ID: 0xb8

Process Information:
	Process ID: 0xe48
	Process Name: C:\Windows\System32\notepad.exe

Access Request Information:
	Accesses: ReadData (or ListDirectory)

	Access Mask: 0x1

You can see the administrator accessed the file CONFIDENTIAL.txt at 5:48:01 p.m. and even that the program Notepad was used.
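
The GUI procedure above and the Event ID 4663 record it produces, scripted in PowerShell as an added example that is not part of the original text. It assumes PowerShell 2.0 or later in an elevated session; the audited group COMPANYABC\Domain Users, the rights selected, and the 500-event window are illustrative choices.

```powershell
# Added example (not from the original text). Run in an elevated session.
$Path     = 'C:\Data\Private'          # folder from the sample event
$Identity = 'COMPANYABC\Domain Users'  # hypothetical group to audit

# Prerequisite from the NOTE: show whether File System auditing is enabled.
auditpol /get /subcategory:"File System"

# Steps 1-8: build the auditing entry and add it to the folder's SACL.
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$ruleArgs = $Identity, $rights, $inherit, $prop, $flags
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL too
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the entry is present.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read back Event ID 4663 for objects under $Path and decode the access mask.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $evt = $_
        $d = @{}   # EventData fields keyed by name (ObjectName, AccessMask, ...)
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like "$Path\*") {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Object  = $d.ObjectName
                Process = $d.ProcessName
                # 0x1 decodes to ReadData, matching the sample event above
                Access  = [System.Security.AccessControl.FileSystemRights](
                              [Convert]::ToInt32($d.AccessMask, 16))
            }
        }
    } | Format-Table Time, User, Object, Process, Access -AutoSize
```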

Auditing Printers

Printer auditing operates on the same basic principles as file and folder auditing. In fact, the same step-by-step procedures for configuring file and folder auditing apply to printers. The difference lies in what successes and failures can be audited. These events include the following:

  • Print
  • Manage printers
  • Manage documents
  • Read permissions
  • Change permissions
  • Take ownership

These events are stored in Event Viewer's security log, as are all audit events. To audit a printer, do the following:

  1. In the Printers Control Panel applet, right-click the printer to audit, and select Properties.
  2. Select the Security tab and then click the Advanced button.
  3. In the Advanced Security Settings window, select the Auditing tab, and click the Edit button.
  4. Click the Add button to display the Select User or Group window.
  5. Enter the name of the user or group to audit when accessing the printer. Click the Check Names button to verify the name.
  6. Click OK to open the Auditing Entry window.
  7. In the Auditing Entry window, select which events to audit for successes or failures. The events available to audit differ from those available for files and folders, because the printer is a different class of object.
  8. Click OK three times to exit.

Now access to the printer will generate security log events, depending on the events that were selected to be audited.
