Auditing is a powerful tool for tracking events that occur on computers in your organization. To implement auditing, you need to consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, and printers.
For computers running Windows XP Professional, you set up an audit policy for each individual computer.
The requirements to set up and administer auditing are as follows:
Setting up auditing is a two-part process:
The first step in implementing an audit policy is selecting the types of events for Windows XP Professional to audit. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies for a local computer in the Group Policy snap-in, which you access by opening the Microsoft Management Console (MMC) and adding the Group Policy snap-in.
Table 12.1 describes the types of events that Windows XP Professional can audit.
Table 12.1 Types of Events Audited by Windows XP Professional
To set an audit policy on a computer that is running Windows XP Professional, access the Group Policy snap-in, as follows:
In the Add/Remove Snap-In dialog box, notice that it contains Local Computer Policy, even though you added Group Policy. Group Policy for the local computer is referred to as Local Computer Policy.
The console displays the current audit policy settings in the details pane of the Local Computer Policy window, as shown in Figure 12.1.
For example, if you select Audit Logon Events and on the Action menu you click Properties, the Audit Account Logon Events Properties dialog box appears, as shown in Figure 12.2.
A check mark in the Success check box indicates that auditing is in effect for successful attempts. A check mark in the Failure check box indicates that auditing is in effect for failed attempts.
Once you have set the audit policy, remember that the changes that you make to your computer's audit policy don't take effect immediately unless you restart your computer.
If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders.
When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
You can enable auditing for specific files and folders as follows:
If you do not have a Security tab on the Properties dialog box for your files and folders, there are two things you should check:
Are your files and folders located on a partition formatted as NTFS?
If your computer is not a member of a domain, have you turned off Simple File Sharing? To stop using Simple File Sharing, click Start, right-click My Computer, and then click Explore. On the Tools menu, click Folder Options. Click the View tab, clear Use Simple File Sharing (Recommended), and click OK.
For a list of the events that can be audited for folders, see Figure 12.3.
Table 12.2 describes the user activity that triggers these events so you can determine when you should audit these events.
Table 12.2 User Events and What Triggers Them

| Event | User activity that triggers the event |
|---|---|
| Traverse Folder/Execute File | Running a program or gaining access to a folder to change directories |
| List Folder/Read Data | Displaying the contents of a file or a folder |
| Read Attributes and Read Extended Attributes | Displaying the attributes of a file or folder |
| Create Files/Write Data | Changing the contents of a file or creating new files in a folder |
| Create Folders/Append Data | Creating folders in a folder |
| Write Attributes and Write Extended Attributes | Changing attributes of a file or folder |
| Delete Subfolders And Files | Deleting a file or subfolder in a folder |
| Delete | Deleting a file or folder |
| Read Permissions | Viewing permissions for the file owner for a file or folder |
| Change Permissions | Changing permissions for a file or folder |
| Take Ownership | Taking ownership of a file or folder |
By default, any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders.
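The same folder audit entries can be set from a script instead of the Security tab. The following is an added example, not part of the original lesson; it assumes Windows PowerShell is installed, an elevated session, that the audit policy already audits object access, and that the folder `C:\Payroll` and the `Everyone` group are placeholders for your own values.

```powershell
# Added example: create audit entries on a folder and let child objects inherit them.
# Assumptions: $folder and $who are placeholders; "Audit object access" is already enabled.

$folder = 'C:\Payroll'   # hypothetical folder to audit
$who    = 'Everyone'     # hypothetical user or group whose access is audited

# Auditing files and folders requires an NTFS partition, so check before going further.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($folder))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$folder is on a $($drive.DriveFormat) volume; file auditing requires NTFS."
}

# Events from Table 12.2, expressed as .NET FileSystemRights values:
#   Delete, Delete Subfolders And Files, Change Permissions, Take Ownership
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# ContainerInherit + ObjectInherit matches the default behavior:
# the entry applies to this folder, its child folders, and their files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Equivalent to selecting both the Success and Failure check boxes.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $who, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl return the audit entries along with the permissions.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the entries back to confirm what is now audited and what is inherited.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Auditing only the rights that matter for the folder, rather than every event in Table 12.2, keeps the security log readable.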
Audit access to printers to track access to sensitive printers. To audit access to printers, set your audit policy to audit object access, which includes printers. Enable auditing for specific printers and specify which types of access to audit and which users will have access. After you select the printer, you use the same steps that you use to set up auditing on files and folders, as follows:
The Advanced Security Settings dialog box appears.
The options in the Apply Onto box for a printer are This Printer Only, Documents, and This Printer And Documents.
Table 12.3 describes audit events for printers and explains which user action triggers the event.
Table 12.3 Printer Events and What Triggers Them
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."