Auditing Concepts

operating system activities as events (audit entries) in the Security log. A
typical event records which action was performed, who performed it,
whether the action succeeded or failed, which computer or user
initiated the action, and so on. To view audit events, use the Event
Viewer console in Administrative Tools.

Auditing is generally performed for either security or resource usage
reasons. For example, by auditing failures of activities such as
logon attempts or attempts to access a restricted share on the
network, administrators can detect when unauthorized access is being
attempted and thus protect the security of their systems. And by
auditing successful attempts to access filesystem resources,
administrators can track patterns of usage so they can determine when
to upgrade their storage capacity.
Audit Policy
An audit policy is a type of security policy that specifies which
kinds of user and system activities are audited. Before you enable
auditing on a computer, you must configure the audit policy. You can
configure nine types of audit policy settings:
- Account logon events: A user is authenticated by the security database on the local machine (if part of a workgroup) or by Active Directory on a domain controller (if part of a domain).
- Account management: An administrator creates, deletes, or modifies a user or group, resets a password, or performs some similar action.
- Directory service access: A user attempts to access an object in Active Directory.
- Logon event: A user logs on or off from the local computer or creates or terminates a network connection to the local computer. (This event is always recorded on the computer being accessed by the user, whether local or on the network.)
- Object access: A user attempts to access a file, folder, or printer.
- Policy change: A user changes a security setting, such as password options, user rights, or the audit policy itself.
- Privilege use: A user exercises a right to perform an action, such as modifying the system time or taking ownership of a file.
- Process tracking: An application performs some specific action (generally useful only to the developer of the application).
- System: A user shuts down or restarts the computer, or some other action occurs that impacts security in general on the machine.
Note that two of these audit policy settings (Object access and
Directory service access) require specifying which objects (files,
folders, printers, Active Directory objects) you actually want to
audit and which type of auditing (read access, write access, object
creation, and so on) you want to perform on them. This is sometimes
called operations-based auditing because it involves specifying the
operations (read, write, create) you want to audit for selected
objects. For more information on how to audit object access, see
Auditing Tasks.

There are four possible ways to configure each of the nine audit
policy settings: no auditing, success only, failure only, or both
success and failure. For example, configuring the Logon event setting
for Success means that successful logons are recorded in the security
log but failed logons aren't. Table 4-3 summarizes the default for each audit policy setting.
| Audit policy setting | Default |
|---|---|
| Account logon events | Success |
| Account management | Success (on domain controllers); No auditing (on member servers and workstations) |
| Directory service access | No auditing |
| Logon event | Success |
| Object access | No auditing |
| Policy change | No auditing |
| Privilege use | No auditing |
| Process tracking | No auditing |
| System | No auditing |
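The four possible states per setting, checked against what a host actually reports: an added PowerShell example (not from the book) that parses the text printed by `auditpol /get /category:*` and lists subcategories in the logon and object-access categories that are not auditing failures, the cases the text singles out for detecting unauthorized access attempts. The sample output is constructed for offline use; the category names follow the modern auditpol layout rather than the nine legacy settings, and `ConvertFrom-AuditPolOutput` is a helper written here.

```powershell
# Parses auditpol text into one object per subcategory with Success/Failure flags.
# Constructed helper, not part of Windows or the book.
function ConvertFrom-AuditPolOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        # Skip blank lines and the two header lines auditpol prints first
        if ($line -match '^\s*$' -or $line -match '^(System audit policy|Category/Subcategory)') { continue }
        # Unindented lines name a category; indented lines are its subcategories
        if ($line -match '^\S') { $category = $line.Trim(); continue }
        if ($line -match '^\s+(?<name>.+?)\s{2,}(?<setting>No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $Matches.name
                Success     = $Matches.setting -in @('Success', 'Success and Failure')
                Failure     = $Matches.setting -in @('Failure', 'Success and Failure')
            }
        }
    }
}

# Categories where the text recommends auditing failures (logon attempts, restricted shares)
$WantFailure = @('Logon/Logoff', 'Account Logon', 'Object Access')

# Constructed sample; on a real host (as administrator) use:
#   $SampleOutput = auditpol /get /category:*
$SampleOutput = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Success and Failure
Object Access
  File System                             No Auditing
  File Share                              Failure
'@ -split "`r?`n"

$policy = ConvertFrom-AuditPolOutput -Lines $SampleOutput

# Report the gaps: subcategories in the chosen categories with no failure auditing
$policy |
    Where-Object { $_.Category -in $WantFailure -and -not $_.Failure } |
    Select-Object Category, Subcategory, Success, Failure |
    Format-Table -AutoSize
```

With the sample input this lists Logon, Logoff, Account Lockout and File System as lacking failure auditing, while Credential Validation and File Share pass.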
Security Options for Auditing
You can configure three
additional security options relating
to auditing:
- Audit the access of global system objects: This option enables auditing of mutexes, semaphores, and other obscure operating system objects.
- Audit the use of backup and restore privilege: This can be useful as it generates an audit event for every file that is backed up or restored on the system. For this to work, the Audit privilege use setting must also be configured (see previous section).
- Audit: Shut down system immediately if unable to log security audits: In a high-security environment, this option shuts down the system when the Security log is full and overwriting of oldest events is disabled. When the system shuts down, a stop screen (blue screen of death) appears, displaying the message "STOP: C0000244 Audit Failed." Only administrators can log on at this point, and they should back up and clear the Security log immediately to resolve the situation.