Lesson 3: Implementing an Audit Policy
Auditing is a powerful tool for tracking events that occur on computers in your organization. To implement auditing, you need to consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, and printers.
After this lesson, you will be able to
Set up auditing on files and folders.
Set up auditing on printers.
Estimated lesson time: 25 minutes
Configuring Auditing
For computers running Windows 2000 Professional, you set up an audit policy for each individual computer.
Auditing Requirements
The requirements to set up and administer auditing are as follows:
You must have the Manage Auditing And Security Log user right for the computer where you want to configure an audit policy or review an audit log. By default, Windows 2000 grants these rights to the Administrators group.
The files and folders to be audited must be on Microsoft Windows 2000 File System (NTFS) volumes.
Setting Up Auditing
Setting up auditing is a two-part process:
Set the audit policy. The audit policy enables auditing of objects but doesn't activate auditing of specific objects.
Enable auditing of specific resources. You specify the specific events to audit for files, folders, printers, and Active Directory objects. Windows 2000 then tracks and logs the specified events.
Setting an Audit Policy
The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful or failed attempts. You set audit policies in the Local Security Settings window, which you open by selecting Local Security Policy on the Administrative Tools menu.
Table 16.1 describes the types of events that Windows 2000 can audit.
Table 16.1 Types of Events Audited by Windows 2000
Event | Description |
---|---|
Account Logon Events | A domain controller received a request to validate a user account. (This is applicable only if your computer running Windows 2000 Professional joins a Windows 2000 domain.) |
Account Management | An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed. |
Directory Service Access | A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. (Active Directory directory services are available only if your computer running Windows 2000 Professional joins a Windows 2000 domain.) |
Logon Events | A user logged on or logged off, or a user made or canceled a network connection to the computer. |
Object Access | A user gained access to a file, folder, or printer. Object access auditing tracks a user's access to files, folders, and printers; you must configure the specific files, folders, or printers for auditing before any entries are logged. |
Policy Change | A change was made to the user security options, user rights, or audit policies. |
Privilege Use | A user exercised a right, such as changing the system time. (This doesn't include rights that are related to logging on and logging off.) |
Process Tracking | A program performed an action. This information is generally useful only for programmers who want to track details of program execution. |
System Events | A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 starts discarding entries.) |
1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
2. In the Local Security Settings window's console tree, double-click Local Policies, and then click Audit Policy.
The console displays the current audit policy settings in the details pane, as shown in Figure 16.1.
Figure 16.1 Events that Windows 2000 can audit
3. Select the type of event to audit, and then, on the Action menu, click Security.
The Local Security Policy Setting dialog box appears for the selected event. Figure 16.2 shows the Local Security Policy Setting dialog box for Audit Logon Events, and Table 16.2 defines the fields available in the Local Security Policy Setting dialog box.
4. Select the Success check box, the Failure check box, or both.
5. Click OK.
6. Restart your computer.
Figure 16.2 The Local Security Policy Setting dialog box for Audit Logon Events
Table 16.2 Local Security Policy Setting Dialog Box Fields
Field | Description |
---|---|
Effective Policy Setting | Indicates whether or not auditing is turned on. No auditing indicates that this event is not being audited. Failure indicates that failed attempts are audited. Success indicates that successful attempts are audited. Success, Failure indicates that all attempts are audited. |
Local Policy Setting | A check mark in the Success check box indicates that auditing is in effect for successful attempts. A check mark in the Failure check box indicates that auditing is in effect for failed attempts. |
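As an added illustration (not part of the lesson and not a Windows 2000 tool), the following Python reads the [Event Audit] section of a security template exported with secedit /export and reports each category in the Effective Policy Setting wording of Table 16.2, then checks whether Object Access is on, which the later sections require before file, folder, or printer auditing produces any entries. The template key names, the value encoding, and the sample template text are assumptions of this example.

```python
import configparser

# Keys of the [Event Audit] section mapped to the event names of Table 16.1.
# The key names and value encoding (bit 1 = success, bit 2 = failure) follow
# the secedit security template format; the mapping is this example's own.
CATEGORY_NAMES = {
    "AuditAccountLogon": "Account Logon Events",
    "AuditAccountManage": "Account Management",
    "AuditDSAccess": "Directory Service Access",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPolicyChange": "Policy Change",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditProcessTracking": "Process Tracking",
    "AuditSystemEvents": "System Events",
}

# Wording of the Effective Policy Setting field in Table 16.2.
EFFECTIVE = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Constructed sample of an exported template (a real export is UTF-16 text;
# open it with encoding="utf-16" before passing it to parse_event_audit).
SAMPLE_TEMPLATE = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""


def parse_event_audit(template_text):
    """Return {Table 16.1 event name: effective setting} for a template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so CATEGORY_NAMES lookups match
    cp.read_string(template_text)
    settings = {}
    for key, name in CATEGORY_NAMES.items():
        raw = cp.get("Event Audit", key, fallback="0").strip()
        settings[name] = EFFECTIVE[int(raw) & 3]  # absent key counts as off
    return settings


def object_access_enabled(settings):
    """File, folder, and printer auditing only logs when Object Access is on."""
    return settings["Object Access"] != "No auditing"
```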
Auditing Access to Files and Folders
If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders. Once you have set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
You can enable auditing for specific files and folders as follows:
1. On the Security tab in the Properties dialog box for a file or folder, click Advanced.
2. On the Auditing tab, click Add, select the users for whom you want to audit file and folder access, and then click OK.
3. In the Audit Entry dialog box, select the Successful check box or the Failed check box for the events that you want to audit. For a list of the events, see Figure 16.3. Table 16.3 describes when to audit these events.
4. Click OK to return to the Access Control Settings dialog box.
By default, any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders.
5. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
6. Click OK.
Figure 16.3 Events that can be audited for files and folders
Table 16.3 User Events and What Triggers Them
Event | User activity that triggers the event |
---|---|
Traverse Folder/Execute File | Running a program or gaining access to a folder to change directories |
List Folder/Read Data | Displaying the contents of a file or folder |
Read Attributes / Read Extended Attributes | Displaying the attributes of a file or folder |
Create Files/Write Data | Changing the contents of a file or creating new files in a folder |
Create Folders/Append Data | Creating folders in the folder |
Write Attributes / Write Extended Attributes | Changing attributes of a file or folder |
Delete Subfolders And Files | Deleting a file or subfolder in a folder |
Delete | Deleting a file or folder |
Read Permissions | Viewing permissions or the file owner for a file or folder |
Change Permissions | Changing permissions for a file or folder |
Take Ownership | Taking ownership of a file or folder |
Auditing Access to Printers
Audit access to printers to track access to sensitive printers. To audit access to printers, set your audit policy to audit object access, which includes printers. Then enable auditing for specific printers and specify which types of access to audit and which users' access to audit. After you select the printer, you use the same steps that you use to set up auditing on files and folders. You set up auditing on a printer as follows:
1. In the Properties dialog box for the printer, click the Security tab, and then click Advanced.
2. On the Auditing tab, click Add, select the appropriate users or groups for whom you want to audit printer access, and then click OK.
3. In the Apply Onto box in the Auditing Entry dialog box, select where the auditing setting applies.
4. Under Access, select the Successful check box or the Failed check box for the events that you want to audit. (See Figure 16.4.)
5. Click OK in the appropriate dialog boxes to exit.
Figure 16.4 Printer events that can be audited
Table 16.4 describes audit events for printers and explains which action triggers the event to occur.
Table 16.4 Printer Events and What Triggers Them
Event | User activity that triggers the event |
---|---|
Print | Printing a file |
Manage Printers | Changing printer settings, pausing a printer, sharing a printer, or removing a printer |
Manage Documents | Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties |
Read Permissions | Viewing printer permissions |
Change Permissions | Changing printer permissions |
Take Ownership | Taking printer ownership |
Lesson Summary
In this lesson, you learned that the first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. You can select the events to audit for files and folders, and you can select the events you want to audit for printers. For each event that you can audit, the configuration settings indicate whether to track successful attempts, failed attempts, or both. You use the Local Security Settings window to set audit policies, and then you restart your computer to enable auditing.
You also learned that you can set up auditing for access to files, folders, and printers on NTFS partitions. To do so, you must first set your audit policy to audit object access, which includes files, folders, and printers. Once you have set your audit policy to audit object access, you enable auditing for specific files, folders, and printers and specify which types of access, by which users or groups, to audit.