<p/> <A NAME="564"><H1>Lesson 3: Implementing an Audit Policy</H1></A>
<p/>Auditing is a powerful tool for tracking events that occur on computers in your organization. To implement auditing, you need to consider auditing requirements and set the audit policy. After you set an audit policy on a computer, you can implement auditing on files, folders, and printers.
<p/><font class=Quote>After this lesson, you will be able to</font>
<ul>
<li>Set up auditing on files and folders.</li>
<li>Set up auditing on printers.</li>
</ul>
<p/><font class=Quote>Estimated lesson time: 25 minutes</font>
<p/><A NAME="565"><h2>Configuring Auditing</h2></A>
<p/>For computers running Windows 2000 Professional, you set up an audit policy for each individual computer.
<p/><A NAME="566"><h2>Auditing Requirements</h2></A>
<p/>The requirements to set up and administer auditing are as follows:
<ul>
<li>You must have the Manage Auditing And Security Log user right on the computer where you want to configure an audit policy or review an audit log. By default, Windows 2000 grants this right to the Administrators group.</li>
<li>The files and folders to be audited must be on Microsoft Windows 2000 File System (NTFS) volumes.</li>
</ul>
<p/><A NAME="567"><h2>Setting Up Auditing</h2></A>
<p/>Setting up auditing is a two-part process:
<ol>
<li>Set the audit policy. The audit policy enables auditing of a category of events (for example, object access) but doesn't activate auditing of any specific object.</li>
<li>Enable auditing of specific resources. You specify the events to audit for particular files, folders, printers, and Active Directory objects. Windows 2000 then tracks and logs the specified events.</li>
</ol>
<p/><A NAME="568"><h2>Setting an Audit Policy</h2></A>
<p/>The first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. For each event that you can audit, the configuration settings indicate whether to track successful attempts, failed attempts, or both.
You set audit policies in the Local Security Settings window, which you open by selecting Local Security Policy on the Administrative Tools menu.<p/>Table 16.1 describes the types of events that Windows 2000 can audit.<p/><font class=Quote>Table 16.1</font> Types of Events Audited by Windows 2000<p/><table cellpadding=5 width="95%"><tr> <th>Event</th><th>Description</th> </tr><tr> <td valign="top">Account Logon Events</td> <td valign="top">A domain controller received a request to validate a user account. (This is applicable only if your computer running Windows 2000 Professional joins a Windows 2000 domain.)</td> </tr><tr> <td valign="top">Account Management</td> <td valign="top">An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed.</td> </tr><tr> <td valign="top">Directory Service Access</td> <td valign="top">A user gained access to an Active Directory object. You must configure specific Active Directory objects for auditing to log this type of event. (Active Directory directory services are available only if your computer running Windows 2000 Professional joins a Windows 2000 domain.)</td> </tr><tr> <td valign="top">Logon Events</td> <td valign="top">A user logged on or logged off, or a user made or canceled a network connection to the computer.</td> </tr><tr> <td valign="top">Object Access</td> <td valign="top">A user gained access to a file, folder, or printer. You must configure specific files, folders, or printers for auditing. Object access is auditing a user's access to files, folders, and printers.</td> </tr><tr> <td valign="top">Policy Change</td> <td valign="top">A change was made to the user security options, user rights, or audit policies.</td> </tr><tr> <td valign="top">Privilege Use</td> <td valign="top">A user exercised a right, such as changing the system time. 
(This doesn't include rights that are related to logging on and logging off.)</td> </tr><tr> <td valign="top">Process Tracking</td> <td valign="top">A program performed an action. This information is generally useful only for programmers who want to track details of program execution.</td> </tr><tr> <td valign="top">System Events</td> <td valign="top">A user restarted or shut down the computer, or an event occurred that affects Windows 2000 security or the security log. (For example, the audit log is full and Windows 2000 starts discarding entries.)</td> </tr></table>
<p/>To set an audit policy on a computer that is running Windows 2000 Professional, use the Local Security Settings window, as follows:
<ol>
<li>Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.</li>
<li>In the Local Security Settings window's console tree, double-click Local Policies, and then click Audit Policy.<p/>The console displays the current audit policy settings in the details pane, as shown in Figure 16.1.<p/><font class=Quote>Figure 16.1</font> Events that Windows 2000 can audit</li>
<li>Select the type of event to audit, and then, on the Action menu, click Security.<p/>The Local Security Policy Setting dialog box appears for the selected event. Figure 16.2 shows the Local Security Policy Setting dialog box for Audit Logon Events, and Table 16.2 defines the fields available in the Local Security Policy Setting dialog box.</li>
<li>Select the Success check box, the Failure check box, or both.</li>
<li>Click OK.</li>
<li>Restart your computer.</li>
</ol>
<p/><font class=Quote>Figure 16.2</font> The Local Security Policy Setting dialog box for Audit Logon Events
<p/><font class=Quote>Table 16.2</font> Local Security Policy Setting Dialog Box Fields
<table cellpadding=5 width="95%"><tr> <th>Field</th><th>Description</th> </tr><tr> <td valign="top">Effective Policy Setting</td> <td valign="top">Indicates whether or not auditing is turned on for this event.<p/>No auditing indicates that the event is not audited.<p/>Failure indicates that failed attempts are audited.<p/>Success indicates that successful attempts are audited.<p/>Success, Failure indicates that all attempts are audited.</td> </tr><tr> <td valign="top">Local Policy Setting</td> <td valign="top">A check mark in the Success check box indicates that auditing is in effect for successful attempts.<p/>A check mark in the Failure check box indicates that auditing is in effect for failed attempts.</td> </tr></table>
<p/>Once you have set the audit policy, remember that the changes that you make to your computer's audit policy don't take effect until you restart your computer.
<p/><A NAME="569"><h2>Auditing Access to Files and Folders</h2></A>
<p/>If security breaches are an issue for your organization, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders.
<p/>Once you have set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
<p/>You can enable auditing for specific files and folders as follows:
<ol>
<li>On the Security tab in the Properties dialog box for a file or folder, click Advanced.</li>
<li>On the Auditing tab, click Add, select the users or groups for whom you want to audit file and folder access, and then click OK.</li>
<li>In the Audit Entry dialog box, select the Successful check box or the Failed check box for the events that you want to audit. For a list of the events, see Figure 16.3. Table 16.3 describes when to audit these events.</li>
<li>Click OK to return to the Access Control Settings dialog box.</li>
<li>By default, any auditing changes that you make to a parent folder also apply to all child folders and all files in the parent and child folders. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.</li>
<li>Click OK.</li>
</ol>
<p/><font class=Quote>Figure 16.3</font> Events that can be audited for files and folders
<p/><font class=Quote>Table 16.3</font> User Events and What Triggers Them
<table cellpadding=5 width="95%"><tr> <th>Event</th><th>User activity that triggers the event</th> </tr><tr> <td valign="top">Traverse Folder/Execute File</td> <td valign="top">Running a program or gaining access to a folder to change directories</td> </tr><tr> <td valign="top">List Folder/Read Data</td> <td valign="top">Displaying the contents of a file or folder</td> </tr><tr> <td valign="top">Read Attributes<p/>Read Extended Attributes</td> <td valign="top">Displaying the attributes of a file or folder</td> </tr><tr> <td valign="top">Create Files/Write Data</td> <td valign="top">Changing the contents of a file or creating new files in a folder</td> </tr><tr> <td valign="top">Create Folders/Append Data</td> <td valign="top">Creating folders in the folder</td> </tr><tr> <td valign="top">Write Attributes<p/>Write Extended Attributes</td> <td valign="top">Changing attributes of a file or folder</td> </tr><tr> <td valign="top">Delete Subfolders And Files</td> <td valign="top">Deleting a file or subfolder in a folder</td> </tr><tr> <td valign="top">Delete</td> <td valign="top">Deleting a file or folder</td> </tr><tr> <td valign="top">Read Permissions</td> <td valign="top">Viewing permissions or the file owner for a file or folder</td> </tr><tr> <td valign="top">Change 
Permissions</td> <td valign="top">Changing permissions for a file or folder</td> </tr><tr> <td valign="top">Take Ownership</td> <td valign="top">Taking ownership of a file or folder</td> </tr></table>
<p/><A NAME="570"><h2>Auditing Access to Printers</h2></A>
<p/>Audit access to printers to track access to sensitive printers. To audit access to printers, set your audit policy to audit object access, which includes printers. Then enable auditing for specific printers and specify which types of access to audit and for which users or groups. After you select the printer, you use the same steps that you use to set up auditing on files and folders. You set up auditing on a printer, as follows:
<ol>
<li>In the Properties dialog box for the printer, click the Security tab, and then click Advanced.</li>
<li>On the Auditing tab, click Add, select the users or groups for whom you want to audit printer access, and then click OK.</li>
<li>In the Apply Onto box in the Auditing Entry dialog box, select where the auditing setting applies.</li>
<li>Under Access, select the Successful check box or the Failed check box for the events that you want to audit. (See Figure 16.4.)</li>
<li>Click OK in the appropriate dialog boxes to exit.</li>
</ol>
<p/><font class=Quote>Figure 16.4</font> Printer events that can be audited
<p/>Table 16.4 describes the audit events for printers and explains which user action triggers each event.
<p/><font class=Quote>Table 16.4</font> Printer Events and What Triggers Them
<table cellpadding=5 width="95%"><tr> <th>Event</th><th>User activity that triggers the event</th> </tr><tr> <td valign="top">Print</td> <td valign="top">Printing a file</td> </tr><tr> <td valign="top">Manage Printers</td> <td valign="top">Changing printer settings, pausing a printer, sharing a printer, or removing a printer</td> </tr><tr> <td valign="top">Manage Documents</td> <td valign="top">Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties</td> </tr><tr> <td valign="top">Read Permissions</td> <td valign="top">Viewing printer permissions</td> </tr><tr> <td valign="top">Change Permissions</td> <td valign="top">Changing printer permissions</td> </tr><tr> <td valign="top">Take Ownership</td> <td valign="top">Taking printer ownership</td> </tr></table>
<p/><A NAME="571"><h2>Lesson Summary</h2></A>
<p/>In this lesson, you learned that the first step in implementing an audit policy is selecting the types of events that Windows 2000 audits. You can select the events to audit for files and folders, and you can select the events you want to audit for printers. For each event that you can audit, the configuration settings indicate whether to track successful attempts, failed attempts, or both. You use the Local Security Settings window to set audit policies, and then you restart your computer to enable auditing.
<p/>You also learned that you can set up auditing for access to files, folders, and printers on NTFS partitions. To do so, you must first set your audit policy to audit object access, which includes files, folders, and printers. Once you have set your audit policy to audit object access, you enable auditing for specific files, folders, and printers and specify which types of access, by which users or groups, to audit.
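<p/>The two-part process this lesson describes (set the audit policy, then enable auditing on the specific resource) carried out with a script instead of the dialog boxes, as an added example that is not part of the original lesson. It assumes a current Windows host with auditpol.exe and PowerShell, which Windows 2000 does not have, an elevated session holding the Manage Auditing And Security Log right, and a placeholder folder path and principal.

```powershell
# Added example, not from the lesson: scripted equivalent of the lesson's two-part process.
# Assumptions: auditpol.exe (Windows Vista and later) and PowerShell 3 or later;
# run elevated; $Folder and $Identity are placeholders, and $Folder must be on NTFS.

param(
    [string]$Folder   = 'C:\Payroll',      # assumed target folder
    [string]$Identity = 'BUILTIN\Users'    # assumed principal whose access is audited
)

# Part 1: the audit policy. The lesson's "Object Access" category contains the
# "File System" subcategory on current Windows. Without this, the audit entry set
# in part 2 exists but produces no events in the security log.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Part 2: enable auditing on the specific resource by adding an audit entry to its SACL.
# The rights below mirror Table 16.3 entries: Delete, Delete Subfolders And Files,
# Change Permissions and Take Ownership. The inheritance flags propagate the entry to
# child folders and files, which is what the "Allow Inheritable Auditing Entries From
# Parent To Propagate To This Object" check box governs on each child.
$rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # both check boxes

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Identity, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl read the SACL (audit entries) in addition to the DACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check: confirm both halves are in place, because either one alone logs nothing.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

On Windows 2000 itself, part 1 is the Local Security Settings change the lesson describes and takes effect only after a restart; part 2 is the same audit entry the Audit Entry dialog box writes.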