Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] (text version)

Roberta Bragg

Auditing: Tasks

Before you can designate which objects to audit, you have to
configure auditing. This section describes how to do this and related
auditing tasks.

Configure Audit Policy


Audit policies can be configured on computers in several ways. For
example, to configure auditing for standalone servers and workstations
belonging to a workgroup:

Administrative Tools → Local Security Policy → Security Settings → Local Policies → Audit Policy → double-click one of the nine audit policy settings → select Success, Failure, both, or neither for no auditing

For computers belonging to a domain, you can do the same for each
machine by using the Domain Controller Security Policy on domain
controllers and the Local Security Policy on member servers and
workstations. Alternatively, you can use Group Policy to configure
auditing at the domain, OU, or site level. For example, to configure
an audit policy for a domain by editing an existing GPO, do the
following:

Administrative Tools → Active Directory Users and Computers → right-click on the domain → Properties → Group Policy → select a GPO → Edit → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, etc.

Configure Security Options for Auditing


The three security options for auditing discussed in Auditing: Concepts
are configured as follows:

Administrative Tools → Local Security Policy → Security Settings → Local Policies → Security Settings

All three are disabled by default.


Be sure to configure the Object access setting in your audit policy
before auditing specific filesystem objects, or
you'll get an error message.

Audit Active Directory Objects


First, configure your audit policy to enable Success and/or Failure
auditing for Directory service access (see Configure Audit Policy
earlier in this section) and then specify which AD objects you want to
audit. For example, to audit access to the Users container in the
mtit.local domain:

Open Active Directory Users and Computers → View → toggle Advanced Features on → right-click on Users container → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → select types of events to audit


Auditing access to Active Directory objects can result in a
considerable performance hit on your domain controllers.

Audit Filesystem Objects


First, configure your audit policy to enable Success and/or Failure
auditing for Object access (see Configure Audit Policy earlier in this
section) and then specify which files or folders you want to audit
(these must be on an NTFS volume). For example, if you want to audit
access to the file C:\hello.txt, you can use Windows Explorer to
enable auditing of the file as follows:

Windows Explorer → right-click on C:\hello.txt → Properties → Security → Advanced → Auditing → Add → select user or group to audit → OK → specify types of events to audit

Configuring auditing on many individual files is a lot of work.
It's almost always better to configure auditing on
folders instead. You can specify that the audit settings be applied
to:

  • This folder only

  • This folder, subfolders, and files

  • This folder and subfolders

  • This folder and files

  • Subfolders and files only

  • Subfolders only

  • Files only


The default is to pass audit settings down the entire subtree of
files and subfolders beneath the folder you are configuring, which is
the typical choice.
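
Each of the seven "apply to" choices above corresponds to a pair of inheritance and propagation flags on the folder's audit entry. The PowerShell below is an added example, not code from the book; it assumes PowerShell is installed and the session is elevated, and the folder C:\Data, the Everyone group, and the function name Add-FolderAuditRule are hypothetical.

```powershell
# Added example. Run elevated: reading or writing a SACL requires the
# "Manage auditing and security log" user right. The Object access audit
# policy must already be enabled, as the text notes.

# "Apply to" choice -> (InheritanceFlags, PropagationFlags)
$AuditScope = @{
    'This folder only'                   = @('None',                            'None')
    'This folder, subfolders, and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'         = @('ContainerInherit',                'None')
    'This folder and files'              = @('ObjectInherit',                   'None')
    'Subfolders and files only'          = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                    = @('ContainerInherit',                'InheritOnly')
    'Files only'                         = @('ObjectInherit',                   'InheritOnly')
}

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [string] $Scope,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Write, Delete',
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Success, Failure'
    )
    if (-not $AuditScope.ContainsKey($Scope)) {
        throw "Unknown scope '$Scope'. Valid: $($AuditScope.Keys -join '; ')"
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "'$Path' is not a folder; inheritance flags apply only to containers."
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags] $AuditScope[$Scope][0]
    $propagate = [System.Security.AccessControl.PropagationFlags] $AuditScope[$Scope][1]

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, $inherit, $propagate, $AuditFlags)

    # -Audit makes Get-Acl include the SACL; without it the audit entries are omitted.
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the resulting audit entries so the change can be reviewed.
    (Get-Acl -LiteralPath $Path -Audit).Audit
}

# Audit writes and deletes by anyone, on the folder and everything beneath it.
Add-FolderAuditRule -Path 'C:\Data' -Identity 'Everyone' `
    -Scope 'This folder, subfolders, and files'
```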

Enable Auditing of Printers


To enable auditing of printers:

Start → Settings → Printers → right-click on a printer → Properties → Security → Advanced → Auditing → Add → select a user or group to audit → OK → specify types of events to audit

Printer access can be audited for documents only, for the printer
only, or for both.

