Members-only Printer-friendly version

Auditing

Windows XP auditing features allow you to audit events on the local computer and record them in the Event Viewer security log. Configuring auditing in Windows XP may require two steps. The first is always configuring an Audit Policy in Group Policy to specify which actions should be audited and recorded. The second is specifying which objects, users, and groups to audit. For example, if you want to audit all failed attempts to access a certain NTFS file or folder, you must set the Audit object access policy to ‘failure’ as shown in the screenshots below. You can start the Group Policy console by running gpedit.msc.

On the properties dialog of an Audit policy, you can enable success, failure or both.

You must be logged on as an administrator or as a member of the Administrators group to configure auditing. If you want non-administrators to be able to configure auditing and view the security log, you must grant them the Manage auditing and security log right in Group Policy.

After you enabled the audit policy Audit object access from the example earlier, you must specify which files and folders, or printers, to audit by using Windows Explorer. On the Security tab of a file or folder’s Properties, click the Advanced button. On the Auditing tab of the Advanced Security Settings dialog you can add the user or group whose actions you want to audit.

When you add a user or group, the Auditing Entry dialog box opens, allowing you to select Successful, Failed, or both for the actions you want to audit. If you enable these settings on a folder or volume, they will apply to subfolders and files as well, as shown below. Whether successful or failed access attempts are actually audited and logged depends on the setting of the audit policy.

When you configured auditing correctly and any of these events occur, they will be written to the Security log in the Event Viewer. Successful attempts will show up with a key icon and failed events will display a lock. You can double-click on an audit log entry to display additional details such as object names and locations.

To prevent the security log from becoming full and overwriting older entries you may need to reconfigure the Log Size setting on the Security Properties (right-click on Security under System Tools, Event Viewer in Computer Management). By default, the maximum log size is 512 KB and events older than 7 days are overwritten. When the maximum log size is reached and there are no events older than 7 days, new events will be discarded. Depending on how you configured the audit policy and how much objects and users you configured for auditing, you may have to increase the log size and/or change the number of days. You can choose to overwrite events as needed, or never overwrite events. The latter would also cause new events to be discarded when the maximum log size is reached. In a domain environment, these settings can be controlled by using Group Policy.

When you configure auditing on a large amount of clients, you should archive the event logs periodically and gather them on a central management console for example. Because checking the audit logs can be a tedious and time-consuming job, you should carefully plan the configuration of you audit policy. Especially try to avoid logging successful events for every insignificant action, as it will quickly fill up the security log.