Home  
  Microsoft  
  Practice Exams  
  TechNotes  
  Links  
  Forums  
  Blogs  
  Topsites  
  Search the Web  
  Watch free videos online  
     
  Subnet Calculator  
  Online Degrees  
  Exam Vouchers  
  Free Magazines  

   
70-270 Windows XP TechNotes
Auditing

Auditing

Windows XP auditing features allow you to audit events on the local computer and record them in the Event Viewer security log. Configuring auditing in Windows XP may require two steps. The first is always configuring an Audit Policy in Group Policy to specify which actions should be audited and recorded. The second is specifying which objects, users, and groups to audit. For example, if you want to audit all failed attempts to access a certain NTFS file or folder, you must set the Audit object access policy to ‘failure’ as shown in the screenshots below. You can start the Group Policy console by running gpedit.msc.

Windows XP offers the following audit policy:
Audit account logon events Audit users logging on or logging off to another computer using an account from this computer.
Audit account management Audit user account and group management.
Audit directory service
access
Audit access to objects in Active Directory. In addition to enabling this audit policy, you need to configure the specific objects you want to audit as well, just like with the Audit object access policy.
Audit logon events Audit users logging on or logging off to this computer.
Audit object access Audit access to files, folders, and printers.
Audit policy change Audit changes to local group policy, including user rights assignment and audit policy.
Audit privilege use Audit the use of user rights assignments
Audit process tracking Audit the actions of programs.
Audit system events Audit shut downs or restarts of the computer and events related to the Security log.

On the properties dialog of an Audit policy, you can enable success, failure or both.

You must be logged on as an administrator or as a member of the Administrators group to configure auditing. If you want non-administrators to be able to configure auditing and view the security log, you must grant them the Manage auditing and security log right in Group Policy.

After you enabled the audit policy Audit object access from the example earlier, you must specify which files and folders, or printers, to audit by using Windows Explorer. On the Security tab of a file or folder’s Properties, click the Advanced button. On the Auditing tab of the Advanced Security Settings dialog you can add the user or group whose actions you want to audit.

When you add a user or group, the Auditing Entry dialog box opens, allowing you to select Successful, Failed, or both for the actions you want to audit. If you enable these settings on a folder or volume, they will apply to subfolders and files as well, as shown below. Whether successful or failed access attempts are actually audited and logged depends on the setting of the audit policy.

When you configured auditing correctly and any of these events occur, they will be written to the Security log in the Event Viewer. Successful attempts will show up with a key icon and failed events will display a lock. You can double-click on an audit log entry to display additional details such as object names and locations.

To prevent the security log from becoming full and overwriting older entries you may need to reconfigure the Log Size setting on the Security Properties (right-click on Security under System Tools, Event Viewer in Computer Management). By default, the maximum log size is 512 KB and events older than 7 days are overwritten. When the maximum log size is reached and there are no events older than 7 days, new events will be discarded. Depending on how you configured the audit policy and how much objects and users you configured for auditing, you may have to increase the log size and/or change the number of days. You can choose to overwrite events as needed, or never overwrite events. The latter would also cause new events to be discarded when the maximum log size is reached. In a domain environment, these settings can be controlled by using Group Policy.

When you configure auditing on a large amount of clients, you should archive the event logs periodically and gather them on a central management console for example. Because checking the audit logs can be a tedious and time-consuming job, you should carefully plan the configuration of you audit policy. Especially try to avoid logging successful events for every insignificant action, as it will quickly fill up the security log.


Microsoft Virtualization Training Videos – Demand for Virtualization is escalating because it saves money, time, and makes testing and disaster recovery easier. Train Signal’s Microsoft Virtualization Course teaches you everything you need to know to utilize Virtual PC and Virtual Server!
 
Current related exam objectives for the 70-270 exam:

Configuring, Managing, and Troubleshooting Security

Configure, manage, and troubleshoot local user and group accounts.
- Configure, manage, and troubleshoot auditing.



Click here for the complete list of exam objectives.

Discuss this TechNote here Author: Johan Hiemstra




 
Featured Sponsors

TrainSignal - “Hands On” computer training for IT professionals. Network+ Training, MCSE, Cisco & more! Visit Train Signal’s free training site to get loads of Free Computer Training, videos, articles and practice exams.



 

All images and text are copyright protected, violations of these rights will be prosecuted to the full extent of the law.
2002-2011 TechExams.Net | Advertise | Disclaimer


All trademarks, including Microsoft, MCP, MCSE, MCSA, Windows XP etc. etc. are trademarks of their respective owners.