XP auditing features allow you to audit events on the local computer
and record them in the Event Viewer security log. Configuring
auditing in Windows XP may require two steps. The first is always
configuring an Audit Policy in Group Policy to specify
which actions should be audited and recorded. The second is specifying
which objects, users, and groups to audit. For example, if you want
to audit all failed attempts to access a certain NTFS file or folder,
you must set the Audit object access policy to ‘failure’
as shown in the screenshots below. You can start the Group Policy
console by running gpedit.msc.
XP offers the following audit policy:
account logon events
users logging on or logging off to another computer using an
account from this computer.
user account and group management.
access to objects in Active Directory. In addition to enabling
this audit policy, you need to configure the specific objects
you want to audit as well, just like with the Audit object
users logging on or logging off to this computer.
access to files, folders, and printers.
changes to local group policy, including user rights assignment
and audit policy.
the use of user rights assignments
the actions of programs.
shut downs or restarts of the computer and events related to
the Security log.
the properties dialog of an Audit policy, you can enable success,
failure or both.
must be logged on as an administrator or as a member of the Administrators
group to configure auditing. If you want non-administrators to be
able to configure auditing and view the security log, you must grant
them the Manage auditing and security log right in Group
you enabled the audit policy Audit object access from the
example earlier, you must specify which files and folders, or printers,
to audit by using Windows Explorer. On the Security tab
of a file or folder’s Properties, click the Advanced
button. On the Auditing tab of the Advanced Security
Settings dialog you can add the user or group whose actions
you want to audit.
When you add a user or group, the Auditing Entry dialog
box opens, allowing you to select Successful, Failed,
or both for the actions you want to audit. If you enable these settings
on a folder or volume, they will apply to subfolders and files as
well, as shown below. Whether successful or failed access attempts
are actually audited and logged depends on the setting of the audit
you configured auditing correctly and any of these events occur,
they will be written to the Security log in the Event
Viewer. Successful attempts will show up with a key icon and
failed events will display a lock. You can double-click on an audit
log entry to display additional details such as object names and
prevent the security log from becoming full and overwriting older
entries you may need to reconfigure the Log Size setting
on the Security Properties (right-click on Security
under System Tools, Event Viewer in Computer
Management). By default, the maximum log size is 512 KB and
events older than 7 days are overwritten. When the maximum log size
is reached and there are no events older than 7 days, new events
will be discarded. Depending on how you configured the audit policy
and how much objects and users you configured for auditing, you
may have to increase the log size and/or change the number of days.
You can choose to overwrite events as needed, or never overwrite
events. The latter would also cause new events to be discarded when
the maximum log size is reached. In a domain environment, these
settings can be controlled by using Group Policy.
you configure auditing on a large amount of clients, you should
archive the event logs periodically and gather them on a central
management console for example. Because checking the audit logs
can be a tedious and time-consuming job, you should carefully plan
the configuration of you audit policy. Especially try to avoid logging
successful events for every insignificant action, as it will quickly
fill up the security log.
related exam objectives for the 70-270 exam:
Managing, and Troubleshooting Security
manage, and troubleshoot local user and group accounts.
- Configure, manage, and troubleshoot auditing.