SecurityLesson+5

Auditing is Windows' name for logging -- that is, recording certain activities to a file on the computer that can be held for some time.

=What Can I Audit?=


 * Account Management: e.g. Did an Admin mess with accounts? Did users change passwords?
 * Logon Events: Mostly obvious, but e.g. Did a user make a network connection to another computer?
 * Object Access: Files, folders, and printers. You can configure what stuff to watch.
 * Policy Change: All this security auditing stuff along with security policy.
 * Privilege Use: User uses certain rights like changing the clock.
 * Process Tracking: A program did something. Useful to programmers as a debugging tool. Not so useful to sysadmins.
 * System Events: Mostly restarts and shutdowns.

=What is Required to Audit?=

Any user with the "Manage Auditing and Security Log" user right.

An NTFS volume.

=Turning On Audit: How Do I Audit?=

Auditing is controlled from Local Security Policy: Start > Control Panel > Performance and Maintenance > Administrative Tools > Local Security Policy.

In Local Security Policy: Security Settings > Local Policies > Audit Policy

=Configuring Resources: Auditing Files and Folders=

This is a two-step process: first, turn on this type of auditing in the Local Security Policy area (see section above), then configure it on the file or folder itself.


 * 1) Open a file explorer
 * 2) Right click file or folder and choose Properties
 * 3) Select Security Tab and click Advanced button
 * 4) Click Auditing tab. If there's no auditing tab, it's because you didn't turn on auditing files and folders. Go turn it on in Local Security Policy.
 * 5) Click the Add button, select the users you want to audit
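
The second step can also be scripted. The following is an added example, not part of the original lesson: it assumes PowerShell is installed (it is not present by default on Windows XP), that object access auditing is already turned on in Local Security Policy, and it uses a hypothetical folder and group. Without the policy step, the audit entry is stored on the folder but nothing is logged.

```powershell
# Added example (not from the lesson). Run as an administrator whose account
# holds the "Manage auditing and security log" user right.
# Hypothetical values: change both to match your system.
$Path     = 'C:\Payroll'       # assumed folder to audit
$Identity = 'BUILTIN\Users'    # assumed accounts to watch

# Requirement from the lesson: the folder must live on an NTFS volume.
$root  = [System.IO.Path]::GetPathRoot($Path)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$Path is on a $($drive.DriveFormat) volume; file auditing needs NTFS."
}

# What to record: write and delete attempts, both successful and failed.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Let child folders (ContainerInherit) and files (ObjectInherit) inherit the entry.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $rights, $inherit, $propagate, $flags)

# -Audit tells Get-Acl to load the audit entries (the SACL); without it
# the .Audit property comes back empty.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the entries back to confirm what is now being audited.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, IsInherited -AutoSize
```

Running the last command against a file inside the folder shows the same entry with IsInherited set to True.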

=Audit Mini-Quiz=


 * 1) What is auditing?
 * 2) What is an audit policy?
 * 3) When you are auditing events on a computer running Windows XP Professional, where are the audited events being recorded?
 * 4) What are the requirements to set up and administer auditing?
 * 5) What are the two steps to setting up auditing?
 * 6) By default, any auditing changes that you make to a parent folder (are/are not) inherited by all child folders and all files in the parent and child folders.