Section 10.2: Auditing

Auditing lets you track both user activities and system activities, which are called events, on a computer, and you can specify that Windows Server 2003 write a record of an event to the security log. The security log maintains a record of valid and invalid logon attempts and of events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains information about:

• The action that was performed

• The user who performed the action

• The success or failure of the event

• When the event occurred

10.2.1: Using an Audit Policy

An audit policy defines the types of security events that Windows Server 2003 records in the security log on each computer and allows you to specify the events that you want to track.

10.2.2: Using Event Viewer to View Security Logs

You can use Event Viewer to view the security log in which Windows Server 2003 records audited events. You can also archive log files to track trends over time.

Note: You must have the Manage Auditing And Security Log user right for the computer where you want to configure an audit policy or review an audit log. By default, Windows Server 2003 grants these rights to the Administrators group. Furthermore, the files and folders to be audited must reside on NTFS volumes.

10.2.3: Setting Up Auditing

To set up auditing in Windows Server 2003 you must perform two steps:

• Set the audit policy, which enables auditing of a category of events (for example, object access) but does not by itself activate auditing of any specific object.

• Enable auditing of specific resources, which could be for files, folders, printers, or Active Directory objects.

Windows Server 2003 will then track and log the specified events.

To set an audit policy on a computer that is running Windows Server 2003, use the Local Security Settings window:

• Click on the START button

• Point to ALL PROGRAMS

• Click on ADMINISTRATIVE TOOLS

• Click on LOCAL SECURITY POLICY

• Expand the LOCAL POLICIES node

• Click the AUDIT POLICY node

• Select the Type of Event that you want to audit

• Click on the ACTION menu

• Click SECURITY

• Select the success check box, the failure check box, or both

• Click OK

• Restart the computer

Note: Changes made to a computer's audit policy do not take effect until the computer is restarted.
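The same audit policy change can be made from the command line with secedit.exe and a security template, which is useful when many servers must be configured consistently. This is an added example, not part of the course text; it assumes an elevated PowerShell session on a machine that has secedit.exe (present on Windows Server 2003), and the restart note above still applies.

```powershell
# Added example (not from the course text): set the local audit policy for
# Object Access (and two related categories) to Success and Failure using a
# security template, the command-line equivalent of the Local Security
# Policy steps above. Assumes an elevated session and secedit.exe on PATH.
$work = Join-Path $env:TEMP 'auditpolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$template = Join-Path $work 'audit.inf'
$database = Join-Path $work 'audit.sdb'
$logfile  = Join-Path $work 'audit.log'

# [Event Audit] values in a security template:
#   0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
# Only the categories listed here are changed; others keep their setting.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 3
AuditPolicyChange = 3
'@ | Set-Content -Path $template -Encoding Unicode

# Apply only the SECURITYPOLICY area, which contains the audit policy.
secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /log $logfile /quiet

# Verify: export the effective local policy and show the audit settings.
$export = Join-Path $work 'current.inf'
secedit /export /cfg $export /areas SECURITYPOLICY /quiet
Get-Content -Path $export | Select-String -Pattern '^Audit'
```

Keep the exported current.inf from before the change as a record of the previous settings, so the policy can be rolled back if the extra logging proves too noisy.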

10.2.4: Auditing Object Access

In Windows Server 2003, objects include Registry keys, printers, computers, files and folders. Each object has a security information object, which is called the security descriptor, attached to it. The security descriptor contains information about the groups or users that can access an object, and the types of access, i.e., the permissions, granted to those groups or users. This part of the security descriptor is called the Discretionary Access Control List (DACL). In other words, the DACL is the part of the security descriptor that grants or denies access to the object to groups or users.

The security descriptor also contains the auditing information for the object. This part of the descriptor is called the System Access Control List (SACL). The SACL lists which types of access, by which users or groups, are audited for the object. You can specify the audit settings for objects in an inheritance tree using the SACL, which enables all child objects to inherit the audit settings from their parent objects.

10.2.4.1: Auditing Access to Files and Folders

You can set up auditing for files and folders on NTFS partitions to track security breaches. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders. Once you have set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.

• Click on the START button

• Point to PROGRAMS

• Point to ACCESSORIES

• Open WINDOWS EXPLORER

• Browse to the File or Folder you want to audit

• Right-click the File or Folder

• Click PROPERTIES on the popup menu

• Click on the security tab

• Click on ADVANCED

• Click on the auditing tab

• Click ADD

• Select the Users or User Groups for whom you want to audit file and folder access

• Click OK

• Select the successful check box and/or the failed check box for the events that you want to audit

• Click OK in the appropriate dialog boxes to exit

Note: Any auditing changes that you make to a parent folder are applied to all child folders and all files in the parent and child folders. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object check box.
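The auditing entries set through the Advanced Security Settings dialog above are simply audit ACEs in the folder's SACL, and they can be added programmatically with the .NET FileSystemAuditRule class. This is an added example, not part of the course text; it assumes PowerShell is installed, the session holds the Manage Auditing And Security Log right, the folder path and principal are constructed sample values on an NTFS volume, and the Audit Object Access policy is already enabled.

```powershell
# Added example (not from the course text): add a Success+Failure auditing
# entry for writes and deletes to a folder and its children, the equivalent
# of the Advanced > Auditing > Add steps above. Sample values are constructed.
$folder   = 'D:\Payroll'        # constructed sample path (must be NTFS)
$identity = 'BUILTIN\Users'     # constructed sample principal to audit

# Which access to audit, and whether successful, failed, or both attempts.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
# ContainerInherit + ObjectInherit = "This folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $identity, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl read the SACL; this requires SeSecurityPrivilege,
# i.e. the Manage Auditing And Security Log user right mentioned above.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)

# Uncomment to stop inherited audit entries from the parent applying here,
# the same effect as clearing the "Allow Inheritable Auditing Entries From
# Parent To Propagate To This Object" check box ($false drops the inherited
# entries instead of copying them as explicit ones).
# $acl.SetAuditRuleProtection($true, $false)

Set-Acl -Path $folder -AclObject $acl

# Read back the effective auditing entries, both explicit and inherited.
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

If Get-Acl -Audit fails with an access or privilege error, the session lacks the Manage Auditing And Security Log right; nothing in the SACL can be read or changed without it.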

10.2.4.2: Auditing Access to Printers

To audit access to printers you must first set your audit policy to audit object access, which includes printers. Then enable auditing for specific printers and specify which types of access to audit and for which users or groups. To audit a printer:

• Click on the START button

• Point to SETTINGS

• Open PRINTERS

• Right-click on the PRINTER you want to audit

• Click PROPERTIES on the popup menu

• Click on the security tab

• Click on ADVANCED

• Click on the auditing tab

• Click ADD

• Select the Users or User Groups for whom you want to audit printer access

• Click OK

• Select the successful check box and/or the failed check box for the events that you want to audit

• Click OK in the appropriate dialog boxes to exit