Section 8.6: Audit Policies

An audit policy defines the types of security events that Windows XP Professional records in the security log on each computer. Windows XP Professional writes events to the security log on the computer on which the event occurs and allows you to track the events that you specify.

You use Event Viewer to view events that Windows XP Professional has recorded in the security log. You can also archive log files to track trends over time.

When you plan an audit policy, you must determine what you want to audit and the computers on which to set up auditing. Auditing is turned off by default. The types of events that you can audit include:

  • Accessing files and folders
  • Logging on and off
  • Shutting down a Windows XP Professional computer
  • Starting a Windows XP Professional computer
  • Changing user accounts and groups
  • Attempting to make changes to Active Directory objects if your Windows XP Professional computer is part of a domain

You can also determine whether to audit the success of events, the failure of events, or both. Tracking successful events can tell you how often Windows XP Professional or users access specific files, printers, or other objects, and you can use this information for resource planning. Tracking failed events can alert you to possible security breaches.

8.6.1: Configuring Auditing

For computers running Windows XP Professional, you set up an audit policy for each individual computer. To set up and administer auditing you must have the Manage Auditing And Security Log user right on the computer on which you want to configure an audit policy or review an audit log. This right is granted to the Administrators group by default. Furthermore, you can only audit files and folders on NTFS volumes.

8.6.2: Setting up Auditing

Setting up auditing is a two-part process:

  • Set the audit policy. The audit policy enables auditing of objects but doesn't activate auditing of specific objects.
  • Enable auditing of specific resources. You designate the specific events to audit for files, folders, printers, and Active Directory objects. Windows XP Professional then tracks and logs the specified events.

8.6.2.1: Setting an Audit Policy

The first step in implementing an audit policy is selecting the types of events you want Windows XP Professional to audit. You set audit policies for a local computer with the Group Policy snap-in: open a Microsoft Management Console (MMC) console and add the Group Policy snap-in to it.

The types of events that Windows XP Professional can audit are:

  • Account Logon Events
  • Account Management
  • Directory Service Access
  • Logon Events
  • Object Access
  • Policy Changes
  • Privilege Use
  • Process Tracking
  • System Events

8.6.3: Auditing Access to Files and Folders

You can set up auditing for files and folders on NTFS partitions to track user access to them. However, you must first set your audit policy to audit object access, which includes files and folders.

When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
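The two steps of section 8.6.2 (set the audit policy, then enable auditing on specific resources) and the file-and-folder case of 8.6.3, as an added PowerShell example that is not part of the course text: it writes a secedit security template whose [Event Audit] section turns on the Object Access policy (together with a few of the other categories listed in 8.6.2.1), applies it, and then adds a failure-audit entry to one folder's SACL. It assumes PowerShell 2.0 on Windows XP SP3, an account holding the Manage Auditing And Security Log right, and placeholder paths (C:\Finance and files under %TEMP%); the policy values and the Everyone/Failure choices are illustrative, not settings the course prescribes.

```powershell
# Added example: set the Object Access audit policy, then enable auditing on
# one folder.  Assumes PowerShell 2.0 on Windows XP SP3 and an account holding
# the Manage Auditing And Security Log right.  All paths are placeholders.

# ---- Step 1: set the audit policy (secedit security-template format) ----
# [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# Single-quoted here-string so "$CHICAGO$" is written literally, not expanded.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditDSAccess = 0
'@

$infPath = Join-Path $env:TEMP 'audit-policy.inf'
$dbPath  = Join-Path $env:TEMP 'audit-policy.sdb'
Set-Content -Path $infPath -Value $template -Encoding Unicode   # secedit expects a Unicode INF

# Apply only the SECURITYPOLICY area, which carries the audit settings.
secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /quiet

# Check: export the effective local policy and show the audit lines.
$exportPath = Join-Path $env:TEMP 'audit-policy-check.inf'
secedit /export /cfg $exportPath /areas SECURITYPOLICY /quiet
Get-Content -Path $exportPath | Select-String -Pattern '^Audit'

# ---- Step 2: enable auditing on a specific folder (NTFS volumes only) ----
# Record failed read, write and delete attempts by anyone, inherited by all
# files and subfolders.  Nothing is logged until the Object Access policy
# from step 1 is in effect.
$folder = 'C:\Finance'   # placeholder; must be on an NTFS volume
$acl = Get-Acl -Path $folder -Audit
$ruleArgs = @(
    'Everyone',                          # identity to audit
    'ReadData, WriteData, Delete',       # FileSystemRights
    'ContainerInherit, ObjectInherit',   # InheritanceFlags
    'None',                              # PropagationFlags
    'Failure'                            # AuditFlags
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: list the audit entries now present on the folder.
(Get-Acl -Path $folder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
```

If the second check shows the rule but no Object Access events ever appear in the security log, the first step is the usual culprit: verify the exported `AuditObjectAccess` line, and bear in mind that on a domain member the local setting can be replaced by domain policy, as section 8.6 notes for Active Directory environments.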

8.6.4: Auditing Access to Printers

Audit access to printers to track access to sensitive printers. To audit access to printers, set your audit policy to audit object access, which includes printers. Then enable auditing for specific printers and specify which types of access, by which users or groups, to audit.

Information about the events monitored by an audit policy is contained in the security log on the computer on which each event occurred. You can use Event Viewer to view these events from any computer if you have administrative privileges on the computer where the events occurred. To view the security log on a remote computer, open the MMC console and point Event Viewer to that remote computer.

8.6.5: Locating Events

When you first start Event Viewer, it displays all events that are recorded in the selected log. You can use the Filter command to change which of the log's events are displayed and to locate selected events. You can also search for specific events using the Find command.

Table 8.4: Options for Filtering and Finding Events

Option             Description
Event Types        The types of events to view.
Event Source       The software or component driver that logged the event.
Category           The type of event, such as a logon or logoff attempt or a system event.
Event ID           An event number that identifies the event. This number helps product support representatives track events.
User               A user logon name.
Computer           A computer name.
From and To        The date range for which to view events (Filter tab only).
Restore Defaults   Clears any changes in this tab and restores all defaults.
Description        Text that appears in the description of the event (Find dialog box only).
Find Next          Finds and displays the next occurrence that matches the Find settings.
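The Table 8.4 criteria, plus the remote-viewing case from section 8.6.4, expressed as a PowerShell function added here (not part of the course text): each parameter corresponds to a Filter or Find option. Event Types, Event Source, From/To, Computer and Description are passed straight to Get-EventLog, while Category, Event ID and User are applied to the returned entries in the pipeline. It assumes PowerShell 2.0 and the right to read the Security log on the target computer; the computer name SRV01, the folder C:\Finance and the 24-hour window are illustrative. Event ID 529 is the Windows XP security-log ID for a failed logon with an unknown user name or bad password.

```powershell
# Added example: Table 8.4's Filter and Find options as Get-EventLog
# parameters.  Assumes PowerShell 2.0 and read access to the Security log.
function Find-SecurityEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,                  # Computer (local by default)
        [string[]] $EntryType    = @('SuccessAudit', 'FailureAudit'),  # Event Types
        [string]   $Source,                                            # Event Source
        [string]   $Category,                                          # Category, e.g. 'Logon/Logoff'
        [int]      $EventID,                                           # Event ID
        [string]   $UserName,                                          # User (account name without the domain)
        [datetime] $After,                                             # From
        [datetime] $Before,                                            # To
        [string]   $Description,                                       # Description text (Find dialog box)
        [int]      $Newest = 1000                                      # cap the read; the security log can be large
    )

    # Criteria Get-EventLog can apply itself go into a splatted hashtable.
    $query = @{ LogName = 'Security'; ComputerName = $ComputerName; EntryType = $EntryType; Newest = $Newest }
    if ($Source)      { $query['Source']  = $Source }
    if ($Description) { $query['Message'] = "*$Description*" }   # -Message accepts wildcards
    if ($PSBoundParameters.ContainsKey('After'))  { $query['After']  = $After }
    if ($PSBoundParameters.ContainsKey('Before')) { $query['Before'] = $Before }

    # The remaining criteria are checked on each EventLogEntry object.
    Get-EventLog @query | Where-Object {
        (-not $Category -or $_.Category -eq $Category) -and
        (-not $EventID  -or $_.EventID  -eq $EventID)  -and
        (-not $UserName -or $_.UserName -like "*\$UserName")
    }
}

# Failed logons (XP event ID 529: unknown user name or bad password) in the
# last 24 hours, counted per account.  Empty output usually means the Logon
# Events policy is not set to audit failures.
Find-SecurityEvent -EntryType FailureAudit -EventID 529 -After (Get-Date).AddDays(-1) |
    Group-Object -Property UserName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# Object Access events whose description mentions a folder, read from a
# remote computer (placeholder name; needs administrative rights there).
Find-SecurityEvent -ComputerName 'SRV01' -Category 'Object Access' -Description 'C:\Finance' |
    Select-Object -Property TimeGenerated, EventID, UserName, Message
```

The `-Newest` cap is deliberate: Get-EventLog reads the whole log before the pipeline filters run, so on a busy computer set `-After` and `-Newest` first and widen them only if the result set is empty.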