Module 9: Auditing Resources and Events


NT Administration Notes
Introduction	Users	Groups	Admin
Shares	NTFS	Printing 1	Printing 2
Auditing	Monitoring	Backup

Module 9: Auditing Resources and Events

Introduction to Auditing

The audit entry shows the following:

The action performed
The user who performed the action
The date and time of the action

You can set up one audit policy for a domain to:

track the success and failure of events]

Examples:

when users logon

attempts by a specific user to open a specific file

changes to users and groups

changes to security policy

eliminate or minimize the risk of unauthorized use of resources

You use Event Viewer to view audited events that have been recorded in the security log
You can archive log files to track trends over time
You use the audit policy to select the types of security events that will be recorded for a domain. The events will then appear in the security log of the domain controllers.
On a computer running Windows NT Workstation or Server that is not a domain controller, the audit policy affects only the security log of that computer.

Planning an Audit Policy

When planning an audit policy, consider the following:

Determine events to audit.
Determine whether to audit success and/or failure of events.

In medium and high security networks you should track:

Success and failure of users logging in.
Use of resources.

Determine if you need to track trends. If so, you have to plan on archiving event logs.

Note: To much auditing can create excessive overhead on the system. If your server is heavily used, you may need to keep auditing to a minimum.

Implementing an Audit Policy

An audit policy is set on a computer-by-computer basis ==> audit policies are only set locally

Example: to audit User logon and changes made to user accounts on the PDC, you must set audit policy on PDC.

Events are recorded in the local computers security log, but can be viewed from any computer by a user with administrative privileges to the computer where the events occurred.

They can be viewed remotely with administrator privileges.

Auditing Requirements

Only administrators can set up auditing or files, directories and printers on Domain Controllers
On computers that aren't domain controllers, you must be a member of the administrators group ON THAT COMPUTER - Remember, audit policies are set up locally.
Members of the Administrators and Server Operators groups can view and archive security logs. By default, the user right "Manage Auditing and Security Log" is only granted to the Administrator's group.
You can only audit files and directories on NTFS volumes

Defining an Audit Policy

Select Audit in User Manager for Domains, Audit these Events. There are two choices Success or Failure. The events are:

Logon and Logoff --> user logged on or off.

File and Object Access --> user accessed directory, file or printer.

Use of User Rights --> user exercised a right.

User and Group Management --> user account or group was created, changed or deleted. This includes password changes

Security Policy Changes --> change was made to the user rights, audit or trust relationship policies

Restart, Shutdown and System --> user restarted or shut down the computer or an event has occurred that affects system security or the security log. (e.g. the audit log fills up and entries are discarded)

Process Tracking --> detailed tracking information for various events, such as program activation.

Auditing files and directories

Select folder or file in Windows NT Explorer and then click Properties in the File menu.

Select Security tab and then Auditing button.

For directory auditing, by default, auditing changes apply only to the directory and files, not sub folders. Make the following selections as needed:

Replace Auditing on Subdirectories - to have auditing on subdirectories too.

Replace Auditing on Existing Files - if you want to apply auditing changes to the directory only.

After this you can add users or groups and select in the Events to Audit box: ( know these baby)

Read

Write

Execute

Delete

Change Permission

Take Ownership

Auditing a Printer

Events to audit (success or failure):

Print --> printer usage. Useful for billing individual departments.
Full Control --> changes to job settings, pausing restarting, moving or deleting documents, sharing a printer or changing printer properties. Useful in high security environments.
Delete --> deleted print jobs. Useful in high security environments.
Change Permissions --> changes to printer permissions. Useful in medium and high security environments.
Take Ownership --> changes to printer ownership. Useful in medium and high security environments.

Using Event Viewer

Event Viewer provides info about errors, warnings, and successes or failure of a task.

Info is stored in three types of logs:

System --> contains errors, warnings or information generated by Windows NT. Selection of events is preset by Windows NT.

Security --> contains info about success and failure of audited events. Events are recorded as result of your audit policy.

Application --> contains error, warnings, or info generated by programs. Selection of events is preset by program developer.

Viewing Security Logs

Successful events have the key icon
Unsuccessful events have the lock icon

To view a log on a remote computer in another domain

The appropriate trust relationship must exist
Your Domain Admin Group must exist in the local Administrators group of the domain OR computer for which you want to view the log.

Locating Events

Click in Event Viewer on the View menu and click Filter Events or Find in the same menu. In Filter or Find dialog box select the criteria:

View From/View Through --> Filter only; for specifying data.
Types --> select the type of events.
Source --> specify software or component driver that logged the event.
Category --> select the classification of the event as defined by the Source.
User --> specify a user account
Computer --> specify an computer
Event ID --> shows an event number to identify the event
Description --> Find only; specify the text that would appear in the description of the event.

Archiving the Security Log

This is useful for tracking trends.
This helps you determine resource use and plan for growth.
In the Event Log Settings dialog box, you can control:

Size of the logs to archive (64 K to 4,194,240 K; default 512 K).
How are events recorded:

Overwrite Events as Needed
Overwrite Events Older than x Days
Do Not Overwrite Events (This requires that you clear the log manually)

In the Log menu you can select also Save As, Clear All Events, Open.

Best Practices

Audit the Everyone Group instead of the Users Group - this means anyone who can connect to the network is audited.

Top of page

Comments and suggestions? E-mail me at grantwilson21@yahoo.com I'm sorry, but I can't answer specific network-related, or exam-related questions.
Last Updated: August 6, 2001	Grant Wilson, Edmonton, AB Canada