1 introduction to auditing auditing allows you to track user activities. microsoft windows 2000...


Upload: marsha-burke

Post on 29-Jan-2016


Introduction to Auditing

• Auditing allows you to track

  • User activities.
  • Microsoft Windows 2000 activities.

• Windows 2000 records events in the security log.

• The security log maintains a record of

  • Valid and invalid logon attempts.
  • Events related to creating, opening, or deleting files or other objects.


Using an Audit Policy

• An audit policy defines the types of security events recorded.

• An event is written to the security log on the computer where it occurs.

• An audit policy for a computer can

  • Track the success and failure of events.
  • Minimize the risk of unauthorized use of resources.


Audit Policy Guidelines

• Determine which computers need auditing.

• Auditing is turned off by default.

• Plan what to audit on each computer.


Events You Can Audit

• Accessing files and folders

• Logging on and off

• Shutting down and restarting a computer

• Changing user accounts and groups

• Attempting to make changes to objects in directory services


Auditing Successful Events, Failed Events, or Both

• Tracking successful events helps you determine

  • How often Windows 2000 or users gain access to specific objects
  • Resource planning

• Tracking failed events helps you determine

  • Security breaches
  • Attempted security breaches


Additional Audit Policy Guidelines

• Determine if you need to track trends of system use.

• Plan frequent security log reviews.

• Define a useful and meaningful audit policy.

• Audit resource access by using the Everyone group.


Configuring Auditing

• Auditing requirements

  • You must have the Manage Auditing And Security Log user right.
  • The files and folders to be audited must be on NTFS volumes.

• Setting up auditing

  • Set the audit policy.
  • Enable auditing of specific resources.


Setting an Audit Policy


The Local Security Policy Dialog Box


Auditing Access to Files and Folders

• Security breaches are an issue.

• After you set up your audit policy to audit object access

  • Enable auditing for specific files and folders.
  • Specify which types of access to audit.


Events That Can Be Audited for Files and Folders


Auditing Access to Printers

• Track sensitive printers.

• Set your audit policy to audit object access.

• Enable auditing for specific printers.

  • Specify which users will have access.
  • Specify which type of access to audit.


Printer Events That Can Be Audited


Understanding Windows 2000 Logs

• Use Event Viewer to view Windows 2000 logs.

• By default, Event Viewer has three logs:

  • Application log.
  • Security log.
  • System log.


Viewing Security Logs


Locating Events


Managing Audit Logs

• You can control the size of the event log.

  • The size of each log can be from 64 KB to 4 GB.
  • The default size of a log is 512 KB.

• You can specify what to do when the log is full.

  • Overwrite Events As Needed.
  • Overwrite Events Older Than X Days.
  • Do Not Overwrite Events (Clear Log Manually).
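
An added example, not part of the original slides: a simplified Python model of the three full-log actions listed above, showing which events each one loses once the log reaches its size limit. The function name, the capacity counted in records rather than bytes, and the sample events are assumptions made for illustration.

```python
from collections import deque

POLICIES = ("overwrite_as_needed", "overwrite_older_than", "do_not_overwrite")

def simulate(events, capacity, policy, max_age_days=7):
    """Replay (day, text) events into a log that holds `capacity` records.

    Returns (retained, overwritten, dropped). Capacity is counted in records
    as a stand-in for the byte limit (assumption of this model).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    log, overwritten, dropped = deque(), [], []
    for event in events:
        if len(log) >= capacity:
            day, oldest_day = event[0], log[0][0]
            may_overwrite = (
                policy == "overwrite_as_needed"
                or (policy == "overwrite_older_than"
                    and day - oldest_day > max_age_days)
            )
            if not may_overwrite:
                dropped.append(event)          # log full: the new event is lost
                continue
            overwritten.append(log.popleft())  # the oldest record is lost
        log.append(event)
    return list(log), overwritten, dropped

# Constructed sample events (day number, description); not real log data.
SAMPLE = [
    (0, "failed logon: Administrator"),
    (0, "failed logon: Administrator"),
    (1, "object access: payroll folder"),
    (2, "logon: alice"),
    (3, "logon: bob"),
    (9, "group change: bob added to Administrators"),
]

if __name__ == "__main__":
    for policy in POLICIES:
        kept, lost_old, lost_new = simulate(SAMPLE, capacity=4, policy=policy)
        print(policy)
        print("  overwritten: ", [e[1] for e in lost_old])
        print("  never logged:", [e[1] for e in lost_new])
```

With a capacity of four records, overwriting as needed erases the two early failed logons, while not overwriting keeps them but never records the later group change.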


Archiving Logs

• Keep logs for a specified period of time to track security-related information.

• Configure archived logs in Event Viewer.

  • Save Log File As
  • Clear All Events
  • New Log View