Before you start
Objectives: learn how to configure local auditing on XP machine.
Prerequisites: you have to know what is Windows Auditing in general.
Key terms: account, event, logon, local, configure, access, user, file, policy, enable, server, monitor, record, object, fail
Configuring Auditing
We will use Local Group Policy to configure auditing. Let’s go to Administrative Tools and open Local Security Policy. Under Security Settings we will browse to the Local Policies and then Audit Policy.
Image 270.1 – Local Security Policy
The first step in configuring auditing is to select the event category that we want to track. In our example we will configure Audit account logon events policy. This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Because it is important to enable minimum auditing, we will only audit logon failures.
Image 270.2 – Account Logon Events
To see generated events we will go to the Event Viewer, Security log. In our case, notice that we have a Failure Audit event in the list. Category of this event is Account Logon (as we set in Policy Editor). Type can be Failure or Success. If we double-click on that event we can see the details.
Image 270.3 – Event Details
Someone with the logon account named ‘Monika’ tried to log on to our computer.
File and Printer Auditing Configuration
To configure auditing for resource access we first must enable auditing in Group Policy, then define the resource, users and actions that we want to audit. Let’s enable Object Access auditing. We will enable both Success and Failure attempts.
Image 270.4 – Object Access Policy
At this point no audit events will be created until we define specific objects we want to keep track of, and identify the users we want to monitor. In our case we want to monitor when the user ‘Kim Verson’ prints on our printer. We right-click our printer, select Properties, go to the Security tab, click the Advanced button and then select the Auditing tab.
Image 270.5 – Auditing Tab
Here we need to add our user, Kim Verson. We want to monitor successful prints.
Image 270.6 – Print Auditing Entry
Next, we have a folder that contains sensitive files. We already control access to that folder with NTFS permissions, and we want to know when someone tries to modify permissions for the folder or its files. In our case we will configure the Great Citations folder. We will right-click it, select Properties, select Security tab, click Advanced button, select Auditing tab, and click on the Add button.
Image 270.7 – File Auditing Entry
This time we will add the Everyone group, because we want to monitor when someone tries to modify permissions. Notice that we can audit many different actions. Here we could also select to monitor the Take Ownership event. When we are finished, system will monitor only those events. Events with other users and files will be ignored.
Remember
We can use Local Group Policy editor to configure auditing on local machine. The first step in configuring auditing is to select the event category that we want to track. To see generated events we use Event Viewer, Security log section. To configure auditing for resource access we first must enable auditing in Group Policy, then define the resource, users and actions that we want to audit.