This is an extensive subject. Microsoft has created many layers and differing approaches, the implementation of which depends on your environment and requirements.
This guide is meant to be abbreviated steps for a generic situation, and is not all-encompassing. The focus is on standalone or peer-to-peer systems, and does not include Active Directory-specific detail.
Due to the amount of information available, many computer users either cannot find, or do not know where to look for, concise summaries. For areas that are not covered, and still apply to your situation, follow the links at the end of the page for more details.
Auditing
Ideally, auditing should be configured to generate information on inappropriate use of the computer. Although it is possible the logs will not be reviewed on a regular basis, they can still be of use in determining a sequence of historical events.

| Option | Setting | Purpose |
| --- | --- | --- |
| Audit account logon events | Success, Failure | To track who uses, or has attempted to use, the computer with a local account |
| Audit account management | Success, Failure | Changes, or attempted changes, to local account information. This can be useful to track the elevation of rights |
| Audit logon events | Success, Failure | To track remote access to the local machine |
| Audit object access | Failure | Attempted use of local resources. Logging success would generate enormous amounts of data. However, it is possible to audit a resource (such as a file share) individually to monitor access. |
| Audit policy change | Success | To track changes to user rights or local policies, such as the Audit policy |
| Audit privilege use | Failure | Unsuccessful attempts to use elevated rights |
| Audit process tracking | No Auditing | Not used unless special circumstances require close application monitoring. Even then, use with caution as it can generate a lot of log entries |
| Audit system events | Success | Very useful for tracking unauthorized access and events like shutting the computer off |

To configure the local audit policy:
- Select Start, Programs, Administrative Tools.
- Click on the Local Security Policy icon.
- If not already displayed, click on Security Settings, Local Policies, and Audit Policy to display the policy settings.
- To change the setting click on the policy setting name and check the appropriate Success/Failure boxes.
- Exit the application. The settings are saved automatically.
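To confirm that the settings in the table are actually in effect, the following added PowerShell example (not part of the original guide) compares the [Event Audit] section of a security policy export against the table. The function name Get-AuditPolicyDrift and the sample export are constructed for illustration; a real export can be produced from an elevated prompt with `secedit /export /cfg <file> /areas SECURITYPOLICY`.

```powershell
# Added example. The table's settings expressed as secedit [Event Audit] values:
# 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
$Baseline = [ordered]@{
    AuditAccountLogon    = 3   # Audit account logon events
    AuditAccountManage   = 3   # Audit account management
    AuditLogonEvents     = 3   # Audit logon events
    AuditObjectAccess    = 2   # Audit object access
    AuditPolicyChange    = 1   # Audit policy change
    AuditPrivilegeUse    = 2   # Audit privilege use
    AuditProcessTracking = 0   # Audit process tracking
    AuditSystemEvents    = 1   # Audit system events
}

function Get-AuditPolicyDrift {
    # Hypothetical helper: emits one object per policy that differs from $Expected.
    param([string[]]$InfLines, [System.Collections.IDictionary]$Expected)
    $current = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only key=value lines under [Event Audit] are audit policy settings.
            $inSection = ($Matches[1] -eq 'Event Audit')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(\d+)$') {
            $current[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($name in $Expected.Keys) {
        # A key absent from the export is reported as 'missing'.
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { 'missing' }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Policy = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

# Constructed sample export; replace with (Get-Content <file>) for a real one.
$SampleExport = @'
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditProcessTracking = 3
AuditAccountLogon = 3
'@ -split "`r?`n"

Get-AuditPolicyDrift -InfLines $SampleExport -Expected $Baseline | Format-Table -AutoSize
```

Each row of output is a policy whose exported value differs from the table; no output means the export matches.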
To define an audit rule for a file or folder:
- Locate the file or folder using Windows Explorer and select it.
- Click the File menu and select Properties.
- Click the Security tab, and then click the Advanced button.
- Click the Auditing tab.
- Click the Add button, and the Select User, Computer, or Group dialog box will display.
- Click the Object Types… button, and in the Object Types dialog box select the object types you want to find.
- Note: The User, Group, and Built-in security principal object types are selected by default.
- Click the Locations… button, and in the Location: dialog box select either your domain or local computer.
- In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and click OK. The Auditing Entry dialog box will display.
- Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.
- Note: Remember that each access may generate multiple events in the event log and cause it to grow rapidly.
- In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and then click OK.
- The audit entries you have enabled will display under the Auditing tab of the Advanced Security Settings dialog box.
- Click OK to close the Properties dialog box.