Configuring Auditing of Access to Files, Printers, and Registry Keys
If you want to audit use or attempted use of certain files, folders, printers, registry keys, or other objects, you must select Success, Failure, or both options in the Audit Object Access policy, as described in the preceding section. Then you must set auditing options for the particular objects you want to monitor, as described in the following paragraphs. (In general, it's best to select both Success and Failure in the Audit Object Access policy, and then be more selective when you configure auditing options for each object.)
NOTE
--------------------------------------------------------------------------------
Because you can't make Audit Object Access policy settings in Windows XP Home Edition, you won't be able to audit access to files, printers, and other objects. Even if you know the trick to bypass Simple File Sharing (boot into Safe Mode), which would allow you to make audit settings for an object, those settings have no effect without the high-level policy in place.
Windows can audit a variety of events and can audit different events for different users. You must be logged on as a member of the Administrators group (or the Manage Auditing And Security Log right must have been assigned to your logon account) to set up auditing of objects.
NOTE
--------------------------------------------------------------------------------
If you want to audit access to files or folders, those objects must be stored on an NTFS volume; FAT volumes do not support auditing.
Use the Security tab in the properties dialog box for a file, folder, printer, or registry key to display the audit settings for that object. You can specify the users and groups whose access to the selected object you want to audit; and for each user and group, you can specify which types of access should generate entries in the Security log. You should audit the minimum number of accesses necessary to accomplish your logging goal. For instance, if you want to audit changes to permissions, the only access you need to audit is Write Permissions.
To set up auditing for object access, follow these steps:
1. If you haven't done so already, visit Local Security Settings to enable auditing. Be sure to set the Audit Object Access policy to track both success and failure. (See the preceding section, Enabling Security Auditing.)
2. If you use Windows XP Professional and your computer is not a member of a domain, choose Tools, Folder Options in Windows Explorer. Click the View tab and then clear the Use Simple File Sharing (Recommended) check box. Click OK. Disabling Simple File Sharing allows the Security tab to appear when you look at the properties dialog box for a file, folder, or printer. (You can skip this step if you're configuring auditing for a registry key.)
NOTE
--------------------------------------------------------------------------------
After you make the appropriate audit settings for various objects (as described in the following steps), you can restore Simple File Sharing by returning to Folder Options and selecting the same check box. Although the Security tab will no longer be visible in the properties dialog box for files, folders, and printers, the audit settings you have made remain in effect.
3. Display the Security tab for the object, as follows:
   - For a file or folder, right-click the object in Windows Explorer and choose Properties. In the properties dialog box, click the Security tab.
   - For a printer, right-click the printer in the Printers folder (in Control Panel) and choose Properties. In the properties dialog box, click the Security tab.
   - For a registry key in Windows XP, right-click the key in Registry Editor (that is, a folder icon in the tree pane—not a registry value in the right pane) and choose Permissions.
   - For a registry key in Windows 2000, open Regedt32.exe (not Regedit.exe), select the key, and choose Security, Permissions.
4. Click the Advanced button to open the Advanced Security Settings dialog box (in Windows 2000, the Access Control Settings dialog box).
5. Click the Auditing tab. For each object, you can specify different audit settings for different users.
6. Click Add to add a new user or group, or select an existing user or group and then click Edit to change its audit settings.
   If you click Add, the Select User Or Group dialog box appears. You enter the names of user accounts or security groups the same way you do on the Security tab. (For details, see Setting NTFS Permissions Through Windows Explorer.) Click OK.
7. In the Auditing Entry dialog box, select the types of access you want to audit for the selected user or group.
   The types of access you can audit for success or failure are the same types of access for which you can set permissions; specifically, the list of auditing permissions matches the object's list of special permissions. Figure 20-2 shows the options for different object types.
   For information about special permissions for files and folders, see Basic and Advanced Permissions.
   If you select the Successful check box for a specific type of access, Windows generates a Security log record containing (among other information) the date and time of each successful use of the specified file or folder by the specified user or group. Similarly, if you select the Failed check box, Windows generates a Security log record each time the specified user or group unsuccessfully attempts to access the specified file or folder.
   Figure 20-2. The types of access you can audit are the same as those for which you can set permissions. For each type of access, you can audit successful accesses, failed attempts, or both.
8. If you're making audit settings for an object other than a file, select the scope of the objects you want to audit from the Apply Onto list. Click OK.
On the Auditing tab of the Advanced Security Settings dialog box, you can select inheritance options. These options work exactly like (but independently of) the comparable options on the Permissions tab. For more information, see Applying Permissions to Subfolders Through Inheritance.
TIP
--------------------------------------------------------------------------------
Change audit settings for multiple objects in one fell swoop
You can change audit settings for multiple files or folders (but not printers or registry keys) simultaneously. If you select more than one file or folder in Windows Explorer before you click the Security tab in the properties dialog box, the changes you make affect all the selected files or folders. If the existing security settings are not the same for all the items in your selection, a message appears, asking whether you want to reset the audit settings for the entire selection.
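The same procedure for a folder, scripted in PowerShell on current Windows versions (an added example, not part of the original text, which covers only the Windows XP and Windows 2000 dialog boxes). The folder C:\AuditDemo and the Everyone principal are assumptions; the entry audits only changes to permissions, matching the minimal-audit advice above, and the auditpol subcategory name is the English one.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Auditing tab steps for a folder.
$Path     = 'C:\AuditDemo'   # constructed sample folder (assumption)
$Identity = 'Everyone'       # principal whose access is audited (assumption)

# Files and folders can carry audit entries only on an NTFS volume.
$root  = [System.IO.Path]::GetPathRoot($Path)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$root is formatted as $($drive.DriveFormat); auditing requires NTFS."
}
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# High-level policy first: without it, per-object audit entries log nothing.
# On current Windows, Object Access is split into subcategories; "File System"
# covers files and folders (the name is localized on non-English systems).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Audit only what the logging goal needs: changes to permissions,
# for both successful and failed attempts, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = [System.Security.AccessControl.FileSystemAuditRule]::new(
               $Identity, $rights, $inherit, $prop, $flags)

# -Audit loads the SACL (the audit entries); without it Get-Acl returns
# only the owner and the permission entries, and the SACL is not written.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the audit entries back to confirm what is now in effect.
(Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Run it from an elevated session; reading or writing audit entries requires the Manage Auditing And Security Log right mentioned above.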