Wednesday, January 30, 2008

Enabling Security Auditing

Unlike the other logs that appear in Event Viewer, the Security log is disabled by default in Windows XP Professional and Windows 2000. No events are written to the Security log until you enable auditing, which you do via Local Security Settings. (In Windows XP Home Edition, security auditing is enabled for certain events. Because Home Edition doesn't include Local Security Settings, you cannot change which events are audited unless you use a tool like Auditpol.exe, which is included in the Windows 2000 Resource Kit.) Even if you set up auditing for files, folders, or printers, as explained later in this chapter, the events you specify aren't recorded unless you also enable auditing by setting a high-level audit policy in Local Security Settings.

NOTE
--------------------------------------------------------------------------------

To enable auditing, you must be logged on with an account that has the Manage Auditing And Security Log privilege. By default, only members of the Administrators group have this privilege. For information about privileges, see Exploring User Rights.

To enable auditing, follow these steps:

1. In Control Panel, open Administrative Tools, Local Security Policy. (If you use Category view in Windows XP, you'll find Administrative Tools under Performance And Maintenance.) Alternatively, you can type secpol.msc at a command prompt.
2. In the console tree, select Security Settings\Local Policies\Audit Policy.
3. Double-click each policy for which you want to enable auditing, and then select Success, Failure, or both. Figure 20-1 shows the properties dialog box for an audit policy.

Figure 20-1. You enable auditing using the Local Security Settings console.
Figure 20-1 also shows the types of activities you can audit. Some, such as account management and policy change, provide an audit trail for administrative changes. Others, such as logon events and object access, help you monitor who is attempting to use your system. Still others, including system events and process tracking, can assist you in locating problems with your system. Table 20-1 provides more details.

Table 20-1. Audit Policies for Security Events
Policy Description
Audit account logon events
Account logon events occur when a user attempts to log on or log off across the network, authenticating to a local user account.

Audit account management
Account management events occur when a user account or security group is created, changed, or deleted; when a user account is renamed, enabled, or disabled; or when a password is set or changed.

Audit directory service access
Directory service access events occur when a user attempts to access an Active Directory object. (If your computer is not part of a Windows domain, these events won't occur.)

Audit logon events
Logon events occur when a user attempts to log on or log off a workstation interactively.

Audit object access
Object access events occur when a user attempts to access a file, folder, printer, registry key, or other object that is set for auditing.

Audit policy change
Policy change events occur when a change is made to user rights assignment policies, audit policies, trust policies, or password policies.

Audit privilege use
Privilege use events occur when a user exercises a user right (other than logon, logoff, and network access rights, which trigger other types of events).

Audit process tracking
Process tracking includes events such as program activation, handle duplication, indirect object access, and process exit. Although this policy generates a large number of events to wade through, it can provide useful information, such as which program a user used to access an object.

Audit system events
System events occur when a user restarts or shuts down the computer or when an event affects the system security or the Security log.


NOTE
--------------------------------------------------------------------------------

In Windows XP Home Edition, account logon, account management, logon, policy change, and system events are audited for both successful incidents and failed attempts. You cannot enable auditing for directory service access, object access, privilege use, or process tracking events, or disable the categories that are already enabled, without additional tools.

Local Security Settings has some additional policies that affect auditing, but they're not in the Audit Policy folder. Instead, look to the Security Settings\Local Policies\Security Options folder for these policies:

Audit: Audit the use of Backup and Restore privilege. Enable this policy if you want to know when someone uses a backup program to back up or restore files. To make this policy effective, you must also enable Audit Privilege Use in the Audit Policy folder.
Audit: Shut down system immediately if unable to log security audits. For details about this extreme security policy, see the sidebar Ensuring That You Don't Miss Any Security Events.
Audit: Audit the access of global system objects. This policy affects auditing of obscure objects (mutexes and semaphores, for example) that aren't used in most home and small business networks; you can safely ignore it.
NOTE
--------------------------------------------------------------------------------

In Windows 2000, the word "Audit:" does not precede the policy names.
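The three console steps above and the Security Options just listed can also be checked and applied from a script, which is handy when you need to confirm that auditing is really switched on (remember that object auditing records nothing until the high-level policy is enabled). The following PowerShell script is an added example and is not code from the chapter or from Microsoft; it uses secedit.exe, which ships with Windows 2000 and XP Professional, to export and apply the audit policy as a security template, and reads the registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa that back the three "Audit:" options. It assumes PowerShell is installed (a stock XP install has none), that the script runs under an Administrators account (the Manage Auditing And Security Log privilege described above), and that the registry value names shown are where those options are stored; the chapter itself does not name them. It goes a little beyond the text by covering all nine Table 20-1 categories rather than one dialog box at a time.

```powershell
# Added example (not from the chapter): inspect and set the local audit policy
# with secedit.exe instead of the Local Security Settings console.
# Assumptions: PowerShell is installed; run from an Administrators session.

# Keys of the [Event Audit] section of a security template, mapped to the
# policy names used in Table 20-1.
$AuditCategories = [ordered]@{
    AuditAccountLogon    = 'Audit account logon events'
    AuditAccountManage   = 'Audit account management'
    AuditDSAccess        = 'Audit directory service access'
    AuditLogonEvents     = 'Audit logon events'
    AuditObjectAccess    = 'Audit object access'
    AuditPolicyChange    = 'Audit policy change'
    AuditPrivilegeUse    = 'Audit privilege use'
    AuditProcessTracking = 'Audit process tracking'
    AuditSystemEvents    = 'Audit system events'
}

# Template value encoding: bit 0 = Success, bit 1 = Failure (3 = both, 0 = none).
function ConvertFrom-AuditValue([int]$Value) {
    $parts = @()
    if ($Value -band 1) { $parts += 'Success' }
    if ($Value -band 2) { $parts += 'Failure' }
    if ($parts.Count -eq 0) { 'No auditing' } else { $parts -join ', ' }
}

function Get-LocalAuditPolicy {
    $inf = Join-Path $env:TEMP 'audit-export.inf'
    # Export the effective local policy as an INF-style security template.
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (not an administrator?)' }

    # Keep only the [Event Audit] section; lines look like "AuditLogonEvents = 3".
    $section = $null; $values = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'Event Audit' -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($key in $AuditCategories.Keys) {
        # A category absent from the export has never been set, i.e. no auditing.
        $raw = if ($values.ContainsKey($key)) { $values[$key] } else { 0 }
        [pscustomobject]@{ Policy = $AuditCategories[$key]; Setting = ConvertFrom-AuditValue $raw }
    }
}

# The three "Audit:" Security Options live under the Lsa key. The value names
# are an assumption of this example; the chapter does not state them.
function Get-AuditSecurityOptions {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # FullPrivilegeAuditing is REG_BINARY (one byte); the other two are REG_DWORD.
    $backup = [int]($lsa.FullPrivilegeAuditing | Select-Object -First 1)
    [pscustomobject]@{
        'Audit the use of Backup and Restore privilege'        = ($backup -eq 1)
        'Shut down system immediately if unable to log audits' = ($lsa.CrashOnAuditFail -ge 1)
        'Audit the access of global system objects'            = ($lsa.AuditBaseObjects -eq 1)
    }
}

# Scripted equivalent of the three console steps: write a minimal template and
# let secedit apply it. Example:
#   Set-LocalAuditPolicy @{ AuditLogonEvents = 3; AuditAccountLogon = 3; AuditPolicyChange = 3 }
function Set-LocalAuditPolicy([hashtable]$Settings) {
    foreach ($k in $Settings.Keys) {
        if (-not $AuditCategories.Contains($k)) { throw "Unknown audit category: $k" }
    }
    $inf = Join-Path $env:TEMP 'audit-apply.inf'
    $db  = Join-Path $env:TEMP 'audit-apply.sdb'
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
    $lines += $Settings.Keys | ForEach-Object { "$_ = $($Settings[$_])" }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

Get-LocalAuditPolicy | Format-Table -AutoSize
Get-AuditSecurityOptions | Format-List
```

Running the script as-is only reports; the Set-LocalAuditPolicy call in the comment is the one that changes settings, so compare the report against what you expect before using it. The template values follow the same Success/Failure choice as the properties dialog box (1 = Success, 2 = Failure, 3 = both), and a category you leave out of the hashtable is left as it was.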
