Windows Auditing

Issue

Auditing is a vital step in detecting system intrusions or malicious activity on your systems and network. The Windows Event Viewer does not log event entries in the security log unless you enabled auditing on the system.

Solution

Enable auditing on each Windows system on your network. After you enable auditing, you can choose which events to monitor, such as successful or failed logon attempts. In addition, certain files and directories can be audited on NTFS file systems for modifications or deletions.

To enable auditing on a computer running Windows XP or Windows 2000

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
3. In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit. It is recommended that you audit the following events:

   Audit account logon events (Success, Failure)
   Audit account management (Success, Failure)
   Audit directory service access (Failure)
   Audit logon events (Success, Failure)
   Audit object access (Failure)
   Audit policy change (Success, Failure)
   Audit system events (Success, Failure)

1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager.
2. Click the Audit logon events policy, and then click the events that you want to monitor. It is recommended that you audit the following events:

   Logon and Logoff (Success, Failure)
   File and Object Access (Failure)
   User and Group Management (Success, Failure)
   Security Policy Changes (Success, Failure)
   Restart, Shutdown, and System (Success, Failure)

To view the event logs, click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

Additional Resources

Chapter 13 - Auditing Windows NT Security Features and Controls

⌐ 2002 Microsoft Corporation. All rights reserved.