Keeping track of what your system is doing is one of the most important, but tedious, processes of good IT security management. Auditing, a process by which events that match specified criteria trigger a log entry in the machine's event log, helps you take care of this critical management task. In this tip, I'll look at auditing and the event log and show you how to fine-tune each.
The many choices in Audit settings
Auditing controls and properties are modified through Group Policy Objects (GPOs) in Windows 2000, Windows XP and Windows Server 2003. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel.
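The audit policy currently in effect on a machine can also be read from the command line. The following PowerShell script is an added example, not code from the original article: it uses secedit.exe (present on Windows 2000, XP and Server 2003 and later) to export the local security database and translates the numeric values in its [Event Audit] section. It assumes an elevated session and that Get-Content can read the Unicode INF file secedit writes.

```powershell
# Added example (not from the original article): dump the audit policy in
# effect on this machine with secedit.exe and make the [Event Audit] values
# readable. secedit encodes each Audit* key as 0, 1, 2 or 3.
# Assumptions: elevated PowerShell session; secedit writes a Unicode INF file.

$inf = Join-Path $env:TEMP 'audit-policy.inf'
secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Value meanings secedit uses for every Audit* key in [Event Audit]
$meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }

$inSection = $false
$policy = foreach ($line in Get-Content $inf) {
    # Track which INF section we are in; only [Event Audit] matters here
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
    if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d+)') {
        [pscustomobject]@{
            Category = $Matches[1]          # e.g. AuditLogonEvents
            Setting  = $meaning[$Matches[2]]
        }
    }
}

$policy | Sort-Object Category | Format-Table -AutoSize

# Categories still at "No auditing" are ones no GPO or local policy has set
$policy | Where-Object { $_.Setting -eq 'No auditing' } | ForEach-Object {
    Write-Warning "$($_.Category) is not audited on this machine"
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it after a Group Policy refresh to confirm the domain policy actually reached the machine; a category that the GPO sets but that still shows "No auditing" here points at a policy-application problem rather than an auditing one.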
The settings for each policy indicate which types of events, and which results, cause an entry to be written to the event log. Here are the options for auditing policies:
You can configure individual objects to be audited by editing the system access control list (SACL) for any given object. This is much like assigning permissions, except that it tells Windows which type of access should produce an event log entry. You can access the SACL for an object by clicking the Advanced button on the Security tab of the object's properties sheet. On the Auditing tab, click Add to include a new auditing entry for the object or View/Edit to modify an existing one. (Note: You can't audit objects on a FAT file system.)
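The same SACL change can be scripted. The PowerShell below is an added example, not code from the original article: it adds the equivalent of one Auditing-tab entry (Everyone, Delete and Write, Success and Failure, inherited by subfolders and files) to a folder and reads the SACL back. The folder path is a placeholder; the script assumes an NTFS volume, since FAT has no SACL, and an elevated session, because writing a SACL requires SeSecurityPrivilege. Object access auditing must also be enabled in the audit policy for the entries to reach the Security log.

```powershell
# Added example (not from the original article): add an auditing entry (SACL)
# to a folder so that successful and failed delete/write attempts by anyone
# are written to the Security log.
# Assumptions: $Path is on an NTFS volume; the session is elevated.

param(
    [string]$Path = 'C:\Sensitive'   # placeholder path for the example
)

# Refuse early on file systems that cannot carry auditing entries
$drive = (Get-Item $Path).PSDrive.Name + ':'
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
if ($fs -ne 'NTFS') { throw "$Path is on a $fs volume; auditing requires NTFS" }

# Get-Acl returns the SACL only when asked for it with -Audit
$acl = Get-Acl -Path $Path -Audit

# Identity, rights, inheritance, propagation, audit flags: the same five
# choices the Auditing tab presents, coerced from strings to the enum types
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'Delete, Write',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm what was applied
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Keep the rights list narrow; auditing ReadData on a busy share generates an entry for every file open, which is exactly the kind of noise the next section warns about.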
Recommended items to audit
First, a few things you should be aware of. One, too much auditing consumes large amounts of resources. Entries will be written every time a user moves a mouse (OK, that's an exaggeration, but not much of one). Two, too much auditing tends to be overwhelming. Auditing provides no benefit if you don't view the audit entries, so overdoing the number of events you audit wastes resources without gaining any security advantage. Be aware of and selective about what you choose to audit.
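A quick way to tell whether the volume of audit entries is still reviewable is to summarize the Security log rather than scroll it. The PowerShell below is an added example, not code from the original article: it groups the last day's Security entries by event ID and audit type, lists the busiest ones (where an overly broad policy shows up first) and then prints the failure audits in full. It assumes an elevated session, since reading the Security log requires it, and Get-EventLog (Windows PowerShell 2.0 or later).

```powershell
# Added example (not from the original article): summarize the Security log so
# the audit entries actually get looked at. The busiest event IDs show which
# audit settings are producing the bulk of the volume.
# Assumptions: elevated session; Get-EventLog available (classic logs).

$since = (Get-Date).AddDays(-1)
$entries = @(Get-EventLog -LogName Security -After $since)

$summary = $entries |
    Group-Object -Property EventID, EntryType |
    ForEach-Object {
        $sample = $_.Group[0]
        [pscustomobject]@{
            EventId   = $sample.EventID
            Type      = $sample.EntryType      # SuccessAudit or FailureAudit
            Count     = $_.Count
            Source    = $sample.Source
            FirstSeen = ($_.Group | Sort-Object TimeGenerated | Select-Object -First 1).TimeGenerated
        }
    } |
    Sort-Object Count -Descending

"$($entries.Count) security entries since $since"
$summary | Select-Object -First 15 | Format-Table -AutoSize

# Failure audits are the entries worth reading one by one
$entries | Where-Object { $_.EntryType -eq 'FailureAudit' } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

If the top of the summary is dominated by one success-audit event ID that nobody acts on, that is the audit setting to narrow first.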
Here are a few events you'll want to take note of in particular:
Configuring event log policies
Similar to auditing policies, you'll find policies for configuring the event logs inside the Default Domain Policy in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Event Log tree. Here are the options for event log policies:
To configure the event logs locally on a computer that does not participate in a domain, load the Event Viewer console (in Control Panel under Administrative Tools) and right-click each log in the left pane. You can set the log size options on this screen, including the maximum size and the action Windows should take when that limit is reached.
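The same size and overflow settings can be inspected and set from PowerShell. The script below is an added example, not code from the original article: it lists every classic event log with its maximum size and overflow action, flags logs below a minimum you choose, and enlarges the Security log if needed. The 64 MB threshold is a placeholder value, not a recommendation from the article; the script assumes an elevated session and Limit-EventLog (Windows PowerShell 2.0 or later).

```powershell
# Added example (not from the original article): report each event log's
# maximum size and overflow action, then raise the Security log if it is
# under a chosen minimum. Limit-EventLog writes the same settings as the
# Event Viewer properties dialog.
# Assumptions: elevated session; 64 MB is a placeholder threshold.

$minimumBytes = 64MB

foreach ($log in Get-EventLog -List) {
    $status = if ($log.MaximumKilobytes * 1KB -lt $minimumBytes) { 'TOO SMALL' } else { 'ok' }
    '{0,-25} {1,8} KB  overflow={2,-20} {3}' -f $log.Log, $log.MaximumKilobytes, $log.OverflowAction, $status
}

# Security log: enlarge it and overwrite the oldest entries rather than stop
# logging when full. DoNotOverwrite combined with the policy that shuts the
# system down when audits cannot be logged turns a full log into an outage.
$security = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
if ($security.MaximumKilobytes * 1KB -lt $minimumBytes) {
    Limit-EventLog -LogName Security -MaximumSize $minimumBytes -OverflowAction OverwriteAsNeeded
}
```

Limit-EventLog requires the size to be a multiple of 64 KB; pick thresholds that divide evenly, as 64MB does here.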
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to the RADIUS authentication protocol and offers suggestions for implementing RADIUS and overall network security. Ask Hassell a hardening Windows question today.