2.4. Implementing Auditing
After you set up security on a Windows system by setting permissions on the folders and files, configuring user rights, and placing users in the appropriate groups, make sure that the security of the OS is effective. To monitor what is happening on the system, you enable auditing, which notifies you when certain things happen on the system. For example, you might want to be notified if someone fails to log on to the system with a correct username and password; this could be someone trying to guess the password of the account.
Working effectively with the auditing feature in Windows takes two steps:
1. Enable auditing. Simply choose which events you wish to audit. The nice thing about auditing in Windows is that you choose which events you care to know about.
2. Review the audit log. After you enable auditing, ensure that you monitor the log regularly for any security-related issues. For example, if you notice repeated failures to log on for the same account, that is an indication that an account is being hacked.
The following sections offer more details about these two steps.
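The review step above, as an added example that is not from the original text: this PowerShell script counts failed-logon events per account in the Security log and lists the accounts with repeated failures. It assumes event ID 4625 (the failed-logon event on Windows Vista and later), PowerShell 3.0 or later, a 24-hour review window, and a threshold of 5 failures.

```powershell
# Added example: list accounts with repeated failed logons in the Security log.
# Assumptions (not from the original text): event ID 4625 (failed logon on
# Windows Vista and later), a 24-hour window, and a threshold of 5 failures.
# Run from an elevated prompt; reading the Security log requires it.

$Since     = (Get-Date).AddHours(-24)   # assumed review window
$Threshold = 5                          # assumed number of failures worth a look

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }

# Get-WinEvent reports an error when nothing matches, so suppress that case.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # The named fields of the event are in its XML, under EventData.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Source  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    }
}

# Group by account and keep only accounts at or above the threshold.
$failures |
    Group-Object Account |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize
```

If the script prints nothing, either no account reached the threshold or failure auditing for logon events is not enabled, so confirm the audit policy before treating an empty result as clean.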
2.4.1. Enabling auditing
To enable auditing in Windows, modify the Local Security Policy:
1. Choose Start > Control Panel.
2. In the Control Panel, choose Performance and Maintenance (XP) or System and Maintenance (Vista) and then Administrative Tools, located ...