Keeping track of what your system is doing is one of the most important, but tedious, processes of good IT security management. In this section, I’ll look at the tools to audit events that happen on your system and the utilities used to view them.
Auditing controls and properties are modified through GPOs in Windows 2000, Windows XP, and Windows Server 2003. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy, in the Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policies tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel.
The settings for each GPO indicate which types of events, and which outcome of those events, cause a log entry to be written. Here are the options for auditing policies (the policy names are those shown in the Local Security Policy snap-in and are restored here; the original extraction kept only the descriptions):

Audit account logon events: Writes an entry when domain users log on to the system
Audit account management: Indicates when user accounts are added, modified, or deleted
Audit directory service access: Audits when queries and other communications with Active Directory are made
Audit logon events: Writes an entry when local users log on to the system
Audit object access: Indicates when certain files, folders, or other system objects are opened, closed, or otherwise “touched”
Audit policy change: Audits when local policies (such as the Local Security Policy) and their associated objects are changed ...
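A practical way to check which of these policies are actually in effect on a machine, rather than reading them one by one in the snap-in, is to export the effective security settings with `secedit /export /cfg audit.inf` and inspect the [Event Audit] section of the resulting template. The following script is an added example, not code from the book or from Microsoft; it parses that section and reports, per policy, whether success and failure auditing are enabled and which policies audit nothing at all. The sample template text is constructed for the example; in a real export the key names (AuditAccountLogon, AuditLogonEvents, and so on) and the values (0 = none, 1 = success, 2 = failure, 3 = both) are what secedit writes, and the file is UTF-16 encoded.

```python
"""Report the audit policy recorded in a security template exported with
`secedit /export /cfg audit.inf` (added example; the template below is constructed)."""
import configparser

# Bit flags used by security templates for audit settings
SUCCESS = 1
FAILURE = 2

# Key names as they appear in the [Event Audit] section of a template,
# mapped to the policy names shown in the Local Security Policy snap-in
AUDIT_KEYS = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}

# Constructed sample of an exported template (real exports carry more sections)
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_audit_policy(inf_text):
    """Return {policy name: (success_enabled, failure_enabled)} from the
    [Event Audit] section. Keys missing from the template count as 0 (no auditing)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the template's key case
    cp.read_string(inf_text)
    policy = {}
    for key, name in AUDIT_KEYS.items():
        value = int(cp.get("Event Audit", key, fallback="0"))
        policy[name] = (bool(value & SUCCESS), bool(value & FAILURE))
    return policy


def unaudited(policy):
    """Names of policies for which neither success nor failure is audited."""
    return sorted(name for name, (succ, fail) in policy.items() if not (succ or fail))


def load_template(path):
    """Read a real secedit export, which is written as UTF-16."""
    with open(path, encoding="utf-16") as fh:
        return parse_audit_policy(fh.read())


def report(policy):
    """Human-readable table of the audit settings."""
    lines = []
    for name in sorted(policy):
        succ, fail = policy[name]
        lines.append(f"{name:34} success={'on ' if succ else 'off'} failure={'on ' if fail else 'off'}")
    gaps = unaudited(policy)
    if gaps:
        lines.append("No auditing configured for: " + ", ".join(gaps))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_audit_policy(SAMPLE_INF)))
```

To check a live machine, run `secedit /export /cfg audit.inf` from an elevated prompt and call `load_template("audit.inf")`; the report flags policies such as object access that are set to "No auditing", which is the usual reason an expected security log entry never appears.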