Chapter 2. Auditing Subsystem Architecture

The Windows auditing subsystem has been part of the operating system since the first Windows NT release. It lets kernel-mode and user-mode components and applications report security audit events, which are recorded in the Security event log.

In this chapter you will find information about legacy and advanced auditing settings, the group policy settings that control auditing, the architecture of the auditing subsystem, and the structure of security events.

Legacy Auditing Settings

Legacy auditing was the only security auditing mechanism available on pre-Vista Windows systems. It is far less granular than the advanced auditing introduced in Windows Vista (its nine categories have no subcategories), but it still performs its function.

Legacy auditing settings are configured through Windows group policy. Pre-Vista systems shipped no built-in command-line tool, such as auditpol, for configuring local auditing settings; auditpol was instead distributed with the Windows 2000, XP, and 2003 resource kits. The auditusr command-line tool was included in pre-Vista operating systems, but it configures per-user auditing settings only. See Chapter 10 for more information about per-user auditing.

Group policy settings for legacy auditing categories are located under the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ node. You can view and edit local group policy settings using the gpedit.msc management console. Figure 2-1 shows an example of legacy auditing group ...
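The following PowerShell script is an added example and is not code from the book. It shows how a practitioner can read the effective legacy audit policy (the nine categories behind the Audit Policy node above) without opening gpedit.msc, by exporting the local security policy with secedit.exe and decoding the [Event Audit] section, and then lists the same machine's policy at subcategory granularity with auditpol.exe. It assumes a Vista or later system where both tools are on the PATH and the shell is elevated; the temporary file name and the variable names are the example's own.

```powershell
# Added example (not from the book): decode the legacy audit categories
# from a secedit export, then show the advanced (subcategory) view.
# Assumes: Windows Vista or later, elevated PowerShell, secedit.exe and
# auditpol.exe on the PATH. The temp file name is arbitrary.

$inf = Join-Path $env:TEMP 'legacy-audit-export.inf'

# secedit writes the effective local security policy as an .inf file;
# the [Event Audit] section carries the nine legacy audit categories.
secedit.exe /export /cfg $inf /quiet | Out-Null

$legacy    = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') {
        # Track whether we are inside [Event Audit]; other sections are ignored.
        $inSection = ($Matches[1] -eq 'Event Audit')
        continue
    }
    if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d+)') {
        $legacy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Legacy category values: 0 = No auditing, 1 = Success, 2 = Failure,
# 3 = Success and Failure (the same flags the Audit Policy GUI toggles).
$decode = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }

"Legacy audit policy (from [Event Audit]):"
$legacy.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-24} {1}' -f $_.Name, $decode[$_.Value]
}

# The same policy viewed per subcategory, as Vista+ actually applies it.
"`nAdvanced audit policy (auditpol):"
auditpol.exe /get /category:*
```

Run it on a domain-joined and a stand-alone machine and compare the two listings: the [Event Audit] values are what the legacy Audit Policy node sets, while the auditpol output shows the subcategories those values map to, which is where the advanced auditing discussed later in this chapter operates.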
