Using Auditing and the Event Log
Keeping track of what your system is doing is one of the most important, but tedious, processes of good IT security management. In this section, I'll look at the tools to audit events that happen on your system and the utilities used to view them.
Auditing controls and properties are modified through GPOs in Windows 2000, Windows XP, and Windows Server 2008. Assuming your computer is participating in an Active Directory domain, you can find the domain auditing policy inside the Default Domain Policy, in the Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policies tree. Otherwise, you can view the Local Security Policy through the Administrative Tools applet in the Control Panel.
The settings for each GPO indicate for which types of event, and for which outcome, a log entry will be written. Here are the options for auditing policies:
- Audit account logon events: Writes an entry when domain users authenticate against a domain controller
- Audit account management: Indicates when user accounts are added, modified, or deleted
- Audit directory service access: Audits when queries and other communications with Active Directory are made
- Audit logon events: Writes an entry when local users access a resource on a particular computer
- Audit object access: Indicates when certain files, folders, or other system objects are opened, closed, or otherwise "touched"
- Audit policy change: Audits when local policies (such as the Local Security Policy) ...