11.2. Enabling Auditing

Problem

You want to enable auditing to track certain types of activity, so that if a security-related issue arises later (e.g., a user account accidentally deleted, or an account compromised) you can backtrack and determine its cause.

Solution

Using a graphical user interface

  1. Open the Local Security Policy snap-in.

  2. In the left pane, expand Local Policies → Audit Policy.

  3. In the right pane, double-click the setting you want to enable, and check the box beside Success and/or Failure depending on the types of events you want to audit.

You can force new auditing settings to be applied by running the secedit command on Windows 2000 or the gpupdate command on Windows Server 2003.

Run the following command on Windows 2000:

> secedit /refreshpolicy machine_policy

And run this command on Windows Server 2003:

> gpupdate /target:computer
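Once the policy has been refreshed, the quickest way to confirm which of the nine categories actually took effect is to export the effective security template with `secedit /export /cfg audit.inf /areas SECURITYPOLICY` and read its `[Event Audit]` section. The following added example (not from the book) decodes that section, using a constructed sample export embedded inline; the `CATEGORIES` names are the keys secedit writes, and the value encoding (0 = none, 1 = Success, 2 = Failure, 3 = both) is the template format's, not something defined on this page.

```python
# Constructed sample of a "secedit /export /cfg audit.inf" result, trimmed
# to the sections that matter here. Real exports are UTF-16 text files.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 1
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The nine audit categories as named in a security template.
CATEGORIES = (
    "AuditSystemEvents", "AuditLogonEvents", "AuditObjectAccess",
    "AuditPrivilegeUse", "AuditPolicyChange", "AuditAccountManage",
    "AuditProcessTracking", "AuditDSAccess", "AuditAccountLogon",
)


def parse_event_audit(text):
    """Return {category: (success_on, failure_on)} from [Event Audit]."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new INF section begins
            in_section = line.lower() == "[event audit]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in CATEGORIES:
            flags = int(value.strip())      # bit 0 = Success, bit 1 = Failure
            result[key] = (bool(flags & 1), bool(flags & 2))
    return result


def unaudited(settings):
    """Categories present in the export with neither Success nor Failure on."""
    return sorted(k for k, (s, f) in settings.items() if not (s or f))


def missing(settings):
    """Categories absent from the export entirely (nothing was written for them)."""
    return [c for c in CATEGORIES if c not in settings]


def load_inf(path):
    """Read a real secedit export; they are written as UTF-16."""
    with open(path, encoding="utf-16") as fh:
        return parse_event_audit(fh.read())
```

Compare the result against the settings you enabled in step 3; a category still reported by `unaudited` after `secedit /refreshpolicy` or `gpupdate` usually means a domain group policy is overriding the local setting.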

Discussion

Windows supports auditing of various account- and system-related events, which can be invaluable when troubleshooting a security incident. You can enable auditing of nine different types of access on a local server. You can also configure these settings via an Active Directory group policy, which overrides any local settings that you've defined. After auditing has been configured, audit messages are created in the Security event log.

The big question is: which audit settings should you enable? If you turned on everything, your server would start flooding your Security event log and ultimately it wouldn't be very useful. In fact, there ...
