Group Policy Settings (part 4) - The Audit Policy

3/14/2011 10:16:35 PM

The Audit Policy

Auditing is a critical component of the security program for every company. You can configure systems to record what your users do (Success) and what your users attempt to do (Failure). Audit policies are defined within the Local Computer Policy (LCP) and within GPOs. The audit policy is located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. You can configure nine audit policies, as shown in Figure 9.

Figure 9. Configuring the Object Access audit policy within a GPO.

Audited events are recorded in the Security log on the computer where the event occurs and can be reviewed in the Event Viewer on that computer. Security log events (and events from the other logs) from multiple Windows Vista computers can be forwarded to an Event Collector server.

Most of the audit policies take effect as soon as the LCP or GPO setting is configured. Two of them, Directory Service Access and Object Access, also require configuration on the objects being tracked: the auditing entries must be set on each object's System Access Control List (SACL), which is sometimes also called the Security Access Control List. The GPO turns on the auditing engine; the SACL identifies specifically which users and which objects will be tracked.

You can access the SACL by following these steps:

1. Right-click on the Files, Folders, Printers, or AD objects of interest and select Properties.

2. Select the Security tab and click Advanced.

3. Select the Auditing tab to access the SACL for these types of objects.

Tip

If the Security tab is not visible on AD objects, you must select View > Advanced Features from the menu to enable it.


For Registry objects, after enabling the Audit Object Access audit policy, right-click the desired Registry key and select Permissions. Click Advanced and select the Auditing tab. This is the SACL for Registry Keys, Values, and Data, as shown in Figure 10.

Figure 10. Configuring the System Access Control List (SACL) in the Registry.
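The same two-part setup can be done from the command line. The following PowerShell script is an added example, not part of the original article: it writes audit entries into the SACL of a folder and of a Registry key (the second half of Object Access auditing), reads them back, and then uses auditpol to confirm that the first half, the Audit Object Access policy from the LCP or GPO, is actually in effect. C:\Finance and HKLM:\SOFTWARE\Contoso are constructed placeholder names, and the script assumes an elevated prompt because changing a SACL requires the Manage auditing and security log right.

```powershell
# Added example (not from the original article): configure the SACL half of
# Object Access auditing for a folder and a Registry key, then confirm that
# the policy half ("Audit Object Access" in the LCP or GPO) is enabled.
# Assumed, constructed names: C:\Finance and HKLM:\SOFTWARE\Contoso.
# Run from an elevated prompt; writing a SACL needs SeSecurityPrivilege.

$folder = 'C:\Finance'
$regKey = 'HKLM:\SOFTWARE\Contoso'

# --- 1. Folder SACL: record successful and failed delete/write attempts by anyone.
$acl = Get-Acl -Path $folder -Audit
$fileRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',                          # who is tracked
    'Delete,WriteData,AppendData',       # which accesses are tracked
    'ContainerInherit,ObjectInherit',    # this folder, subfolders and files
    'None',                              # no propagation restrictions
    'Success,Failure')                   # log both outcomes
$acl.AddAuditRule($fileRule)
Set-Acl -Path $folder -AclObject $acl

# --- 2. Registry SACL: record successful and failed changes to the key.
$regAcl = Get-Acl -Path $regKey -Audit
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'Everyone',
    'SetValue,CreateSubKey,Delete',
    'ContainerInherit',                  # this key and its subkeys
    'None',
    'Success,Failure')
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $regKey -AclObject $regAcl

# --- 3. Read the SACLs back to verify that the entries were written.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags -AutoSize
(Get-Acl -Path $regKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize

# --- 4. A SACL alone records nothing: the audit policy must also be on.
# auditpol reports the effective setting whether it came from the LCP or a GPO,
# so "No Auditing" here means step 1 and 2 will never produce Security log events.
auditpol /get /category:"Object Access"
```

If auditpol reports No Auditing for Object Access, check the Audit Policy node of the LCP or the linked GPO (and run gpupdate) before expecting any file or Registry events in the Security log.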

Alert

The following is a review of what each audit policy setting accomplishes:

  • Audit Account Logon Events: Logs a user's domain account logons on the domain controller (DC).

  • Audit Account Management: Logs changes to user objects in AD.

  • Audit Directory Service Access: Logs access to objects in AD. This audit policy setting requires the additional SACL configuration on the AD objects of interest.

  • Audit Logon Events: Logs a user's local account logons on the local computer.

  • Audit Object Access: Logs access to Files, Folders, Printers, and Registry components (Keys, Values, and Data). This audit policy setting requires the additional SACL configuration on the objects of interest.

  • Audit Policy Change: Logs changes to user rights, auditing, or trust settings within GPOs.

  • Audit Privilege Use: Logs the use of rights that have been granted.

  • Audit Process Tracking: Logs actions of and interactions between applications.

  • Audit System Events: Logs shutdowns and events that affect the System or Security logs.

Understand the difference between the Audit Account Logon Events and the Audit Logon Events audit policies!
