Auditing is a general tool that has been around since the days of Windows NT. Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events. Traditionally, auditing was most frequently performed for user logon/logoff (to track tardy employees) and sensitive file access (to see who and how often file access occurred).

Auditing in Windows Server 2003 is configured in several different ways, all depending upon what needs to be audited, and where that object resides. Generally, the first step is to enable the specific type of auditing through the audit policy, which will usually begin the audit process at that point. Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools. The audit policy events include:

  • Audit Account Logon Events: Tracks user logon and logoff events.
  • Audit Account Management: Reports changes to user accounts
  • Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server, directory service is NTLM-based, and consists of user accounts and group policies.
  • Audit Logon Events: Reports success/failure of any local or remote access-based logon.
  • Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
  • Audit Policy Change: Reports changes to group policies
  • Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
  • Audit Process Tracking: Reports process and program failures. Not security related.
  • Audit System Events: Reports standard system events. Not security related.

To enable auditing locally in Windows Server 2003, open the Control Panel, Administrative Tools, and double click Local Security Policy. Expand Local Policies and select Audit Policy. Double click any of the available policy settings in the details pane and click Success and/or Failures.

If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled.

[tags]administrative tools,group policy,windows server 2003 auditing,performance monitor,event viewer[/tags]