Auditing is a general-purpose tool that has been part of Windows since the days of Windows NT. It works by waiting for a specific type of event to occur and then recording that event so it can be viewed in the Event Viewer.

Traditionally, auditing was most often used for user logon/logoff (to track tardy employees) and for sensitive file access (to see who accessed a file and how often). More recent enhancements allow the system to also report on events such as changes to user accounts and permissions.

Auditing in Windows Vista is configured in several different ways, depending on what needs to be audited and where those objects reside. Generally, the first step is to enable the specific type of auditing through the audit policy, which in most cases starts the audit process on its own. Auditing is turned on through the Local Security Policy (or a Group Policy if you are in a domain). You can find the Local Security Policy within Administrative Tools. The types of events that can be audited include:

  • Audit Account Logon Events: Tracks user logon and logoff events.
  • Audit Account Management: Reports changes to user accounts.
  • Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or an XP system, the directory service is NTLM-based and consists of user accounts and group policies.
  • Audit Logon Events: Reports the success or failure of any local or remote access-based logon.
  • Audit Object Access: Reports file and folder access. Must be enabled here, and then each individual file or folder must also be configured for auditing within its Properties, in order to fully enable this feature.
  • Audit Policy Change: Reports changes to group policies.
  • Audit Privilege Use: Related to Audit Object Access; reports when permissions such as Read or Full Control are exercised.
  • Audit Process Tracking: Reports process and program failures. Not security related.
  • Audit System Events: Reports standard system events. Not security related.

Any of the auditing options listed above can be enabled. Within the Local Security Policy, double-click the appropriate option, such as Audit Policy Change, and check Success and/or Failure. Click OK to apply your changes.

If it becomes necessary to audit file or folder access, the Audit Object Access option must be enabled and then the file or folder must be flagged for auditing. From that point, related events will appear in the Event Viewer.
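The two-step procedure described above (enable Audit Object Access in the policy, then flag the folder itself) can also be scripted. The following PowerShell script is an added example, not code from the original article; it assumes an elevated PowerShell 2.0 or later session, and the folder path `C:\Payroll` and the `Everyone` principal are placeholders chosen for this example. `auditpol.exe` is the command-line counterpart of the Local Security Policy audit settings, and the Security log event IDs 4656 and 4663 are the Vista-era object-access events.

```powershell
# Added example (not from the original article): enable object-access auditing,
# attach an audit entry (SACL) to a folder, and read the resulting Security log events.
# Assumes an elevated PowerShell 2.0+ session. Folder and account are placeholders.

$folder  = 'C:\Payroll'   # constructed example path: replace with the folder to audit
$account = 'Everyone'     # whose access to the folder should be recorded

# Step 1: turn on the audit policy (the "Audit Object Access" option in the text).
# Both Success and Failure are enabled, matching the Success/Failure check boxes.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# Step 2: flag the folder for auditing by adding an audit rule (SACL entry).
# Get-Acl -Audit reads the SACL, which is why the session must be elevated.
$acl     = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $account, $rights, $inherit, $prop, $flags
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: read the matching events that now appear in the Security log.
# 4656 = a handle to an object was requested; 4663 = an attempt was made to access an object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r`n")[0] } } |
    Format-Table -AutoSize
```

Run this once as an administrator, then touch a file under the folder with the audited account; the next run of the `Get-WinEvent` pipeline lists the 4656/4663 entries for that access. Step 3 is the same information the article says will "appear in the Event Viewer", just filtered to the folder of interest.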

Tags: vista audit, process tracking, event viewer, audit object access, diana huggins