Auditing lets you track specific events that occur on your computer. For example, you can track when users log on and off. The way auditing works is that it waits for a specific event to occur, such as an unsuccessful logon, and then reports on it within the Event Viewer.
Auditing is configured through the local security policy. To open the local security policy, click Start, type secpol.msc and press Enter. Within the Local Security Policy, expand Local Policies and click Audit Policy. The various events that you can audit are listed in the Details pane. In Windows 7, you can audit the following types of events:
- Audit Account Logon Events – Tracks user logon and logoff events.
- Audit Account Management – Reports changes to user accounts
- Audit Directory Service Access – Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
- Audit Logon Events – Reports success/failure of any local or remote access-based logon.
- Audit Object Access – Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
- Audit Policy Change – Reports changes to group policies
- Audit Privilege Use – Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
- Audit Process Tracking – Reports process and program failures. Not security related.
- Audit System Events – Reports standard system events. Not security related.
Any of the auditing options listed above can be enabled. Simply double click the appropriate option, such as Audit Policy Change, and click Success and/or Failure. Click OK to apply your changes.