
Group Policy Settings (part 4) - The Audit Policy

3/14/2011 10:16:35 PM

The Audit Policy

Auditing is a critical component of the security program for every company. You can configure systems to record what your users do (Success) and what your users attempt to do (Failure). Audit policies are defined within the Local Computer Policy (LCP) and within GPOs. The audit policy is located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. You can configure nine audit policies, as shown in Figure 9.

Figure 9. Configuring the Object Access audit policy within a GPO.

Audited events are recorded in the Security log on the computer where the event occurs and can be reviewed in the Event Viewer on that computer. Security log events (and any other types of events) from multiple Windows Vista computers can be forwarded to an Event Collector server.

Most of the audit policies need only the LCP or GPO setting to be effective. Two of them, Directory Service Access and Object Access, require additional configuration beyond the GPO audit policy setting. The additional settings reside on the properties of the objects being tracked and must be configured on each object's System Access Control List (SACL). (This may also be called the Security Access Control List, SACL.) The GPO turns on the auditing engine, and the SACL identifies specifically which users and which objects will be tracked.

You can access the SACL by following these steps:

1. Right-click on the Files, Folders, Printers, or AD objects of interest and select Properties.

2. Select the Security tab and click Advanced.

3. Select the Auditing tab to access the SACL for these types of objects.

Tip

If the Security tab is not visible on AD objects, you must select View > Advanced Features from the menu to enable it.


On Registry objects, after enabling the Audit Object Access audit policy, right-click the desired Registry object and select Permissions. Click Advanced and select the Auditing tab. This is the SACL for Registry Keys, Values, and Data, as shown in Figure 10.

Figure 10. Configuring the System Access Control List (SACL) in the Registry.
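The same two-part setup (audit policy on, then a SACL on each object) can be scripted. The following PowerShell is an added example, not part of the original article; the folder `C:\AuditDemo`, the key `HKLM:\SOFTWARE\AuditDemo`, and the `Everyone` principal are constructed for illustration, and it assumes PowerShell is installed and the prompt is elevated.

```powershell
# Added example: constructed paths and principal; run from an elevated prompt.
$folder = 'C:\AuditDemo'               # hypothetical folder to track
$regKey = 'HKLM:\SOFTWARE\AuditDemo'   # hypothetical Registry key to track
$who    = 'Everyone'                   # principal whose access is recorded

# Part 1: the audit policy turns the auditing engine on.
# auditpol.exe reports the effective setting, whether it came from the LCP or a GPO.
auditpol /get /category:"Object Access"
# Standalone test machine only; on a domain member, set this in the GPO instead:
# auditpol /set /category:"Object Access" /success:enable /failure:enable

# Part 2: the SACL says which users and which objects are tracked.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-Item -Path $regKey -Force | Out-Null

function Add-AuditRule {
    param([string]$Path, $Rule)
    # -Audit makes Get-Acl return the SACL along with the DACL. Reading or
    # writing a SACL needs the "Manage auditing and security log" user right.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Folder: record successful and failed writes and deletes, inherited by children.
$fsArgs = $who, 'Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $fsArgs
Add-AuditRule -Path $folder -Rule $fsRule

# Registry key: record successful and failed value changes and deletes.
$regArgs = $who, 'SetValue, Delete', 'ContainerInherit', 'None', 'Success, Failure'
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $regArgs
Add-AuditRule -Path $regKey -Rule $regRule

# Read both SACLs back to confirm what the Auditing tab would show.
foreach ($p in $folder, $regKey) {
    (Get-Acl -Path $p -Audit).Audit |
        Format-Table IdentityReference, AuditFlags, *Rights -AutoSize
}
```

If the audit policy reports "No Auditing" for Object Access, the SACL entries above are stored but produce no Security log events, which is the dependency the text describes.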

Alert

The following is a review of what each audit policy setting accomplishes:

  • Audit Account Logon Events— Logs a user’s domain account logons on the domain controller (DC).

  • Audit Account Management— Logs changes to user objects in AD.

  • Audit Directory Service Access— Logs access to objects in AD. This audit policy setting requires the additional SACL configuration on the AD objects of interest.

  • Audit Logon Events— Logs a user’s local account logons on the local computer.

  • Audit Object Access— Logs access to Files, Folders, Printers, and Registry components (Keys, Values, and Data). This audit policy setting requires the additional SACL configuration on the objects of interest.

  • Audit Policy Change— Logs changes to user rights, auditing, or trust settings within GPOs.

  • Audit Privilege Use— Logs the use of rights that have been granted.

  • Audit Process Tracking— Logs actions of and interactions between applications.

  • Audit System Events— Logs shutdowns and events that affect the System or Security logs.

Understand the difference between the Audit Account Logon Events and the Audit Logon Events audit policies!
