70-270: MCSE Guide to Microsoft Windows XP Professional (MCSE/MCSA Guides)

Auditing allows you to track both user activities and Windows XP Professional activities, which are called events, on a computer. Through auditing, you can specify that Windows XP Professional writes a record of an event to the security log, which maintains a record of valid and invalid logon attempts and events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:

• The action that was performed
• The user who performed the action
• The success or failure of the event and when the event occurred

After this lesson, you will be able to

• Describe the purpose of auditing
• Plan an audit strategy and determine which events to audit

Estimated lesson time: 15 minutes

Understanding Audit Policies

An audit policy defines the types of security events that Windows XP Professional records in the security log on each computer. The security log allows you to track the events that you specify.

Windows XP Professional writes events to the security log on the computer on which the event occurs. For example, any time someone tries to log on and the logon attempt fails, Windows XP Professional writes an event to the security log on that computer.

You can set up an audit policy for a computer to do the following:

• Track the success and failure of events, such as logon attempts by users, an attempt by a particular user to read a specific file, changes to a user account or to group memberships, and changes to your security settings
• Eliminate or minimize the risk of unauthorized use of resources

You use Event Viewer to view events that Windows XP Professional has recorded in the security log. You can also archive log files to track trends over time-for example, to determine the use of printers or files or to verify attempts at unauthorized use of resources.

Determining What to Audit

When you plan an audit policy, you must determine what you want to audit and the computers on which to set up auditing. Auditing is turned off by default. As you determine which computers to audit, you must also plan what to audit on each one. Windows XP Professional records audited events on each computer separately.

The types of events that you can audit include the following:

• Accessing files and folders
• Logging on and off
• Shutting down a computer running Windows XP Professional
• Starting a computer running Windows XP Professional
• Changing user accounts and groups
• Attempting to make changes to Active Directory objects (only if your Windows XP Professional computer is part of a domain)

After you have determined the types of events to audit, you must also determine whether to audit the success of events, the failure of events, or both. Tracking successful events can tell you how often Windows XP Professional or users access specific files, printers, or other objects, and you can use this information for resource planning.

Tracking failed events can alert you to possible security breaches. For example, if you notice several failed logon attempts by a certain user account, especially if they are occurring outside normal business hours, you can assume that an unauthorized person is attempting to break into your system.

Other guidelines in determining your audit policy include the following:

• Determine whether you need to track system usage trends. If so, plan to archive event logs. This will allow you to view how usage changes over time and will allow you to plan to increase system resources before they become a problem.
• Review security logs frequently. You should set a schedule and regularly review security logs because configuring auditing alone doesn't alert you to security breaches.
• Define an audit policy that is useful and manageable. Always audit sensitive and confidential data. Audit only those events that will provide you with meaningful information about your network environment. This minimizes usage of the computer's resources and makes essential information easier to locate. Auditing too many types of events can create excess overhead for Windows XP Professional.

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

1. What is auditing?
2. What is an audit policy?
3. On a computer running Windows XP Professional, auditing is turned ______ (on/off) by default.
4. When you are auditing events on a computer running Windows XP Professional, where are the audited events being recorded?
5. When you are auditing events on a computer running Windows XP Professional, why would you track failed events?

Lesson Summary

• On a computer running Windows XP Professional, auditing helps ensure that your network is secure by tracking user activities and systemwide events.
• You set up an audit policy to specify which events to record.
• Windows XP Professional records audited events in the security log.
• You use Event Viewer to view the security log.
• In planning an audit policy, you must determine on which computers to set up auditing and what to audit on each one.
• You can audit the success of events, the failure of events, or both.