Auditing
Windows 2000
A
uditing provides a means of tracking all events in
Windows 2000 to monitor system access and ensure
system security.
Auditing Overview
In Windows 2000, auditing provides a means of tracking events
and is an important facet of security for individual computers
as well as the enterprise. As described in other chapters
(notably Chapter 6, which covers the Event Viewer), Microsoft
defines an event as any significant occurrence in the operating
system or an application that requires users (particularly
administrators) to be notified. Events are recorded in event
logs that you can manage with the Event Viewer console
snap-in.
Auditing enables you to track specific events. More specifi-
cally, auditing enables you to track the success or failure of
specific events. For example, you might audit logon attempts,
tracking who succeeds in logging on (and when) and who fails
at logging on. Or, you might audit object access on a given
folder or file, tracking who uses it and the tasks they perform
on it. You can track an overwhelming variety of events in
Windows 2000, as you’ll learn a little later in the chapter.
Windows 2000 provides several categories of events you can
audit. The following list describes these event categories:
✦ Account Logon Events: Track user logon and logoff via a
user account.
✦ Account Management: Track when a user account or
group is created, changed, or deleted; a user account is
renamed, enabled, or disabled; or a password is set or

changed.
19
19
CHAPTER
✦✦✦✦
In This Chapter
Auditing Overview
Configuring Auditing
Examining the
Audit Reports
Enabling Auditing—
Some Case Studies
✦✦✦✦
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 709
710
Part V ✦ Availability Management
✦ Directory Service Access: Track access to the Active Directory.
✦ Logon Events: Track non-local authentication events such as network use of a
resource or a remote service logging on using the local System account.
✦ Object Access: Track when objects are accessed and the type of access per-
formed. For example, track use of a folder, file, printer, and so on. Configure
auditing of specific events through the object’s properties (such as the
Security tab for a folder or file).
✦ Policy Change: Track changes to user rights or audit policies.
✦ Privilege Use: Track when a user exercises a right other than those associ-
ated with logon and logoff.
✦ Process Tracking: Track events related to process execution such as program
execution.
✦ System Events: Track such system events as restart, startup, shutdown, or
events that affect system security or the security log.

Within each category, you’ll find several different types of events—some common
and some specific to the objects or events being edited. For example, when you
audit registry access, the events are very specific to the registry. So rather than
cover every possible event that can be audited, this chapter explains how to enable
and configure auditing, and looks at specific cases and how auditing improves secu-
rity and monitoring in those cases.
Configuring Auditing
Configuring auditing can be either a one- or two-step process, depending on the
type of events for which you’re configuring auditing. For all but object access,
enabling auditing simply requires that you define the audit policy for the given
audit category. You have an additional step for object access auditing, however,
that is configuring auditing of specific objects. For example, enabling auditing for
the policy Audit object access doesn’t actually cause any folders or files to be
audited. Instead, you have to configure each folder or file individually for auditing.
Enabling Audit Policies
Before you begin auditing specific events, you need to enable auditing of that
event’s category. You configure auditing through the computer’s local security pol-
icy, group policy, or both. If domain audit policies are defined, they override local
audit policies. This chapter assumes you’re configuring auditing through the local
security policy. If you need to configure auditing through group policies, use the
Domain Security Policy console to enable auditing.
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 710
711
Chapter 19 ✦ Auditing Windows 2000
To configure auditing through the local security policy, open the Security Policy
console snap-in by choosing Start➪ Programs➪ Administrative Tools➪ Local
Security Policy. Open the Security Settings/Local Policies/Audit Policy branch. As
Figure 19-1 illustrates, each audit policy category appears with its local setting and
effective setting. The effective setting reflects the application of group policies,
if any.

Figure 19-1: Use either the local security policy or domain policy
to enable auditing.
Double-click a policy to display its settings (Figure 19-2). You can enable auditing of
both success and failure of events in the selected category. Using the logon exam-
ple given previously, for example, you might audit successful logon to track who
is using a given system and when. You might track unsuccessful logon to track
attempts at unauthorized use of a system. Select Success, Failure, or both, as
desired, and then click OK.
Figure 19-2: Select the types of events
(success or failure) for which you want to
enable auditing.
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 711
712
Part V ✦ Availability Management
After you configure each category as desired, close the Security Policy console. See
the next section if you’re configuring auditing of object access. Otherwise, audit
events will begin appearing in the Security log. Make sure you configure the
Security log’s size and overflow behavior to accommodate the audit events.
Auditing Object Access
The second step in configuring object access auditing is to enable auditing on the
individual objects you want to monitor, such as folders, files, registry keys, and so
on. You typically configure the objects where you find them in the UI, such as
Explorer for folders and files, the Printers folder for printers, and Regedt32 for the
registry keys. The types of events you can audit for a given object depend on the
object itself. Events for file access, for example, are different to events for registry
key access.
See Chapter 23 for more information on controlling and monitoring printer access.
To configure auditing for a folder or file, open Explorer and locate the object. Right-
click the object and choose Properties to view its property sheet. Click Security➪
Advanced to open the Access Control Settings dialog box. Click the Auditing tab to

show the Auditing page, then click Add. Select a user, computer, or group that you
want to audit, and click OK. Windows 2000 displays an object dialog box that lists
the events you can audit for the selected object (Figure 19-3).
Figure 19-3: Select Successful or Failed as
desired to configure auditing for each event
type.
Note
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 712
713
Chapter 19 ✦ Auditing Windows 2000
Select Successful for a given event if you want to record successful completion of
the event. Select Failed to monitor failed attempts. The option “Apply these audit-
ing entries to objects and/or containers within this container only” applies auditing
to only the contents of the selected container (such as the files in the selected
folder). The contents of subfolders are audited unless this option is selected.
As you’re defining the audit policy for a selected object, keep in mind that you
could potentially generate a huge number of events in the Security log. Unless you
have a specific reason to audit success on a given event, you should consider only
auditing failure to reduce traffic to the log and load on the computer. Auditing
failed access is typically most useful for tracking attempts at unauthorized access.
After you’re satisfied with the audit event selections, click OK. Repeat the process
to add other users, groups, or computers to the list. On the Access Control Settings
dialog box (Figure 19-4), you’ll find two options that control how auditing entries
are affected by the parent object and affect child objects:
Figure 19-4: Use the Auditing
page of the Access Control
Settings dialog box to configure
auditing for a selected object.
✦ Allow inheritable auditing entries from parent to propagate to this object.
Select this option if you want auditing properties to be inherited by the cur-

rent object from its parent object. Deselect this option to prevent audit prop-
erties from being inherited.
✦ Reset auditing entries on all child objects and enable propagation of
inheritable auditing entries. Select this option to clear and audit properties
configured within child objects (such as subfolders) and to allow the audit
properties for the current object to propagate to child objects.
Caution
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 713
714
Part V ✦ Availability Management
Close the object’s property sheets when you’ve finished defining the audit policy
for the object. Auditing will begin immediately.
Examining the Audit Reports
As explained previously, Windows 2000 records audited events to the Windows
2000 Security log. You can use the Event Viewer console snap-in to view the event
logs, save logs as log files for future viewing, and save the logs in either tab- or
comma-delimited formats.
Using the Event Viewer
You can use the Event Viewer console snap-in to view and manage the event logs.
In addition to the Security log, you can manage the Application and System logs, as
well as any additional logs created by Windows 2000 services or applications. By
default, the Event Viewer displays the logs dynamically, meaning new events are
added to a log as you’re viewing it. You also can save a log to disk to use as a bench-
mark or simply to archive a log before clearing it. Figure 19-5 shows the Security log
in the Event Viewer.
Figure 19-5: You can browse the Security log (and others) using the
Event Viewer.
For detailed information on the Event Viewer console snap-in, including how to
save logs and configure log behavior, see Chapter 5.
Cross-

Reference
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 714
715
Chapter 19 ✦ Auditing Windows 2000
Using Other Tools
The Event Viewer provides the means through which you configure the event logs
as well as view them. Because you can save a log to a text file, however, you can use
other applications to view a log. For example, you might save a log to a comma-
delimited file so you can import the file into Microsoft Access or other database
application to create a database you can easily organize by event ID, source, and so
on. Or, you might export the data to a text file, and import it into a word processor
to create a report. Just make sure you pick an application that can import tab- or
comma-delimited files and export the log files in the appropriate format. See also
Chapter 20 for information on using the Alert services of the Performance Logs and
Alerts console.
A handful of other third-party tools exist for viewing a system’s log files. One in
particular worth considering is RippleTech’s LogCaster. Providing a mechanism to
manage the event logs is just a small part of what LogCaster does. It not only pro-
vides a unified interface for viewing the event logs, but it also serves as an excellent
warning system for administrators. LogCaster provides real-time monitoring of the
event logs, services, TCP/IP devices, performance counters, and ASCII logs. It pro-
vides automatic delivery of alerts through a variety of mechanisms including pag-
ing, e-mail, ODBC, SNMP, and others. When a given event occurs, you can have
LogCaster automatically notify you regardless of where you are. Whether you’re
tracking system performance, want to be notified of audit events, or want to be
warned of a possible system intrusion, you’ll find LogCaster an excellent resource.
You can locate RippleTech on the Internet at
www.rippletech.com.
Enabling Auditing
Although you could audit every event, doing so wouldn’t be practical because

you’d place an undue load on the system and either end up with an enormous log
file or spend all your time worrying about archiving the logs. The following sections
examine some specific situations and how you might employ auditing.
Leaving Auditing Off
The first option is to leave auditing off altogether, and this is not a bad option in
some situations. If you’re not concerned with security, there’s no real reason to
enable or perform auditing. Turning off auditing reduces system overhead and
helps simplify log management. However, most organizations will or should be
concerned with security at least to some degree, so this option might not fit your
needs.
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 715
716
Part V ✦ Availability Management
Turning All Auditing On
At the other end of the auditing spectrum is complete auditing. If you’re very con-
cerned about security or shooting for C2 security certification, this might be an
option. However, bear in mind that your system will probably generate a huge num-
ber of events requiring very active management of the security log. As an alterna-
tive to full logging, consider logging only failure events and not success events.
Auditing Problem Users
Certain users, for one reason or another, can become an administrator’s worst
nightmare. In some cases, it’s through no fault of the user, but is instead due to
problems with the user’s profile, account, and so on. In other cases, the user can be
at fault, frequently using the wrong password, incorrectly typing the account name,
trying to log on during periods when they are not allowed to, or even trying to
access resources for which they have no permissions (or need). In these situations,
you’ll want to monitor events associated with the given user and might even need
to retain the information for counseling or termination purposes.
Which types of events you audit for a given user or group depends on the problem
area. For example, audit account logon events if the user has trouble logging on or

attempts to log on during unauthorized hours. Track object access to determine
when a user or group is attempting to access a given resource such as a folder
or file. Tailor other auditing to specific tasks and events generated by the user
or group.
Auditing Administrators
Auditing administrators is a good idea, not only to keep track of what administra-
tors are doing, but also to detect unauthorized use of administrative privileges.
Keep in mind, however, that auditing impacts system performance. In particular,
you should consider auditing account logon events, account management, policy
change, and privilege use of an administrator only if you suspect an individual.
Rather, control administrators by delegating through the wise use of groups and
organizational units.
Auditing Critical Files and Folders
One very common use for auditing is to track access to important folders and files.
In addition to tracking simple access, you probably will want to track when users
make or attempt to make specific types of changes to the object such as Change
Permissions and Take Ownership. This helps you monitor changes to a folder or file
that could affect security.
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 716
717
Chapter 19 ✦ Auditing Windows 2000
Summary
Auditing enables you to monitor events associated with specific users, groups, ser-
vices, and so on. These events are recorded to the Security log. The ability to moni-
tor these events is not only useful for troubleshooting, but also is an important tool
for monitoring and managing security. You can keep tabs on the actions of specific
users or groups and monitor attempts at unauthorized access to the system or its
resources.
Configuring auditing for most types of events is a one-step process. You configure
the policy for Success, Failure, or both in the local or group security policy under

Security Settings\Local Policies\Audit Policy. Configuring auditing of object access,
such as monitoring access to folders/files, printers, or the registry, requires the
additional step of configuring auditing on each object to be monitored.
✦✦✦
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 717
4667-8 ch19.f.qc 5/15/00 2:08 PM Page 718