Auditing


Exam 70-270 Study Guide


Auditing in Windows XP

If you've ever owned a car before, you know that cars require check-ups, maintenance, and other service even after you purchase the car. The same is true with computers - although they generally work well and are predictable, they can encounter problems from time to time and require your careful eye to remain working properly. Previously, we’ve covered performance logs – today, we will cover account auditing, a form of checking-up on security and accounts.


The most important thing to understand about auditing is that it is used to monitor account activity. If you were in charge of physical security for, say, a large building, you would be expected to record when people attempt to enter without proper credentials or take things that do not belong to them. The same basic principle applies to Windows XP. Auditing allows the administrator of the computer to monitor things like unsuccessful login attempts, logons, and failed access attempts. It is important that you understand that auditing is related to account security – if you do not understand this, you will not answer the auditing questions correctly.


Setting up Auditing

Now that you have a clearer idea about what auditing is, let’s take a look at how it works in Windows XP. Auditing is managed via the Group Policy and Computer Management MMC consoles. Auditing policy is adjusted via Group Policy whereas auditing logs are viewed through Computer Management.


Auditing Policy via Group Policy

To change auditing policy, go to the Group Policy MMC under Administrative Tools in the Control Panel. Audit Policy is located under “Local Policies” in the tree and contains several options for monitoring, including:


  • Account logon events: Audits users logging onto other computers from the local machine
  • Logon events: Local logon attempts
  • Account management: Changes in account/group settings
  • Object access: Access to local resources
  • Policy change: Changes to Group Policy
  • Process tracking: Program actions
  • System events: Shutdowns and restarts


Note that you can choose to audit success, failure, or both. A success is when an event occurs without an access error; a failure is when an event occurs with some kind of access error.
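The same settings can be reviewed from a policy export instead of the console. The PowerShell below is an added example, not part of the original study guide: it decodes the [Event Audit] section that secedit writes, using a constructed sample, and the function name Get-AuditPolicyFromInf is hypothetical.

```powershell
# Constructed sample of what an elevated
#   secedit /export /cfg audit.inf /areas SECURITYPOLICY
# writes; on a real machine pass (Get-Content audit.inf) instead.
$sampleInf = @'
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
Revision=1
'@

# INF key -> name shown under Local Policies > Audit Policy
$policyNames = @{
    AuditAccountLogon    = 'Account logon events'
    AuditLogonEvents     = 'Logon events'
    AuditAccountManage   = 'Account management'
    AuditObjectAccess    = 'Object access'
    AuditPolicyChange    = 'Policy change'
    AuditPrivilegeUse    = 'Privilege use'
    AuditProcessTracking = 'Process tracking'
    AuditSystemEvents    = 'System events'
    AuditDSAccess        = 'Directory service access'
}
# Stored value: 0 = off, 1 = success, 2 = failure, 3 = both
$settingNames = @('No auditing', 'Success', 'Failure', 'Success, Failure')

function Get-AuditPolicyFromInf {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # A [Section] header switches parsing on or off
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $text -match '^(\w+)\s*=\s*([0-3])$') {
            $key = $Matches[1]; $value = [int]$Matches[2]
            $name = $key
            if ($policyNames.ContainsKey($key)) { $name = $policyNames[$key] }
            New-Object PSObject -Property @{ Policy = $name; Setting = $settingNames[$value] }
        }
    }
}
Get-AuditPolicyFromInf -Lines ($sampleInf -split "`r?`n") | Sort-Object Policy | Format-Table Policy, Setting -AutoSize
```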

Auditing Object Access

As we noted before, it is possible to audit object access from Windows XP. If the “Audit object access” policy setting is enabled, object access can be audited if and only if the object is configured to be audited. To configure an object for access auditing (monitoring), go to the properties dialogue for the object and choose the Auditing tab. Then, select whether you wish for that object to be audited by adding an Auditing entry. Note that auditing is enabled on a “per user or group” basis.
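The Auditing tab entry can also be created from a script. The PowerShell below is an added example, not part of the original study guide: it adds a Failure entry for the “List folders/read data” right on a test folder and reads it back. It assumes PowerShell is installed, the session is elevated, the volume is NTFS, and an English-language system; the folder name and the BUILTIN\Users group are illustrative choices.

```powershell
# Illustrative test folder (not a path from the study guide)
$folder = Join-Path $env:TEMP 'AuditDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# One auditing entry = one user or group + the rights to watch + Success/Failure.
# ReadData is the file system right the dialog shows as "List folders/read data".
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'BUILTIN\Users', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Failure'

# -Audit loads the audit entries (SACL) along with the permissions;
# without it the auditing entries are not read at all.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the entries back, one row per user or group as on the Auditing tab
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Events for this entry are only written while the “Audit object access” policy is enabled for Failure; with the policy off, the entry exists but records nothing.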


Monitoring Security / Accessing Audit Logs

Once you have successfully implemented auditing in Windows XP, you can check the results from the Computer Management MMC, found in Administrative Tools of the Control Panel. Go to the “Event Viewer” tree entry and then to the “Security” events. All of the related auditing events will be listed in some order (you can change the order using the column arrows at the top) and it will be indicated what the audit is related to. If you wish to extend the lifetime of audit entries, you must configure Log Size under the Security Properties dialogue, found by going to Security in System Tools. Note that for computers with many auditing entries, it may be desirable for you to archive old entries in order to maintain security and available disk space.
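The same review can be scripted. The PowerShell below is an added example, not part of the original study guide: it checks the Security log's size settings, summarises recent failure audits, raises the size limit, and archives older entries. It assumes PowerShell 2.0 or later and an elevated session; the 64MB limit, the 30-day cutoff and the archive file name are illustrative choices.

```powershell
# 1. Current size limit and overwrite behaviour of the Security log
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays

# 2. Recent failure audits, grouped by event ID so repeated failures stand out
$failures = Get-EventLog -LogName Security -EntryType FailureAudit -Newest 200 `
    -ErrorAction SilentlyContinue
if ($failures) {
    $failures | Group-Object EventID | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Output 'No failure audits found (or failure auditing is not enabled).'
}

# 3. Raise the maximum log size so entries are kept longer
#    (the value must be a multiple of 64KB)
Limit-EventLog -LogName Security -MaximumSize 64MB

# 4. Archive entries older than the cutoff to CSV for offline review
$cutoff  = (Get-Date).AddDays(-30)
$archive = Join-Path $env:TEMP ('Security-{0:yyyyMMdd}.csv' -f $cutoff)
$old = Get-EventLog -LogName Security -Before $cutoff -ErrorAction SilentlyContinue
if ($old) {
    $old | Select-Object TimeGenerated, EntryType, EventID, Category, UserName, Message |
        Export-Csv -Path $archive -NoTypeInformation
    Write-Output ("Archived {0} entries to {1}" -f @($old).Count, $archive)
}
```

The CSV is a copy for review; the entries stay in the live log until it is cleared or overwritten according to the overflow setting shown in step 1.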


Moving Forward

Since auditing was the last topic covered, we’ll spend the next few lessons reviewing for the exam. Take the following quick review and see how much you have learned.


Quick Review

1. Which of the following audit policy settings would you enable to monitor attempts by users to log on to other computers from the local computer?


a. Audit Logon events

b. Audit Account logon events

c. Audit Policy change

d. Audit Privilege Use

e. Audit System events


2. You enable “Object access” auditing for a disk drive, but you do not see any failed read access attempts from a particular new user. Which of the following is the appropriate corrective action?


a. Delete the user’s account and then re-create it with the same access details

b. Enable Success next to “Full Control” in the Auditing Entry for that user

c. Enable Fail next to the “Read attributes” in the Auditing Entry for that user

d. Enable Fail next to the “List folders/read data” in the Auditing Entry for that user

e. Enable Fail next to the “Full Control” in the Auditing Entry for that user


3. Where would you go to monitor system security events?


a. Access Control List

b. Security in Event Viewer

c. System in Event Viewer

d. Device Manager

e. Central System Security Hive


Answers

1. “Audit account logon events” monitors attempts to log on to a remote computer from a local computer. The answer is B.


2. To make sure that failed read access is recorded, choose the option of monitoring “Failure” in the class “List folders / READ DATA.” The answer is D.


3. Security in the Event Viewer shows all of the auditing log information.
