In Windows 2000 and XP, what is auditing and how do I use it?
In Windows 2000 and XP, auditing allows you to
track and record the activities of users, groups, and processes. It
is primarily used to diagnose performance problems and security risks,
and for expansion planning.
Enabling auditing
Auditing in general is enabled by default in Windows 2000 and XP. To
change the auditing options, follow the steps below:
- From the Start menu, select Settings and then Control Panel. In the Control Panel, select Administrative Tools and then Local Security Settings.

  Note: In Windows XP, the default desktop view and Start menu are quite different than they are in the Windows Classic View (e.g., in Windows 2000). Therefore, navigating to certain items may be different in XP; for example, the path from the Start menu to the Control Panel in the default XP view is simply Start, then Control Panel, whereas in the Classic View it is Start, then Settings, then Control Panel. In the interest of broad applicability, most instructions in the Knowledge Base assume that you are using the Classic View. There are several steps you can take to switch from the Windows XP default view to the Windows Classic View. For more information, see the Knowledge Base document In Windows XP, how do I switch to the Windows Classic View, Classic theme, or Classic Control Panel?
- In the Local Security Settings window, click the + next to Local Policies and then click Audit Policy.
This shows you the nine types of auditing you can do in Windows 2000
and XP. A description of each type is listed below:
- Account Logon Events: Tracks logins, logouts, and network connections
- Account Management: Tracks changes to accounts
- Directory Service Access: Tracks access to the Active Directory services
- Logon Events: Tracks logins, logouts, and network connections
- Object Access: Tracks access to files, directories, and other NTFS objects (including printers, because everything in Windows 2000 and XP is considered an object)
- Policy Change: Tracks changes to user rights, audit policies, and trusts
- Privilege Use: Tracks changes to user privileges
- Process Tracking: Tracks program activation and termination, and other object or process activity
- System Events: Tracks server shutdowns and restarts, and logs events affecting system policy
To enable Object Access auditing, you need to select the objects being audited. To do this, right-click an object (e.g., a file, directory, or printer). Select Properties, and then select the Security tab. Click the Auditing button. Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.
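
To review the nine Audit Policy settings listed above without opening the GUI, the local policy can be exported to a text file with secedit /export /cfg and its [Event Audit] section decoded. The Python below is an added example, not part of the original Knowledge Base document; the function names are hypothetical and the sample export is constructed.

```python
# INF key in the [Event Audit] section -> audit type as named in the list above.
AUDIT_KEYS = {
    "AuditAccountLogon": "Account Logon Events",
    "AuditAccountManage": "Account Management",
    "AuditDSAccess": "Directory Service Access",
    "AuditLogonEvents": "Logon Events",
    "AuditObjectAccess": "Object Access",
    "AuditPolicyChange": "Policy Change",
    "AuditPrivilegeUse": "Privilege Use",
    "AuditProcessTracking": "Process Tracking",
    "AuditSystemEvents": "System Events",
}
# The value is a bit field: 1 = Success, 2 = Failure.
SETTINGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(inf_text):
    """Return {audit type: setting} for all nine types; missing keys are 'Not defined'."""
    policy = {name: "Not defined" for name in AUDIT_KEYS.values()}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in AUDIT_KEYS and value.isdigit():
                policy[AUDIT_KEYS[key]] = SETTINGS.get(int(value), "Unknown (%s)" % value)
    return policy

def unaudited(policy):
    """Audit types that record nothing under this policy."""
    return sorted(n for n, s in policy.items() if s in ("No auditing", "Not defined"))

# Constructed sample export (not from a real machine); AuditDSAccess is left out on purpose.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    for name, setting in sorted(parse_event_audit(SAMPLE_INF).items()):
        print("%-26s %s" % (name, setting))
```

Pass the decoded text of the exported file to parse_event_audit; unaudited() then lists the audit types that would leave no trace in the Security log under that policy.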