Code:
http://forum.persiannetworks.com/f78/t32701.html
Audit Policy
The audit policy is stored within the Group Policy Object. If you navigate to Computer Configuration: Windows Settings: Security Settings: Local Policies, you will find the nine items you can audit. These nine items correspond to the categories you will see when you review the security logs. These items are:
- Account logon
- Account management
- Directory service access
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System events
Audit Categories
Account logon: a domain controller received a request to authenticate a user account.
Account management: tracks changes to user accounts. Records when an account is created, changed, deleted, renamed, disabled, or enabled, or when its password is set or changed. Also records when a group is created, changed, or deleted.
Directory service access: a user accesses an Active Directory object. You must configure specific AD objects to log this type of event.
Logon events: creates entries when a user logs on or logs off. Also creates entries when a user makes or cancels a network connection to the computer (or server).
Object access: logs when a user accesses a file, folder, or printer. You must configure specific files, folders, or printers for auditing.
Policy change: a change was made to the user security options, user rights, or audit policies.
Privilege use: creates entries when a user exercises a right.
Process tracking: tracks when a program performs an action. Typically used by programmers for troubleshooting, as it creates a large number of events in the security logs.
System events: a user restarts or shuts down the computer. Also records any events affecting the security logs.
Setting up Auditing
The first step in setting up auditing is determining which of the categories you want to audit for successes, failures, or both. Once you have determined your audit requirements, take these steps to configure auditing:
- Open the Group Policy Object Editor for the Group Policy you want to change.
- Navigate to Computer Configuration: Windows Settings: Security Settings: Local Policies.
- Double-click the audit policy setting you want to change.
- You have several options: leave the setting undefined, define it and check neither box, or define it and check Success, Failure, or both. Once you have changed the setting, click OK.
- Change each of the settings required.
Auditing Active Directory Objects
You may require that Active Directory Objects be audited. To audit these objects:
- Open Active Directory Users and Computers.
- Select the object you want to audit. In our example, we are going to choose the Detroit Organizational Unit.
- Right-click on the object and select Properties.
- Click on the Security tab.
- Click the Advanced button.
- Click on the Auditing tab.
- Click on the Add button.
- Enter the name of the group you wish to audit and click OK.
- Select the options you wish to audit. Select Successful or Failed or both to audit those items.
- Click OK when you have selected all of the items you wish to audit.
- Click OK to close the Advanced window.
- Click OK to close the Properties window.
Auditing is now configured for the objects you selected. In our example, we are auditing when a member of PCSupport creates an account. We created a test account, and saw this entry appear in our Security log:
Auditing Files and Folders
In addition to Active Directory Objects, you can also audit drives, files, and folders.
You may have very sensitive folders for groups like Legal or HR where you need to track when certain events occur. To set up auditing on a file or folder:
- Navigate to the folder you need to audit. Right-click on the folder and select Properties.
- Click on the Security tab.
- Click on Advanced.
- Click on the Auditing tab.
- Click Add to add a group or user to audit.
- Select the Access items you wish to audit.
- Click OK.
- Click OK to close the Advanced Security Settings window.
- Click OK to close the Properties window.
If you have "Audit object access" turned on in your Audit policy, you will now see entries in your Security Log when individuals in the groups you selected perform tasks you are auditing.
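The same folder audit entry can be created from PowerShell instead of the Properties dialog, which is handy when many folders need the same setting. This is an added example, not part of the original post; the folder path and group name are assumed placeholders, and the event ID used at the end is the standard Windows ID for file-system object access.

```powershell
# Added example: audit a sensitive folder from PowerShell and confirm the
# "Audit object access" policy is on, so the SACL entry actually produces events.
# Run in an elevated session; writing a SACL requires SeSecurityPrivilege.

$Folder = 'D:\Shares\HR'        # assumed path of the sensitive folder
$Group  = 'CONTOSO\HR-Staff'    # assumed group whose access should be audited

# Rights to audit: reading, writing and deleting items in the folder and its subtree.
$Rights      = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$AuditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # both boxes in the GUI

$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @($Group, $Rights, $Inheritance, $Propagation, $AuditFlags)

# -Audit makes Get-Acl read the SACL (the Auditing tab) as well as the DACL.
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Show the resulting audit entries, equivalent to what the Auditing tab lists.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# A SACL entry only generates events if the Object Access category is enabled in
# the audit policy; auditpol reports the effective setting on this machine.
auditpol /get /category:"Object Access"

# Once both are in place, accesses matching the entry are logged in the Security
# log as event ID 4663 ("An attempt was made to access an object").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```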
Auditing is a great tool to track security events on your network and servers.