File and object access auditing not enabled

Risk Level: Low

Check or Attack Name: Object Audit

Platforms: Windows NT

Description:

File and Object Access Auditing is not enabled. Auditing tracks access to files, directories, registry keys, and other objects (such as printers). Auditing of these events must be enabled both by the security descriptor on the object and in the auditing settings. These events appear in the Event Viewer Security Log.

Remedy:

Enable File and Object Access Auditing and edit the auditing settings for selected directories, files, or other objects.

Note: Object auditing is available only for NTFS objects, not FAT objects. Auditing object access incurs substantial processing overhead, especially if the monitored object (such as a file or directory) is frequently accessed.

To implement File and Object Access Auditing at the system level, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the user account from the list.
  3. From the Policies menu, select Audit to display the Audit Policy dialog box.
  4. Choose Audit these events. The audit choices are enabled.
  5. From the File and Object Access field, select the Failure check box or the Success check box.
  6. Click OK.

Note: File and Object Access auditing will produce numerous log entries, most of which are benign. In addition, auditing several objects can degrade system performance. Auditing only occurs on objects that have been marked for auditing.

To implement File and Object Access Auditing at the object level, follow these steps:

  1. Using My Computer or Windows NT Explorer, go to the object that you want to audit.
  2. Right-click the object and select Properties to display the Properties dialog box.
  3. Click the Security tab.
  4. Click Auditing to display the File Auditing, Directory Auditing, or Printer Auditing dialog box.
  5. Select one of these choices:
    • To add a new user or group name, click Add. Add the names from the Add Users and Groups dialog box.
    • To modify auditing, select the name and the Success and Failure audits that are required for your security policy.
    • To remove auditing, select the name and click Remove.
  6. Click OK twice to apply the changes.
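
To confirm the system-level setting from the first procedure without opening User Manager, the audit policy can be read through the LSA API. The following is an added example, not part of the original advisory; the names object_audit_state, query_local_object_audit and the SAMPLE_* arrays are hypothetical. It checks only the system-wide policy, not the auditing entries on individual objects.

```c
#include <stddef.h>
#include <stdio.h>
/* Values mirror POLICY_AUDIT_EVENT_* and AuditCategoryObjectAccess in ntsecapi.h. */
#define AUDIT_SUCCESS 0x1UL
#define AUDIT_FAILURE 0x2UL
#define CATEGORY_OBJECT_ACCESS 2UL

/* Returns a mask of AUDIT_SUCCESS/AUDIT_FAILURE; 0 means the finding applies. */
unsigned long object_audit_state(int mode, const unsigned long *opts, unsigned long count)
{
    if (!mode || opts == NULL || count <= CATEGORY_OBJECT_ACCESS) /* mode 0: auditing off */
        return 0;
    return opts[CATEGORY_OBJECT_ACCESS] & (AUDIT_SUCCESS | AUDIT_FAILURE);
}
/* Constructed sample policies, one entry per audit category (not real captures). */
static const unsigned long SAMPLE_OFF[7]       = {0, 3, 0, 0, 0, 3, 0};
static const unsigned long SAMPLE_FAIL_ONLY[7] = {0, 3, 2, 0, 0, 3, 0};

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
/* Reads the local audit policy through LSA; returns -1 on error. Link advapi32. */
long query_local_object_audit(void)
{
    LSA_OBJECT_ATTRIBUTES attrs;
    LSA_HANDLE policy;
    POLICY_AUDIT_EVENTS_INFO *info = NULL;
    long state = -1;
    ZeroMemory(&attrs, sizeof(attrs));
    if (LsaOpenPolicy(NULL, &attrs, POLICY_VIEW_AUDIT_INFORMATION, &policy) != 0)
        return -1;
    if (LsaQueryInformationPolicy(policy, PolicyAuditEventsInformation, (PVOID *)&info) == 0) {
        state = (long)object_audit_state(info->AuditingMode, info->EventAuditingOptions,
                                         info->MaximumAuditEventCount);
        LsaFreeMemory(info);
    }
    LsaClose(policy);
    return state;
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("local object-access audit mask: %ld\n", query_local_object_audit());
#endif
    printf("samples: off=%lu failure-only=%lu\n",
           object_audit_state(1, SAMPLE_OFF, 7), object_audit_state(1, SAMPLE_FAIL_ONLY, 7));
    return 0;
}
```

A result of 0 corresponds to the condition this check reports; 1, 2 or 3 means Success, Failure or both are selected for File and Object Access.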