Windows Auditing

Issue

Auditing is a vital step in detecting system intrusions or malicious activity on your systems and network. The Windows Event Viewer does not log event entries in the security log unless you enable auditing on the system.

Solution

Enable auditing on each Microsoft® Windows® operating system on your network. After you enable auditing, you can choose which events to monitor, such as successful or failed logon attempts. In addition, certain files and directories can be audited on NTFS file systems for modifications or deletions. View the links under the Additional Resources section below for more information on configuring audit policies.

Instructions

To enable auditing on a computer running Windows Server 2003, Windows XP, or Windows 2000

  1. Open the Control Panel.
  2. In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
  3. In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit. We recommend that you audit the following events:

    Audit account logon events (Success, Failure)

    Audit account management (Success, Failure)

    Audit directory service access (Failure)

    Audit logon events (Success, Failure)

    Audit object access (Failure)

    Audit policy change (Success, Failure)

    Audit system events (Success, Failure)
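
To confirm that the recommended settings above are actually in effect, the following added example (not part of the original page) checks the [Event Audit] section of an exported security template against that list. It assumes the policy was exported with a command such as secedit /export /cfg audit.inf; the template key names and their mapping to the page's list are assumptions, and the sample data is constructed.

```python
# Added example, not from the original page. Template values are bit flags:
SUCCESS, FAILURE = 1, 2  # 0 = no auditing, 1 = Success, 2 = Failure, 3 = both
# Page recommendation mapped to [Event Audit] key names (mapping is an assumption).
RECOMMENDED = {
    "AuditAccountLogon": SUCCESS | FAILURE,   # Audit account logon events
    "AuditAccountManage": SUCCESS | FAILURE,  # Audit account management
    "AuditDSAccess": FAILURE,                 # Audit directory service access
    "AuditLogonEvents": SUCCESS | FAILURE,    # Audit logon events
    "AuditObjectAccess": FAILURE,             # Audit object access
    "AuditPolicyChange": SUCCESS | FAILURE,   # Audit policy change
    "AuditSystemEvents": SUCCESS | FAILURE,   # Audit system events
}

def parse_event_audit(text):
    """Return {key: int} for the [Event Audit] section of a template."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = (part.strip() for part in line.partition("="))
            settings[key] = int(value) if value.isdigit() else 0  # unreadable = not audited
    return settings

def missing_audit(text):
    """Return {key: [outcomes not audited]} for each unmet recommendation."""
    actual = parse_event_audit(text)
    gaps = {}
    for key, required in RECOMMENDED.items():
        lacking = required & ~actual.get(key, 0)  # a missing key counts as no auditing
        if lacking:
            gaps[key] = [n for bit, n in ((SUCCESS, "Success"), (FAILURE, "Failure")) if lacking & bit]
    return gaps

# Constructed sample of an exported template (not taken from a real system).
SAMPLE = """[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
[Version]
Revision=1
"""
```

Calling missing_audit(SAMPLE) reports that logon events and object access are not audited for Failure. Exported templates are typically written as UTF-16, so read a real file with encoding="utf-16" before passing its text in.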


To enable auditing on a computer running Windows NT® 4.0

  1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager.
  2. Click the Audit logon events policy, and then click the events that you want to monitor. We recommend that you audit the following events:

    Logon and Logoff (Success, Failure)

    File and Object Access (Failure)

    User and Group Management (Success, Failure)

    Security Policy Changes (Success, Failure)

    Restart, Shutdown, and System (Success, Failure)


To view the event logs, click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

Additional Resources

Chapter 3 - Audit Policy (Threats and Countermeasures Guide)

Chapter 9 - Auditing and Intrusion Detection (Securing Windows 2000 Server)

Windows Server 2003: Auditing Security Events Best Practices


©2002-2004 Microsoft Corporation. All rights reserved.