The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Analyzing auditing requirements
You need to be selective when auditing anything on a computer. Remember that auditing consumes resources. Furthermore, if you audit too much, the review of the security logs consumes a tremendous amount of human resources. Having said that, you can audit specific files and folders to determine who is accessing or changing information in them. Remember that all auditing is local; therefore, you have to set the auditing policy on the computer on which you want the auditing to occur. This can be accomplished through the Local Security Policy settings on the computer or through Group Policy, as shown in Figure 6.7.
Figure 6.7: You can set the audit policy for a computer through the Local Security Policy settings of the computer itself or through Group Policy.
You need to be familiar with the following settings in regard to auditing files and folders:
- Auditing object access
- Setting auditing entries on the resource
Auditing object access
This setting works together with the individual audit entries in the system access control list (SACL) of the file, folder, Registry key, or other resource on which you have applied audit settings. If you select this setting, the system examines the SACLs of all resources to determine whether auditing is required.
Setting auditing entries on the resource
After you have set the audit policy to Audit Object Access, you can then set the resources themselves to be audited. You can determine which users or groups you will audit for each resource. In this way, you can create an audit report that gives you the information you need without generating so much information that the report becomes unusable.
You can set the audit entries in the Advanced options of the Security tab for the object to be audited, as shown in Figure 6.8. This creates a SACL that the system automatically tracks and uses to create the entries for you in the security log of Event Viewer. If you choose, you can audit an entire hierarchy of folders by allowing the audit entries to propagate from the parent object to the child objects.
Figure 6.8: You can set audit entries in the Advanced options of the Security tab.
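The two steps above (enable Audit object access, then add audit entries to the resource's SACL) can also be scripted. The following is an added example, not taken from the book; it assumes an elevated PowerShell session on a later Windows version that ships auditpol.exe, and the folder C:\Finance and the group CONTOSO\Domain Users are hypothetical.

```powershell
# Added example, not from the book. Hypothetical folder and group names.
$path     = 'C:\Finance'
$identity = 'CONTOSO\Domain Users'

# Step 1: enable the Audit object access policy on THIS computer.
# Auditing is local, so this runs on the machine that holds the resource.
# The category name is the English-locale name; a Group Policy setting
# for the same policy takes precedence over this local change.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# Step 2: build one audit entry. To stay selective, audit only changes
# (write, delete, permission changes) by one group, not every read.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
# Propagate the entry from the parent folder to child folders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $identity, $rights, $inherit, $prop, $flags)

# Get-Acl returns the SACL only when -Audit is given.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check both halves: the policy and the entries now on the resource.
auditpol.exe /get /category:"Object Access"
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

If either half is missing, no events reach the security log: the policy without SACL entries audits nothing, and SACL entries without the policy are never evaluated.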
This was first published in October 2004