Monitoring Windows NT Security Events

You enable auditing from the User Manager Auditing Policy dialog box. Through auditing, you can track Windows NT Workstation security events. You can specify that an audit entry is to be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who actually performed actions on the network and who tried to perform actions that are not permitted.

Events are not audited by default. If you have Administrator permission, you can specify what types of system events are audited through User Manager. The Audit policy determines the amount and type of security logging Windows NT Workstation performs. For file and object access, you can then specify which files and printers to monitor, which types of file and object access to monitor, and for which users or groups. For example, when File and Object Access auditing is enabled, you can use the Security tab in a file or folder's Properties dialog box (accessed through Windows NT Explorer) to specify which files are audited and what type of file access is audited for those files.

Note

You can audit file and folder access only on Windows NT File System (NTFS) drives.

Because the security log is limited in size, select the events to be audited carefully, and consider the amount of disk space you are willing to devote to the security log. The maximum size of the security log is defined in Event Viewer.

Note

When administering domains, the Audit policy applies to the security log of the primary and backup domain controllers in the domain because they share the same Audit policy. When administering a computer running Windows NT Workstation or a computer running Windows NT Server as a member server, this policy applies only to the security log of that computer.

The following table describes the types of events that can be audited.

Type of event                   Description
------------------------------  ----------------------------------------------------------------------
Logon and Logoff                A user logged on or off or made a network connection.
File and Object Access          A user opened a directory or a file that is set for auditing in File Manager, or a user sent a print job to a printer that is set for auditing in Print Manager.
Use of User Rights              A user used a user right (except those rights related to logon and logoff).
User and Group Management       A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
Security Policy Changes         A change was made to the User Rights, Audit, or Trust Relationships policies.
Restart, Shutdown, and System   A user restarted or shut down the computer, or an event has occurred that affects system security or the security log.
Process Tracking                These events provide detailed tracking information for things like program activation, some forms of handle duplication, indirect object accesses, and process exit.
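The two settings this page describes, the Audit policy category and the per-file audit entries chosen on the Security tab, still exist on current Windows versions, where "File and Object Access" is the Object Access category (File System subcategory) and the per-file entries are the object's SACL. The script below is an added example, not part of the original documentation; it assumes a modern Windows host, an elevated PowerShell 5.1 or later session, an NTFS volume, and uses C:\AuditDemo as a placeholder folder.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the original documentation). Assumes an elevated
# session (writing a SACL needs SeSecurityPrivilege) and an NTFS volume;
# C:\AuditDemo is a placeholder path.
$Path = 'C:\AuditDemo'
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# 1. The Audit policy. The page's "File and Object Access" type is the
#    Object Access category today; its "File System" subcategory must be on
#    or per-file audit entries never produce an event, success or failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. The per-object setting (the page's Security tab): audit both successful
#    and failed delete and write attempts by anyone, inherited by every file
#    and subfolder beneath the folder.
$acl  = Get-Acl -Path $Path -Audit
$rule = [FileSystemAuditRule]::new(
    'Everyone',
    ([FileSystemRights]::Delete -bor [FileSystemRights]::WriteData),
    ([InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit),
    [PropagationFlags]::None,
    ([AuditFlags]::Success -bor [AuditFlags]::Failure))
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify the entry was written; Get-Acl -Audit exposes the SACL as .Audit.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 4. The security log's maximum size (set in Event Viewer on NT, shown here
#    as the maxSize value of the log's configuration).
wevtutil gl Security | Select-String -Pattern 'maxSize'

# 5. Read back the resulting object-access audit entries: 4656 is the handle
#    request (the failure audits land here), 4663 the completed access.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Step 5 returns nothing until some process actually touches the folder after the SACL is in place, so create or delete a file under C:\AuditDemo first if the log is empty.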