Auditing Security Events

Windows NT includes auditing features you can use to collect information about how your system is being used. These features also allow you to monitor events related to system security, to identify any security breaches, and to determine the extent and location of any damage. The level of audited events is adjustable to suit the needs of your organization. Some organizations need little auditing information, while others are willing to trade some performance and disk space for detailed information they can use to analyze their system.

Note

When you enable auditing, remember that there is a small performance overhead for each audit check the system performs.

Windows NT can track events related to the operating system itself and to individual applications. Each application can define its own auditable events. Definitions of these events are added to the Registry when the application is installed on your Windows NT computer.

Audit events are identified to the system by the event source-module name (which corresponds to a specific event type in the Registry) and an event ID.

The security log in Event Viewer can list events by category and by event ID. The following categories of events are listed in the security log. (Those in parentheses are found in the Audit Policy dialog box in User Manager.)

Table 2.4 Security Events that can be audited

Category: Account Management (User and Group Management)
Meaning: These events describe high-level changes to the user-accounts database, such as User Created or Group Membership Change. Potentially, a more detailed, object-level audit is also performed. (See the "Object Access" category, below.)

Category: Detailed Tracking (Process Tracking)
Meaning: These events provide detailed subject-tracking information, such as program activation, handle duplication, and indirect object access.

Category: Logon/Logoff (Logon and Logoff)
Meaning: These events describe a single logon or logoff attempt, whether successful or unsuccessful. Included in each logon description is an indication of what type of logon (that is, interactive, network, or service) was requested or performed.

Category: Object Access (File and Object Access)
Meaning: These events describe both successful and unsuccessful accesses to protected objects.

Category: Policy Change (Security Policy Changes)
Meaning: These events describe high-level changes to the security policy database, such as assignment of privileges or logon capabilities. Potentially, a more detailed, object-level audit is also performed. (See the "Object Access" category, above.)

Category: Privilege Use (Use of User Rights)
Meaning: These events describe both successful and unsuccessful attempts to use privileges. The category also includes information about when some special privileges are assigned. These special privileges are audited only at assignment time, not at the time of use.

Category: System Event (System)
Meaning: These events indicate something occurred that affects the security of the entire system or audit log.
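The Resource Kit text describes events as being identified by source and event ID and listed in the security log by category, but gives no example of working with such records. The following Python script is an added example, not code from the Resource Kit or from Microsoft: it reads records in an assumed eight-field, tab-separated layout (date, time, source, type, category, event ID, user, computer) modelled on a text export of the security log, counts them by category and by event ID, and flags the handful of conditions an administrator would review first. The sample lines are constructed for the example; the numeric event IDs (528, 529, 560, 577, 592, 612, 624, 517) are the Security source's NT-era IDs, which the page itself does not list.

```python
"""Group and triage Windows NT security-log records by category and event ID.

Added example. The export layout, the sample records and the alert table
are assumptions made for this script; they are not from the Resource Kit.
"""
from collections import Counter, defaultdict

# Assumed column order of a tab-separated security-log text export.
FIELDS = ("date", "time", "source", "type", "category", "event_id", "user", "computer")

# Constructed sample export (not a real log). "Type" uses the Event Viewer
# labels "Success Audit" / "Failure Audit"; event IDs are the NT-era
# Security-source IDs (528 logon, 529 logon failure, 560 object open,
# 577 privileged service called, 592 new process, 612 audit policy change,
# 624 user account created, 517 audit log cleared).
SAMPLE_EXPORT = """\
3/14/97\t09:01:12\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tDOMAIN\\alice\tWKS01
3/14/97\t09:02:07\tSecurity\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\bob\tWKS01
3/14/97\t09:02:11\tSecurity\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\bob\tWKS01
3/14/97\t09:02:16\tSecurity\tFailure Audit\tLogon/Logoff\t529\tDOMAIN\\bob\tWKS01
3/14/97\t09:05:40\tSecurity\tFailure Audit\tObject Access\t560\tDOMAIN\\bob\tWKS01
3/14/97\t09:10:03\tSecurity\tSuccess Audit\tPolicy Change\t612\tDOMAIN\\admin\tWKS01
3/14/97\t09:11:30\tSecurity\tSuccess Audit\tAccount Management\t624\tDOMAIN\\admin\tWKS01
3/14/97\t09:12:01\tSecurity\tSuccess Audit\tSystem Event\t517\tDOMAIN\\admin\tWKS01
3/14/97\t09:15:22\tSecurity\tSuccess Audit\tDetailed Tracking\t592\tDOMAIN\\alice\tWKS01
3/14/97\t09:16:05\tSecurity\tFailure Audit\tPrivilege Use\t577\tDOMAIN\\bob\tWKS01
"""

# Events that merit a look on their own, keyed by event ID (assumed table).
SINGLE_EVENT_ALERTS = {
    517: "audit log cleared",
    612: "audit policy changed",
    624: "user account created",
}


def parse_export(text):
    """Parse tab-separated export lines into dicts; lines with too few fields are skipped."""
    events = []
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) < len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        record["event_id"] = int(record["event_id"])
        events.append(record)
    return events


def count_by_category(events):
    """Per category, count success and failure audits (the view Event Viewer gives when filtering by category)."""
    counts = defaultdict(Counter)
    for event in events:
        counts[event["category"]][event["type"]] += 1
    return counts


def count_by_event_id(events):
    """Count records per event ID (the view Event Viewer gives when filtering by event ID)."""
    return Counter(event["event_id"] for event in events)


def triage(events, failure_threshold=3):
    """Return (category, user, reason) findings: flagged single events plus repeated logon failures."""
    findings = []
    for event in events:
        reason = SINGLE_EVENT_ALERTS.get(event["event_id"])
        if reason:
            findings.append((event["category"], event["user"], reason))
    # Repeated Logon/Logoff failures for one account, per the page's category meaning.
    failures = Counter(
        event["user"]
        for event in events
        if event["category"] == "Logon/Logoff" and event["type"] == "Failure Audit"
    )
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append(("Logon/Logoff", user, f"{count} failed logons"))
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for category, by_type in sorted(count_by_category(parsed).items()):
        print(f"{category:20} {dict(by_type)}")
    for category, user, reason in triage(parsed):
        print(f"REVIEW [{category}] {user}: {reason}")
```

The per-category counts mirror the seven categories in Table 2.4; the triage step shows why an administrator would keep the System Event and Policy Change categories audited even when Object Access auditing is turned off for performance, since a cleared log or a changed audit policy is the event that hides every other one.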
For more information about auditing security events, see "Windows NT Security" in the Microsoft Windows NT Workstation Resource Guide, and "Monitoring Events" in the Microsoft Windows NT Server 4.0 Concepts and Planning Guide.