You can use auditing to track selected activities of users and the system. Windows NT can record a range of event types—from a systemwide event, such as a user logging on, to an attempt by a particular user to read a specific file on an NTFS drive. Both successful and unsuccessful attempts to perform an action can be recorded.
To open the Audit Policy dialog box, click Audit on the Policies menu in User Manager for Domains. The audit policy determines the amount and type of security logging that Windows NT performs. When an audited event occurs, an entry is added to the Windows NT security log. The security log is viewed by using Event Viewer. Use the settings shown in Table 3.3 to specify what events will be audited.
Table 3.3 Auditing Options
For this event | Select | To audit
Log on and log off | Success | A user successfully logged on or off the workstation, or the user made an over-the-network connection to the local computer.
Log on and log off | Failure | A user attempted, but was not allowed, to log on or off the workstation, or the user attempted and failed to make an over-the-network connection to the local computer.
File and object access | Success | A user successfully accessed a directory, printer, or file that is set for auditing.
File and object access | Failure | A user attempted, but failed, to access a directory, printer, or file that is set for auditing.
Use of user rights | Success | A user successfully used a user right. (Rights relating to log on and log off are not included.)
Use of user rights | Failure | A user attempted, but failed, to use a user right.
User and group management | Success | A user or group account was successfully created, modified, or deleted, or a password was successfully set or changed.
User and group management | Failure | There was an unsuccessful attempt to create, modify, or delete a user or group account, or to set or change a password.
Security policy changes | Success | A change was successfully made to the user rights or audit policies.
Security policy changes | Failure | A change was attempted to the user rights or audit policies, but failed.
Restart, shutdown, and system security | Success | A user successfully restarted or shut down the computer; or an event has occurred that affects system security.
Restart, shutdown, and system security | Failure | A user attempted, but failed, to restart or shut down the computer.
Process tracking | Success | Detailed tracking information for events such as successful program activation, some forms of handle duplication, indirect object access, and process exit.
Process tracking | Failure | Detailed tracking information for events such as failed program activation, some forms of handle duplication, indirect object access, and process exit.
Before auditing can be established on objects, auditing for the events shown in Table 3.3 must be enabled through User Manager for Domains by a user with Administrator permissions. When auditing files, you must also use Windows NT Explorer to specify which files to audit and which type of file access events to audit. To do this, right-click a file or directory to display its properties, then click Security and click Auditing to specify auditing attributes.
You view audited events in Event Viewer. Internet Information Server generates entries in all three Event Viewer logs (System, Security, and Application). You can use Event Viewer entries to identify attempts to break into your intranet through your gateway or to detect attempted tampering with your Internet Information Server system.
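The review described above can be automated once security log entries are available as text. The following Python code is an added example, not part of the original documentation: it flags accounts with a burst of failed logon audits and notes whether a successful logon followed the burst. The record layout (date, time, type, category, user, computer), the type and category labels, the account and computer names, and the threshold are all constructed for the example and are not an Event Viewer export format.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed layout: date,time,type,category,user,computer).
SAMPLE_LOG = """\
03/02/98,09:14:02,Success Audit,Logon/Logoff,alice,WEB01
03/02/98,23:41:10,Failure Audit,Logon/Logoff,administrator,WEB01
03/02/98,23:41:19,Failure Audit,Logon/Logoff,administrator,WEB01
03/02/98,23:41:27,Failure Audit,Logon/Logoff,administrator,WEB01
03/02/98,23:41:40,Failure Audit,Logon/Logoff,administrator,WEB01
03/02/98,23:42:05,Success Audit,Logon/Logoff,administrator,WEB01
03/02/98,23:43:30,Failure Audit,Object Access,administrator,WEB01
03/03/98,08:01:55,Failure Audit,Logon/Logoff,bob,WEB01
"""

def parse(text):
    """Yield (timestamp, type, category, user) tuples from the sample layout."""
    for date, time, typ, category, user, _computer in csv.reader(io.StringIO(text)):
        yield datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"), typ, category, user

def find_logon_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts with >= threshold failed logons inside the window.

    Each finding records whether a successful logon followed the burst while
    those failures were still inside the window (a possible guessed password).
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    findings = {}                 # user -> finding details
    for ts, typ, category, user in parse(text):
        if category != "Logon/Logoff":
            continue              # only logon auditing is relevant here
        fails = recent[user]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if typ == "Failure Audit":
            fails.append(ts)
            if len(fails) >= threshold:
                f = findings.setdefault(
                    user, {"failures": 0, "first": fails[0], "success_after": False})
                f["failures"] = max(f["failures"], len(fails))
        elif typ == "Success Audit" and user in findings and fails:
            findings[user]["success_after"] = True
    return findings

if __name__ == "__main__":
    for user, finding in find_logon_bursts(SAMPLE_LOG).items():
        print(user, finding)
```

A finding with `success_after` set is the one to investigate first, because the failures stopped when a logon succeeded rather than when the attempts were abandoned.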
For more information about auditing, see Windows NT Server Concepts and Planning.