Security


Auditing in Windows 2000 Server

The Event Viewer in Windows 2000 provides auditing information. Windows can be configured to audit certain events, such as when users log on, when they access resources (such as files), or when they attempt to use special privileges (such as the ability to debug an application or perform a data backup).

Auditing can be turned on and off by using the Computer Management tool and by selecting System Tools/Group Policy/Computer Configuration/Windows Settings/Local Policies/Auditing Policies.

For a server running IIS 5.0, it is recommended that you audit using the following settings: “Audit Event,” which is the name of the event you are interested in; “Audit Success Attempts,” which indicates that you are interested in successful occurrences of that event; and “Audit Failed Attempts,” which indicates that you are interested in failures when that event is performed. “On” means the event is being audited, while “Off” means it is not. Table 9.2 provides examples for various events:

Table 9.2   Auditing Events in Windows 2000 Server

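| Audit Event              | Audit Success Attempts | Audit Failed Attempts |
|--------------------------|------------------------|-----------------------|
| Account Logon            | On                     | On                    |
| Account Management       | Off                    | On                    |
| Directory Service Access | Off                    | On                    |
| Logon                    | On                     | On                    |
| Object Access            | Off                    | Off                   |
| Policy Change            | On                     | On                    |
| Privilege Use            | Off                    | On                    |
| Process Tracking         | Off                    | Off                   |
| System                   | Off                    | Off                   |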

For example, it is quite normal to audit for both successful and failed events: you might want to see when users are logging on, as well as when people might be attempting to log on by guessing someone else’s password.
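One way to check a server against Table 9.2, as an added example that is not part of the original guide: the script below reads the [Event Audit] section of a security template (the INF text that `secedit /export` writes) and reports every setting that differs from the table. The mapping from the table's event names to the template's setting names and the sample template are assumptions made for this example.

```python
# Added example: check a security template's [Event Audit] section against Table 9.2.
BASELINE = {  # setting name: (Table 9.2 event, audit success, audit failure)
    "AuditAccountLogon":    ("Account Logon", True, True),
    "AuditAccountManage":   ("Account Management", False, True),
    "AuditDSAccess":        ("Directory Service Access", False, True),
    "AuditLogonEvents":     ("Logon", True, True),
    "AuditObjectAccess":    ("Object Access", False, False),
    "AuditPolicyChange":    ("Policy Change", True, True),
    "AuditPrivilegeUse":    ("Privilege Use", False, True),
    "AuditProcessTracking": ("Process Tracking", False, False),
    "AuditSystemEvents":    ("System", False, False),
}

def parse_event_audit(inf_text):
    """Return {setting: (success, failure)}; values: 0 none, 1 success, 2 failure, 3 both."""
    settings, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            bits = int(value)
            settings[key] = (bool(bits & 1), bool(bits & 2))
    return settings

def compare_to_baseline(inf_text):
    """List (event, expected, found) for each setting that differs or is absent."""
    found = parse_event_audit(inf_text)
    return [(name, (succ, fail), found.get(key))     # found is None when absent
            for key, (name, succ, fail) in BASELINE.items()
            if found.get(key) != (succ, fail)]

# Constructed sample template: not taken from a real server.
SAMPLE_INF = """[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 1
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 2
AuditProcessTracking = 0
AuditAccountLogon = 3
[Registry Values]
AuditIgnored = 3
"""

if __name__ == "__main__":
    for name, expected, found in compare_to_baseline(SAMPLE_INF):
        print(f"{name}: expected (success, failure) {expected}, found {found}")
```

Exported templates are usually written as Unicode, so read the file with `encoding="utf-16"` before passing its text to `compare_to_baseline`.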

Note that in Windows 2000 Server there are two types of logon/logoff events: Account Logon/Logoff and Logon/Logoff.

For an excellent summary of how to audit logon events, see “Auditing User Authentication” at http://support.microsoft.com/support/kb/articles/q174/0/73.asp.


© 1997-1999 Microsoft Corporation. All rights reserved.