The Event Viewer in Windows 2000 provides auditing information. Windows can be configured to audit certain events, such as when users log on, when they access resources (such as files), or when they attempt to use special privileges (such as the ability to debug an application or perform a data backup).
Auditing can be turned on and off by using the Computer Management tool and by selecting System Tools/Group Policy/Computer Configuration/Windows Settings/Local Policies/Auditing Policies.
For a server running IIS 5.0, the recommended audit settings are described with the following terms: “Audit Event” is the name of the event you are interested in; “Audit Success Attempts” indicates that you are interested in successful events; and “Audit Failed Attempts” indicates that you are interested in failures when that event is performed. “On” means the event is being audited, while “Off” means it is not. Table 9.2 provides examples for various events:
Table 9.2 Auditing Events in Windows 2000 Server
| Audit Event | Audit Success Attempts | Audit Failed Attempts |
|---|---|---|
| Account Logon | On | On |
| Account Management | Off | On |
| Directory Service Access | Off | On |
| Logon | On | On |
| Object Access | Off | Off |
| Policy Change | On | On |
| Privilege Use | Off | On |
| Process Tracking | Off | Off |
| System | Off | Off |
For example, it is quite normal to audit for both successful and failed events. You might want to see when users are logging on, as well as when people might be attempting to log on by guessing someone else’s password.
Note that in Windows 2000 Server there are two types of logon/logoff events: Account Logon/Logoff and Logon/Logoff.
For an excellent summary of how to audit logon events, see “Auditing User Authentication” at http://support.microsoft.com/support/kb/articles/q174/0/73.asp.
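To check a server against Table 9.2, the following added example (not code from the original text) compares the [Event Audit] section of an exported security template with the table and reports any drift. It assumes the policy has already been exported to a template, for instance with secedit /export, and decoded to text; the key names and the 0 to 3 value encoding come from the security template format rather than from this page, and the sample template is constructed.

```python
import configparser

# Table 9.2 as (audit success, audit failure) per security-template key.
# Key names and bit values come from the template format, not from the page.
BASELINE = {
    "AuditAccountLogon":    (True, True),    # Account Logon
    "AuditAccountManage":   (False, True),   # Account Management
    "AuditDSAccess":        (False, True),   # Directory Service Access
    "AuditLogonEvents":     (True, True),    # Logon
    "AuditObjectAccess":    (False, False),  # Object Access
    "AuditPolicyChange":    (True, True),    # Policy Change
    "AuditPrivilegeUse":    (False, True),   # Privilege Use
    "AuditProcessTracking": (False, False),  # Process Tracking
    "AuditSystemEvents":    (False, False),  # System
}

def parse_event_audit(template_text):
    """Return {key: (success, failure)} from the [Event Audit] section."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the template's key casing
    cp.read_string(template_text)
    if not cp.has_section("Event Audit"):
        return {}
    # Values are bit flags: 1 = success, 2 = failure, 3 = both, 0 = none.
    return {k: (bool(int(v) & 1), bool(int(v) & 2))
            for k, v in cp.items("Event Audit")}

def drift(template_text):
    """List (key, expected, actual) for each setting that differs from
    Table 9.2. A key absent from the template counts as not audited."""
    actual = parse_event_audit(template_text)
    return [(k, want, actual.get(k, (False, False)))
            for k, want in BASELINE.items()
            if actual.get(k, (False, False)) != want]

# Constructed sample export (not taken from a real server).
SAMPLE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 2
AuditProcessTracking = 0
AuditDSAccess = 2
"""
```

Calling `drift(SAMPLE)` flags the missing Account Logon setting and the Logon setting that audits successes only, which would leave failed password-guessing attempts unrecorded.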