Configure Auditing in XP

Before you start

Objectives: learn how to configure local auditing on an XP machine.

Prerequisites: you have to know what Windows Auditing is in general.

Key terms: account, event, logon, local, configure, access, user, file, policy, enable, server, monitor, record, object, fail


Configuring Auditing

We will use Local Group Policy to configure auditing. Let’s go to Administrative Tools and open Local Security Policy. Under Security Settings we will browse to the Local Policies and then Audit Policy.

Image 270.1 – Local Security Policy

The first step in configuring auditing is to select the event category that we want to track. In our example we will configure the Audit account logon events policy. This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Because it is best to enable only the minimum auditing we need, we will only audit logon failures.

Image 270.2 – Account Logon Events

To see the generated events we will go to the Event Viewer and open the Security log. In our case, notice that we have a Failure Audit event in the list. The category of this event is Account Logon (as we set in the Policy Editor). The type can be Failure or Success. If we double-click that event we can see the details.

Image 270.3 – Event Details

Someone with the logon account named ‘Monika’ tried to log on to our computer.

File and Printer Auditing Configuration

To configure auditing for resource access we must first enable auditing in Group Policy, then define the resource, users and actions that we want to audit. Let’s enable Object Access auditing. We will audit both Success and Failure attempts.

Image 270.4 – Object Access Policy

At this point no audit events will be created until we define specific objects we want to keep track of, and identify the users we want to monitor. In our case we want to monitor when the user ‘Kim Verson’ prints on our printer. We right-click our printer, select Properties, go to the Security tab, click the Advanced button and then select the Auditing tab.

Image 270.5 – Auditing Tab

Here we need to add our user, Kim Verson. We want to monitor successful prints.

Image 270.6 – Print Auditing Entry

Next, we have a folder that contains sensitive files. We already control access to that folder with NTFS permissions, and we want to know when someone tries to modify permissions for the folder or its files. In our case we will configure the Great Citations folder. We will right-click it, select Properties, select the Security tab, click the Advanced button, select the Auditing tab, and click the Add button.

Image 270.7 – File Auditing Entry

This time we will add the Everyone group, because we want to monitor when someone tries to modify permissions. Notice that we can audit many different actions. Here we could also select to monitor the Take Ownership event. When we are finished, the system will monitor only those events. Events involving other users and files will be ignored.

Remember

We can use the Local Group Policy editor to configure auditing on the local machine. The first step in configuring auditing is to select the event category that we want to track. To see the generated events we use the Security log in Event Viewer. To configure auditing for resource access we must first enable auditing in Group Policy, then define the resource, users and actions that we want to audit.
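
To confirm that the two Audit Policy settings made above are actually in effect, the policy can be exported with `secedit /export /cfg audit.inf /areas SECURITYPOLICY` and its `[Event Audit]` section compared with what we chose. The script below is an added example, not part of the original tutorial; the file name `audit.inf`, the function names and the sample template are assumptions made for illustration, and it does not check the per-object auditing entries set on the printer and folder.

```python
# Added example: compare an exported security template with the audit
# settings chosen in this walkthrough. The sample data is constructed.
import configparser

# Meaning of the values in the [Event Audit] section of a security template.
AUDIT_VALUES = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# From this page: Account Logon = Failure only, Object Access = Success and Failure.
EXPECTED = {"AuditAccountLogon": 2, "AuditObjectAccess": 3}

# Constructed sample of an export; a real file is normally UTF-16, so read it
# with open(path, encoding="utf-16").read() before passing it in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 1
AuditAccountLogon = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""


def read_audit_policy(inf_text):
    """Return the [Event Audit] section as {setting name: integer value}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the template's key capitalisation
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in parser.items("Event Audit")}


def check_policy(policy, expected=EXPECTED):
    """List (setting, actual, wanted) for every setting that differs."""
    findings = []
    for key, want in expected.items():
        got = policy.get(key)  # None when the template does not define the key
        if got != want:
            findings.append((key, AUDIT_VALUES.get(got, "Not defined"), AUDIT_VALUES[want]))
    return findings


if __name__ == "__main__":
    for key, got, want in check_policy(read_audit_policy(SAMPLE_INF)):
        print(f"{key}: is '{got}', expected '{want}'")
```

In the constructed sample, Object Access is set to Success only, so the script reports it as differing from the Success and Failure setting chosen on this page.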