Configuring Auditing in Windows 7

Before you start

Objectives: Learn how to enable auditing in Windows 7, and how to select auditing entries in folder properties.

Prerequisites: you have to know what auditing is.

Key terms: auditing, Windows 7, configuration


Group Policy

In order to manage auditing, the first thing we have to do is open the Group Policy editor. To do that, we can enter “gpedit.msc” in search and open the gpedit program. Next, we have to navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

Figure: gpedit

Here we can see all auditing policies. In our case we will try to audit files and folders. For that we will select the “Audit object access” policy and select the Success and Failure options.

Figure: Audit Object Access

The next step is to select the folder which we want to audit. For this demo, we have created the C:\Docs folder. Inside Docs we have the Admin Data and User Data folders. We have configured the security settings so that all users can create data in the User Data folder, but they can’t delete it.

Figure: Docs Folder

Now let’s go to the Properties of the User Data folder, then the Security tab > Advanced button, and then the Auditing tab. Click the Continue button in order to see the auditing properties.

Figure: Auditing

Here we will click the Add button, and enter the Authenticated Users object.

Figure: Auditing Object

When we click OK, we will be asked to select auditing entries. In our example we will select the Successful and Failed Delete options.

Figure: Auditing Entries

Now that we have set up auditing, we have to wait for our users to take actions. After some time, we can check Event Viewer to see if there were successful or failed auditing events. All audit events are stored in Windows Logs > Security. In our case we have logged on as the user Kim Verson and tried to delete a file in the User Data folder, so let’s see how we can find this in Event Viewer. In our case we had to use the Filter and Find options to find the appropriate entry, shown in the picture below.

Figure: Kim Verson Entry

In the details of the event we can see that the user Kim Verson tried to delete a file from the User Data folder, but that action was restricted. As you can see, there are many more auditing events listed. Be sure to check out at least some of them.
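
The same setup and check can be scripted. The following PowerShell is an added example, not part of the original walkthrough; it assumes an elevated prompt, an English-language system (auditpol category names are localized), and the C:\Docs\User Data folder from the demo.

```powershell
# Added example: run from an elevated PowerShell prompt on the audited machine.
$folder = 'C:\Docs\User Data'          # folder used in the walkthrough

# 1. Enable success and failure auditing for the Object Access category.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. Add an auditing entry (SACL) for successful and failed deletes.
#    S-1-5-11 is the well-known SID of Authenticated Users.
$who  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $who,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit    # -Audit loads the existing SACL too
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. List delete-related audit events for that folder from the Security log.
#    4656 = handle to an object requested (denied attempts are Audit Failure),
#    4663 = an attempt was made to access an object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the event's named data fields into a hashtable
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -like "$folder*") {
            New-Object PSObject -Property @{
                Time   = $evt.TimeCreated; EventId = $evt.Id
                Result = ($evt.KeywordsDisplayNames -join ', ')
                User   = $data['SubjectUserName']; Object = $data['ObjectName']
            }
        }
    } | Format-Table Time, EventId, Result, User, Object -AutoSize
```

Filtering on the ObjectName field narrows the Security log to the audited folder, which replaces the manual Filter and Find step in Event Viewer.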

Advanced Auditing Features

When compared to previous versions of Windows, in Windows 7 we have some more advanced auditing options. To check them out we have to go to Group Policy editor > Windows Settings > Advanced Audit Policy Configuration. Here we have more granular control of our auditing options.

Figure: Advanced Auditing

Advanced Auditing can give us a better view of what’s going on on our computer.