Windows NT Server Auditing
Audit Policy
These policies are set using the "User Manager". Success or failure of the following events may be logged:
- Logon and logoff
- Object and file access
- Changes to security policies
- Use of user rights
- Group and user management
- System shutdown and restart
- Starting applications (process tracking)
Directory service database auditing requires auditing of "User and Group Management".
File Auditing
The "User Manager for Domains" administrative tool is used to enable system-wide file auditing. The file system to be audited must be NTFS. There is no auditing service for performing system auditing. Under the "Policies" menu, select "Audit" to choose the events below. Failure and success of the following file events may be audited:
- Read
- Write
- Execute
- Delete
- Change Permissions
- Take Ownership
After file and object auditing is enabled, auditing must be set up in the individual share folders for:
- Users and groups whose actions are to be audited.
- The actions listed above that you want audited.
Viewing the Audit Log
Use the "Event Viewer" administrative tool to view the logs. From the "Log" menu, select "Security".