1 Chapter Overview Planning an Audit Policy Implementing an Audit Policy Using Event Viewer

Upload: poppy-byrd

Post on 30-Jan-2016


TRANSCRIPT

Page 1: 1 Chapter Overview Planning an Audit Policy Implementing an Audit Policy Using Event Viewer

1

Chapter Overview

Planning an Audit Policy
Implementing an Audit Policy
Using Event Viewer

Page 2

Auditing

Auditing is a network security tool that lets you track
  User activities
  Microsoft Windows XP Professional system events

Windows XP Professional can record events in the security log, for example
  Valid and invalid logon attempts
  Events related to creating, opening, or deleting files or other objects

Page 3

Using an Audit Policy

An audit policy defines the types of events recorded in the security log.
Windows XP Professional writes events to the security log on the computer where the event occurs.

You can set up an audit policy for a computer to
  Track the success and failure of events
  Minimize the risk of unauthorized use of resources

Page 4

Determining What to Audit

Determine which computers need auditing. Auditing is turned off by default.

Plan what to audit on each computer.

Page 5

Selecting Events to Audit

Accessing files and folders
Logging on and off
Shutting down and restarting a computer
Changing user accounts and groups
Attempting to make changes to objects in the Active Directory service (these events are recorded in the security log of the domain controller that processes the change)

Page 6

Auditing Successful Events and Failed Events

Tracking successful events
  Tells you how often Windows XP Professional or users access objects
  Helps you plan resources

Tracking failed events
  Alerts you to security breaches
  Identifies frequent failed logon attempts

Page 7

Auditing Policy Guidelines

Determine if you need to track system usage trends.
Review security logs frequently.
Define a useful, meaningful, and manageable audit policy.

Page 8

Configuring Auditing

Auditing requirements
  You must have the Manage Auditing And Security Log user right.
  The files and folders to be audited must be on NT file system (NTFS) volumes.

Setting up auditing is a two-part process.
  Set the audit policy.
  Enable auditing of specific resources.

Page 9

Setting an Audit Policy

Page 10

Auditing Access to Files and Folders

If security breaches are an issue, set up auditing for files and folders on an NTFS volume.

Set up your audit policy to audit object access, and then
  Enable auditing for specific files and folders
  Specify which types of access to audit
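The two-part setup described on the last three slides (set the audit policy, then enable auditing on specific resources), done from PowerShell 2.0 on Windows XP Professional instead of the Local Security Policy and Explorer dialogs. This is an added example, not code from the original slides. It applies a security template with secedit.exe to turn on Audit object access, then adds an audit entry (SACL) to one folder. The scratch paths, the folder name and the chosen access types are assumptions.

```powershell
# Added example (not from the original slides): two-part auditing setup on
# Windows XP Professional. Both parts need the "Manage auditing and security
# log" user right, and the folder must be on an NTFS volume.
$TemplatePath = 'C:\Temp\audit-object-access.inf'   # assumed scratch location
$DatabasePath = 'C:\Temp\audit-object-access.sdb'   # assumed scratch location
$Folder       = 'C:\Payroll'                        # assumed folder to audit

# ---- Part 1: set the audit policy -------------------------------------------
# Security-template values for [Event Audit]:
#   0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
# Only Audit object access is listed, so the other categories are left unchanged.
$Template = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditObjectAccess = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@
# secedit expects a UTF-16 LE template when Unicode=yes.
Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode

& secedit.exe /configure /db $DatabasePath /cfg $TemplatePath /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit /configure failed (exit code $LASTEXITCODE); see %windir%\security\logs\scesrv.log"
}
# On Windows Vista and later the built-in equivalent is:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable

# ---- Part 2: enable auditing on the folder ----------------------------------
# -Audit makes Get-Acl read the SACL, so that Set-Acl writes it back.
$Acl = Get-Acl -Path $Folder -Audit

# Audit Everyone for the access types that matter in a tampering case (changes,
# deletions, permission and ownership changes), success and failure, inherited
# by subfolders and files.
$Rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# ---- Verify both parts -------------------------------------------------------
# Export the effective local policy; the object-access line should read "AuditObjectAccess = 3".
$ExportPath = 'C:\Temp\effective-policy.inf'           # assumed scratch location
& secedit.exe /export /cfg $ExportPath /areas SECURITYPOLICY
Get-Content $ExportPath | Select-String -Pattern '^AuditObjectAccess'

# List the audit entries now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Part 1 without part 2 produces no file events at all, and part 2 without part 1 produces none either, which is why the verification step checks both the exported policy and the folder's audit entries. Auditing Everyone for Read on a busy share is the usual way to flood a 512 KB security log, so the rule above is restricted to write-type access.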

Page 11

Events That Can Be Audited for Files and Folders

Page 12

Auditing Access to Printers

Audit access to printers to track access to sensitive printers.

Set your audit policy to audit object access.

Enable auditing for specific printers.
Specify the type of access to audit.
Specify which users and groups to audit.

Page 13

Printer Events That Can Be Audited

Page 14

Understanding Windows XP Professional Logs

Use Event Viewer to view Windows XP Professional logs.

By default, Event Viewer contains three logs:
  Application log
  Security log
  System log

Page 15

Viewing Security Logs

Type column: shows successful events (Success Audit, with a key icon) and unsuccessful events (Failure Audit, with a lock icon)
Date column: shows the date the event occurred
Time column: shows the time the event occurred
Source column: shows the software that recorded the event (it can be an application or a component of the system)
Category column: shows the type of event, such as object access, account management, directory service access, or logon events
Event column: shows the Event ID
User column: lists the user who succeeded or failed in the security access attempt
Computer column: shows the computer the event occurred on

Page 16

Locating Events
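A programmatic counterpart to Event Viewer's Filter and Find commands, and to the "identifies frequent failed logon attempts" point made under Auditing Successful Events and Failed Events. This is an added example, not code from the original slides. On Windows XP Professional a failed logon is recorded as Event ID 529 (unknown user name or bad password) and a lockout as 539; Windows Vista and later record 4625 instead. The function reads the fields that XP places in the event's message body, groups failures by account and reports accounts at or above a threshold. The threshold, the time window and the sample events are assumptions constructed for the example.

```powershell
# Added example (not from the original slides): summarize failed logons from the
# Windows XP Professional security log. Reading the Security log needs the
# "Manage auditing and security log" user right.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Event,
        [int] $Threshold = 5      # assumed: report accounts with this many failures or more
    )
    begin { $events = @() }
    process { $events += $Event }
    end {
        # XP security events carry the account and workstation in the message body,
        # one "Label:<tab>value" field per line.
        $rows = foreach ($e in $events) {
            $user = $null; $ws = $null
            if ($e.Message -match '(?m)^\s*User Name:\s*(\S+)')        { $user = $matches[1] }
            if ($e.Message -match '(?m)^\s*Workstation Name:\s*(\S+)') { $ws   = $matches[1] }
            if ($user) {
                New-Object PSObject -Property @{
                    Time = $e.TimeGenerated; EventID = $e.EventID; User = $user; Workstation = $ws
                }
            }
        }
        $rows | Group-Object User | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            $stations = $_.Group | ForEach-Object { $_.Workstation } | Where-Object { $_ } | Sort-Object -Unique
            New-Object PSObject -Property @{
                User         = $_.Name
                Failures     = $_.Count
                FirstFailure = $sorted[0].Time
                LastFailure  = $sorted[-1].Time
                Workstations = ($stations -join ',')
            }
        }
    }
}

# Live use: failed logons and lockouts from the last 24 hours (window is an assumption).
# Get-EventLog -LogName Security -InstanceId 529, 539 -After (Get-Date).AddHours(-24) |
#     Get-FailedLogonSummary -Threshold 5 |
#     Format-Table User, Failures, FirstFailure, LastFailure, Workstations -AutoSize

# Constructed sample events in the shape Get-EventLog returns, so the function can be
# tried without access to a real Security log: seven failures for "bob", one for "alice".
function New-SampleFailure($User, $Station, $Minute) {
    New-Object PSObject -Property @{
        TimeGenerated = (Get-Date '2016-01-30 09:00').AddMinutes($Minute)
        EventID       = 529
        Message       = "Logon Failure:`n`tReason:`t`tUnknown user name or bad password`n`tUser Name:`t$User`n`tDomain:`t`t$Station`n`tLogon Type:`t2`n`tWorkstation Name:`t$Station"
    }
}
$Sample = @()
$Sample += 0..6 | ForEach-Object { New-SampleFailure 'bob' 'WKS01' $_ }
$Sample += New-SampleFailure 'alice' 'WKS02' 3

$Sample | Get-FailedLogonSummary -Threshold 5 |
    Format-Table User, Failures, FirstFailure, LastFailure, Workstations -AutoSize
```

Only accounts that reach the threshold are listed, so the output for the constructed sample contains the account with repeated failures and omits the single failure, which is the same narrowing Event Viewer's Filter dialog gives when it is set to Failure Audit and a specific Event ID.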

Page 17

Managing Logs

You can control the maximum size of the logs. The default size is 512 KB; the size can be set between 64 KB and 4 GB, in 64 KB increments.

You can specify what to do when a log is full.
  Overwrite events as needed.
  Overwrite events older than x days.
  Do not overwrite events. (A full log then stops recording until it is cleared manually, so this setting needs a regular archiving routine.)

Page 18

Archiving Logs

Keep logs for a specified period to track security-related information over time.

Configure logs in Event Viewer.
Archive the log.
Clear the log.
View an archived log.
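The Managing Logs and Archiving Logs steps from the last two slides, run from PowerShell 2.0 on Windows XP Professional rather than from the log's Properties dialog in Event Viewer. This is an added example, not code from the original slides. It sets the size and overflow behaviour, archives the security log to a native .evt file through the Win32_NTEventlogFile WMI class, and clears the log only after the archive exists. The archive folder and the chosen size are assumptions.

```powershell
# Added example (not from the original slides): size, archive and clear the
# Windows XP Professional security log. Needs the "Manage auditing and security
# log" user right; the archive step also uses the backup privilege.
$ArchiveDir = 'C:\LogArchive'      # assumed archive location
if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }

# 1. Size and overflow behaviour. The 512 KB default fills quickly once object
#    access is audited; the allowed range is 64 KB to 4 GB. DoNotOverwrite means a
#    full log stops recording until it is cleared, so it is paired with an archive below.
Limit-EventLog -LogName Security -MaximumSize 64MB -OverflowAction DoNotOverwrite

# 2. Archive. BackupEventLog writes the same .evt format as Event Viewer's
#    "Save Log File As", which "Open Log File" can read back later.
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$ArchivePath = Join-Path $ArchiveDir "Security-$env:COMPUTERNAME-$Stamp.evt"
$Log = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogFileName='Security'" -EnableAllPrivileges
$rc  = $Log.BackupEventLog($ArchivePath).ReturnValue
if ($rc -ne 0) { throw "BackupEventLog failed with return code $rc" }

# 3. Clear only after the archive is on disk. The clearing itself is audited as
#    Event ID 517 on Windows XP (1102 on Windows Vista and later), so a gap in the
#    archive chain is visible to a reviewer.
if ((Get-Item $ArchivePath).Length -gt 0) {
    Clear-EventLog -LogName Security
}

# 4. Confirm the settings and the archive.
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays
Get-ChildItem -Path $ArchiveDir -Filter 'Security-*.evt' | Select-Object Name, Length, LastWriteTime
```

Run as a scheduled task, steps 2 and 3 give the retention the Archiving Logs slide asks for without relying on "Overwrite events as needed", which would let an attacker push older evidence out of the log by generating noise.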

Page 19

Chapter Summary

Auditing helps ensure that your network is secure by tracking user activities and system-wide events.

Windows XP Professional records audited events in the security log.

In planning an audit policy, you must decide on which computers to set up auditing and what to audit on each one.

After you set your audit policy to audit object access, you can enable auditing for specific files, folders, and printers and specify which types of access to audit.

Page 20

Chapter Summary (Cont.)

You must have the Manage Auditing And Security Log user right for the computer on which you want to configure an audit policy or review an audit log.

You use the Group Policy snap-in to set audit policies.

You use Event Viewer to view the contents of the Windows XP Professional logs.

Windows XP Professional has the following three logs by default: the application log, the security log, and the system log.

Page 21

Chapter Summary (Cont.)

You use the Filter and Find commands in Event Viewer to easily locate specific events or types of events.

You view the security log on a remote computer by opening the MMC console and pointing Event Viewer to the remote computer.

You manage the Windows XP Professional logs by archiving them (to allow you to track trends over time) and by controlling the size of the log files.