Auditing File Access In Windows NT/2000/XP/2003
Last Updated: 23 Sep 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
File Auditing is a feature of NT Security that lets you
establish which user account was responsible for what
activity on your NT4 or 2000/2003 machine or domain. By
default, no auditing is configured in NT4 or 2000, so you
will want to correct that right away. The defaults in
Windows Server 2003 reflect a greater security
consciousness than in previous versions of Windows.
You can manage your audit policy using the following
tools:
• USRMGR ................. Native Utility
• MMC (SECPOL.MSC) ....... Native Utility (Win2K and later)
• AUDITPOL ............... Resource Kit
OTHER UTILITIES
• ACCTINFO.DLL ........... Resource Kit -- Server 2003
Windows 2000 and 2003 provide even more categories for
auditing, as compared to NT4, and the new version of
AUDITPOL in the 2000 ResKit adds several parameters.
Group policy is the preferred mechanism for setting
Auditing in 2000, XP and 2003.
NT4 AUDITING
System : System events
Logon : Logon/Logoff events
Object : Object access
Privilege : Use of privileges
Process : Process tracking
Policy : Security policy changes
Sam : SAM changes
WIN2K AUDITING
System : System events
Logon : Logon/Logoff events
Object : Object access
Privilege : Use of privileges
Process : Process tracking
Policy : Security policy changes
Sam : SAM changes
Directory : Directory access
Account : Account logon events
CONFIGURATION
My auditing is configured as follows:
• System = Success and Failure
• Logon = Success and Failure
• Object Access = Failure
• Privilege Use = Failure
• Process Tracking = Failure
• Policy Change = Success and Failure
• Account Management = Success and Failure
• Directory Service Access = Success and Failure
• Account Logon = Success and Failure
SCRIPTING SAMPLES
You can change your Auditing configuration with the
following script:
*** Requires NT4 or higher PLUS Server ResKit ***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REM %1 = target computer as \\NAME (omit it to set the local machine's policy)
auditpol %1 /ENABLE /system:ALL /logon:FAILURE /object:FAILURE /privilege:FAILURE /process:NONE /policy:ALL /sam:ALL /directory:FAILURE /account:FAILURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
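The following batch file is an added example (it is not this archive's SetAudit.BAT) that applies the exact settings listed under CONFIGURATION using the Resource Kit AUDITPOL, shows the policy before and after so the change can be verified, and defaults to the local machine when no computer name is given. It assumes the NT4/2000/2003 ResKit AUDITPOL syntax used above; the AUDITPOL.EXE built into Vista/2008 and later uses a different syntax, so this script is not for those versions.

```batch
@echo off
REM SetAuditPolicy.BAT -- added example, not the archive's SetAudit.BAT.
REM Applies the audit policy listed under CONFIGURATION with the
REM Resource Kit AUDITPOL (NT4/2000/2003 ResKit syntax; ALL = Success
REM and Failure, FAILURE = Failure only, NONE = off).
REM Usage:  SetAuditPolicy.BAT [\\computername]   (no argument = local machine)

SETLOCAL
SET TARGET=%1
IF "%TARGET%"=="" SET TARGET=\\%COMPUTERNAME%

REM Record the policy that is in force before changing it. With no
REM switches, the ResKit AUDITPOL displays the current settings.
ECHO Current audit policy on %TARGET%:
AUDITPOL %TARGET%
ECHO.

REM Category switches follow the WIN2K AUDITING table above:
REM   /sam = Account Management, /directory = Directory Service Access,
REM   /account = Account Logon. The last two exist only on 2000 and
REM   later; leave them off when targeting an NT4 machine.
AUDITPOL %TARGET% /ENABLE /system:ALL /logon:ALL /object:FAILURE /privilege:FAILURE /process:FAILURE /policy:ALL /sam:ALL /directory:ALL /account:ALL
IF ERRORLEVEL 1 (
    ECHO AUDITPOL reported an error. Check that the ResKit tool is in the
    ECHO PATH and that you are an administrator on %TARGET%.
    GOTO :END
)

REM Display the result so the change can be confirmed (and logged).
ECHO New audit policy on %TARGET%:
AUDITPOL %TARGET%

:END
ENDLOCAL
```

Because enabling a category is itself a policy change, the run above produces a Policy Change audit entry in the Security log of the target machine, which is a convenient first check that the new configuration is in effect.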
ACCESSING AUDIT CONFIGURATION VIA GUI
• Windows 2000 and Later (excluding XP Home):
1. START --> RUN --> SECPOL.MSC
2. Expand "Local Security Settings"
3. Expand "Local Policies"
4. Select "User Rights Assignment"
3RD PARTY TOOLS
• http://www.foundstone.com/knowledge/free_tools.html
• http://www.pedestalsoftware.com/utilities/download_trials.asp
• http://www.chambet.com/tools.html
• http://www.greyware.com/software/logonmon/
WHITEPAPERS & TECH DOCUMENTS
• http://www.microsoft.com/downloads/details.aspx?FamilyID=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
• http://www.microsoft.com/downloads/details.aspx?FamilyID=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&DisplayLang=en
• http://www.microsoft.com/downloads/details.aspx?FamilyID=1B6ACF93-147A-4481-9346-F93A4081EEA8&DisplayLang=en
• http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/w2kscgcb.mspx
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://msdn.microsoft.com/library/periodic/period00/ewn0054.htm
• http://support.microsoft.com/?KBID=248260
• http://support.microsoft.com/?KBID=221930
• http://support.microsoft.com/?KBID=170834
• http://support.microsoft.com/?KBID=151720
• http://support.microsoft.com/?KBID=140058
• http://support.microsoft.com/?KBID=163905
• http://support.microsoft.com/?KBID=174074
• http://support.microsoft.com/?KBID=140714
• http://KB.UltraTech-llc.com/Docs/?File=AuditingWin2K.pdf
• http://KB.UltraTech-llc.com/Docs/?File=AuditingWin2K.doc
• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADDITIONAL SEARCH OPTIONS (MS KB)
• http://msdn.microsoft.com/
• http://www.microsoft.com/technet/
• http://www.microsoft.com/
EXACT PHRASE ........... "File Audit"
ALL WORDS .............. "Security Audit"
ALL WORDS .............. "Local Security Policy"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PERSONAL NOTES
• Sep 2005: Updated information on connecting via the
MMC in 2000 and above. Also added link to the Audit
resource provided by Ed Ziots
• Process Tracking is hideously disk intensive, so I
only configure it for purposes of an investigation,
otherwise it stays off. For the most part, I only
care about logon failures, but I *always* want to
be notified of policy changes.
• Once you enable Auditing, you should consider daily
archiving of your EventLogs and expand them to a
more reasonable size (say, 8MB or 16MB).
• Windows Server 2003 comes installed with more
(and better) security defaults, along with more
options for auditing.
• Group policy is the preferred mechanism for setting
Auditing in 2000, XP and 2003.
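As an added example (not a script from this archive) of the daily archiving suggested in the notes above, the batch file below dumps the last day of the Security EventLog of a machine to a dated text file in an archive folder, suitable for scheduling with AT or Task Scheduler. It assumes the Resource Kit DUMPEL tool with the switches -s (server), -l (log), -d (days back), -t (tab-delimited) and -f (output file), and it relies on the Windows 2000 and later CMD extensions (%DATE% and %VAR:~n,m% substrings), so it does not run on NT4.

```batch
@echo off
REM ArchiveSecLog.BAT -- added example, not part of this archive.
REM Dumps the last day of the Security EventLog to a dated text file so
REM it can be archived before the log wraps. Assumes the ResKit DUMPEL
REM tool and Windows 2000+ CMD extensions.
REM Usage:  ArchiveSecLog.BAT [\\computername] [archive folder]

SETLOCAL
SET TARGET=%1
IF "%TARGET%"=="" SET TARGET=\\%COMPUTERNAME%
SET ARCHIVE=%2
IF "%ARCHIVE%"=="" SET ARCHIVE=C:\LogArchive
IF NOT EXIST "%ARCHIVE%" MD "%ARCHIVE%"

REM Build a YYYYMMDD stamp from %DATE%. The substring offsets assume the
REM US short date format "Ddd MM/DD/YYYY" (an assumption; adjust the
REM offsets for your locale).
SET STAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Strip the leading backslashes so the computer name is usable in a file name.
SET NAME=%TARGET:\\=%
SET OUTFILE=%ARCHIVE%\Security-%NAME%-%STAMP%.txt

REM -d 1 = events from the last day; -t writes tab-delimited output that
REM imports cleanly into a spreadsheet or database for review.
DUMPEL -s %TARGET% -l security -d 1 -t -f "%OUTFILE%"
IF ERRORLEVEL 1 (
    ECHO DUMPEL failed for %TARGET% -- the Security log was NOT archived.
) ELSE (
    ECHO Security log from %TARGET% archived to %OUTFILE%
)
ENDLOCAL
```

DUMPEL only copies events; it does not clear the log, so the archive is a safety net rather than a replacement for raising the maximum log size in Event Viewer (the Security log's properties) as the note above recommends. Keep the archive folder on a volume that ordinary users cannot read, since the dumped log contains the same account names and logon details as the original.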
RELATED SCRIPTS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/Scripts/?File=SetAudit.BAT
RELATED TOPICS (ALSO IN THIS ARCHIVE)
• http://KB.UltraTech-llc.com/?File=NTRights.TXT
• http://KB.UltraTech-llc.com/?File=EventLog.TXT
• http://KB.UltraTech-llc.com/?File=SysLog.TXT
• http://KB.UltraTech-llc.com/?File=Perms.TXT
• http://KB.UltraTech-llc.com/?File=Scripting.TXT
• http://KB.UltraTech-llc.com/?File=Security.TXT
• http://KB.UltraTech-llc.com/?File=ResKit.TXT
• http://KB.UltraTech-llc.com/?File=ToolKit.TXT
• http://KB.UltraTech-llc.com/?File=Utils.TXT