Microsoft KB Archive/325898

= How to set up and manage operation-based auditing for Windows Server 2003, Enterprise Edition =

Article ID: 325898

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

-



This article was previously published under Q325898





SUMMARY
This article describes how to set up and manage operation-based auditing in Windows Server 2003 Enterprise Edition. When you use operation-based auditing, you can audit operations on files and folders. This means that you can audit certain operations (for example, Write operations) and audit access to objects. Operation-based auditing is set up when you turn on object access auditing on a file or folder. Object access events and operations such as Write operations are recorded in the security log.

Operation-based audits are categorized as object audits, and they are logged as an event ID 567 in the security log. These audits are generated the first time an operation is performed. You can set up only files and folders to generate operation audits.

For the local computer
 Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. In the console tree, go to the following location, and then click Audit Policy:

Security Settings\Local Policies \Audit Policy

 In the details pane, double-click an event category for which you want to change the auditing policy settings. Perform one or both of the following tasks, and then click OK.  To audit successful attempts, click to select the Success check box. To audit unsuccessful attempts, click to select the Failure check box.</ul> </li></ol>

Notes
 * To perform this procedure, you must be a member of the Administrators group on the local computer.
 * If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure.
 * To make sure that you maintain a secure environment, consider using the run as command to perform this procedure.
 * If you are in the domain controller, you may have to edit the Default Domain policy on the domain.

For domain controllers or a workstation that has the Administration Tools pack installed
<ol> Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.</li> In the console tree, go to the following location, and then click Audit Policy:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

</li> In the details pane, double-click an event category for which you want to change the auditing policy settings.</li> If you are defining auditing policy settings for this event category for the first time, click to select the Define these policy settings check box.</li> Perform one or both of the following tasks, and then click OK. <ul> To audit successful attempts, click to select the Success check box.</li> To audit unsuccessful attempts, click to select the Failure check box.</li></ul> </li></ol>

Notes
 * To perform this procedure, you must be a member of the Administrators group on the local computer.
 * If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure.
 * To make sure that you maintain a secure environment, consider using the run as command to perform this procedure.

For a domain or organizational unit on a domain controller or a workstation that has the Administration Tools Pack installed
<ol> Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.</li> In the console tree, right-click the domain or organizational unit for which you want to set Group Policy.</li> Click Properties, and then click the Group Policy tab.</li> Click Edit to open the Group Policy object (GPO) that you want to edit.

Alternatively, click New to create a new GPO, and then click Edit.</li> In the console tree, go to the following location, and then click Audit Policy:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

</li> In the details pane, double-click an event category for which you want to change the auditing policy settings.</li> If you are defining auditing policy settings for this event category for the first time, click to select the Define these policy settings check box.</li> Perform one or both of the following, and then click OK. <ul> To audit successful attempts, click to elect the Success check box.</li> <li>To audit unsuccessful attempts, click to select the Failure check box.</li></ul> </li></ol>

Notes
 * To perform this procedure, you must be a member of the Administrators group on the local computer.
 * If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure.
 * To make sure that you maintain a secure environment, consider using the run as command to perform this procedure.
 * If you are in the domain controller, you may have to edit the Default Domain policy on the domain.

For a domain or organizational unit on a member server or a workstation that is joined to a domain
<ol> <li>Click Start, click Run, type mmc, and then click OK.</li> <li>In the File menu, click Add/Remove Snap-in, and then click Add.</li> <li>Click Group Policy Object Editor, and then click Add.</li> <li>On the Select Group Policy Object page in the Group Policy Wizard, click Browse.</li> <li>Either select a GPO in the appropriate domain, site, or organizational unit or create a new one, click OK, and then click Finish.</li> <li>Click Close, and then click OK.</li> <li>In the console tree, go to the following location, and then click Audit Policy:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

</li> <li>In the details pane, double-click an event category for which you want to change the auditing policy settings.</li> <li>If you are defining auditing policy settings for this event category for the first time, click to select the Define these policy settings check box.</li> <li>Perform one or both of the following tasks, and then click OK. <ul> <li>To audit successful attempts, click to select the Success check box.</li> <li>To audit unsuccessful attempts, click to select the Failure check box.</li></ul> </li></ol>

Notes
 * To perform this procedure, you must be a member of the Administrators group on the local computer.
 * If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure.
 * To make sure that you maintain a secure environment, consider using the run as command to perform this procedure.
 * If you are in the domain controller, you may have to edit the Default Domain policy on the domain.
 * To audit object access, follow the steps above to turn on auditing of the object access event category, and then turn on audit on the specific object.
 * After you configure the auditing policy, events are recorded in the security log. Open the security log to view these events.
 * You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure.
 * The default auditing policy setting for domain controllers is No Auditing. This setting means that even if auditing is turned on in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting.

How to apply or modify auditing policy settings for a local file or folder

 * 1) Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
 * 2) Locate the file or folder that you want to audit.
 * 3) Right-click the file or folder, click Properties, and then click the Security tab.
 * 4) Click Advanced, and then click the Auditing tab.
 * 5) Perform one of the following tasks:
 * 6) * To set up auditing for a new user or group, click Add, type the name of the user or group that you want to configure in the Enter the object name to select box, and then click OK.
 * 7) * To remove auditing for an existing group or user, click the group or user name, click Remove, click OK, and then skip the rest of this procedure.
 * 8) * To view or change auditing for an existing group or user, click the group or user name, and then click Edit.
 * 9) In the Apply onto box, click the location where you want auditing to occur.
 * 10) In the Access box, select the appropriate check boxes to indicate the actions you want to audit:
 * 11) * To audit successful events, click to select the Successful check box.
 * 12) * To stop auditing successful events, click to clear the Successful check box.
 * 13) * To audit unsuccessful events, click to select the Failed check box.
 * 14) * To stop auditing unsuccessful events, click to clear the Failed check box.
 * 15) * To stop auditing all events, click Clear All.
 * 16) If you want to prevent subsequent files and subfolders of the original object from inheriting these audit settings, click to select the Apply these auditing entries to objects and/or containers within this container only check box.

Important Before you set up auditing for files and folders, you must turn on object access auditing by defining auditing policy settings for the object access event category. If you do not turn on object access auditing, you receive an error message when you set up auditing for files and folders and files or folders are not audited.

Notes
 * You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure.
 * You can set up file and folder auditing only on NTFS drives.
 * After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
 * If you see the following settings, auditing has been inherited from the parent folder:
 * In the Auditing Entry for File or Folder dialog box, the check boxes are unavailable in the Access box.
 * In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable
 * Because the security log is limited in size, carefully select the files and folders that you want to be audited. Also, consider the disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

How to apply or modify auditing policy settings for an object by using Group Policy
<ol> <li>Click Start, click Run, type mmc, and then click OK.</li> <li>On the File menu, click Add/Remove Snap-in, and then click Add.</li> <li>Click Group Policy Object Editor, and then click Add.</li> <li>On the Select Group Policy Object page in the Group Policy Wizard, click Browse.</li> <li>Either select a GPO in the appropriate domain, site, or organizational unit or create a new one, click OK, and then click Finish.</li> <li>Click Close, and then click OK.</li> <li>Perform one or more of the following tasks: <ul> <li>System services: <ol> <li>In the console tree, go to the following location, and then click System services:

Computer Configuration/Windows Settings/Security Settings/System services

</li> <li>In the details pane, right-click the service that you want to either apply or modify auditing policy settings for, and then click Properties.</li> <li>If it is not already selected, select the Define this policy setting check box, and then select the appropriate setting.</li> <li>Click Edit security.</li></ol> </li> <li>Registry keys: <ol> <li>In the console tree, go to the following location, and then click Registry:

Computer Configuration/Windows Settings/Security Settings/System Services/Registry

</li> <li>If you want to add a registry key to this GPO to audit, right-click Registry, click Add Key, go to the key that you want to configure, and then click OK.</li> <li>If you want to apply or modify auditing settings on a registry key that has already been added to this GPO, right-click the registry key in the details pane, click Properties, and then click Edit Security.</li></ol> </li> <li>Files or folders: <ol> <li>In the console tree, go to the following location, and then click File System:

Computer Configuration/Windows Settings/Security Settings/File System

</li> <li>If you want to add a file or folder to this GPO to audit, right-click File System, click Add File, either go to the file that you want to add or make a new folder, and then click OK.</li> <li>If you want to apply or modify auditing settings on a file or folder that has already been added to this GPO, right-click the file or folder in the details pane, click Properties, and then click Edit Security.</li></ol> </li></ul> </li> <li>Click Advanced, and then click the Auditing tab.</li> <li>Perform one of the following tasks: <ul> <li>To set up auditing for a new user or group, click Add, type the name of the user or group that you want to add in the Enter the object name to select box, and then click OK.</li> <li>To view or change auditing for an existing group or user, click the name that you want to view, and then click Edit.</li> <li>To remove auditing for an existing group or user, click the name that you want to remove, click Remove, click OK, and then skip the rest of this procedure.</li></ul> </li> <li>Select the appropriate entry in the Apply onto list.</li> <li>In the Access box, perform the following tasks: <ul> <li>To audit successful events, click to select the Successful check box.</li> <li>To stop auditing successful events, click to clear the Successful check box.</li> <li>To audit unsuccessful events, click to select the Failed check box.</li> <li>To stop auditing unsuccessful events, clear the Failed check box.</li> <li>To stop auditing all events, click Clear All.</li></ul> </li> <li>If you want to prevent files and subfolders in the tree from inheriting these audit entries, click to select the Apply these auditing entries to objects and/or containers within this container only check box.</li></ol>

Important Before you set up auditing for files and folders, you must turn on object access auditing by defining auditing policy settings for the object access event category. If you do not turn on object access auditing, you receive an error message when you set up auditing for files and folders and files or folders are not audited.

Notes
 * You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure.
 * You can set up file and folder auditing only on NTFS drives.
 * After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
 * If you see the following settings, auditing has been inherited from the parent folder:
 * In the Auditing Entry for File or Folder dialog box, the check boxes are unavailable in the Access box.
 * In the Advanced Security Settings for File or Folder dialog box, the Remove button is unavailable
 * Because the security log is limited in size, carefully select the files and folders that you want to be audited. Also, consider the disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

Keywords: kbmgmtservices kbsecurity kbhowtomaster KB325898

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.