Wednesday, November 11, 2009

Audit Policy Settings (Basic to In-depth Home Computer Security Guide, Page 24)


Audit Policy Settings

The user can set the Audit Policy Settings to determine which security events (user or system activity) are reported. For example, the user can choose to audit failed logon attempts, which might indicate that someone is trying to log on with an invalid password (perhaps using a program to automate the attack), or to monitor the use of a particular sensitive file. The user can also choose to monitor changes to user accounts and passwords, changes to security policies, and use of privileges that might reveal that someone is trying to "administer" the user's computer, perhaps not with the user's best interests in mind.
Unlike the other logs that appear in Event Viewer, the Security log is disabled by default in Windows XP Professional and Windows 2000. No events are written to the Security log until the user enables auditing, which is done via Local Security Settings. (In Windows XP Home Edition, security auditing is enabled for certain events. Because Home Edition doesn't include Local Security Settings, the user cannot change which events are audited unless he uses a tool like Auditpol.exe, which is included in the Windows 2000 Resource Kit.) Even if the user sets up auditing for files, folders, or printers, the events he specified aren't recorded unless he also enables auditing by setting a high-level audit policy in Local Security Settings.

To edit the Audit Policy Settings, open Start menu\Settings\Control Panel\Administrative Tools\Local Security Settings\Local Policies\Audit Policy and check the boxes accordingly.

The following table lists the audit policies available in the Windows operating system with their respective descriptions.

Table-1: Audit Policies for Security Events

Audit account logon events: Account logon events occur when a user attempts to log on or log off across the network, authenticating to a local user account.

Audit account management: Account management events occur when a user account or security group is created, changed, or deleted; when a user account is renamed, enabled, or disabled; or when a password is set or changed.

Audit directory service access: Directory service access events occur when a user attempts to access an Active Directory object. (If the computer is not part of a Windows domain, these events won't occur.)

Audit logon events: Logon events occur when a user attempts to log on or log off a workstation interactively.

Audit object access: Object access events occur when a user attempts to access a file, folder, printer, registry key, or other object that is set for auditing.

Audit policy change: Policy change events occur when a change is made to user rights assignment policies, audit policies, trust policies, or password

Audit privilege use: Privilege use events occur when a user exercises a user right (other than logon, logoff, and network access rights, which trigger other types of

Audit process tracking: Process tracking includes events such as program activation, handle duplication, indirect object access, and process exit. Although this policy generates a large number of events to wade through, it can provide useful information, such as which program a user used to access an object.

Audit system events: System events occur when a user restarts or shuts down the computer or when an event affects the system security or the Security log.

Local Security Settings has some additional policies that affect auditing, but they're not in the Audit Policy folder. Instead, look in the Security Settings\Local Policies\Security Options folder for these policies:

• Audit: Audit the use of Backup and Restore privilege. Enable this policy if the user wants to know when someone uses a backup program to back up or restore files. To make this policy effective, the user must also enable Audit Privilege Use in the Audit Policy folder.

• Audit: Shut down system immediately if unable to log security audits.

• Audit: Audit the access of global system objects. This policy affects auditing of obscure objects (mutexes and semaphores, for example) that aren't used in most home and small business networks; users can safely ignore it.

The user should enable only the audit policies he needs to monitor, since auditing is time-consuming and can consume a lot of resources. When auditing is enabled, the system must write an event record to the Security log for each audit check it performs, and this activity can degrade the computer's performance. There is no need to enable them all; the choice depends purely on the user's requirements. For example, Audit Directory Service Access is not required for a home user who is not connected to any Windows Active Directory network.

In addition, indiscriminate auditing adds many events of little value to the log, making the real security issues more difficult to find. And because the Security log has a fixed size, filling it with unimportant events could displace other, more significant events.

Here are some suggestions for what the user should consider auditing:

• Audit failed logon attempts, which might indicate that someone is trying to log on with various invalid passwords.

• If the user is concerned about someone using a stolen password to log on, audit successful logon events.

• To detect use of sensitive files (a payroll data file, for example) by unauthorized users, audit successful read and write access as well as failed attempts to use the file by suspected users or groups.

• If the user uses his computer as a Web server, he will want to know whether an attacker has defaced his Web pages. By auditing write access to the files that make up the Web pages, the user will know whether his site has been vandalized.

• To detect virus activity, audit successful write access to program files (files with .exe, .com, and .dll file name extensions).

• If the user is concerned that someone is misusing administrative privileges, audit successful incidents of privilege use, account management, policy changes, and system events.
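The procedure above configures audit policy by hand in Local Security Settings. The following script is an added example, not part of the guide, showing the same selective approach applied with auditpol.exe as shipped in Windows Vista and later (Windows XP does not include this version of the tool, so the Local Security Settings path given earlier applies there). It enables only the items the guide suggests for a home user: failed logons, account management, policy changes and system events. The subcategory names are the Vista-and-later names that correspond to the Table-1 rows; the function name Set-AuditSubcategory and the backup file location are this example's own choices.

```powershell
# Added example (not from the guide): enable only the audit settings the guide
# recommends, using auditpol.exe from Windows Vista and later.
# Run from an elevated PowerShell prompt.

#Requires -RunAsAdministrator

function Set-AuditSubcategory {
    # Wraps "auditpol /set". Only the switches you pass are sent, so enabling
    # failure auditing for Logon leaves its success setting exactly as it was.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('enable', 'disable')] [string] $Success,
        [ValidateSet('enable', 'disable')] [string] $Failure
    )
    $auditArgs = @('/set', "/subcategory:$Name")
    if ($Success) { $auditArgs += "/success:$Success" }
    if ($Failure) { $auditArgs += "/failure:$Failure" }
    & auditpol.exe @auditArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for '$Name' (exit code $LASTEXITCODE)"
    }
}

# Keep a copy of the current policy first so the change can be undone with
#   auditpol /restore /file:<path>
$backup = Join-Path $env:TEMP ('auditpol-before-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
& auditpol.exe /backup /file:$backup | Out-Null
"Previous audit policy saved to $backup"

# The guide's minimal home-user set. Directory service access is deliberately
# left alone: as the guide notes, it is irrelevant on a machine that is not
# joined to a domain.
Set-AuditSubcategory -Name 'Logon'                     -Failure enable
Set-AuditSubcategory -Name 'Account Lockout'           -Success enable -Failure enable
Set-AuditSubcategory -Name 'User Account Management'   -Success enable -Failure enable
Set-AuditSubcategory -Name 'Security Group Management' -Success enable -Failure enable
Set-AuditSubcategory -Name 'Audit Policy Change'       -Success enable -Failure enable
Set-AuditSubcategory -Name 'Security State Change'     -Success enable -Failure enable

# Verify what is now in effect for the whole Logon/Logoff category.
& auditpol.exe /get /category:'Logon/Logoff'
```

If a Group Policy also sets the legacy nine-category audit policy shown in Table-1, those category settings win over the subcategory settings above unless the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so check `auditpol /get /category:*` after a policy refresh rather than assuming the change stuck.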

Event Viewer

Event Viewer is a component the user can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. It maintains logs of three kinds: application, system, and security.

Check the Security log in Event Viewer regularly.

To open Event Viewer, follow the path given below:

Start menu\Settings\Control Panel\Administrative Tools\Event Viewer
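Reviewing the Security log by eye works for a handful of entries, but the guide's first suggestion (watch for failed logon attempts) is easier to act on when repeated failures are grouped per account. The script below is an added example, not from the guide, that does that grouping: it reports any account with a burst of failures inside a short window and ignores isolated typos. The function names, the threshold and window defaults, and the sample records are this example's own; the sample data is constructed so the logic can be tried without touching a real log. On Windows XP a failed logon is event ID 529 in Event Viewer; on Windows Vista and later it is ID 4625, which is what the optional log reader at the end fetches.

```powershell
# Added example (not from the guide): find bursts of failed logons in the
# Security log. Find-LogonFailureBursts works on any records that carry
# TimeCreated, Account and Source; Get-FailedLogonEvents fills those from the
# live log on Windows Vista and later (elevated prompt required).

function Find-LogonFailureBursts {
    # Reports each account with at least $Threshold failures inside some
    # $Window-long sliding interval. Widely spaced single failures are ignored.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,
        [timespan] $Window = [timespan]::FromMinutes(10)
    )
    $report = @()
    foreach ($group in ($Events | Group-Object -Property Account)) {
        $sorted = @($group.Group | Sort-Object -Property TimeCreated)
        $times  = @($sorted | ForEach-Object { $_.TimeCreated })
        $start  = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until the span fits inside $Window.
            while (($times[$end] - $times[$start]) -gt $Window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                $report += [pscustomobject]@{
                    Account       = $group.Name
                    TotalFailures = $times.Count
                    BurstStart    = $times[$start]
                    BurstEnd      = $times[$end]
                    Sources       = (@($sorted | ForEach-Object { $_.Source }) | Sort-Object -Unique) -join ', '
                }
                break   # one row per account is enough for a review
            }
        }
    }
    $report
}

function Get-FailedLogonEvents {
    # Reads event ID 4625 (logon failure) from the Security log on Vista and later.
    # Field names are taken from the event's XML payload, not from message text.
    param([int] $MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
            $source = $data['WorkstationName']
            if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $source = $data['IpAddress'] }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Source      = $source
            }
        }
}

# Constructed sample input: eight rapid failures against "admin" from one
# address, and two unrelated failures for "alice" hours apart.
$t0 = [datetime]'2009-11-11T09:00:00'
$sample = @(
    foreach ($i in 0..7) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $i); Account = 'HOME-PC\admin'; Source = '192.0.2.10' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(2); Account = 'HOME-PC\alice'; Source = 'HOME-PC' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(3); Account = 'HOME-PC\alice'; Source = 'HOME-PC' }
)
Find-LogonFailureBursts -Events $sample | Format-Table -AutoSize
# Only HOME-PC\admin is reported; alice's two spaced-out failures fall below the threshold.

# Against the real log (elevated prompt, Windows Vista or later):
# Find-LogonFailureBursts -Events (Get-FailedLogonEvents) | Format-Table -AutoSize
```

The burst check is a sliding window rather than a plain count per day, so a slow trickle of legitimate mistyped passwords does not trip it while an automated guessing run does; tune `-Threshold` and `-Window` to the machine's normal use, and raise the threshold before lowering the window.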

That's the end of the tutorial; in future I will update it.
