Setting Up an Audit Policy - Page 2
Auditing a Local System
For the purposes of this article, I'll focus primarily on systems that are part of a domain. However, before I get started, I'll briefly discuss stand-alone systems. To establish an audit policy on a system that doesn't participate in a domain, follow these steps:
- Load the Local Security Settings snap-in by selecting Programs|Administrative Tools|Local Security Policy from the Start menu.
- Double-click on the Local Policy object in the Security Settings tree to expand it.
- Select Audit Policy from the tree. Doing so will reveal the auditing information for that system.
- To enable auditing for any of the areas I discussed earlier, double-click on the type of audit you want to work with. When you do, a dialog box will ask if you want to perform a success or a failure audit (or both) on that type of event.
Once you've enabled auditing, it's up to you to go through the system and fine-tune the type of events that will be audited in each category. The process for doing so is the same as that used for systems that participate in a domain. I'll discuss these procedures later in the series.
Auditing Within a Domain
To set up an audit policy within a system that's a part of a domain, follow these steps:
- Choose Start|Programs|Administrative Tools|Active Directory Users and Computers.
- When the Active Directory Users and Computers console loads, navigate through the console tree to the domain you want to work with. Expand the domain.
- Beneath the domain, you'll see a Computers object and a Domain Controllers object. Select the appropriate object for the system you're working with. Because my primary test system is a domain controller, I'll be working under the Domain Controllers section for the remainder of this article.
- Once you've selected the appropriate object, right-click on it. (That is, right-click on Domain Controllers, not on the icon for the specific system you're working with.) Doing so opens the Domain Controllers properties sheet.
- Select the Group Policy tab. Select the group policy to which you want to apply the audit policy and click Edit.
- Windows 2000 will load the Group Policy console. Navigate through the tree to Default Domain Controllers Policy|Computer Configuration|Windows Settings|Security Settings|Local Policies|Audit Policy.
- When you select Audit Policy, you'll see a list of audit events to the right. This list is identical to the one used in the section on auditing systems that don't participate in a domain. To audit a group of events, double-click on the group of events you want to work with. A dialog box will open that lets you enable success and/or failure audits for that group of events.
After enabling auditing for a group of events, you'll still have to manually fine-tune the exact events you want to audit. Again, I'll show you how to do that later.
In future articles in this series, I'll explain how to audit specific events. For now, it's important to know that making changes to the audit policy is essentially the same as making changes to the security policy. Whether you're working on a stand-alone system or on a system that's part of a domain, security policy updates don't take effect until they have propagated to the system or domain.
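Once the policy has propagated, the effective audit settings can be read back rather than trusted: exporting the local security settings with `secedit /export /cfg <file>` writes an .inf template whose [Event Audit] section holds one line per audit category, encoded as 0 (no auditing), 1 (success), 2 (failure) or 3 (both). This added example is not part of the original article; it parses a constructed export (the sample text below is made up, the key names and value encoding are the standard template format) and flags categories left unaudited.

```python
# Added example: read the [Event Audit] section of a security template
# (the format "secedit /export /cfg <file>" produces) and report which
# categories have Success and/or Failure auditing enabled.
# Value encoding: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
import configparser
from typing import Dict, List

# Constructed sample export; a real export contains many more sections.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

LABELS = {0: "none", 1: "success", 2: "failure", 3: "success,failure"}


def parse_event_audit(inf_text: str) -> Dict[str, str]:
    """Map each audit category to 'none', 'success', 'failure' or 'success,failure'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the category key names as written
    parser.read_string(inf_text)
    policy = {}
    for key, value in parser["Event Audit"].items():
        policy[key] = LABELS.get(int(value.strip()), f"unknown({value})")
    return policy


def unaudited_categories(policy: Dict[str, str]) -> List[str]:
    """Categories with no auditing at all; each is a gap to review deliberately."""
    return sorted(k for k, v in policy.items() if v == "none")


if __name__ == "__main__":
    effective = parse_event_audit(SAMPLE_INF)
    for category, setting in effective.items():
        print(f"{category:22s} {setting}")
    print("Unaudited:", ", ".join(unaudited_categories(effective)))
```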