Auditing File Access In Windows NT/2000/XP/2003

Last Updated: 23 Sep 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***


File Auditing is a feature of NT Security that allows you
to establish which user account was responsible for what
activity on your NT4 or 2000/2003 machine or domain.  By
default, no auditing is configured in NT4 or 2000, so you
will want to correct that right away.  The defaults in
Windows Server 2003 tend to emphasize a greater security
consciousness than in previous versions of Windows.


You can manage your audit policy using the following
tools:

• USRMGR ................. Native Utility
• MMC (SECPOL.MSC) ....... Native Utility (Win2K and later)
• AUDITPOL ............... Resource Kit


OTHER UTILITIES

• ACCTINFO.DLL ........... Resource Kit -- Server 2003


Windows 2000 and 2003 provide even more categories for
auditing, as compared to NT4, and the new version of
AUDITPOL in the 2000 ResKit adds several parameters.

Group policy is the preferred mechanism for setting
Auditing in 2000, XP and 2003.


NT4 AUDITING

	System    : System events
	Logon     : Logon/Logoff events
	Object    : Object access
	Privilege : Use of privileges
	Process   : Process tracking
	Policy    : Security policy changes
	Sam       : SAM changes


WIN2K AUDITING

	System    : System events
	Logon     : Logon/Logoff events
	Object    : Object access
	Privilege : Use of privileges
	Process   : Process tracking
	Policy    : Security policy changes
	Sam       : SAM changes
	Directory : Directory access
	Account   : Account logon events


CONFIGURATION

My auditing is configured as follows:

• System                    = Success and Failure
• Logon                     = Success and Failure
• Object Access             = Failure
• Privilege Use             = Failure
• Process Tracking          = Failure
• Policy Change             = Success and Failure
• Account Management        = Success and Failure
• Directory Service Access  = Success and Failure
• Account Logon             = Success and Failure
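The CONFIGURATION list above written as a secedit security template, which is the scriptable form of the SECPOL.MSC settings on Windows 2000/XP/2003 (an added example, not part of the original article or of the SetAudit.BAT script it links). It also raises the Security log size as the Personal Notes suggest; the file name audit.inf and the Process Tracking value are assumptions.

```ini
; Added example (not from the original article): the CONFIGURATION list
; above as a secedit security template for Windows 2000/XP/2003.
; Audit values: 0 = No auditing, 1 = Success, 2 = Failure,
;               3 = Success and Failure
; Save as Unicode (UTF-16LE), e.g. audit.inf (file name assumed).

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
AuditSystemEvents=3
AuditLogonEvents=3
; Object Access only produces events for files and folders that carry
; an audit entry (SACL); the category alone logs nothing.
AuditObjectAccess=2
AuditPrivilegeUse=2
; Process Tracking is disk intensive; the article keeps it off (0)
; outside an investigation. Set to 2 here to match the list above.
AuditProcessTracking=2
AuditPolicyChange=3
AuditAccountManage=3
AuditDSAccess=3
AuditAccountLogon=3

; Security log sized to 16MB (value in KB, multiple of 64) and set not
; to overwrite, so daily archiving is what frees space.
[Security Log]
MaximumLogSize=16384
AuditLogRetentionPeriod=2
RestrictGuestAccess=1
```

Apply locally with `secedit /configure /db audit.sdb /cfg audit.inf /areas SECURITYPOLICY /log audit.log`, or import the template into a Group Policy object under Security Settings so it is the same on every machine.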


SCRIPTING SAMPLES

You can change your Auditing configuration with the
following script:

*** Requires NT4 or higher PLUS Server ResKit ***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auditpol %1 /ENABLE /system:ALL /logon:FAILURE /object:FAILURE /privilege:FAILURE /process:NONE /policy:ALL /sam:ALL /directory:FAILURE /account:FAILURE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ACCESSING AUDIT CONFIGURATION VIA GUI

• Windows 2000 and Later (excluding XP Home):
	 1. START --> RUN --> SECPOL.MSC
	 2. Expand "Local Security Settings"
	 3. Expand "Local Policies"
	 4. Select "User Rights Assignment"


3RD PARTY TOOLS

• http://www.foundstone.com/knowledge/free_tools.html
• http://www.pedestalsoftware.com/utilities/download_trials.asp
• http://www.chambet.com/tools.html
• http://www.greyware.com/software/logonmon/


WHITEPAPERS & TECH DOCUMENTS

• http://www.microsoft.com/downloads/details.aspx?FamilyID=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
• http://www.microsoft.com/downloads/details.aspx?FamilyID=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&DisplayLang=en
• http://www.microsoft.com/downloads/details.aspx?FamilyID=1B6ACF93-147A-4481-9346-F93A4081EEA8&DisplayLang=en
• http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/w2kscgcb.mspx
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://msdn.microsoft.com/library/periodic/period00/ewn0054.htm
• http://support.microsoft.com/?KBID=248260
• http://support.microsoft.com/?KBID=221930
• http://support.microsoft.com/?KBID=170834
• http://support.microsoft.com/?KBID=151720
• http://support.microsoft.com/?KBID=140058
• http://support.microsoft.com/?KBID=163905
• http://support.microsoft.com/?KBID=174074
• http://support.microsoft.com/?KBID=140714
• http://KB.UltraTech-llc.com/Docs/?File=AuditingWin2K.pdf
• http://KB.UltraTech-llc.com/Docs/?File=AuditingWin2K.doc
• http://KB.UltraTech-llc.com/Docs/?File=Secure2000Pro.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADDITIONAL SEARCH OPTIONS (MS KB)

• http://msdn.microsoft.com/
• http://www.microsoft.com/technet/
• http://www.microsoft.com/

  EXACT PHRASE ........... "File Audit"
  ALL WORDS .............. "Security Audit"
  ALL WORDS .............. "Local Security Policy"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


PERSONAL NOTES

• Sep 2005: Updated information on connecting via the
  MMC in 2000 and above.  Also added link to the Audit
  resource provided by Ed Ziots.

• Process Tracking is hideously disk intensive, so I
  only configure it for purposes of an investigation,
  otherwise it stays off.  For the most part, I only
  care about logon failures, but I *always* want to
  be notified of policy changes.

• Once you enable Auditing, you should consider daily
  archiving of your EventLogs and expand them to a
  more reasonable size (say, 8MB or 16MB).

• Windows Server 2003 comes installed with more
  (and better) security defaults, along with more
  options for auditing.

• Group policy is the preferred mechanism for setting
  Auditing in 2000, XP and 2003.


RELATED SCRIPTS (ALSO IN THIS ARCHIVE)

• http://KB.UltraTech-llc.com/Scripts/?File=SetAudit.BAT


RELATED TOPICS (ALSO IN THIS ARCHIVE)

• http://KB.UltraTech-llc.com/?File=NTRights.TXT
• http://KB.UltraTech-llc.com/?File=EventLog.TXT
• http://KB.UltraTech-llc.com/?File=SysLog.TXT
• http://KB.UltraTech-llc.com/?File=Perms.TXT
• http://KB.UltraTech-llc.com/?File=Scripting.TXT
• http://KB.UltraTech-llc.com/?File=Security.TXT
• http://KB.UltraTech-llc.com/?File=ResKit.TXT
• http://KB.UltraTech-llc.com/?File=ToolKit.TXT
• http://KB.UltraTech-llc.com/?File=Utils.TXT