JSI Tip 0999. Windows NT Auditing.

Auditing in Windows NT causes the audited events to appear in the Security Event Log. It alerts you to a potential security problem, as apposed to preventing it. You can audit:

. Log on/Log off: Logs both local and remote resource logins (tips 264 and 749).
. File and Object Access: NTFS Files and folders, and printer access. Use NT Explorer to select the File(s)/Folder(s).
. User and Group Management: Any user accounts or groups created, changed, renamed, dis/enabled or deleted and password activity.
. Security Policy Changes: Any changes to user rights or audit policies.
. Restart, Shutdown, And System: Logs shutdowns and restarts for the local workstation.
. Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit.

To enable auditing, you must be logged on as a member of the local Administrators group (Domain Admins are members). In User Manager (User Manager for Domains if logged onto the PDC), click Policies / Audit. Check the options you want to audit and click OK.

Base system objects are not audited by default. If you are in a highly secure environment, you can audit base system objects by using Regedt32 to navigate to

HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa

Add Value name AuditBaseObjects as a type REG_DWORD and set the data value to 1. This tells the Local System Authority (LSA) to create base objects with the default system audit control list.

You can also turn on full priviledge auditing (if you want to fill your event log) at the LSA key.

Add Value name FullPrivilegeAuditing as a type REG_DWORD and set the value to 1. I do not recommend this.