How do I enable auditing on the SAM?
December 21, 1999
A. It is possible to audit every successful or failed access to your most sensitive information (the account database and password hashes in the SAM hive, and the LSA secrets and policy in the SECURITY hive) by the accounts that are able to reach it, e.g. Administrators. This is done as follows:
First ensure auditing is enabled on the system: in User Manager choose Policies - Audit, select "Audit These Events", and tick Success and Failure for the "File and Object Access" category (the auditing entries you set on registry keys have no effect unless this category is on). Click OK.
Next make sure the Schedule service is running on the machine, either via the Services Control Panel applet (Start - Settings - Control Panel - Services) or by typing "net start" and looking for "Schedule" in the list. If it is not running you can start it by typing

C:> net start schedule

At the command prompt (cmd.exe) type

C:> at <time> /interactive "regedt32.exe"

where <time> is a minute or so in the future, in 24-hour HH:MM form. At the time entered Regedt32.exe will be started, but running under the internal System account rather than your own. The SAM and SECURITY keys are protected by ACLs that grant access to the System account only (Administrators may change the permissions but cannot read the contents), so this lets you open them in the registry editor. Note that the same trick gives any Administrator a System-level process, which is one more reason to audit these keys.
Select the HKEY_LOCAL_MACHINE window
Select the SAM key and, from the Security menu, choose Auditing.
Click the Add button and, on the displayed dialog (which initially lists only groups), click the 'Show Users' button.
Add the following:
- SYSTEM
- Domain Admins
- Administrator
- Backup Operators
and any other accounts or groups which hold any of the following user rights:
- Take ownership of files or other objects
- Back up files and directories
- Manage auditing and security log
- Restore files and directories
- Add workstations to domain
- Replace a process level token
Click OK.
Check the "Audit Permissions on Existing Subkeys" box.
Set Success and Failure for
- Query Value
- Set Value
- Write DAC
- Read Control
Click OK. Click Yes to the dialog that asks whether you want to audit all existing subkeys in the SAM.
Now repeat the steps from selecting the key through to confirming the subkey dialog, this time on the SECURITY key (HKEY_LOCAL_MACHINE\SECURITY).
Close the registry editor
Stop the Schedule service if you only started it for this task:

C:> net stop schedule
Auditing the Security key is optional, but without it only the SAM (the account database and password hashes) is audited. Setting auditing on the Security key also lets you track access to the LSA secrets and policy held there, and so other security-relevant changes to the system. Be aware of the volume: the System account (LSASS) reads these keys constantly during normal operation, so auditing Query Value successes for SYSTEM produces a steady stream of events. Size the security log accordingly (Event Viewer - Log - Log Settings), and consider auditing only failures for SYSTEM if the human accounts are what you care about.
You will now see entries in the Security log in Event Viewer, e.g. Object Open (event ID 560) records naming the SAM subkey that was opened, the account that opened it, the process involved and the access requested.
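The following is an added example, not code from the original FAQ: a PowerShell script for reviewing the records that this SAM/SECURITY auditing produces. It targets the Security log event IDs used since Windows Vista (4656 "A handle to an object was requested" and 4663 "An attempt was made to access an object"), which are the successors of the NT 4.0 Object Open (560) record; the function and parameter names are my own, and the sample records at the bottom are constructed, not real log data. It assumes the audit policy and key auditing described above are in place on the host, and it deliberately flags the System account when it reaches the hives through something other than LSASS, which is exactly what the "at /interactive regedt32.exe" trick looks like in the log.

```powershell
# Added example (not part of the original FAQ). Triage Security-log records for access to
# HKLM\SAM and HKLM\SECURITY. Assumes Object Access / Audit Registry auditing and a SACL on
# the two hives, as described in the FAQ. Event IDs 4656/4663 are the Vista+ equivalents of
# the NT 4.0 Object Open (560) record.

# Registry access-mask bits as they appear in the event's AccessMask field.
$RegistryAccessBits = @(
    @{ Bit = 0x00001; Name = 'Query Value' },
    @{ Bit = 0x00002; Name = 'Set Value' },
    @{ Bit = 0x00004; Name = 'Create Subkey' },
    @{ Bit = 0x00008; Name = 'Enumerate Subkeys' },
    @{ Bit = 0x00010; Name = 'Notify' },
    @{ Bit = 0x00020; Name = 'Create Link' },
    @{ Bit = 0x10000; Name = 'Delete' },
    @{ Bit = 0x20000; Name = 'Read Control' },
    @{ Bit = 0x40000; Name = 'Write DAC' },
    @{ Bit = 0x80000; Name = 'Write Owner' }
)

function Convert-RegistryAccessMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    $names = foreach ($b in $RegistryAccessBits) { if ($Mask -band $b.Bit) { $b.Name } }
    if (-not $names) { return ('0x{0:X}' -f $Mask) }
    return ($names -join ', ')
}

# Flatten a live Get-WinEvent record (EventLogRecord) into the fields the triage needs.
function ConvertFrom-RegistryAuditEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectType'] -ne 'Key') { return }       # only registry objects
        [pscustomobject]@{
            Time       = $Record.TimeCreated
            Id         = $Record.Id
            Principal  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectName = $data['ObjectName']
            AccessMask = [uint32]$data['AccessMask']        # "0x20019" converts as hex
            Process    = $data['ProcessName']
            Outcome    = if ($Record.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        }
    }
}

# Report every access to the SAM or SECURITY hive except successful access by an expected
# principal running an expected process. Failures are always reported.
function Find-UnexpectedHiveAccess {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM'),
        [string[]]$ExpectedProcesses  = @('*\lsass.exe', '*\services.exe')
    )
    $hive = '^\\REGISTRY\\MACHINE\\(SAM|SECURITY)(\\|$)'
    foreach ($e in $Events) {
        if ($e.ObjectName -notmatch $hive) { continue }
        $trusted = ($ExpectedPrincipals -contains $e.Principal) -and
                   ($ExpectedProcesses | Where-Object { $e.Process -like $_ })
        if ($e.Outcome -eq 'Success' -and $trusted) { continue }
        [pscustomobject]@{
            Time      = $e.Time
            Id        = $e.Id
            Principal = $e.Principal
            Key       = $e.ObjectName
            Access    = Convert-RegistryAccessMask $e.AccessMask
            Process   = $e.Process
            Outcome   = $e.Outcome
        }
    }
}

# Constructed sample records (same shape as ConvertFrom-RegistryAuditEvent emits), not real data.
$sample = @(
    [pscustomobject]@{ Time='1999-12-21 09:00:01'; Id=4663; Principal='NT AUTHORITY\SYSTEM'
                       ObjectName='\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4'
                       AccessMask=0x1; Process='C:\WINNT\system32\lsass.exe'; Outcome='Success' }
    [pscustomobject]@{ Time='1999-12-21 09:02:17'; Id=4656; Principal='CORP\jsmith'
                       ObjectName='\REGISTRY\MACHINE\SAM\SAM'
                       AccessMask=0x20019; Process='C:\WINNT\system32\regedt32.exe'; Outcome='Failure' }
    [pscustomobject]@{ Time='1999-12-21 09:05:40'; Id=4663; Principal='NT AUTHORITY\SYSTEM'
                       ObjectName='\REGISTRY\MACHINE\SECURITY\Policy\Secrets'
                       AccessMask=0x1; Process='C:\WINNT\system32\regedt32.exe'; Outcome='Success' }
    [pscustomobject]@{ Time='1999-12-21 09:06:00'; Id=4663; Principal='CORP\jsmith'
                       ObjectName='\REGISTRY\MACHINE\SOFTWARE\Example'
                       AccessMask=0x2; Process='C:\WINNT\system32\regedt32.exe'; Outcome='Success' }
)

# The first record (LSASS as SYSTEM) and the last (not a sensitive hive) are dropped; the
# failed attempt by jsmith and SYSTEM reading LSA secrets through regedt32.exe are reported.
Find-UnexpectedHiveAccess -Events $sample | Format-Table -AutoSize

# Live use on a current host:
# Find-UnexpectedHiveAccess -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663} |
#     ConvertFrom-RegistryAuditEvent)
```

Reading the Security log requires SeSecurityPrivilege, so run it from an elevated Administrators session. Extend -ExpectedProcesses with anything that legitimately opens the hives on your builds (a backup agent, for instance) rather than widening -ExpectedPrincipals, since the point of the SACL is to notice the human and service accounts that should not be there.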