Chapter Overview
• Planning an Audit Policy
• Implementing an Audit Policy
• Using Event Viewer
Auditing
• Auditing is a network security tool that lets you track
  • User activities
  • Microsoft Windows XP Professional events
• Windows XP Professional can record events in the security log, including
  • Valid and invalid logon attempts
  • Events related to creating, opening, or deleting files or other objects
Using an Audit Policy
• An audit policy defines the types of events recorded in the security log.
• Windows XP Professional writes events to the security log on the computer where the event occurs.
• You can set up an audit policy for a computer to
  • Track the success and failure of events
  • Minimize the risk of unauthorized use of resources
Determining What to Audit
• Determine which computers need auditing.
• Auditing is turned off by default.
• Plan what to audit on each computer.
Selecting Events to Audit
• Accessing files and folders
• Logging on and off
• Shutting down and restarting a computer
• Changing user accounts and groups
• Attempting to make changes to objects in the Active Directory service
Auditing Successful Events and Failed Events
• Tracking successful events
  • Tells you how often Windows XP Professional or users access objects
  • Helps you plan resources
• Tracking failed events
  • Alerts you to security breaches
  • Identifies frequent failed logon attempts
Auditing Policy Guidelines
• Determine if you need to track system usage trends.
• Review security logs frequently.
• Define a useful, meaningful, and manageable audit policy.
Configuring Auditing
• Auditing requirements
  • You must have the Manage Auditing And Security Log user right.
  • The files and folders to be audited must be on NT file system (NTFS) volumes.
• Setting up auditing is a two-part process.
  • Set the audit policy.
  • Enable auditing of specific resources.
Auditing Access to Files and Folders
• If security breaches are an issue, set up auditing for files and folders on an NTFS volume.
• Set up your audit policy to audit object access, and then
  • Enable auditing for specific files and folders
  • Specify which types of access to audit
Auditing Access to Printers
• Audit printer access to track who uses sensitive printers.
• Set your audit policy to audit object access.
• Enable auditing for specific printers.
• Specify the type of access to audit.
• Specify which users will have access.
Understanding Windows XP Professional Logs
• Use Event Viewer to view Windows XP Professional logs.
• By default, Event Viewer contains three logs:
  • Application log
  • Security log
  • System log
Viewing Security Logs
• Type column: shows successful events (with a key icon) and unsuccessful events (with a lock icon)
• Date column: shows the date the event occurred
• Time column: shows the time the event occurred
• Source column: shows the software that recorded the event (it can be an application or a component of the system)
• Category column: shows the type of event, such as object access, account management, directory service access, or logon events
• Event column: shows the event ID
• User column: lists the user who succeeded or failed in the security access attempt
• Computer column: shows the computer the event occurred on
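The columns above are what a tab-separated export of the security log contains, and the failed-events slide earlier asks you to spot frequent failed logon attempts. The Python script below is an added example, not part of the original slides: it parses a constructed export with exactly these columns, applies a Filter-style match on column values, and lists users whose Failure Audit entries in the Logon/Logoff category reach a threshold. The rows, user names, computer name and threshold are constructed sample values.

```python
import csv
import io
from collections import Counter

# Constructed sample of a tab-separated security log export with the Event Viewer
# columns Type, Date, Time, Source, Category, Event, User, Computer. Made-up data,
# not a real capture.
SAMPLE_EXPORT = """\
Type\tDate\tTime\tSource\tCategory\tEvent\tUser\tComputer
Success Audit\t3/14/2005\t8:55:02 AM\tSecurity\tLogon/Logoff\t528\tWS01\\alice\tWS01
Failure Audit\t3/14/2005\t9:02:11 AM\tSecurity\tLogon/Logoff\t529\tWS01\\bob\tWS01
Failure Audit\t3/14/2005\t9:02:14 AM\tSecurity\tLogon/Logoff\t529\tWS01\\bob\tWS01
Failure Audit\t3/14/2005\t9:02:18 AM\tSecurity\tLogon/Logoff\t529\tWS01\\bob\tWS01
Success Audit\t3/14/2005\t9:03:40 AM\tSecurity\tObject Access\t560\tWS01\\alice\tWS01
Failure Audit\t3/14/2005\t9:05:01 AM\tSecurity\tObject Access\t560\tWS01\\carol\tWS01
Failure Audit\t3/14/2005\t9:07:22 AM\tSecurity\tLogon/Logoff\t529\tWS01\\carol\tWS01
"""


def parse_export(text):
    """Parse the tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def find_events(events, **criteria):
    """Emulate Event Viewer's Filter: keep rows whose columns match every criterion."""
    return [e for e in events if all(e.get(col) == val for col, val in criteria.items())]


def failed_logons_per_user(events):
    """Count Failure Audit entries in the Logon/Logoff category for each user."""
    failures = find_events(events, Type="Failure Audit", Category="Logon/Logoff")
    return Counter(e["User"] for e in failures)


def frequent_failed_logons(events, threshold=3):
    """Return (user, count) pairs whose failed logons reach the threshold, most frequent first."""
    counts = failed_logons_per_user(events)
    return [(user, n) for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for user, n in frequent_failed_logons(evs):
        print(f"{user}: {n} failed logon attempts")
```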
Managing Logs
• You can control the maximum size of the logs.
  • The default size is 512 KB.
  • The maximum size can be set anywhere from 64 KB to 4 GB.
• You can specify what to do when a log is full.
  • Overwrite events as needed.
  • Overwrite events older than x days.
  • Do not overwrite events.
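The three choices for a full log differ in which records are lost: overwriting discards the oldest evidence, while refusing to overwrite means new events are never written until the log is cleared. The Python simulation below is an added example, not from the original slides: it replays a constructed stream of records through a size-capped log under each policy and reports which records are retained and which new ones are lost. The record sizes, the size cap and the dates are constructed values, not real record sizes.

```python
from datetime import datetime, timedelta

# Constructed sample stream: one 200-byte record per day, in arrival order.
BASE = datetime(2005, 3, 1)
SAMPLE_EVENTS = [(BASE + timedelta(days=d), 200) for d in range(10)]


def apply_retention(events, max_size, policy, older_than_days=7):
    """Simulate what the security log does when a record would push it past max_size.

    policy is one of the three Event Viewer choices:
      "as_needed"   overwrite events as needed (the oldest record is discarded)
      "older_than"  overwrite only records older than older_than_days, else keep them
      "never"       do not overwrite events (the new record is lost until the log is cleared)
    Returns (retained_records, lost_records); each record is (timestamp, size).
    """
    log, lost = [], []
    for ts, size in events:
        while sum(s for _, s in log) + size > max_size:
            oldest_ts = log[0][0] if log else None
            if policy == "as_needed" and log:
                log.pop(0)
            elif policy == "older_than" and log and ts - oldest_ts > timedelta(days=older_than_days):
                log.pop(0)
            else:
                lost.append((ts, size))  # log is full and nothing may be overwritten
                break
        else:
            log.append((ts, size))  # room was found (or made) for the new record
    return log, lost


if __name__ == "__main__":
    for policy in ("as_needed", "older_than", "never"):
        kept, lost = apply_retention(SAMPLE_EVENTS, 1000, policy)
        print(f"{policy:11s} kept days {[(t - BASE).days for t, _ in kept]}"
              f" lost days {[(t - BASE).days for t, _ in lost]}")
```

With a 1000-byte cap (five records), "as_needed" keeps only the five newest records, "never" keeps the five oldest and loses everything after, and "older_than" with a 7-day limit loses some new records until the oldest ones age out.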
Archiving Logs
• Keep logs for a specified period to track security-related information over time.
• Configure logs in Event Viewer.
  • Archive the log.
  • Clear the log.
  • View an archived log.
Chapter Summary
• Auditing helps ensure that your network is secure by tracking user activities and system-wide events.
• Windows XP Professional records audited events in the security log.
• In planning an audit policy, you must decide on which computers to set up auditing and what to audit on each one.
• After you set your audit policy to audit object access, you can enable auditing for specific files, folders, and printers and specify which types of access to audit.
Chapter Summary (Cont.)
• You must have the Manage Auditing And Security Log user right for the computer on which you want to configure an audit policy or review an audit log.
• You use the Group Policy snap-in to set audit policies.
• You use Event Viewer to view the contents of the Windows XP Professional logs.
• Windows XP Professional has the following three logs by default: the application log, the security log, and the system log.
Chapter Summary (Cont.)
• You use the Filter and Find commands in Event Viewer to easily locate specific events or types of events.
• You view the security log on a remote computer by opening the MMC console and pointing Event Viewer to the remote computer.
• You manage the Windows XP Professional logs by archiving them (to allow you to track trends over time) and by controlling the size of the log files.