Microsoft Windows XP Professional MCSE Exam 70-270
Auditing Resources and Events Chapter Twelve
Planning an Audit Policy • Understanding Audit Policies • An audit policy defines the types of security events that Windows XP Professional records in the security log on each computer. The security log allows you to track the events that you specify. • Track the success and failure of events • Eliminate or minimize the risk of unauthorized use of resources
Determining What to Audit • The types of events that you can audit include the following: • Accessing files and folders • Logging on and off • Shutting down a computer running Windows XP Professional • Starting a computer running Windows XP Professional • Changing user accounts and groups • Attempting to make changes to Active Directory objects (only if your Windows XP Professional computer is part of a domain)
Audit policy guidelines include: • Determine whether you need to track system usage trends. • Review security logs frequently. • Define an audit policy that is useful and manageable.
Implementing an Audit Policy • For computers running Windows XP Professional, you set up an audit policy for each individual computer. • Auditing Requirements • You must have the Manage Auditing And Security Log user right for the computer on which you want to configure an audit policy or review an audit log. By default, Windows XP Professional grants this right to the Administrators group. • The files and folders to be audited must be on NT file system (NTFS) volumes.
Setting up Auditing • Setting up auditing is a two-part process: • Set the audit policy. The audit policy enables auditing of objects but doesn't activate auditing of specific objects. • Enable auditing of specific resources. You designate the specific events to audit for files, folders, printers, and Active Directory objects. Windows XP Professional then tracks and logs the specified events.
Setting an Audit Policy • The first step in implementing an audit policy is selecting the types of events for Windows XP Professional to audit.
Auditing Access to Files and Folders • When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access, by which users or groups, to audit.
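Added example (not part of the original slides): a Python check that reads the [Event Audit] section of a security template exported with secedit /export and reports, for each event type listed under "Determining What to Audit", whether success and/or failure is recorded. The function names, the category descriptions and the sample template are constructed for illustration; the key names and the 0/1/2/3 values are the ones the security template format uses.

```python
import configparser

# [Event Audit] keys in a secedit export, mapped to the event types on this page.
CATEGORIES = {
    "AuditObjectAccess":  "Accessing files, folders and printers",
    "AuditLogonEvents":   "Logging on and off",
    "AuditSystemEvents":  "Starting / shutting down the computer",
    "AuditAccountManage": "Changing user accounts and groups",
    "AuditDSAccess":      "Changes to Active Directory objects",
}
SUCCESS, FAILURE = 1, 2  # bit flags: 0 = no auditing, 3 = success and failure

def parse_event_audit(inf_text):
    """Return {key: int} from the [Event Audit] section of an exported template."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(inf_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {k: int(v) for k, v in cp.items("Event Audit")}

def review(inf_text):
    """Return (key, description, audits_success, audits_failure) per category."""
    settings = parse_event_audit(inf_text)
    rows = []
    for key, desc in CATEGORIES.items():
        value = settings.get(key, 0)  # a missing key is treated as not audited
        rows.append((key, desc, bool(value & SUCCESS), bool(value & FAILURE)))
    return rows

def gaps(inf_text):
    """Categories for which neither success nor failure is recorded."""
    return [key for key, _, ok, fail in review(inf_text) if not (ok or fail)]

# Constructed sample shaped like: secedit /export /cfg policy.inf /areas SECURITYPOLICY
SAMPLE = """\
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
"""
```

A real export is usually UTF-16 text, so decode it before passing it to review(). If AuditObjectAccess shows up in gaps(), audit entries set on individual files, folders or printers will not produce security log events, because the first part of the two-part process is missing.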
Auditing Access to Printers • After you select the printer, you use the same steps that you use to set up auditing on files and folders.
Using Event Viewer • Windows XP Professional Logs • By default, Event Viewer has three logs available to view. • Viewing Security Logs • The security log contains information about events that are monitored by an audit policy.
Locating Events • When you first start Event Viewer, it automatically displays all events that are recorded in the selected log. • To filter or find events, start Event Viewer, and then on the View menu click Filter or click Find.
Managing Audit Logs • You can track trends in Windows XP Professional by archiving event logs and comparing logs from different periods. • To configure the settings for logs, select the log in Event Viewer, and then on the Action menu, click Properties to display the Properties dialog box for the log.
Archiving Logs • Archiving security logs allows you to maintain a history of security-related events.
Practice: • Auditing Resources and Events Pages 456 – 461