
Get IT Done: Preempt problems with Windows 2000's auditing features

Use the auditing features of Windows 2000 to prevent network problems


Most of the management phase of maintaining a proper network structure relies on plain common sense and hard work. I learned this from running and monitoring a DEC VAX VMS 4000 system on a daily basis. These systems are as stable as a rock when set up right the first time and constantly monitored. This is also true of any other networking system, including UNIX, Linux, and Windows 2000 Server.

As a network administrator, you can catch potential problems before they happen by auditing activities that involve the files and folders on the network. Auditing gives you access to information pertaining to how users exercise their access permissions and privileges. It is to your advantage to catch users creating problems and resolve those problems before they become a bigger mess. With the auditing features of Windows 2000, you can effectively monitor your systems.

Enabling group policy
Before you begin auditing with Windows 2000, you’ll need to enable the audit policy in a group policy object; once that policy is in place, you can configure auditing on particular files and folders. Start by performing the following tasks:
  1. Log in to the system with administrator’s privileges and open the Active Directory Users and Computers console.
  2. Right-click on the domain icon and select Properties from the fly-out menu.
  3. Select the Group Policy tab from the Properties window.
  4. Double-click the Default Domain Policy entry to display the Group Policy console.
  5. Access Computer Configuration by expanding the tree.
  6. Choose Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy. The right pane lists the available audit policies.
  7. In the Audit Policy screen, double-click Audit Object Access to open the Security Policy Setting window.
  8. Select Define These Policy Settings and choose Success And Failure under Audit These Attempts.
  9. Click OK to save the changes and return to the Group Policy console.
  10. Close the console.

It will take a while for the policy to be applied on its own schedule, but you can force the refresh manually by running secedit /refreshpolicy machine_policy at the command-line prompt. Once the policy has been distributed, you can configure file and folder auditing at a member computer.

The security log file
The audit output is written to a security log file called SECEVENT.EVT, located in \WINNT\System32\Config. You can view this file using the Event Viewer console, EVENTVWR.MSC. Remember that you have to be logged in as the administrator to perform any of these tasks.

If you have a big system and you audit many users or events, system performance can suffer as a result of the size of the audit log. The number of audits you are scheduling can also affect system performance. You can do little except keep the number of objects you are auditing to a minimum. However, if you want to increase the size of the security log, open the log’s Properties window in Event Viewer and increase the value for the Maximum Log Size.

The default size of the security log is 512KB, but you can set it up to around 300MB. You can’t go much higher than this because of memory constraints. The system will overwrite events older than seven days, but you can set this to a longer interval if you want. The last option is to overwrite only when necessary. I suggest that you leave this option set to overwrite events older than seven days unless you have a good reason for overwriting sooner.
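Reviewing the security log by hand is what the article describes; the script below is an added example (not from the article) of doing the same review over a log saved from Event Viewer as comma-delimited text. The column order (Type, Date, Time, Source, Category, Event, User, Computer) is assumed to match that export, the rows are constructed for the example, and the event numbers used (560 Object Open, 612 Audit Policy Change) are Windows 2000 security event IDs that the article itself does not mention.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of a Windows 2000 Security log saved from Event Viewer as
# comma-delimited text. Column order is an assumption; the rows are made up.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,3/14/2001,9:02:11 AM,Security,Object Access,560,CORP\\jsmith,FS01
Failure Audit,3/14/2001,9:02:15 AM,Security,Object Access,560,CORP\\jsmith,FS01
Failure Audit,3/14/2001,9:02:16 AM,Security,Object Access,560,CORP\\jsmith,FS01
Failure Audit,3/14/2001,9:02:18 AM,Security,Object Access,560,CORP\\jsmith,FS01
Success Audit,3/14/2001,9:05:40 AM,Security,Object Access,560,CORP\\mlee,FS01
Failure Audit,3/14/2001,9:07:02 AM,Security,Object Access,560,CORP\\mlee,FS01
Success Audit,3/14/2001,9:08:00 AM,Security,Logon/Logoff,528,CORP\\mlee,FS01
Success Audit,3/14/2001,9:09:13 AM,Security,Policy Change,612,NT AUTHORITY\\SYSTEM,FS01
"""

OBJECT_OPEN = "560"          # Windows 2000 event ID: Object Open (file/folder access)
AUDIT_POLICY_CHANGE = "612"  # Windows 2000 event ID: Audit Policy Change


def parse_export(text):
    """Parse the comma-delimited export into a list of row dicts keyed by header."""
    return list(csv.DictReader(StringIO(text)))


def failed_object_access_by_user(rows):
    """Count denied file/folder opens (Failure Audit, event 560) per user."""
    counts = Counter()
    for row in rows:
        if row["Type"] == "Failure Audit" and row["Event"] == OBJECT_OPEN:
            counts[row["User"]] += 1
    return counts


def users_over_threshold(rows, threshold):
    """Users whose denied-access count reaches the threshold, worst first.

    A burst of access-denied audits from one account is the kind of problem the
    article suggests catching early: either a permissions mistake or someone
    probing folders they should not be in.
    """
    counts = failed_object_access_by_user(rows)
    flagged = [(user, n) for user, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def audit_policy_changes(rows):
    """Rows recording a change to the audit policy itself (event 612).

    Any change here is worth reviewing, because it alters what the log will
    capture from that point on.
    """
    return [row for row in rows if row["Event"] == AUDIT_POLICY_CHANGE]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for user, n in users_over_threshold(rows, 3):
        print(f"{user}: {n} access-denied audits")
    for row in audit_policy_changes(rows):
        print(f"audit policy changed at {row['Date']} {row['Time']} by {row['User']}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file's contents; the threshold is a tuning choice, and a value of 3 is used here only to show the logic on the constructed rows.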

Using group policies to configure event log settings
Group policies offer a good way to set up your servers and workstations for auditing. By using group policies, you can configure any of the event log settings. The routine is to open the Group Policy console, expand the tree to Computer Configuration | Windows Settings | Security Settings | Event Log | Settings for Event Logs, and double-click the policy you want to set. Enable the policy, make the entry, and click OK to make it applicable.

Audit log failure
If your audit log fails, you should prevent access to the system entirely. To do this, you can use a group policy called Shut Down System Immediately If Unable To Log Security Audits. You can find this group policy at Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options. The downside is that this policy will crash the system if the security log file fills to maximum capacity. So make sure that you have the administrator’s password handy, as you are the only one who will be able to log on and restore the system. Personally, I don’t feel comfortable with this method. But if it comes down to protecting information whose loss could hurt your company or cost you your job, then use this method. If you leave the company for any reason, make sure the person replacing you knows that this policy is in effect and let them know how to handle it to restore the system.
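The article sets the object-access audit policy, the event log size and retention, and the shut-down-on-audit-failure option by clicking through the Group Policy console. The template below is an added example (not from the article) that carries the same settings as a Windows 2000 security template, which secedit can apply directly. The file name audit-policy.inf and the 16 MB log size are choices made for the example; the section and value names are those of the Windows 2000 security template format.

```ini
; audit-policy.inf (assumed name): a Windows 2000 security template holding the
; settings the article configures by hand. Apply it with:
;   secedit /configure /db audit.sdb /cfg audit-policy.inf /areas SECURITYPOLICY
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditObjectAccess = 3

[Security Log]
; size in KB: 16 MB here instead of the 512 KB default
MaximumLogSize = 16384
; 0 = overwrite as needed, 1 = overwrite events older than RetentionDays,
; 2 = never overwrite (clear manually)
AuditLogRetentionPeriod = 1
RetentionDays = 7
RestrictGuestAccess = 1

[Registry Values]
; CrashOnAuditFail is the registry side of "Shut Down System Immediately If
; Unable To Log Security Audits". 4 = REG_DWORD. 0 keeps the system running
; when the log is full; set 1 only if you accept the halt the article describes.
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
```

Keeping the settings in a template makes them reviewable and repeatable across servers, and the retention choice (overwrite by days) matches the article's recommendation rather than the overwrite-as-needed default that silently drops the oldest events once the log is full.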

Conclusion
The auditing process is complicated, especially when you add in large distributed networks. However, the auditing feature of Windows 2000 can assist you in maintaining system performance by making you aware of problems and situations before they become dangerous. The audit logs you create give you the information you need as a network administrator.

Dallas G. Releford holds a BS in computer science and an MS in management information systems. He also has diplomas and certification in creative writing, electronics, photography, computer programming, and law enforcement. He’s worked in the computer field as a programmer, MIS manager, PC specialist, and in other related positions.
