In part one of my three-part series on auditing with Windows 2000 Professional, I showed you how to set the audit policy. In part two, my focus centers on enabling and configuring the auditing of files, folders, and printers on your computer. The lesson here is “what you keep track of is much more important than how you track it.”
Auditing object access
If you want to keep track of who is accessing or trying to access a file, folder, or printer on your computer, then you need to enable the Audit Object Access policy. However, enabling the policy is only the first step. The second step is to configure auditing on the object of interest.
Microsoft approaches object access auditing in this way because it saves system resources. If you were to enable object access auditing and then have the system automatically audit and log all access attempts to all objects, the logs would fill up quickly, and important information would be lost in the morass of a full Security log.
There are two types of objects you’ll frequently want to audit:
- Files and folders
- Printers
The auditing features are slightly different for each type.
Auditing files and folders
To enable auditing for a particular object, perform the following steps:
- Right-click on the object (such as a file or folder) and click Properties. In the object’s Properties dialog box, click on the Security tab (Figure A).
Figure A: Check the Security tab in the Properties dialog box to see who has permissions.
- In Figure A, you can see who has permissions to this file. Click the Advanced button, and then click the Auditing tab. You will see the dialog box shown in Figure B.
Figure B: The Auditing tab in the Access Control Settings dialog box
- Note the two check boxes on this page:
- Allow Inheritable Auditing Entries From Parent To Propagate To This Object
- Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries
The first setting allows the audit settings from a parent folder to be applied to subfolders and objects contained in the subfolders. If you want custom audit settings on a subfolder or file, you need to remove the check mark from this check box.
The second option allows you to make a change on the parent folder and have that change applied to all subfolders and files contained in those subfolders. This removes the previous audit settings on the child objects and applies the settings configured on the parent object. This makes life a lot easier because if you select this option, you don’t have to go to each subfolder and file and make manual changes to the audit properties.
- Click the Add button to add users to audit. In the Select User, Computer, Or Group dialog box, click on the user or group and then click OK. You will see the dialog box shown in Figure C.
Figure C: User properties displayed in the Auditing Entry dialog box
- In the Auditing Entry dialog box (Figure C), you set the types of actions you want to be audited for a particular user or group. Table A includes explanations for each of these access options. For each action (type of access), you can configure auditing for success, failure, or both. Note the check box at the bottom of the dialog box. If you select the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only option, the auditing configuration set here will not propagate to subfolders and files. After making your selections, click OK.
Table A: Access options in the Auditing Entry dialog box for files and folders

| Access option | Event logged |
|---|---|
| Traverse Folder/Execute File | Logs an event when a user moves through folders to reach other files and folders, even if the user doesn’t have permission to access the traversed folders or running program files. |
| List Folder/Read Data | Logs an event when a user views folder names and files and when a user opens a file. |
| Read Attributes and Read Extended Attributes | Logs an event when a user reads the attributes of a file or folder. |
| Create Files/Write Data | Logs an event when a user creates a new file within a folder and when he or she changes the content of a file. |
| Create Folders/Append Data | Logs an event when a user creates a folder within another folder or when the user adds data to the end of a file without changing any of the existing data in the file. |
| Write Attributes and Write Extended Attributes | Logs an event when a user changes the attributes of a file or folder. |
| Delete Subfolders And Files | Logs an event when a user deletes subfolders and files. |
| Delete | Logs an event when a user deletes a folder or file. |
| Read Permissions | Logs an event when a user views the permissions on a file or folder. |
| Change Permissions | Logs an event when a user changes the permissions on a file or folder. |
| Take Ownership | Logs an event when a user takes ownership of a file or folder. |
- Notice that the appearance of the Access Control Settings dialog box changes after making the change (Figure D). Our selections have created three lines in the dialog box: one for Fail, one for Success, and one for All (Fail and Success). In this example, we have chosen to disable the Allow Inheritable Auditing Entries From Parent To Propagate To This Object option. This allows us to create custom settings to be applied to this folder. We also want to replace the audit settings on the objects contained in this folder, so we select the Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries check box. Click Apply and then click OK.
Figure D: The Access Control Settings dialog box after setting the type of actions to be audited for a particular group
- Click Apply and then OK one more time to close the Properties dialog box.
You do not need to restart the computer for auditing of the objects to begin. The only time you need to restart the computer to support auditing is after you have configured the audit policy in the Local Security Settings console.
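The same folder configuration can be scripted. The following PowerShell example is added here and is not from the original article; it assumes the Audit Object Access policy from part one is already enabled, that the shell runs elevated (writing a SACL requires the security privilege), and uses a placeholder folder path and group. It maps the two inheritance check boxes described above onto the .NET FileSystemAuditRule API.

```powershell
# Added example (not part of the original article): set file/folder auditing
# entries (the SACL) from PowerShell instead of the Properties dialog.
# Assumptions: Audit Object Access is already enabled, the session is elevated,
# and the path and group below are placeholders for your own environment.

$Folder = 'C:\Finance\Reports'      # placeholder path
$Group  = 'BUILTIN\Users'           # group whose access will be audited

# -Audit is required to read the SACL, not just the DACL.
$acl = Get-Acl -Path $Folder -Audit

# Clearing "Allow Inheritable Auditing Entries From Parent To Propagate To
# This Object": $true = stop inheriting, $false = discard the entries that
# were inherited so far, leaving only the custom entries added below.
$acl.SetAuditRuleProtection($true, $false)

# Entry 1: failed attempts to list or read the folder and anything under it.
# ContainerInherit + ObjectInherit = apply to subfolders and files.
$failRead = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadData, ReadAttributes',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

# Entry 2: successful writes, deletes, permission and ownership changes.
# NoPropagateInherit is the "Apply These Auditing Entries To Objects And/Or
# Containers Within This Container Only" check box: direct children only.
$successChange = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl.AddAuditRule($failRead)
$acl.AddAuditRule($successChange)
Set-Acl -Path $Folder -AclObject $acl

# Verify: show the auditing entries now in effect, including which are
# inherited (should be none after SetAuditRuleProtection above).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

The Reset Auditing Entries On All Child Objects check box has no single call in this API; it corresponds to removing the explicit entries on each child and re-enabling inheritance there.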
Auditing printer access
A printer is also an object, and therefore, it can be audited. Enabling auditing of a printer object is virtually the same as enabling auditing on a file or folder. However, there are differences in the types of events you can audit.
To audit a printer object, perform the following steps:
- Open the Printers folder from the Control Panel.
- Right-click on the printer object you wish to audit, and then click the Properties command.
- After the Properties dialog box opens, click on the Security tab and then click on the Advanced button.
- In the Access Control Settings dialog box for the printer object, click the Add button to add a user or group to audit. In the Select User, Computer, Or Group dialog box, select the user or group to audit, and then click OK.
- The Auditing Entry dialog box will appear (Figure E).
Figure E: The Auditing Entry dialog box for a printer object
Table B explains the meanings of the various access settings. In the case of auditing a sensitive printer (such as a costly high-quality color laser printer), you will want to audit successful print jobs so that the department can be charged for usage. Click Apply and then click OK. Click OK one more time to close the Printer Properties dialog box.
Table B: Access options in the Auditing Entry dialog box for a printer object

| Access option | Event logged |
|---|---|
| Print | Logs an event when a user tries to print a file. |
| Manage Printers | Logs an event when a user attempts to change printer settings or when the user attempts to pause, share, or remove a printer. |
| Manage Documents | Logs an event when a user changes a job setting such as restarting, pausing, moving, or deleting a document or when the user attempts to share the printer or change any of the settings in the printer’s Properties dialog box. |
| Read Permissions | Logs an event when a user attempts to view the printer permissions. |
| Change Permissions | Logs an event when a user attempts to change permissions on the printer. |
| Take Ownership | Logs an event when a user attempts to take ownership of the printer. |
In part one of this Daily Feature series, I discussed how to set the audit policy. This Daily Feature focused on how to set up your audit policies for your files, folders, and printers. Keep in mind that an overabundance of audit information can slow system performance and ultimately become too cumbersome to work with. When defining file, folder, and printer policies, use the Failure and Success check boxes sparingly to avoid excessive audit logs. In part three of this series, I will finish up with a discussion on best practices.