Tracking unauthorized access to sensitive data is a sound security strategy for any size organization. And Windows 2000 allows you to accomplish this through the local auditing of file and folder access. To test our members’ knowledge of this important security feature, we developed a quick, five-question quiz. More than 550 TechRepublic members took our shortcuts pop quiz. Here’s a rundown of how they did. Would you have done better?

Monitoring file and folder access
Unfortunately, this question’s correct answer was somewhat obscured by a typo. The correct answer as listed on the quiz’s answer page was Audit object policy. It should have read Audit object access, as there is no Audit object policy event. Due to this mistake, I don’t think the results, shown in Figure A, are entirely accurate.

Figure A

Those who chose the answer Audit object policy likely assumed it was correct because it was the closest answer to Audit object access. Those who chose Audit privilege use were probably thinking it was the most correct actual event listed as an answer. To clear up any confusion, the following list describes each event you can audit:

  • Audit account logon events allows you to track successful and unsuccessful logons to the workstation.
  • Audit account management allows you to track when changes are made or attempted to local user accounts, such as creating an account, deleting an account, modifying an account, enabling or disabling an account, or changing a password.
  • Audit directory service access allows you to track access to an Active Directory object that has its own System Access Control List (SACL) and is used only for tracking Active Directory domain events. Check out this TechRepublic article for more information on ACLs, DACLs, and SACLs.
  • Audit logon events allows you to track when users successfully or unsuccessfully log on, log off, or establish a network connection with the audited workstation. You most likely want to audit unsuccessful logons.
  • Audit object access allows you to track successful and unsuccessful attempts to access an object for which an SACL is configured. This can include files, folders, and even registry keys.
  • Audit policy change allows you to track changes to audit or trust policies and user rights assignments.
  • Audit privilege use allows you to track when a user exercises a user right.
  • Audit process tracking allows you to track system processes, such as when an application starts.
  • Audit system events allows you to track when the workstation is restarted or shut down and when something affects system security or the Security log.

For complete instructions on auditing file and folder access, check out Brien Posey’s TechRepublic article “Improve Windows 2000 Pro security through local file and folder auditing”.

Monitoring both failed and successful access attempts

Figure B

The correct answer is False, and 89 percent those who took the quiz knew this, as shown in Figure B. Each audit policy can be configured to track successes, failures, neither, or both.

Monitoring both individuals and groups

Figure C

The correct answer is False, and 70 percent got this one correct, as shown in Figure C. Once you’ve enabled Audit object access, you can audit a file or folder by right-clicking it and selecting the Properties command from the resulting menu. Select the Security tab, and click the Advanced button. Select the Auditing tab, and then click the Add button. You’ll be presented with a list of users and groups. You can then select the users or groups that you wish to audit.

Logging auditing events

Figure D

The correct answer is Event Viewer Security log, and 71 percent of our quiz takers knew this answer, as shown in Figure D. To view your logged auditing events, click on Start | Programs | Administrative Tools | Event Viewer and select Security Log, as shown in Figure E.

Figure E
This is what the Security log looks like.

Contents of the Audit log

Figure F

The correct answer is True, and 89 percent of our quiz takers knew the answer, as shown in Figure F. To view details about a particular log entry, shown in Figure G, double-click the entry or right-click and select Properties. Event details include date, time, user, computer, category, source, type, event ID, and a description.

Figure G

Results positive
Despite the typo in Question 1, I think these results demonstrate that most of those who took the quiz have a firm understanding of Windows 2000 file and folder auditing. For those who got all of the questions correct, great job. As I’ve mentioned in my previous pop quiz results articles, you get the TechPoints for just taking the quiz, not for getting all the answers correct. Good luck on our next pop quiz.

You be the teacher

If you have a topic you’d like us to cover in an upcoming pop quiz, we want to hear about it. Post a comment to this article or drop us a line and share your suggestions for both quiz topics and questions.