Reminder Tutorial - Enable Auditing on Windows 7

Auditing is one of the major tools used in detecting system intrusions or malicious activity on systems and networks. And yet, even in the 'secure by design' incarnation - Windows 7, the Microsoft client OS does not log event entries in the security log out of the box.

So here is another reminder on how to enable auditing on your system. To enable auditing on a computer running Windows 7, use the same old approach used in every standalone Windows OS starting from Windows 2000 Pro:

  1. Open the Control Panel.
  2. In Control Panel, double-click Administrative Tools, and then click Local Security Policy.
  3. In Local Security Settings, double-click Local Policies, double-click Audit Policy, and then click the events that you want to audit.

We recommend that you audit the following events with the types of audited events specified in the parentheses:
  • Audit account logon events (Success, Failure) - This setting determines whether the OS audits each time this computer validates an account’s credentials.
  • Audit account management (Success, Failure) - This setting determines whether to audit each event of account management on a computer.
  • Audit directory service access (Failure) - This setting determines whether the OS audits user attempts to access Active Directory objects.
  • Audit logon events (Success, Failure) - This setting determines whether the OS audits each instance of a user attempting to log on to or log off from this computer.
  • Audit object access (Failure) - This setting determines whether the OS audits user attempts to access non-Active Directory objects.
  • Audit policy change (Success, Failure) - This setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.
  • Audit system events (Success, Failure) - This setting determines whether the OS audits any of the following events: Attempted system time change; Attempted security system startup or shutdown; Attempt to load extensible authentication components; Loss of audited events due to auditing system failure; Security log size exceeding a configurable warning threshold level.

To view the resulting audit events, start Event Viewer and choose Windows Logs -> Security.
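The same policy can be applied and checked from the command line, which is handier when you have more than one machine to configure or want the change scripted and reversible. The following is an added example, not part of the original post: it uses the built-in auditpol.exe (present on Windows 7) to back up the current policy, set the seven categories to the Success/Failure values recommended above, print what is now in effect, and then read the resulting Security log with Get-WinEvent. The category names are auditpol's own; the event ID 4625 (failed logon) and the field positions used to pull the account name and source address from it follow the standard 4625 event schema. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the original post): apply the recommended audit
# policy with auditpol.exe, verify it, and read the Security log.
# Requires an elevated (Administrator) PowerShell session.

# Legacy category (as listed under Local Policies -> Audit Policy) mapped to
# the auditpol category name, with the Success/Failure settings from the post.
$policy = @(
    @{ Category = 'Account Logon';      Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Account Management'; Success = 'enable';  Failure = 'enable' },
    @{ Category = 'DS Access';          Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Logon/Logoff';       Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Object Access';      Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Policy Change';      Success = 'enable';  Failure = 'enable' },
    @{ Category = 'System';             Success = 'enable';  Failure = 'enable' }
)

# Save the current policy first so the change can be reverted with
# "auditpol /restore /file:<path>" if needed.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
& auditpol.exe /backup /file:$backup
Write-Host "Previous audit policy saved to $backup"

# Setting a category enables/disables every subcategory beneath it, which is
# the same effect as ticking the box in Local Security Policy.
foreach ($p in $policy) {
    $argList = @('/set', "/category:$($p.Category)",
                 "/success:$($p.Success)", "/failure:$($p.Failure)")
    & auditpol.exe $argList
}

# Verify: show the effective policy for every category and subcategory.
& auditpol.exe /get /category:*

# Read the resulting events. First, the 20 most recent Security log entries.
Get-WinEvent -LogName Security -MaxEvents 20 |
    Format-Table TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } -AutoSize

# Then a targeted view of failed logons (Event ID 4625) from the last 24 hours.
# Properties[5] is the target account name and Properties[19] the source
# network address in the 4625 event schema.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Account';  e = { $_.Properties[5].Value } },
                  @{ n = 'SourceIP'; e = { $_.Properties[19].Value } } |
    Format-Table -AutoSize
```

If no 4625 events exist yet the last query simply prints nothing; failed logons only start appearing once the Logon/Logoff category is enabled and a failure actually occurs. Keeping the backup file around also gives you a record of what the policy looked like before the change, which is useful when the Security log later reports a policy change (Event ID 4719) and you need to know whether it was yours.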


Talkback and comments are most welcome
