When you do, you'll see the Domain Controllers properties sheet. Now, go to the Group Policy tab, select the group policy that you want to audit, click Edit, and Windows will load the Group Policy console. You're now at a point where the basic auditing technique is the same for both domain controllers and non-domain controllers.
To set up auditing for a non-domain controller, open the Local Security Policy console and navigate through the tree structure to Security Settings | Local Policies | Audit Policy. You can see an example of this screen in Figure B. From this point, the technique is the same whether you're on a domain controller or not. Let's audit an event. For demonstration purposes, we'll audit failed login attempts. As you can see in Figures A and B, Windows lists several different types of events that can be audited.
One of these events is Audit Account Logon Events. To audit a logon failure, right-click Audit Logon Events and select Properties from the resulting context menu. When you do, you'll see a dialog box that will allow you to audit the events. The dialog box will vary slightly depending on whether or not you're auditing a domain controller. If you're auditing a domain controller, you must select the Define These Policy Settings check box before you'll be able to audit an event.
This check box doesn't exist when auditing non-domain controllers. At any rate, you'll now be able to audit an event's success, failure, or both. For the purpose of auditing login failures, select the Failure check box, as shown in Figure C, and click OK.
Once you've set up the audit policy, you must apply it. To do so, you must either type a command at the command prompt, reboot your server, or wait until the next propagation cycle, which is usually every eight hours. Now that you know how auditing works, the first question that you should ask yourself is what really needs to be audited? As I mentioned, I always recommend auditing domain controllers, and if the situation applies, member servers and stand-alone servers.
But what should you audit on those servers? I recommend that you audit the following items: Before I get into file-level auditing, there are a couple of helpful hints that I should point out. First, it's a good idea to audit just about everything that members of the Administrators group do.
The reason for this is that a hacker will typically try to gain administrative access before attacking your system. Therefore, such an attack would likely show up as an administrative action.
Another tip is that when auditing users, you should audit the Everyone group instead of the Users group. The reason for this is that the Users group includes only authenticated users. It doesn't cover anonymous users who may have slipped through your Internet firewall. The Everyone group, on the other hand, covers all users whether or not they are authenticated.
Before you can audit a file, directory, or other object, you must enable Object Access auditing by using the method that I demonstrated earlier. Once you've enabled object auditing, go into Windows Explorer and navigate to the object that you want to audit.
Right-click the object and select the Properties command from the resulting context menu. When you see the object's properties sheet, navigate to the Security tab and click the Advanced button.
You'll now see the Access Control Settings For dialog box. Next, select the Auditing tab, click the Add button, and select the users or groups that you want to audit. Click OK to continue.
The security logs of a domain controller record logon events. Unfortunately, a logon from that long ago has probably been rotated out of the log at this point unless you have extremely little traffic. If you use centralized logging, you could retrieve it from there.
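To confirm that the settings described above (logon failure auditing, and the Object Access auditing that file-level auditing depends on) are actually in effect once the policy has been applied, the effective policy can be checked against a baseline. The following is an added example, not part of the original article: it assumes Windows Vista/Server 2008 or later with English-language output, where `auditpol /get /category:* /r` produces a CSV report; the sample report, machine name, GUID placeholders and the `REQUIRED` baseline are constructed for illustration.

```python
import csv

# Constructed sample of `auditpol /get /category:* /r` output.
# GUID values are placeholders, not real subcategory GUIDs.
SAMPLE_REPORT = """
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{PLACEHOLDER-1},Success,
DC01,System,Logoff,{PLACEHOLDER-2},Success,
DC01,System,File System,{PLACEHOLDER-3},No Auditing,
DC01,System,Credential Validation,{PLACEHOLDER-4},Success and Failure,
"""

# Hypothetical baseline: subcategory -> outcomes that must be audited.
REQUIRED = {
    "Logon": {"Failure"},                    # logon events: failed logins
    "Credential Validation": {"Failure"},    # account logon events
    "File System": {"Success", "Failure"},   # object access, needed for file auditing
}


def parse_setting(text):
    """Turn 'Success and Failure', 'Success' or 'No Auditing' into a set."""
    return {outcome for outcome in ("Success", "Failure") if outcome in text}


def audit_gaps(report_text, required=REQUIRED):
    """Return {subcategory: [missing outcomes]} for every baseline entry not met."""
    # Drop blank lines so the CSV header is always the first row read.
    lines = [line for line in report_text.splitlines() if line.strip()]
    effective = {}
    for row in csv.DictReader(lines):
        name = (row.get("Subcategory") or "").strip()
        if name:
            effective[name] = parse_setting(row.get("Inclusion Setting") or "")
    gaps = {}
    for name, wanted in required.items():
        # A subcategory absent from the report counts as not audited at all.
        missing = wanted - effective.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for name, missing in audit_gaps(SAMPLE_REPORT).items():
        print(f"{name}: not auditing {', '.join(missing)}")
```

In the constructed report, Logon is audited for success only, so the failed logins this walkthrough targets would not be recorded, and File System auditing is off, so auditing entries added on an object's Auditing tab would produce no events.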
How to Get User Login History
To get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
Windows Server is the follow-up to Windows , incorporating compatibility and other features from Windows XP. Windows Server includes compatibility modes to allow older applications to run with greater stability. It was made more compatible with Windows NT 4. Windows Server brought in enhance….
You should select the corresponding GPO according to your requirement.
Introduction to Auditing in Windows
There are nine auditing settings that can be configured on a Windows computer:
Audit Account Logon Events: Tracks user logon and logoff events.
Audit Object Access: Reports file and folder access.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Reports events that are related to a user performing a task that is controlled by a user right.