 |
|
|
|
 |
CertiGuide to A+ (A+ 4 Real) 9 Chapter 1: What are Operating Systems and How Do They Work? 9 File Attributes 9 NTFS File Permissions |
|
Enabling Auditing
Although the audit entry has been created, before any auditing will actually take place the audit policy has to be enabled. This is very similar to enabling the account management auditing earlier in the book and is done via the local security policy. Go to the Start menu, select Programs, then Administrative Tools and click on the “Local Security Policy” object (or create a new MMC console and add the “Local Security Policy” snap-in manually). In the Local Security Policy editor, expand the “Local Policies” folder and click on the “Audit Policies” subfolder that appears.
|
Locate the “Audit Object Access” item and double click it. The dialog in Figure 156 will appear.
|
Tick both the “Success” and “Failure” check boxes, and click “OK”. You will be returned to the Local Security Policy editor. Check to make sure the effective policy setting for object access auditing is set to “Success, Failure”, and then exit the policy editor tool
Domain Policy Overrides |
Auditing is now active and enabled. It is only necessary to complete the policy change task once, and not per file or folder audit entry.
To demonstrate auditing, log on to the machine as the local Administrator. Open Explorer, navigate to the C:\Test folder and double click the “Test File.txt” to open it in Notepad. Exit Notepad, and then open Event Viewer (either by using the Computer Management console, or by typing “eventvwr” in the Start – Run dialog). Click on the Security log to view the audited events.
An event has been logged for the Administrator access to the test file, as per the auditing configuration. Double click the event to review its detailed contents.
To remove auditing from a file or folder, select the auditing entry in the Auditing list you wish to remove, and click the “Remove” button. To turn off auditing altogether, set the object access auditing in the local security policy to “No Auditing” by unchecking the success and failure check boxes. This method has the advantage of disabling all auditing without removing the actual action-auditing configuration on files and folders, which allows you to re-enable it later without a large amount of recreation work.
|
| |||||||||||||||||||
Home - Table Of Contents - Contact Us
CertiGuide to A+ (A+ 4 Real) (http://www.CertiGuide.com/apfr/) on CertiGuide.com
Version 1.0 - Version Date: March 29, 2005
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.