CertiGuide to A+ (A+ 4 Real)  9  Chapter 1: What are Operating Systems and How Do They Work?       9  File Attributes            9  NTFS File Permissions

Advanced Permissions 1 Enabling Auditing

To complement access controls, NTFS also supports object access auditing. By adding users to the audit list and selecting actions to audit, Windows will write an event to the Event Log every time an auditable action occurs. This is an extremely useful feature, as it is essential to have a comprehensive audit trail of access to sensitive data. To configure auditing, click on the “Auditing” tab in the Advanced Access Controls dialog. By default, nothing is audited, so click the “Add” button to select a user from the usual user and group selection dialog. For this example, we will use the local Administrator account again. After selecting a user or group and clicking “OK”, you are prompted to select which events should be audited. The dialog is identical to the “Advanced Permissions” dialog, except that instead of Allow and Deny there are Success and Failure check boxes. In this context Success is when a user completes an action (such as deleting a file), whilst Failure is when the user was prevented from doing so by permissions (because the user has not been granted the delete permission on the file).

To demonstrate the principle of auditing we will audit the “Read Data” action on the test file. Tick the checkbox corresponding to success for “List Folder/Read Data”, and click “OK”. The Advanced Access Controls dialog reappears with a new entry in the Auditing window corresponding to the audit entry just created. Click “OK” to dismiss the Advanced Access Controls dialog, and click “OK” to dismiss the test file properties dialog.

Advanced Permissions 1 Enabling Auditing