ARCHIVED: In Windows, what is auditing and how do I use it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

In Windows 7, Vista, and XP, auditing lets an administrator record the security-relevant activities of users, groups, and processes in the Security event log. It is primarily a security tool, used to detect and investigate misuse and to confirm that access controls are working; the records can also help diagnose problems and plan for growth.

Note:
Security of Information Technology Resources (IT-12) requires that you normally refrain from running your Windows computer as an administrator. For more, see About the principle of least privilege.

Some audit categories (for example, successful logons) are turned on by default in Windows Vista and 7, but most are off in XP, and Object Access and Process Tracking are off by default in all three. To change the auditing options:

  1. From the Start menu, select either Control Panel, or Settings and then Control Panel.
  2. In Windows 7, first select System and Security. In all versions of Windows, open Administrative Tools, and then Local Security Policy (called Local Security Settings in XP).
  3. In the Local Security Policy window, click the arrow or + (plus sign) next to Local Policies, and then click Audit Policy.
  4. Double-click a policy, check Success and/or Failure to record successful and/or failed attempts, and click OK.

You will then see the nine types of auditing you can do in Windows:

  • Account Logon Events: Tracks credential validation (authentication), recorded on the computer that checks the credentials, which for domain accounts is the domain controller
  • Account Management: Tracks changes to user and group accounts (creation, deletion, password resets, group membership changes)
  • Directory Service Access: Tracks access to Active Directory objects (domain controllers only)
  • Logon Events: Tracks logon and logoff sessions, including network connections, recorded on the computer being logged on to
  • Object Access: Tracks access to files, folders, registry keys, printers, and other objects that carry a security descriptor (in Windows, everything is considered an object); only objects with an audit entry (see below) generate events
  • Policy Change: Tracks changes to user rights assignments, audit policies, and trusts
  • Privilege Use: Tracks the exercise of user rights (privileges) such as backing up files or changing the system time, not changes to them
  • Process Tracking: Tracks program activation and termination, and other object or process activity
  • System Events: Tracks system shutdowns and restarts, and logs events affecting the security system or the Security log itself

To enable Object Access auditing:

  1. Right-click an object (e.g., a file, folder, or printer), and select Properties.
  2. Click the Security tab.
  3. Click Advanced, and then click the Auditing tab. In Vista and Windows 7, you may first need to click Edit or Continue and approve the User Account Control prompt.
  4. Click Add, enter the user or group whose access you want to record (e.g., Everyone), select the accesses to audit, and check Successful and/or Failed. Click OK.

    Different events will be available depending on the type of object selected. Auditing is available only for objects on NTFS volumes; FAT does not support object auditing.

    An audit entry on an object is not enough by itself: the Object Access policy described above must also be set to Success and/or Failure, or nothing is written to the log. Recorded accesses appear in the Security log in Event Viewer (Administrative Tools, Event Viewer), as event ID 4663 in Vista and Windows 7 and event ID 560 in XP. Audit only the accesses you need; auditing every read on a busy folder fills the Security log quickly.
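The same procedure can be done from an elevated PowerShell prompt on Vista and Windows 7 (auditpol.exe does not exist on XP). The following script is an added example, not part of the Indiana University article: it lists the nine categories, enables Object Access auditing, places an audit entry on a folder, triggers an access, and reads the resulting events back. The folder C:\Audited, the principal Everyone, and the audited rights are assumptions chosen for illustration.

```powershell
# Added example (not from the IU article). Run from an elevated PowerShell
# prompt on Vista/Windows 7 or later. C:\Audited and "Everyone" are example
# values; pick the folder and principal you actually need to watch.

$Path      = 'C:\Audited'
$Principal = 'Everyone'

# 1. Show the current state of all nine audit policy categories.
auditpol /get /category:*

# 2. Turn on Object Access auditing for successful and failed attempts.
#    Without this policy, audit entries on individual objects produce no events.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 3. Add an audit entry (SACL) to the folder that inherits to its contents.
#    Get-Acl needs -Audit to read the SACL, and Set-Acl needs the
#    SeSecurityPrivilege an elevated prompt provides to write it.
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Principal, $rights, $inherit, $propagate, $flags)

$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Generate a write and a delete so there is something to find.
$since = Get-Date
$probe = Join-Path $Path 'probe.txt'
Set-Content -Path $probe -Value 'constructed test data'
Remove-Item -Path $probe

# 5. Pull the 4663 (object access) events logged since step 4.
#    Fields are read from the event XML by name rather than by position,
#    because the positional layout of 4663 differs between Windows versions.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
            Process = $d['ProcessName']
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Format-Table Time, User, Object, Access, Process -AutoSize
```

The audit rule covers only Delete, WriteData and AppendData, so ordinary reads of the folder do not generate events; widen the rights only where the extra log volume is worth it. The AccessMask column is the raw hexadecimal mask from the event (0x2 for WriteData, 0x10000 for Delete), which is what a detection rule would normally match on. Remove the rule with $acl.RemoveAuditRule($rule) and a second Set-Acl when the test is finished.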

This is document akoq in the Knowledge Base.
Last modified on 2018-01-18 13:40:57.