ARCHIVED: In Windows NT 4.0, what is auditing and how do I enable it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Note: For security and support reasons, UITS recommends using Windows 2000 Professional or Windows XP Professional, rather than NT Workstation 4.0, on Indiana University's network. Microsoft retired both mainstream and extended support for this version in June 2004, which means security updates are no longer being developed. For more information, see Microsoft's Windows Desktop Product Lifecycle Guidelines page at:

  http://support.microsoft.com/?LN=en-us&pr=lifecycle

In Windows NT 4.0, auditing records selected activities of users, groups, and processes in the security log, together with whether each attempt succeeded or failed. It is primarily a security tool for detecting and investigating misuse of accounts and resources; it is also used to diagnose access problems, to find the source of load on a server, and for capacity planning.

Enabling auditing

To enable auditing on Windows NT Workstation and Server, you must be logged in as an administrator. Follow the steps below:

  • From the Start menu, select Programs, then Administrative Tools (Common), and then User Manager (for NT Workstation) or User Manager for Domains (for NT Server).
  • From the top menu bar, select Policies, and then choose Audit.
  • The master switch is the radio button labeled Audit these Events. To enable auditing, select this radio button.

The master switch turns Windows NT's entire auditing system on or off. By default, it is set to Do Not Audit. Selecting Audit These Events by itself records nothing; you must also check Success and/or Failure for each type of event you want recorded. Seven event types can be audited, each by tracking successes, failures, or both. The seven event types and their uses are listed below:

  • Logon and Logoff: Tracks logins, logouts, and network connections.
  • File and Object Access: This tracks access to files and directories on NTFS volumes and to other securable objects such as printers (in NT, a printer is an object with its own permissions, just as a file is). Turning this switch on records nothing by itself; you must also choose which objects to audit, as described below.
  • Use of User Rights: This tracks when users make use of rights.
  • User and Group Management: This tracks changes in the accounts of users and groups (password changes, account changes, deletions, group memberships, and renaming).
  • Security Policy Changes: This tracks changes to user rights, audit policies, and trusts.
  • Restart, Shutdown, and System: This tracks restarts and shutdowns of the computer, and events that affect system security or the security log itself (for example, the security log being cleared).
  • Process Tracking: This tracks program activation and termination, and other object/process activity.

To make File and Object Access auditing record anything, you must select the objects to be audited and the kinds of access to record for each. To do this, right-click an object (e.g., a file, directory, or printer), select Properties, select the Security tab, and click the Auditing button. You can then add the users or groups whose access should be recorded and check Success and/or Failure for each access type; the available access types differ by the type of object selected. File and directory auditing is available only on NTFS volumes; FAT has no access control lists, so files on FAT volumes cannot be audited.

Auditing can create large amounts of system overhead and log volume, especially if the event being monitored occurs frequently (e.g., file access). A common mistake is to audit the success and failure of all seven event types; this can dramatically slow a system down and fill the security log with noise that hides the events you care about. Process Tracking and success auditing of File and Object Access generate the most events. Audit only the events that are truly necessary to track a problem or security issue, or to test a piece of equipment or hardware. Failure audits of logons and object access are usually the cheapest and most useful place to start.

Using audit information

The information gathered by auditing is stored in the security log. You can view the security log in Event Viewer, which is on the Start menu under Programs, Administrative Tools (Common). By default, any user who can log on to a workstation or server can view its system and application logs in Event Viewer, but viewing or clearing the security log requires the Manage auditing and security log user right, which by default is held only by Administrators. Check the size and overwrite settings of the security log (in Event Viewer, select Log, then Log Settings) before you turn on a busy audit category: a log that is allowed to wrap will silently overwrite the oldest events, and one set to Do Not Overwrite will stop recording when it is full. To keep a record, use Log, then Save As to export the log as an .EVT file or as tab-delimited text.
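The audit categories listed above and the security log described here are only useful if someone reads the log. The following Python script, added here as an example and not part of the original Knowledge Base article or of Windows NT itself, triages a security log that Event Viewer has saved as tab-delimited text. The log lines are constructed for this example; the column layout (Date, Time, Source, Type, Category, Event, User, Computer, Description) is assumed to match the Event Viewer text export, the computer and account names are made up, and the event ID numbers are the ones Windows NT 4.0 writes for the categories in this article. It shows three things the article only describes in prose: that a failed logon (event 529) is logged under the SYSTEM account, so the account actually tried must be read from the description; that repeated failures from one workstation stand out once you count them; and that changes to the audit policy (612) and clearing of the log (517) are success audits, so a failure-only policy would never record them.

```python
"""Triage a Windows NT 4.0 security log exported by Event Viewer
(Log > Save As, "Text (Tab delimited)").

Added example, not from the original article. SAMPLE_EXPORT below is
CONSTRUCTED: hostnames, accounts, times and descriptions are invented,
and the nine-column layout is an assumption about the text export.
"""
import csv
import io
import re
from collections import Counter

# Security event IDs written by Windows NT 4.0 for the audit categories
# described in the article (the same numbers were kept in 2000/XP).
EVENT_NAMES = {
    512: "Windows NT starting up",          # Restart, Shutdown, and System
    513: "Windows NT shutting down",
    517: "Audit log cleared",
    528: "Successful logon",                # Logon and Logoff
    529: "Logon failure: bad user name or password",
    538: "User logoff",
    560: "Object open",                     # File and Object Access
    592: "New process created",             # Process Tracking
    612: "Audit policy changed",            # Security Policy Changes
}

COLUMNS = ("Date", "Time", "Source", "Type", "Category", "Event",
           "User", "Computer", "Description")

# Constructed rows: one morning on a hypothetical server NTSRV1.
_D = "1/15/2004"
_ROWS = [
    (_D, "8:02:11 AM", "Security", "Success Audit", "System Event", "512", "SYSTEM", "NTSRV1",
     "Windows NT is starting up."),
    (_D, "8:05:40 AM", "Security", "Success Audit", "Logon/Logoff", "528", "jsmith", "NTSRV1",
     "Successful Logon: User Name: jsmith Domain: IU Logon Type: 2 Workstation Name: NTSRV1"),
    (_D, "8:31:02 AM", "Security", "Failure Audit", "Logon/Logoff", "529", "SYSTEM", "NTSRV1",
     "Logon Failure: Reason: Unknown user name or bad password User Name: jsmith "
     "Domain: IU Logon Type: 3 Workstation Name: LAB12"),
] + [
    # Five bad-password attempts against Administrator from one workstation.
    (_D, f"9:14:{1 + 4 * i:02d} AM", "Security", "Failure Audit", "Logon/Logoff", "529", "SYSTEM", "NTSRV1",
     "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator "
     "Domain: NTSRV1 Logon Type: 3 Workstation Name: LAB07")
    for i in range(5)
] + [
    (_D, "9:20:15 AM", "Security", "Success Audit", "Logon/Logoff", "528", "Administrator", "NTSRV1",
     "Successful Logon: User Name: Administrator Domain: NTSRV1 Logon Type: 3 Workstation Name: LAB07"),
    (_D, "9:21:03 AM", "Security", "Success Audit", "Policy Change", "612", "Administrator", "NTSRV1",
     "Audit Policy Change: New Policy: Success Failure"),
    (_D, "9:22:48 AM", "Security", "Success Audit", "System Event", "517", "Administrator", "NTSRV1",
     "The audit log was cleared Primary User Name: SYSTEM Client User Name: Administrator"),
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in _ROWS) + "\n"

_USER_RE = re.compile(r"User Name:\s*(\S+)")
_WS_RE = re.compile(r"Workstation Name:\s*(\S+)")


def parse_export(text):
    """Parse the tab-delimited export into one dict per event; skip blank or
    truncated lines and convert the Event column to an int."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != len(COLUMNS):
            continue
        ev = dict(zip(COLUMNS, row))
        ev["Event"] = int(ev["Event"])
        events.append(ev)
    return events


def failed_logons(events, threshold=3):
    """Count event 529 per (account, workstation). The User column of a
    failed logon is SYSTEM, so the account tried comes from the description."""
    counts = Counter()
    for ev in events:
        if ev["Event"] != 529:
            continue
        user = _USER_RE.search(ev["Description"])
        ws = _WS_RE.search(ev["Description"])
        counts[(user.group(1) if user else "?", ws.group(1) if ws else "?")] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def audit_tampering(events):
    """Events that alter the audit trail itself: 612 (policy changed) and
    517 (log cleared). Both are Success audits; auditing failures only would
    never record them. Returns (time, id, name, user) tuples in log order."""
    return [(ev["Time"], ev["Event"], EVENT_NAMES[ev["Event"]], ev["User"])
            for ev in events if ev["Event"] in (517, 612)]


def category_summary(events):
    """Count events by name; useful for spotting which category is noisy."""
    return Counter(EVENT_NAMES.get(ev["Event"], f"Event {ev['Event']}") for ev in events)


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for (acct, ws), n in failed_logons(evs).items():
        print(f"{n} failed logons for {acct} from {ws}")
    for when, eid, name, who in audit_tampering(evs):
        print(f"{when}: {name} ({eid}) by {who}")
    for name, n in category_summary(evs).most_common():
        print(f"{n:4d}  {name}")
```

Run as a script, it reports the five Administrator failures from LAB07 (the single jsmith failure stays below the threshold), then the policy change and log clearing by Administrator, then the per-category counts. On a real export, point `parse_export` at the saved file's contents; if the export's column order differs from the assumption above, adjust `COLUMNS` rather than the parsing logic.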

This is document aicq in the Knowledge Base.
Last modified on 2018-01-18 12:40:55.