ARCHIVED: In Windows NT 4.0, what is auditing and how do I enable it?
Note: For security and support reasons, UITS recommends using Windows 2000 Professional or Windows XP Professional, rather than NT Workstation 4.0, on Indiana University's network. Microsoft retired both mainstream and extended support for this version in June 2004, which means security updates are no longer being developed. For more information, see Microsoft's Windows Desktop Product Lifecycle Guidelines page at:
http://support.microsoft.com/?LN=en-us&pr=lifecycle
In Windows NT 4.0, auditing allows you to track and record the activities of users, groups, and processes. It is primarily used to diagnose performance problems and security risks, and for expansion planning.
Enabling auditing
To enable auditing on Windows NT Workstation and Server, you must be logged in as an administrator. Follow the steps below:
- From the menu, select , then , and then (for NT Workstation) or (for NT Server).
- From the top menu bar, select , and then choose .
- The master switch is the radio button labeled . To enable auditing, select this radio button.
The master switch turns Windows NT's entire auditing system on or off. By default, this switch is set to
. It is not enough just to enable auditing; by itself this does not add any tracking abilities. You also need to select the appropriate switch for the type of event to be audited. There are seven event types that can be audited by tracking successes and/or failures. The seven event types and their uses are listed below:
- Logon and Logoff: Tracks logins, logouts, and network connections.
- File and Object Access: This option tracks access to files, directories, and other NTFS objects. This includes printers (because everything in NT is considered an object).
- Use of User Rights: This tracks when users exercise their assigned user rights.
- User and Group Management: This tracks changes in the accounts of users and groups (password changes, account changes, deletions, group memberships, and renaming).
- Security Policy Changes: This tracks changes to user rights, audit policies, and trusts.
- Restart, Shutdown, and System: This tracks server shutdowns and restarts, and logs events affecting system policy.
- Process Tracking: This tracks program activation and termination, and other object/process activity.
To enable File and Object Access auditing, you need to select the objects being audited. To do this, right-click an object (e.g., a file, directory, or printer). Select
, and then select the tab. Click the button. Different events will be available depending on the type of object selected. Auditing is available only for NTFS objects; FAT does not allow for object auditing.
Auditing can create large amounts of system overhead, especially if the event that is being monitored occurs frequently (e.g., file access). A common mistake is to audit the success and failure of all events. This can dramatically slow a system down. Audit only the events that are truly necessary to track a problem or security issue, or to test a piece of equipment or hardware.
Using audit information
The information gathered by auditing is stored in the security log. You can access the security log via the Event Viewer, which you can find on the menu under . By default, any user who has local access to a workstation or server can look at the system and application logs of the Event Viewer. To access the security log under Event Viewer, you must have administrative rights.
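The overhead warning above and the security log section both come down to one question: which audit categories are filling the log? The following script is an added example, not part of this Knowledge Base document; it assumes the security log was saved from Event Viewer as comma-delimited text with the columns Date, Time, Source, Type, Category, Event, User, Computer, and the sample lines are constructed for illustration.

```python
"""Summarise a Windows NT 4.0 Security log export to see which audit
categories dominate the log.  Added example, not from the KB article.

Assumed (not stated on the page): the export is comma-delimited with
the columns Date,Time,Source,Type,Category,Event,User,Computer, and
the Type column holds "Success Audit" or "Failure Audit".
The sample lines below are constructed for illustration.
"""
import csv
from collections import Counter
from io import StringIO

SAMPLE_EXPORT = """\
1/18/98,9:01:12 AM,Security,Success Audit,Logon/Logoff,528,jdoe,WS1
1/18/98,9:01:13 AM,Security,Success Audit,Object Access,560,jdoe,WS1
1/18/98,9:01:13 AM,Security,Success Audit,Object Access,562,jdoe,WS1
1/18/98,9:01:14 AM,Security,Success Audit,Object Access,560,jdoe,WS1
1/18/98,9:02:30 AM,Security,Failure Audit,Logon/Logoff,529,guest,WS1
1/18/98,9:02:31 AM,Security,Failure Audit,Logon/Logoff,529,guest,WS1
1/18/98,9:05:00 AM,Security,Success Audit,Account Management,642,Administrator,WS1
"""


def summarize(export_text):
    """Return {(category, audit_type): count} over the exported records."""
    counts = Counter()
    for row in csv.reader(StringIO(export_text)):
        if len(row) < 8:
            continue  # skip blank or truncated lines
        audit_type, category = row[3], row[4]
        counts[(category, audit_type)] += 1
    return counts


def noisy_categories(counts, share=0.4):
    """Categories whose success audits exceed `share` of all records.

    These are the first candidates for switching off 'Success' auditing
    when the security log grows faster than it can be reviewed."""
    total = sum(counts.values())
    return sorted(cat for (cat, typ), n in counts.items()
                  if typ == "Success Audit" and n / total > share)


if __name__ == "__main__":
    counts = summarize(SAMPLE_EXPORT)
    for (cat, typ), n in sorted(counts.items()):
        print(f"{cat:20} {typ:14} {n}")
    print("noisy:", noisy_categories(counts))
```

On the constructed sample, successful Object Access events are 3 of 7 records, so that category is reported as the one to reconsider, while the failed logons are kept as a small, high-value signal.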
This is document aicq in the Knowledge Base.
Last modified on 2018-01-18 12:40:55.