Although the audit entry has been created, before any auditing will actually take place the audit policy has to be enabled. This is very similar to enabling the account management auditing earlier in the book and is done via the local security policy. Go to the Start menu, select Programs, then Administrative Tools and click on the Local Security Policy object (or create a new MMC console and add the Local Security Policy snap-in manually). In the Local Security Policy editor, expand the Local Policies folder and click on the Audit Policies subfolder that appears.
Locate the Audit Object Access item and double click it. The dialog in Figure 156 will appear.
Tick both the Success and Failure check boxes, and click OK. You will be returned to the Local Security Policy editor. Check to make sure the effective policy setting for object access auditing is set to Success, Failure, and then exit the policy editor tool
Auditing is now active and enabled. It is only necessary to complete the policy change task once, and not per file or folder audit entry.
To demonstrate auditing, log on to the machine as the local Administrator. Open Explorer, navigate to the C:\Test folder and double click the Test File.txt to open it in Notepad. Exit Notepad, and then open Event Viewer (either by using the Computer Management console, or by typing eventvwr in the Start Run dialog). Click on the Security log to view the audited events.
An event has been logged for the Administrator access to the test file, as per the auditing configuration. Double click the event to review its detailed contents.
To remove auditing from a file or folder, select the auditing entry in the Auditing list you wish to remove, and click the Remove button. To turn off auditing altogether, set the object access auditing in the local security policy to No Auditing by unchecking the success and failure check boxes. This method has the advantage of disabling all auditing without removing the actual action-auditing configuration on files and folders, which allows you to re-enable it later without a large amount of recreation work.
Home - Table Of Contents - Contact Us
CertiGuide to A+ (A+ 4 Real) (http://www.CertiGuide.com/apfr/) on CertiGuide.com
Version 1.0 - Version Date: March 29, 2005
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.