
Enabling Auditing

Although the audit entry has been created, before any auditing will actually take place the audit policy has to be enabled. This is very similar to enabling the account management auditing earlier in the book and is done via the local security policy. Go to the Start menu, select Programs, then Administrative Tools and click on the “Local Security Policy” object (or create a new MMC console and add the “Local Security Policy” snap-in manually). In the Local Security Policy editor, expand the “Local Policies” folder and click on the “Audit Policies” subfolder that appears.

Figure 155: Simulation: NTFS Folder Properties – Step 8

 


Locate the “Audit Object Access” item and double click it. The dialog in Figure 156 will appear.


Figure 156: Simulation: NTFS Folder Properties – Step 9 (Enable Auditing)

 


Tick both the “Success” and “Failure” check boxes, and click “OK”. You will be returned to the Local Security Policy editor. Check to make sure the effective policy setting for object access auditing is set to “Success, Failure”, and then exit the policy editor tool.

Domain Policy Overrides

If you are part of a network and the effective policy setting does not show “Success, Failure” after ticking the check boxes, your system administrator may have defined a domain policy that specifies this audit setting. Domain policies always override local policies; therefore, your system administrator will need to allow you specific permission to complete this exercise.


Auditing is now active and enabled. It is only necessary to complete the policy change task once, and not per file or folder audit entry.

To demonstrate auditing, log on to the machine as the local Administrator. Open Explorer, navigate to the C:\Test folder and double click the “Test File.txt” to open it in Notepad. Exit Notepad, and then open Event Viewer (either by using the Computer Management console, or by typing “eventvwr” in the Start – Run dialog). Click on the Security log to view the audited events.

An event has been logged for the Administrator access to the test file, as per the auditing configuration. Double click the event to review its detailed contents.
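The same enable, verify and review sequence can be run from an elevated PowerShell prompt. This is an added example, not part of the original guide. It assumes Windows Vista / Server 2008 or later (where auditpol.exe and event ID 4663 are available), an English-language system (the category name is localized), and that the audit entry on C:\Test already exists as configured in the previous section.

```powershell
# Added example (not from the original guide). Run from an elevated prompt.
$path = 'C:\Test\Test File.txt'   # test file used in this guide

# 1. Show the current effective setting for the Object Access category.
#    If a domain policy defines it, this is where the override becomes visible.
auditpol /get /category:"Object Access"

# 2. Enable Success and Failure auditing, mirroring the two check boxes.
#    The category-level setting matches the "Audit Object Access" policy;
#    /subcategory:"File System" is the narrower, less noisy alternative.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 3. Confirm the file really carries an audit entry (SACL). The policy alone
#    logs nothing for objects that have no audit entries.
$acl = Get-Acl -Path $path -Audit
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 4. After opening the file in Notepad, pull the matching Security log events.
#    4663 = "An attempt was made to access an object".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    if ($data['ObjectName'] -eq $path) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
}
```

If step 3 prints no rules, the audit entry on the folder is missing or not inherited by the file, and no events will appear regardless of the policy setting.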

To remove auditing from a file or folder, select the auditing entry in the Auditing list you wish to remove, and click the “Remove” button. To turn off auditing altogether, set the object access auditing in the local security policy to “No Auditing” by unchecking the success and failure check boxes. This method has the advantage of disabling all auditing without removing the actual action-auditing configuration on files and folders, which allows you to re-enable it later without having to re-create the audit entries.



CertiGuide to A+ (A+ 4 Real) (http://www.CertiGuide.com/apfr/) on CertiGuide.com
Version 1.0 - Version Date: March 29, 2005

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.