Object Access Auditing
To complement access controls, NTFS also supports object access auditing. Once users have been added to an object's audit list and the actions to audit have been selected, Windows writes an event to the Event Log every time an auditable action occurs. This is an extremely useful feature, as it is essential to have a comprehensive audit trail of access to sensitive data.
To configure auditing, click on the Auditing tab in the Advanced Access Controls dialog. By default, nothing is audited, so click the Add button to select a user from the usual user and group selection dialog. For this example, we will use the local Administrator account again. After selecting a user or group and clicking OK, you are prompted to select which events should be audited. The dialog is identical to the Advanced Permissions dialog, except that instead of Allow and Deny there are Success and Failure check boxes. In this context, Success is when a user completes an action (such as deleting a file), whilst Failure is when the user was prevented from doing so by permissions (because the user has not been granted the delete permission on the file).
To demonstrate the principle of auditing, we will audit the Read Data action on the test file. Tick the Success checkbox for List Folder/Read Data, and click OK. The Advanced Access Controls dialog reappears with a new entry in the Auditing window corresponding to the audit entry just created. Click OK to dismiss the Advanced Access Controls dialog, and click OK again to dismiss the test file properties dialog.
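The same audit entry can also be created and checked from an elevated PowerShell session. This is an added example, not part of the original guide: it assumes a current Windows version, a hypothetical test file at C:\Test\testfile.txt, and it also enables the "File System" audit subcategory, because without that policy setting the entry on the file produces no events in the Security log.

```powershell
# Added example. Run elevated: reading and writing a SACL needs the
# "Manage auditing and security log" right (SeSecurityPrivilege).
$path = 'C:\Test\testfile.txt'   # hypothetical path to the test file

# Audit entries on a file are only honoured when object access auditing is
# enabled in the audit policy. Enable Success auditing for file system objects.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Build the audit entry described above:
# local Administrator account, Read Data action, Success only.
$account = "$env:COMPUTERNAME\Administrator"
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit makes Get-Acl return the audit list (SACL) as well as the permissions.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check 1: the new entry is present in the file's audit list.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Check 2: the policy prerequisite is really on.
auditpol /get /subcategory:"File System"

# Check 3: after the audited account has read the file, look for the access
# events. Event ID 4663 is the object access event on Windows Vista and later.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

If Check 3 returns nothing after a read by the audited account, confirm that Check 2 shows Success enabled and that the read was made by the account named in the audit entry.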
CertiGuide to A+ (A+ 4 Real) (http://www.CertiGuide.com/apfr/) on CertiGuide.com
Version 1.0 - Version Date: March 29, 2005
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.