Auditing Windows NT Servers
Setting the Audit Policy
Selected activities of users can be tracked by auditing security events and then placing entries in the computer's security log. Use the Audit policy to determine the types of security events that are logged. Because the security log is limited in size, carefully select events to be logged. The maximum size of the computer's security log is defined in Event Viewer. Entries in a security log can be reviewed using Event Viewer.
To manage the Audit Policy
- On the Policies menu, click Audit.
- To record events in the security log, click Audit These Events. Or, to not record any events in the security log, click Do Not Audit.
- If you selected Audit These Events, click to select or clear the Success and Failure check boxes for each type of event.
Notes and Tips
- When administering domains, the Audit policy affects the security logs of all domain controllers in the domain because they share the same Audit policy.
- When administering a computer running Windows NT Workstation or Windows NT Server that is not a domain controller, the Audit policy affects only the security log of that computer.
- Entries in a security log can be reviewed using Event Viewer.
- Because the security log is limited in size, carefully select which events to log. The maximum size of each computer's security log is defined in Event Viewer.
Settings to be Used
For all domain controllers, PDCs and BDCs, use the following settings:
| Recommended Event | Success | Failure |
| --- | --- | --- |
| Logon | no | yes |
| User and Group Management | yes | yes |
| Security Policy Changes | yes | yes |
| Restart, Shutdown, and System | yes | yes |
For application servers, auditing should be implemented as required by the application owner. Again, it is important to set the size and retention period of the Security Event Log to an appropriate level.
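The recommended settings above can serve as a checkable baseline. The following Python sketch is an added example, not part of the original page: it compares a recorded Audit policy per domain against the domain controller table and lists each deviation. The semicolon-separated inventory format, the domain and server names, and the function names are assumptions made for illustration.

```python
# Domain controller settings from the page's table: event -> (Success, Failure)
DC_BASELINE = {
    "Logon": (False, True),
    "User and Group Management": (True, True),
    "Security Policy Changes": (True, True),
    "Restart, Shutdown, and System": (True, True),
}

# Added example: constructed inventory, one record per domain (its domain
# controllers share one Audit policy). S = Success checked, F = Failure checked.
SAMPLE = """\
domain;CORP;Audit These Events;Logon=F;User and Group Management=SF;Security Policy Changes=SF;Restart, Shutdown, and System=SF
domain;LAB;Audit These Events;Logon=SF;User and Group Management=S;Security Policy Changes=SF
domain;TEST;Do Not Audit
server;APP1;Audit These Events;Logon=F
"""

def parse(text):
    """Yield (scope, name, option, {event: (success, failure)}) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        scope, name, option, *pairs = [f.strip() for f in line.split(";")]
        events = {}
        for pair in pairs:
            event, flags = pair.rsplit("=", 1)
            events[event.strip()] = ("S" in flags, "F" in flags)
        yield scope, name, option, events

def check_domains(text):
    """Return {domain: [deviations from DC_BASELINE]}; servers are skipped."""
    findings = {}
    for scope, name, option, events in parse(text):
        if scope != "domain":
            continue  # application servers follow the application owner
        if option == "Do Not Audit":
            findings[name] = ["no events are audited"]
            continue
        issues = []
        for event, (want_s, want_f) in DC_BASELINE.items():
            got_s, got_f = events.get(event, (False, False))  # absent = cleared
            if want_s and not got_s:
                issues.append(f"{event}: Success not audited")
            if want_f and not got_f:
                issues.append(f"{event}: Failure not audited")
            if got_s and not want_s:
                issues.append(f"{event}: Success audited, not recommended")
        findings[name] = issues
    return findings
```

An empty list for a domain means its recorded policy matches the table; application servers are left out because the page defers their settings to the application owner.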