Figure 7-17
Policies in the User Rights Assignment subnode
Security Options —Almost 80 settings can be found in this subnode. Available policies are
organized into 16 categories, such as Interactive logon, Network access, and User Account
Control. Only a handful of the policies are defined in Default Domain Policy and Default
Domain Controllers Policy. The majority of these policies are configured with a simple Enable
or Disable setting. An example is Interactive logon: Do not display last user name. If this policy
is enabled, the account name of the last user to log on isn't displayed in the logon window.
Auditing Object Access
Auditing, particularly auditing access to file system objects, requires additional explanation. There are two steps for auditing objects:
• Enable the Audit object access policy for success, failure, or both.
• Enable auditing on target objects for success, failure, or both.
Auditing object access involves considerable overhead because objects must be monitored and events must be written to the Security log when access occurs. A single object access, such as opening a file, can create several log entries. For this reason, auditing objects should typically be done for brief periods or when an object is accessed infrequently. In highly secure environments, auditing access to sensitive data on an ongoing basis can be useful. Because auditing writes events to the Security log, it makes little sense to enable auditing unless the logs are checked regularly.
As mentioned, Windows Server 2008 logs successful logon events and certain other events
by default, even though auditing isn't enabled by default. If you check the Security log, you'll see
quite a few events logged there, most pertaining to computer accounts logging on and off.
Windows Server 2008 adds subcategories in each category of audit events shown in Figure 7-16 for more control over the types of events that are audited. Unfortunately, the subcategories can't be managed with GPME; you must use the Auditpol.exe command-line tool. By default, some subcategories are enabled, such as logon and logoff events, and these subcategories take precedence over policies set in GPOs.
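The two-step procedure above, together with the Auditpol.exe subcategory check, as an added PowerShell example (not from the textbook). It assumes an elevated session on the server holding the folder; the path C:\SensitiveData and the chosen rights are constructed placeholders.

```powershell
# Added example: enable object-access auditing for one folder on Windows Server 2008.
# Run in an elevated PowerShell session. $Target is a constructed placeholder path.
$Target = 'C:\SensitiveData'

# Step 1: the "Audit object access" policy. In Auditpol terms, file access is the
# "File System" subcategory of the Object Access category. Show the current value
# (subcategory settings take precedence over the GPO policy), then enable
# auditing of both successful and failed access.
auditpol.exe /get /category:"Object Access"
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: enable auditing on the target object itself by adding a SACL entry.
# Here: audit Everyone for successful and failed Delete and WriteData attempts,
# inherited by subfolders and files. Keep the rights narrow; every matching
# access can produce several Security log entries.
$acl = Get-Acl -Path $Target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'Delete, WriteData', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Verify that the SACL now carries the rule.
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Auditing is only worthwhile if the log is read: list the most recent
# object-access events (event ID 4663, "An attempt was made to access an object").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Remove the rule again with `$acl.RemoveAuditRule($rule)` followed by `Set-Acl` once the audit window is over, so the overhead described above does not persist unnoticed.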