Activity 7-15: Working with Audit Policies
Time Required: 15 minutes
Objective: Enable and test auditing of object access.
Description: You have a share containing very sensitive files. Access to these files is not frequent, and only a few users access them. Because of the files' sensitive nature, you want to know who is accessing them (including those who shouldn't be attempting access) and when. You enable auditing of object access and then set up auditing on the sensitive files themselves.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC, and click the Group Policy Objects folder. Create a GPO in this folder named LocalGPO.
3. Right-click LocalGPO and click Edit. In GPME, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click Audit Policy. In the right pane, double-click Audit object access. In the Properties dialog box, click the Define these policy settings check box. Click Success and Failure, and then click OK. Close GPME.
4. In GPMC, link LocalGPO to the Domain Controllers OU. Close GPMC. Open a command prompt window, type gpupdate, and press Enter. Then type auditpol /get /category:* | more and press Enter. Page through the output, noting that all subcategories under Object Access are set to Success and Failure. Close the command prompt window.
5. Open Windows Explorer, and navigate to Q:\Shared. (This folder should be shared from activities completed in Chapter 6.) Delete all files and folders in the Shared folder.
6. Create a file in the Shared folder called Confidential.txt. Right-click Confidential.txt and click Properties. Click the Security tab, and then click the Advanced button.
7. In the Advanced Security Settings for Confidential.txt dialog box, click the Auditing tab, and then click the Edit button. Click Add. Type Domain Users, click Check Names, and then click OK.
8. In the Auditing Entry for Confidential.txt dialog box, click the Successful and Failed check boxes for the Full control permission. Click OK until you get back to the Windows Explorer window.
9. Open Confidential.txt in Notepad, and then close it and exit Notepad. Open Event Viewer. Right-click the Security log and click Refresh. You'll probably find a number of events listed. Unfortunately, when object access auditing is enabled, many events are audited, as indicated by the list of subcategories you saw under Object Access in Step 4. You can use the Auditpol command to turn auditing off for specific subcategories.
10. Open GPMC. Right-click LocalGPO and click Edit. In GPME, navigate to the Audit Policy node. In the right pane, double-click Audit object access. In the Properties dialog box, click to clear the Define these policy settings check box, and then click OK. Close GPME.
11. In GPMC, unlink LocalGPO from the Domain Controllers OU. Close all open windows, and stay logged on for the next activity.
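The same configuration done from PowerShell, as an added example that is not part of the textbook activity: it narrows auditing to the File System subcategory (the fix Step 9 hints at), adds the Domain Users audit entry on Confidential.txt that Steps 7 and 8 add through the GUI, and reads back the resulting Security log events. It assumes an elevated PowerShell 5.1 session on the server, the Q:\Shared\Confidential.txt path and Domain Users group from the activity, and that the audit entry is set directly on the file rather than through a GPO.

```powershell
# Added example, not from the textbook. Assumes an elevated PowerShell session on the
# domain controller and the file/group names used in Activity 7-15.
$File  = 'Q:\Shared\Confidential.txt'
$Group = 'Domain Users'

# 1. Audit policy. Instead of enabling the whole Object Access category (which Step 4
#    showed turns on every subcategory), enable only File System and switch off a noisy
#    subcategory. Note: a basic Audit Policy GPO such as LocalGPO overrides these
#    per-subcategory settings at the next policy refresh unless advanced audit policy is used.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable | Out-Null
auditpol /get /subcategory:"File System"

# 2. SACL on the file: Successful and Failed auditing of Full control for Domain Users,
#    the same entry Steps 7 and 8 create in the Auditing Entry dialog box.
$acl  = Get-Acl -Path $File -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Group, 'FullControl', 'None', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $File -AclObject $acl

# 3. Generate one access (stands in for opening the file in Notepad in Step 9), then
#    list who touched the file. Event ID 4663 is "An attempt was made to access an object".
Get-Content -Path $File | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.ObjectName -like '*\Confidential.txt') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                AccessMask = $d.AccessMask
                Result     = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            }
        }
    } | Format-Table -AutoSize
```

Failed attempts by users who lack permission on the file show up in the same list with Result = Audit Failure, which is the "who shouldn't be attempting access" case the activity description asks about.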
Activity 7-16: Reviewing Additional Local Policies
Time Required: 20 minutes
Objective: Review several User Rights Assignment and Security Options settings.
Description: You have some experience using group policies to set User Rights Assignment and Security Options policies, but you haven't taken the time to see everything that's available in these nodes. You open GPME and explore these two nodes.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC, and then navigate to and right-click LocalGPO and click Edit to open it in GPME.