Auditing-- where?? and why ??

TheMSsForum.com: The Microsoft Software Forum

Dear All,
i hope u r all fine :)

i found that for a secure system u should be auditing ur system
events??
i don c how such a thing adds a level of security??

so i decided to audit my system events and logons using the gpedit.msc,
but i was wondering where r the auditing files stored, where can i view
the events previously auditted??
and how can i benefit from it


thanx for ur gr8 help and time :)
Top

Re: Auditing-- where?? and why ?? by Malke

Malke
Thu Jul 13 06:58:08 CDT 2006

Eng.Rana@gmail.com wrote:

> Dear All,
> i hope u r all fine :)
>
> i found that for a secure system u should be auditing ur system
> events??
> i don c how such a thing adds a level of security??
>
> so i decided to audit my system events and logons using the gpedit.msc,
> but i was wondering where r the auditing files stored, where can i view
> the events previously auditted??
> and how can i benefit from it

That's a pretty sweeping statement and one that I question. It really
depends on your situation and what you mean by auditing system events. We
don't know if you have a standalone machine (running what OS?) or a domain
server taking care of 250 clients. We don't know if this is something you
heard from "a friend's cousin who knows something about computers" or you
are actively trying to harden your server. You will get more focused
answers if you provide more information. Oh, and if you do want more help
please take the time to use conventional English instead of text messaging
abbreviations. This is not a chat room and it makes your post difficult to
read. This will limit your responses.

In the meantime:

Audit User Access of Files, Folders, and Printers in Windows XP -
http://support.microsoft.com/Default.aspx?kbid=310399

Audit Active Directory Objects in Windows Server 2003 -
http://support.microsoft.com/Default.aspx?kbid=814595

To add users or groups to the audit list - http://tinyurl.com/lozjc

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
Top

Re: Auditing-- where?? and why ?? by karl

karl
Thu Jul 13 07:04:23 CDT 2006


<Eng.Rana@gmail.com> wrote in message
news:1152774755.373384.144980@p79g2000cwp.googlegroups.com...

> i found that for a secure system u should be auditing ur system
> events??
> i don c how such a thing adds a level of security??
>
> so i decided to audit my system events and logons using the gpedit.msc,
> but i was wondering where r the auditing files stored, where can i view
> the events previously auditted??
> and how can i benefit from it

Auditing lets you control and see what is happening on your system. One day
you will want to know what some user has been doing, or whether your system
has been hacked. Log files such as auditing logs are your friend here. If
you don't configure this before you have this question, that information is
unavailable to you. You don't have to enable auditing if you don't want,
but most people do consider auditing to be necessary on systems where
security is important.

Windows auditing is logged to the Windows Security Event Log. Be careful
not to enable too much auditing. Note that there are a variety of different
kinds of auditing, such as logon auditing and NTFS file access auditing. To
enable file access auditing is a two step process: turn on the auditing in
group policy, and then set the auditing properties on each file and folder
that you wish to audit. More info is at:

http://securityadmin.info/faq.asp?auditing

Recommendations for what levels of auditing to enable are in the Windows
Security Guide for your version of Windows, which can be found at
www.microsoft.com/technet/security

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info


Top

Re: Auditing-- where?? and why ?? by Developer

Developer
Thu Jul 13 09:52:16 CDT 2006

thanx for the great help :)

actually i'm using 2 of the options provided by the group policy editor
in windows server 2003, namely,
1- Audit: logon events
2-Audit: System events

i was just wondering from where can i view the events auditted, thats
all :)



karl levinson, mvp wrote:
> <Eng.Rana@gmail.com> wrote in message
> news:1152774755.373384.144980@p79g2000cwp.googlegroups.com...
>
> > i found that for a secure system u should be auditing ur system
> > events??
> > i don c how such a thing adds a level of security??
> >
> > so i decided to audit my system events and logons using the gpedit.msc,
> > but i was wondering where r the auditing files stored, where can i view
> > the events previously auditted??
> > and how can i benefit from it
>
> Auditing lets you control and see what is happening on your system. One day
> you will want to know what some user has been doing, or whether your system
> has been hacked. Log files such as auditing logs are your friend here. If
> you don't configure this before you have this question, that information is
> unavailable to you. You don't have to enable auditing if you don't want,
> but most people do consider auditing to be necessary on systems where
> security is important.
>
> Windows auditing is logged to the Windows Security Event Log. Be careful
> not to enable too much auditing. Note that there are a variety of different
> kinds of auditing, such as logon auditing and NTFS file access auditing. To
> enable file access auditing is a two step process: turn on the auditing in
> group policy, and then set the auditing properties on each file and folder
> that you wish to audit. More info is at:
>
> http://securityadmin.info/faq.asp?auditing
>
> Recommendations for what levels of auditing to enable are in the Windows
> Security Guide for your version of Windows, which can be found at
> www.microsoft.com/technet/security
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info

Top

Re: Auditing-- where?? and why ?? by levinson_k

levinson_k
Thu Jul 13 10:58:02 CDT 2006

Should still be in the Windows Security Event Log [e.g. as you may already
know, click on Start, Run and type EVENTVWR, or right-click on My Computer
and select Manage].


"Developer.Man4@gmail.com" wrote:

> thanx for the great help :)
>
> actually i'm using 2 of the options provided by the group policy editor
> in windows server 2003, namely,
> 1- Audit: logon events
> 2-Audit: System events
>
> i was just wondering from where can i view the events auditted, thats
> all :)
>
>
>
> karl levinson, mvp wrote:
> > <Eng.Rana@gmail.com> wrote in message
> > news:1152774755.373384.144980@p79g2000cwp.googlegroups.com...
> >
> > > i found that for a secure system u should be auditing ur system
> > > events??
> > > i don c how such a thing adds a level of security??
> > >
> > > so i decided to audit my system events and logons using the gpedit.msc,
> > > but i was wondering where r the auditing files stored, where can i view
> > > the events previously auditted??
> > > and how can i benefit from it
> >
> > Auditing lets you control and see what is happening on your system. One day
> > you will want to know what some user has been doing, or whether your system
> > has been hacked. Log files such as auditing logs are your friend here. If
> > you don't configure this before you have this question, that information is
> > unavailable to you. You don't have to enable auditing if you don't want,
> > but most people do consider auditing to be necessary on systems where
> > security is important.
> >
> > Windows auditing is logged to the Windows Security Event Log. Be careful
> > not to enable too much auditing. Note that there are a variety of different
> > kinds of auditing, such as logon auditing and NTFS file access auditing. To
> > enable file access auditing is a two step process: turn on the auditing in
> > group policy, and then set the auditing properties on each file and folder
> > that you wish to audit. More info is at:
> >
> > http://securityadmin.info/faq.asp?auditing
> >
> > Recommendations for what levels of auditing to enable are in the Windows
> > Security Guide for your version of Windows, which can be found at
> > www.microsoft.com/technet/security
> >
> > --
> > kind regards,
> > Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> > --------------------------------
> > Microsoft Security FAQ:
> > http://securityadmin.info
>
>
Top