Requirements for auditing object access
Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
The most common types of events to be audited are:
- Access to objects, such as files and
- Management of user accounts and group
- Users logging on to and logging off from the
When you implement audit policy:
- If you want to audit directory service access
or object access, determine which objects you want to monitor
access of and what type of access you want to monitor. For example,
if you want to audit any attempts by users to open a particular
file, you can configure auditing policy settings in the object
access event category so that both successful and failed attempts
to read a file are recorded.
- Specify the categories of events that you
want to audit. Examples of event categories are user logon, user
logoff, and account management. The event categories that you
select constitute your audit policy. For more information about
each event category, see Audit Policies.
- Set the size and behavior of the Security
log. You can view the Security log with Event Viewer.
You can have one or more auditing entries for the same user or group depending on the type of auditing, where it was inherited from, the type of access, and what it will be applied to.
Names the currently selected object.
Displays each auditing entry for this object:
Include inheritable auditing entries from this object's parent
When selected, inheritable auditing entries from the object's parent will be written to the Security log.
Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object
When selected, auditing settings on this parent object will replace those on its descendant objects.
When cleared, auditing settings on each object, whether parent or its descendant, can be unique.