Requirements for auditing object access

Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

The most common types of events to be audited are:

  • Access to objects, such as files and folders.

  • Management of user accounts and group accounts.

  • Users logging on to and logging off from the system.

When you implement audit policy:

  • If you want to audit directory service access or object access, determine which objects you want to monitor access to and what type of access you want to monitor. For example, if you want to audit any attempts by users to open a particular file, you can configure auditing policy settings in the object access event category so that both successful and failed attempts to read that file are recorded.

  • Specify the categories of events that you want to audit. Examples of event categories are user logon, user logoff, and account management. The event categories that you select constitute your audit policy. For more information about each event category, see Audit Policies.

  • Set the size and behavior of the Security log. You can view the Security log with Event Viewer.
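The following example, which is added here and is not part of the original topic, carries the three steps above through for a single folder from an elevated Windows PowerShell session: it enables the File System subcategory of the Object Access category, adds an auditing entry to the folder, sets the size and overflow behavior of the Security log, and then reads the resulting object access events (event ID 4663) back from the log. The folder path C:\Finance\Reports is an assumed value that does not appear in the topic.

```powershell
# Added example, not part of the original topic. Assumes an elevated Windows
# PowerShell session and a hypothetical folder C:\Finance\Reports that exists.

$Target = 'C:\Finance\Reports'   # assumption: the object you decided to monitor

# Step 1 - the event category. Object access auditing is enabled per
#          subcategory; enable both outcomes so successful and failed
#          attempts are recorded.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2 - the object. Add an auditing entry (SACL entry) to the folder:
#          Type = Success and Fail, Name = Everyone, Access = ReadData,
#          Apply To = this folder, subfolders and files.
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Step 3 - the Security log. 256 MB maximum size; retention false means the
#          oldest events are overwritten when the log is full.
wevtutil.exe set-log Security /maxsize:268435456 /retention:false

# Review what was recorded. Event 4663 is "An attempt was made to access an
# object"; the named fields are taken from the event XML rather than from
# positional properties so the code does not depend on field order.
function Get-ObjectAccessEvents {
    param([string]$Path, [int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                    Process = $data.ProcessName
                }
            }
        }
}

Get-ObjectAccessEvents -Path $Target | Format-Table -AutoSize
```

Reading the SACL with Get-Acl -Audit and writing it back with Set-Acl requires the Manage auditing and security log user right, which is why the session must be elevated. The 4663 events appear only after the subcategory is enabled and a user actually opens something under the folder; auditing entries on their own produce no events.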

You can have one or more auditing entries for the same user or group depending on the type of auditing, where it was inherited from, the type of access, and what it will be applied to.

Item Description

Object name

Names the currently selected object.

Auditing entries

Displays each auditing entry for this object:

  • Type. The outcome on which the audit policy is applied. This can be Success, Fail, or All. The type is set for each access permission in the entry.

  • Name. The name of the object to which the audit policies are applied.

  • Access. Permission types, such as Full Control, Traverse Folder/Execute File, Read Attributes, and Delete. Includes file and folder permissions, Active Directory object permissions, and file server permissions.

  • Inherited from. The object from which the permissions are inherited. To include inheritable auditing entries from the object's parent, if one exists, select the check box on this dialog box.

  • Apply To. The child objects to which the permissions are also applied.

Include inheritable auditing entries from this object's parent

When this check box is selected, the inheritable auditing entries from the object's parent also apply to this object, and the access they describe is written to the Security log.

Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object

When selected, auditing settings on this parent object will replace those on its descendant objects.

When cleared, auditing settings on each object, whether parent or its descendant, can be unique.
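The following example, which is added here and is not part of the original topic, shows the two inheritance check boxes and the auditing entry columns expressed through the .NET security classes from Windows PowerShell. The tree under C:\Finance\Reports is an assumed value; the function names are chosen for this example and are not part of any Windows cmdlet set.

```powershell
# Added example, not part of the original topic. Assumes an elevated Windows
# PowerShell session and a hypothetical tree C:\Finance\Reports\Q1.

$Parent = 'C:\Finance\Reports'   # assumption

# List each auditing entry of an object with the same columns as the dialog box.
function Show-AuditEntries {
    param([string]$Path)
    $entries = (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount])
    foreach ($e in $entries) {
        [pscustomobject]@{
            Object    = $Path
            Type      = $e.AuditFlags          # Success, Failure, or both
            Name      = $e.IdentityReference
            Access    = $e.FileSystemRights
            Inherited = $e.IsInherited         # "Inherited from" a parent or set here
            ApplyTo   = "$($e.InheritanceFlags) / $($e.PropagationFlags)"
        }
    }
}

# "Include inheritable auditing entries from this object's parent"
#   selected -> SetAuditRuleProtection($false, $false): inherit from the parent
#   cleared  -> SetAuditRuleProtection($true,  $false): stop inheriting and drop
#               the entries that were inherited
function Set-AuditInheritance {
    param([string]$Path, [bool]$IncludeFromParent)
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAuditRuleProtection(-not $IncludeFromParent, $false)
    Set-Acl -Path $Path -AclObject $acl
}

# "Replace all existing inheritable auditing entries on all descendants with
#  inheritable auditing entries from this object": on every descendant, remove
#  the auditing entries set explicitly on it and turn inheritance back on, so
#  only the entries flowing down from this object remain.
function Reset-DescendantAuditing {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -Audit
        # GetAuditRules(explicit=$true, inherited=$false) returns a snapshot, so
        # removing entries while looping over it is safe.
        foreach ($explicit in $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
            [void]$acl.RemoveAuditRuleSpecific($explicit)
        }
        $acl.SetAuditRuleProtection($false, $false)
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

# Usage: let Q1 inherit from Reports again, push the parent's entries to every
# descendant, then review what Q1 now carries.
Set-AuditInheritance -Path "$Parent\Q1" -IncludeFromParent $true
Reset-DescendantAuditing -Path $Parent
Show-AuditEntries -Path "$Parent\Q1" | Format-Table -AutoSize
```

After Reset-DescendantAuditing runs, every entry reported for a descendant has Inherited set to True; an entry with Inherited set to False on a descendant means someone has since added a unique auditing entry there, which is the situation the second check box is meant to clear up.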
