Auditing for Failures


Often we ignore the Security event log when troubleshooting because, over time, we learn that it rarely helps. That disappointment may simply be due to a lack of auditing: if no audit policy is enabled, failures are never recorded there. Enabling failure auditing lets you see security-related failures in the Security event log.


Start button >  Run  > Open: Secpol.msc


Highlight “Audit Policy”.

Enable failure auditing for every audit category while troubleshooting.


Run gpupdate /force to refresh the local and domain policies. Rebooting might work better. I’m honestly not sure whether a gpupdate really does anything about local policies or not.


If you want to monitor object access to a specific file or folder, first make sure that Object Access auditing is enabled in the Audit Policy step above, then temporarily set auditing on the specific object as described in the steps below.

Find the file or folder in Windows Explorer…


Right-click the file or folder and choose Properties from the context menu.

Switch to the Security tab.

Click the Advanced button and then switch to the Auditing tab.

Click the Add button.

Click Locations to switch from domain objects to local accounts (if desired).

Select the accounts you’re focusing on.

Select the access types you’re focusing on.


If you’re not sure what to focus on, consider opening the services console…

    Start > Run > Open: Services.msc > OK


Find the process you’re suspicious of.  (In the example below, it’s the real-time antivirus scanner.)


Double-click the service you’re suspicious of, select the “Log On” tab, and see which account the service runs under.
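The same procedure scripted in PowerShell, as an added example that is not part of the original post: it enables failure auditing for every category, looks up the account a suspect service logs on as, adds a temporary failure-only audit entry on a folder for that account, and reads the resulting failure events back from the Security log. It assumes a modern Windows host (Vista/Server 2008 or later, where auditpol.exe and Get-WinEvent exist), an elevated prompt, and the placeholder values C:\Watched and SuspectSvc.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell prompt.
# Placeholders to replace: the folder to watch and the suspect service name.
$Folder      = 'C:\Watched'
$ServiceName = 'SuspectSvc'

# 1. Enable failure auditing for every category (the "audit failing to everything" step).
#    Object Access must be on or the folder SACL below will never produce events.
auditpol.exe /set /category:* /failure:enable | Out-Null
auditpol.exe /get /category:"Object Access"          # confirm the subcategories show Failure

# 2. Find the account the suspect service runs under (the services.msc "Log On" tab).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$Account = $svc.StartName
if ($Account -eq 'LocalSystem') { $Account = 'NT AUTHORITY\SYSTEM' }   # WMI spelling differs from the NT account name
"Service $ServiceName runs as $Account"

# 3. Add a temporary failure-only audit entry (SACL) on the folder for that account.
#    This is what the Advanced > Auditing tab does; -Audit is needed to read and write the SACL.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Reproduce the problem, then pull the failures out of the Security log.
#    4656 = a handle to an object was requested, 4663 = an attempt was made to access an object.
#    The Keywords column shows "Audit Failure" for the denied attempts.
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-1) } `
          -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" -and $_.Message -like "*$($Account.Split('\')[-1])*" }
$events |
    Select-Object TimeCreated, Id, @{ n = 'Keywords'; e = { $_.KeywordsDisplayNames -join ',' } } |
    Format-Table -AutoSize

# 5. Remove the temporary audit entry once troubleshooting is finished.
$acl = Get-Acl -Path $Folder -Audit
$acl.RemoveAuditRule($rule) | Out-Null
Set-Acl -Path $Folder -AclObject $acl
```

Leave the audit entry in place only for as long as you are reproducing the problem; with FullControl auditing on a busy folder the Security log fills quickly.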


More links…


KB 301640: How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;301640

KB 300549: How to enable and apply security auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;300549