Win2008: How to set up Object Auditing
In this demonstration, we'll set up object auditing on a registry
key. The same principles would apply for object auditing on a
file or folder in the file system.
First open the Local Security Policy from Administrative Tools.
(If this were a domain controller, we'd open the Domain Controller
Security Policy.)
Enable failure and success auditing on "Audit Object Access."
If success and failure are greyed out, this is controlled by group
policy and you'll want to talk to your Active Directory
administrator about this.
Find the registry key that you'd like to have audited. Try to be as
granular as possible. Visit its permissions...
Click the ADVANCED button.

Select the Auditing Tab, add a checkmark (as seen below), and click
ADD. . .
When deciding who to add, you can be very specific or very general.
You might need to add the Everyone group from the local SAM and the
Everyone group from the domain.
When in doubt, go for everything.
Run GPUPDATE /force
Wait for the registry key value(s) to be changed.
Then visit the Security event log and focus on new entries for Task
Category of "Registry".
These can give a clue about which process and user account were used
in making the change.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/12/2010 8:07:54 AM
Event ID: 4663
Task Category: Registry
Level: Information
Keywords: Audit Success
User: N/A
Computer: MyComputer
Description:
An attempt was made to access an object.
Security ID: SYSTEM
Account Name: TheMachineName$
Account Domain: MyDomainName
Logon ID: 0x3e7
Object:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
Handle ID: 0x1074
Process Information:
Process ID: 0x894
Process Name: C:\Windows\SysWOW64\CCM\CcmExec.exe
Access Request Information:
Accesses: Query key value
Access Mask: 0x1
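
The same procedure scripted in PowerShell, as an added example that is not part of the original walkthrough: it enables registry auditing with auditpol, adds an audit entry for Everyone on one key, and lists the matching 4663 events with the account and process involved. The key path (taken from the sample event above) and the 1000-event window are assumptions.

```powershell
# Added example, run from an elevated PowerShell prompt (2.0 or later).
# Assumption: the audited key is the one seen in the sample event above.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\Tcpip\Parameters'

# Step 1: turn on success and failure auditing for registry objects.
# "Registry" is the Object Access subcategory that covers registry keys.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) for Everyone on this key only.
# FullControl follows the "go for everything" advice; narrow the rights
# (for example to SetValue) if read events make the log too noisy.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Step 3: list 4663 events for the key with the account and process involved.
# The log records the resolved path (ControlSet001), so match on the tail.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 1000 -ErrorAction SilentlyContinue |
ForEach-Object {
    $data = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($data['ObjectType'] -eq 'Key' -and
        $data['ObjectName'] -like '*\services\Tcpip\Parameters') {
        New-Object PSObject -Property @{
            Time       = $_.TimeCreated
            Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
            Key        = $data['ObjectName']
        }
    }
}
```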