Auditing is a security measure that tracks user and operating system activity by recording selected types of events in a log. The security audit log lets you establish a baseline of normal operations, maintain a record of system activity, and detect and respond to attempts to breach computer security. In Windows, security auditing is enabled in two steps. First, you enable the audit policy for the category of event you care about (for example, object access, logon events, or account management). Second, if you want to audit access to individual objects such as files, folders, registry keys, or printers, you must mark each object with a system access control list (SACL) that states which users and which kinds of access to record. Enabling object-access auditing without the second step produces no entries, because the policy only permits auditing; the SACL on the object decides what is actually written.
Figure: Audit entries in a log.
Common Events to Audit
The most common types of events to audit are:
- Access attempts on objects, such as files or folders.
- Account management activities on user accounts and group accounts.
- User logons and logoffs.
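The two-step setup described above, carried out for the three common event types in the list, as an added example (this is not code from the original page). It uses the built-in auditpol.exe tool and the .NET FileSystemAuditRule class; the folder path C:\Finance, the Everyone principal, and the chosen access rights are assumptions for illustration. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original page.
# Step 1: enable audit policy per subcategory (Advanced Audit Policy names).
# Success and failure are switched on separately; auditing failures for
# logoff is rarely useful, so it is left disabled here.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Confirm what is now in force on this machine.
auditpol /get /category:"Object Access","Logon/Logoff","Account Management"

# Step 2: put a SACL on the specific object to audit (assumed path).
$folder = 'C:\Finance'

# -Audit is required to read and write the SACL (needs SeSecurityPrivilege).
$acl = Get-Acl -Path $folder -Audit

# Audit everyone's successful and failed attempts to change or delete data,
# inherited by subfolders and files. Strings are converted to the enums
# FileSystemRights, InheritanceFlags, PropagationFlags and AuditFlags.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the audit rule is present on the object.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Two caveats a practitioner should know: auditpol changes the local policy only, so a domain Group Policy that sets the same subcategories will overwrite it at the next refresh (set the policy in GPO for managed machines), and auditing every read on a busy share generates a flood of 4663 events, which is why the rule above is limited to write and delete rights rather than FullControl.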
Security Log Entries
Security logs contain audit entries that record:
- The action that was performed.
- The user who performed the action.
- When the event occurred.
- The success or failure of the event.
- Additional information, such as the name or IP address of the computer where the event occurred.
You can view security log entries in Event Viewer under Windows Logs, Security, or query them with Get-WinEvent. You can also archive logs to track trends in the use of printers, access to files, and unauthorized attempts to access resources; archiving matters because the Security log is a fixed-size circular buffer, and once it wraps, the oldest entries are gone.
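Reading the entries back, as an added example that is not from the original page. It pulls the fields the list above names (action, user, time, outcome, source host) out of the Security log for the common event types, flags an address that exceeds a failed-logon baseline, and exports the log for archiving. The event IDs are the standard Windows ones (4624 logon success, 4625 logon failure, 4663 object access, 4720 user created, 4728 and 4732 member added to a group); the 24-hour window, the threshold of 10, and the archive path C:\Archive are assumptions. Reading the Security log requires an elevated prompt or membership in Event Log Readers.

```powershell
# Added example, not from the original page.
$ids   = 4624, 4625, 4663, 4720, 4728, 4732
$since = (Get-Date).AddHours(-24)   # assumed window

# Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue

# Each record's EventData is XML; flatten its <Data Name=...> nodes.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Action   = $e.TaskDisplayName
        Outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        # Logon and account events name the affected account in TargetUserName;
        # object-access events only carry the acting account in SubjectUserName.
        User     = if ($d.ContainsKey('TargetUserName')) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
        Object   = $d['ObjectName']        # present for 4663, null otherwise
        SourceIp = $d['IpAddress']         # present for 4624/4625, null otherwise
        Computer = $e.MachineName
    }
}

# Baseline check: too many failed logons from one address in the window.
$threshold = 10   # assumed
$rows | Where-Object { $_.Id -eq 4625 -and $_.SourceIp } |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object { "{0} failed logons from {1}" -f $_.Count, $_.Name }

# Latest activity, in the order the list above describes.
$rows | Sort-Object Time -Descending |
    Select-Object -First 20 Time, Action, User, Outcome, Object, SourceIp, Computer |
    Format-Table -AutoSize

# Archive the whole log to a dated .evtx file before it wraps (assumed path).
$archive = 'C:\Archive\Security-{0}.evtx' -f (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path (Split-Path $archive) -Force | Out-Null
wevtutil epl Security $archive
```

The IpAddress field on 4625 is supplied by the client, so for network logons it is the address the session came from, but for local or service logons it is "-" or "::1"; the filter on a non-empty SourceIp keeps those out of the per-address count. Archived .evtx files can be opened in Event Viewer or passed to Get-WinEvent with the -Path parameter.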
Beneﬁts of Auditing
Auditing enables you to:
- Create a baseline of normal network and computer operations.
- Track the success and failure of events, such as attempts to log on, attempts by a particular user to read a specific file, changes to a user account or group membership, and changes to security settings.
- Deter unauthorized use of resources. Auditing is a detective control, not a preventive one: it records misuse rather than blocking it, so it reduces risk only when someone reviews the log.
- Detect attempts to breach the security of the network or computer.
- Determine which systems and data have been compromised during or after a security incident.
- Limit further damage after an attacker has penetrated the network, by showing which accounts and objects were touched so they can be contained.
- Maintain a record of user and administrator activity.