Many of us who use Windows Server are not really aware of a useful feature called Auditing. It is mostly known to network admins only. What does it do? I got an email a while back from a friend who runs a Computer Learning Institute. Some of his eBooks were deleted and he was not able to track who did it. After he contacted me, I suggested that he enable Auditing Policies on Windows Server, which let you find records of users' activity on the network. It is possible to track who deleted files, who modified or moved them, and even logins and logouts. Auditing is a very simple process that generates logs, helping network admins keep track of users' activity. It is recommended for everyone who runs a server network, small or large. Auditing is available in all versions of Windows Server and, mark my words, it is not really tough to configure.
The steps to enable it are simple. Windows Server 2008 R2 offers better Auditing features. Called Security Auditing, it helps you track users' effectiveness at work. The new version has more enhancements and more complex algorithms that work more efficiently. There are higher levels of security auditing logs and simplified deployment. In my view, you should use the most recent version if you need a higher level of security. Otherwise it really does not matter if you just want the logs. Some of the enhancements I want to highlight here, if you use Windows Server 2008 or higher, are:
- Global Object Access Auditing: This gives you the option to enable SACLs, the computer system access control lists. The object type can be defined as either file system or registry. Once the list is applied, it is applied to every object of the type you configured. It is best suited to tracking system files and is recommended for a wide network. It can track changes made to system files and the registry.
- "Reason for access" reporting: This list is made up of Access Control Entries. With these, the admin has the right to grant privileges on objects and can allow or deny rights to objects in the environment as he or she sees fit.
- Advanced audit policy settings: There are 53 new settings here. According to the Microsoft site, the new additions allow admins to target more specific activities.
What can Auditing do?
There are two ways to use it. First, you can define policies that track user activities. Second, you can define policies that track system-wide activities. Under user activities you can collect logs of user logins, logouts, file modifications, deletions, etc., while under system-wide activities you can generate logs on object activities. One example I can give is the user membership process. Auditing allows you to track the following:
- The action that was performed.
- The user who performed the action.
- The success or failure of the event and the time that the event occurred.
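
For the deleted-eBooks case described above, the following PowerShell script is an added example, not from the original post: it turns on file system auditing, places an audit entry (SACL) for deletes on one folder, and reads back who deleted what and when. The folder path `D:\Shares\eBooks` is a hypothetical placeholder, the subcategory name assumes an English-language server, and the script must run in an elevated session on the file server.

```powershell
# Added example: audit deletions in one folder and report them.
$path = 'D:\Shares\eBooks'   # hypothetical folder; replace with your own

# 1. Enable the "File System" object-access audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) for delete attempts by anyone,
#    inherited by all subfolders and files.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Later: read event 4663 (object access attempt) from the Security log
#    and keep entries under $path whose access mask includes DELETE (0x10000).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Event fields are name/value pairs in the event XML.
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band 0x10000) -and $data['ObjectName'] -like "$path*") {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated                        # when it happened
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Action  = 'DELETE'                                # what was done
                Object  = $data['ObjectName']                     # which file
                Process = $data['ProcessName']
                Result  = $evt.KeywordsDisplayNames -join ', '    # audit success or failure
            }
        }
    } |
    Sort-Object Time |
    Format-Table Time, User, Action, Object, Result -AutoSize
```

Only deletions that happen after steps 1 and 2 are in place are logged, so the Security log should be sized to retain the period you need to look back over.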