Local Security Policy: Audit
Audits are security events that get documented for your review in the Windows Event Viewer (eventvwr.exe). Vista’s local security policy offers a handful of options that determine what (if anything) is audited. By default, no audit policies are enabled. Here is what is available…
Security Settings > Local Policies > Security Options > Audit: Audit the access of global system objects
Disabled by default, this security setting dictates whether the access of global system objects is audited. When enabled, system objects such as mutexes, events, semaphores and DOS devices are created with a default system access control list (SACL). If the “Audit object access” audit policy is also enabled, access to these system objects is audited.
Changing this policy requires a restart of Windows Vista in order to take effect.
Security Settings > Local Policies > Security Options > Audit: Audit the use of Backup and Restore privilege
Again disabled by default, this setting lets you specify whether to audit the use of all user privileges, including Backup and Restore, when the “Audit privilege use” policy is in effect. Enabling both policies generates an audit event for every file that is backed up or restored. Conversely, if this setting is disabled, the use of the Backup and Restore privileges is not audited even if “Audit privilege use” is enabled.
This policy also requires that you restart Windows Vista in order for the setting to take effect.
Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Windows Vista allows audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. This policy is disabled by default.
If the category-level audit policy set here is not consistent with the events that are currently being generated, the cause might be that the SCENoApplyLegacyAuditPolicy registry value is set.
Security Settings > Local Policies > Security Options > Audit: Shut down system immediately if unable to log security audits
Disabled by default, this security setting determines whether the system shuts down if it is unable to log security events.
If this is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Often this can happen if the security audit log is full and the retention method that is specified for the security log is either “Do Not Overwrite Events” or “Overwrite Events by Days”.
If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:
STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users other than members of the Administrators group will be able to log on to the system, even if the security log is not full.
Changes made to this policy require a restart of Windows Vista.
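The following PowerShell script is an added example and not code from the original post. It reports the state of the four “Audit:” options described above by reading the registry values that the Local Security Policy editor writes under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (AuditBaseObjects, FullPrivilegeAuditing, SCENoApplyLegacyAuditPolicy and CrashOnAuditFail), reads the Security log’s Retention value to show which retention method is in force, and then prints the effective per-subcategory policy with auditpol.exe. Of those names only SCENoApplyLegacyAuditPolicy appears on the page; the others are the documented registry locations for the remaining three options and for event-log retention. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: report the state of the four
# "Audit:" security options discussed above by reading the registry values the
# Local Security Policy editor writes, then show the effective per-subcategory
# audit policy with auditpol.exe. Run from an elevated PowerShell prompt.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SecLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist so callers can report "not set".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AuditOptionReport {
    # Audit the access of global system objects -> AuditBaseObjects (REG_DWORD)
    $baseObjects = Get-RegistryValue $LsaKey 'AuditBaseObjects'

    # Audit the use of Backup and Restore privilege -> FullPrivilegeAuditing (REG_BINARY, one byte)
    $fullPriv   = Get-RegistryValue $LsaKey 'FullPrivilegeAuditing'
    $fullPrivOn = ($null -ne $fullPriv) -and ($fullPriv[0] -eq 1)

    # Force subcategory settings to override category settings -> SCENoApplyLegacyAuditPolicy (REG_DWORD)
    $noLegacy = Get-RegistryValue $LsaKey 'SCENoApplyLegacyAuditPolicy'

    # Shut down system immediately if unable to log security audits -> CrashOnAuditFail (REG_DWORD).
    # 0 = disabled, 1 = enabled, 2 = written by the system after STOP C0000244 has fired:
    # only Administrators can log on until the Security log is cleared and the option is reset.
    $crash = Get-RegistryValue $LsaKey 'CrashOnAuditFail'

    # Security log retention method -> Retention (REG_DWORD).
    # 0 = overwrite events as needed, 0xFFFFFFFF (read by PowerShell as -1) = do not
    # overwrite, any other value = retain events for that many seconds (overwrite by days).
    $retention = Get-RegistryValue $SecLogKey 'Retention'
    if ($null -eq $retention -or $retention -eq 0) {
        $retentionText = 'Overwrite events as needed'
    } elseif ($retention -eq -1 -or $retention -eq 4294967295) {
        $retentionText = 'Do not overwrite events (clear log manually)'
    } else {
        $retentionText = 'Overwrite events older than {0} days' -f [math]::Round($retention / 86400, 1)
    }

    New-Object PSObject -Property @{
        AuditGlobalSystemObjects     = ($baseObjects -eq 1)
        AuditBackupRestorePrivilege  = $fullPrivOn
        SubcategoryOverridesCategory = ($noLegacy -eq 1)
        CrashOnAuditFail             = $crash
        SecurityLogRetention         = $retentionText
    }
}

$report = Get-AuditOptionReport
$report | Format-List

# Caveats that follow from the combination of settings.
if ($report.CrashOnAuditFail -eq 2) {
    Write-Warning 'CrashOnAuditFail is 2: an audit failure already halted this system. Only Administrators can log on until the Security log is cleared and the option is reset.'
}
if ($report.CrashOnAuditFail -eq 1 -and $report.SecurityLogRetention -ne 'Overwrite events as needed') {
    Write-Warning 'Shutdown-on-audit-failure is combined with a retention method that lets the Security log fill; a full log will stop this machine with STOP C0000244.'
}
if ($report.SubcategoryOverridesCategory) {
    Write-Host 'Category-level settings in secpol.msc and Group Policy are ignored; the auditpol output below is the effective policy.'
}

# Effective per-subcategory policy (Vista and later). This is what actually
# generates events, whatever the category-level view in the editor shows.
auditpol.exe /get /category:*
```

Reading the registry rather than the editor’s dialog has one practical advantage: the CrashOnAuditFail value of 2 is never shown as a distinct state in the Local Security Policy UI, yet it is exactly the condition the recovery paragraph above describes, so the script flags it explicitly. The final auditpol call is the authoritative view of what is being audited when SCENoApplyLegacyAuditPolicy is enabled and the category-level settings no longer apply.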