

Audit Policy Summary

Applies To: Windows Server 2008

This page provides a list of all of the changes that will be made to the audit policy on the selected server if you apply the policy. It shows the current setting for each audit policy setting and the setting defined by the policy. No changes are made to the selected server until you apply the security policy.

If you would like to change the resulting audit policy, you can return to the previous page and choose one of the other two audit policy options on the System Audit Policy page.

SACLs and Rollback

In SCWAudit.inf, the auditing security template that is provided with Security Configuration Wizard (SCW), the system access control lists (SACLs) help detect the tampering or attempted tampering of the operating system. These SACLs enable the system to record write access by any user to any executable or configuration files in the Windows directory structure, and changes to the state or configuration of Windows services. The SACLs do not cause Windows to monitor files and directories that are primarily used for other purposes, and they generate as few logged events as possible. However, application of a service pack, restoring information from a backup, or changing permissions on all or part of the Windows directory could result in a large number of events being generated.

The SCW rollback feature does not include the ability to roll back SACLs. Therefore, if you do not want to apply the SCWAudit.inf security template, you can clear the "Also include the SCWAudit.inf security template. SCWAudit.inf sets System Access Control Lists (SACLS) in order to audit access of the file system" check box on the Audit Policy Summary page.

To view details about the file system and registry SACLs defined in SCWAudit.inf, you can open SCWAudit.inf from the Security Templates snap-in. SCWAudit.inf is located in %WINDIR%\Security\Msscw\Kbs.

Another security template, DefaultSACLs.inf, is also provided. It allows you to reapply the default SACLs, in case SCWAudit.inf does not function as intended. The default SACLs that are applied are those that were installed with Windows, not the SACLs that were in effect before you applied SCWAudit.inf. To apply DefaultSACLs.inf, type the following at a command prompt:

secedit /configure /cfg DefaultSACLs.inf /db DefaultSACLs.sdb
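
Because rollback does not cover SACLs and DefaultSACLs.inf restores only the installation defaults, the following added example (not part of the original page or of SCW) records the SACLs in effect before the policy is applied and reports which ones changed afterwards. It assumes PowerShell 2.0 or later in an elevated session; the target paths and the sacl-before.xml file name are illustrative placeholders.

```powershell
# Added example: snapshot SACLs before applying SCWAudit.inf, diff afterwards.
# Run elevated: reading a SACL requires the SeSecurityPrivilege privilege.

# Assumption: sample targets only. Replace them with the paths you see when
# you open SCWAudit.inf in the Security Templates snap-in.
$Targets = @(
    "$env:WINDIR",
    "$env:WINDIR\System32",
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-SaclSnapshot {
    param([string[]]$Path)
    $audit = [System.Security.AccessControl.AccessControlSections]::Audit
    foreach ($p in $Path) {
        # -Audit makes Get-Acl return the SACL along with the DACL
        $acl = Get-Acl -Path $p -Audit -ErrorAction Stop
        New-Object PSObject -Property @{
            Path = $p
            # SDDL form of the audit section only
            Sddl = $acl.GetSecurityDescriptorSddlForm($audit)
        }
    }
}

function Compare-SaclSnapshot {
    param($Before, $After)
    $old = @{}
    foreach ($b in $Before) { $old[$b.Path] = $b.Sddl }
    foreach ($a in $After) {
        # Report targets whose SACL differs from, or is missing in, the snapshot
        if ($old[$a.Path] -cne $a.Sddl) {
            New-Object PSObject -Property @{
                Path = $a.Path; Before = $old[$a.Path]; After = $a.Sddl
            }
        }
    }
}

# 1. Before applying the security policy: save the current state.
Get-SaclSnapshot -Path $Targets | Export-Clixml -Path .\sacl-before.xml

# 2. After applying the policy: list every target whose SACL changed.
# $before = Import-Clixml -Path .\sacl-before.xml
# Compare-SaclSnapshot -Before $before -After (Get-SaclSnapshot -Path $Targets) |
#     Format-List Path, Before, After
```

The saved SDDL strings are the only record of the pre-policy SACLs, so keep sacl-before.xml with the rest of the change documentation for the server.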
