Monitoring security-related events

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

It is important to monitor security-related events so that you can find out if changes are made to security policies or other objects, who made the changes, and when they were made. You can monitor security-related events by setting up an auditing policy. An auditing policy is made up of all of the auditing settings that you configure for individual security event categories.

Some of the most common tasks for monitoring security-related events are defining or modifying auditing policy settings for an event category on your local computer, defining or modifying auditing policy settings for an event category across your organization, and viewing the security log. For more information about other tasks for auditing security-related events, see Auditing Security Events How To....

To define or modify auditing policy settings for an event category on your local computer

  1. Open Local Security Policy.

  2. In the console tree, click Audit Policy.

    Where?

    • Security Settings/Local Policies/Audit Policy

  3. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  4. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

  • To audit object accesses, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. For information about how to enable auditing on an object, see Apply or modify auditing policy settings for a local file or folder or Apply or modify auditing policy settings for an object using Group Policy.

To define or modify auditing policy settings for an event category across your organization

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.

  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the Group Policy object (GPO) that you want to edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, click Audit Policy.

    Where?

    • Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy

  6. In the details pane, double-click an event category that you want to change the auditing policy settings for.

  7. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  8. Do one or both of the following, and then click OK.

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • If you are on a server or workstation joined to the domain, you can open Active Directory Users and Computers if you click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, double-click Active Directory Users and Computers, click Close, and then click OK.

  • To audit object accesses, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. For information about how to enable auditing on an object, see Apply or modify auditing policy settings for a local file or folder or Apply or modify auditing policy settings for an object using Group Policy.
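The two procedures above set the same Audit Policy categories, once through Local Security Policy and once through a GPO. The following is an added example, not part of the original article, that applies those settings non-interactively with secedit.exe (which ships with Windows Server 2003) and then re-exports the policy to confirm what took effect. It assumes Windows PowerShell 2.0 is installed and is running as a member of the local Administrators group; the file names under $work and the function name Get-EventAuditSettings are this example's own choices.

```powershell
# Added example, not part of the original article: apply the Audit Policy
# categories with secedit.exe instead of the Local Security Policy console.
# Assumes Windows PowerShell 2.0 running as a local Administrator.
# File names under $work are placeholders chosen for this example.

$work     = Join-Path $env:TEMP 'audit-policy'
$before   = Join-Path $work 'before.inf'
$template = Join-Path $work 'audit.inf'
$db       = Join-Path $work 'audit.sdb'
$after    = Join-Path $work 'after.inf'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Reads the [Event Audit] section of a security template (.inf) into a
# hashtable of category name -> numeric value.
function Get-EventAuditSettings {
    param([string]$Path)
    $settings  = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($matches[1] -eq 'Event Audit')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)\s*$') {
            $settings[$matches[1]] = [int]$matches[2]
        }
    }
    return $settings
}

# 1. Keep the current policy so the change can be reviewed or rolled back.
secedit /export /cfg $before /areas SECURITYPOLICY

# 2. Security-template values for the Audit Policy categories:
#    0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
#    Object access is only enabled at the category level here; auditing a
#    specific file or folder is still configured on that object itself.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2
'@
Set-Content -Path $template -Value $inf -Encoding Unicode

# 3. Apply only the SECURITYPOLICY area; the .sdb is the working database
#    secedit requires and is created if it does not exist.
secedit /configure /db $db /cfg $template /areas SECURITYPOLICY

# 4. Verify by exporting again and comparing against the template.
secedit /export /cfg $after /areas SECURITYPOLICY
$wanted  = Get-EventAuditSettings -Path $template
$applied = Get-EventAuditSettings -Path $after
foreach ($category in ($wanted.Keys | Sort-Object)) {
    $status = if ($applied[$category] -eq $wanted[$category]) { 'OK' } else { 'MISMATCH' }
    '{0,-20} wanted={1} applied={2} {3}' -f $category, $wanted[$category], $applied[$category], $status
}
```

The same template file can be used for the domain procedure: in Group Policy Object Editor, right-click Security Settings under Computer Configuration/Windows Settings and use Import Policy to load it into the GPO, then confirm the values on the Audit Policy node. Keeping the before.inf export is what lets you answer "what changed, and when" for the policy itself.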

To view the security log

  1. Open Event Viewer.

  2. In the console tree, click Security. The details pane lists individual security events.

  3. In the details pane, double-click an event to view more details.

Notes

  • You must be logged on as a member of the Administrators group or you must have been granted the Manage auditing and security log right in Group Policy to perform this procedure.

  • To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

  • For more information about security events, see "Security Events" on the Microsoft Windows Resource Kits Web site.
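Viewing the log in Event Viewer works for a handful of events; for a day's worth it helps to summarize first. The following is an added example, not part of the original article, that reads the Security log from Windows PowerShell 2.0 under the same right the procedure above requires (Administrators, or Manage auditing and security log). It groups entries by EntryType (SuccessAudit or FailureAudit, the two outcomes the Success and Failure check boxes control) and EventID, and separately lists the events that alter or clear auditing itself. The event ID descriptions are the Windows Server 2003 security event IDs; the $Hours parameter and the function names are this example's own choices.

```powershell
# Added example, not part of the original article: read the Security log
# from Windows PowerShell 2.0 instead of the Event Viewer console.
# Descriptions below are Windows Server 2003 security event IDs.
$eventNames = @{
    517 = 'Audit log cleared'
    528 = 'Successful logon'
    529 = 'Logon failure: unknown user name or bad password'
    540 = 'Successful network logon'
    560 = 'Object open'
    612 = 'Audit policy changed'
    624 = 'User account created'
}

# Counts Security events per EntryType (SuccessAudit / FailureAudit) and
# EventID for the last $Hours hours, most frequent first.
function Get-SecurityAuditSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -After $since |
        Group-Object -Property EntryType, EventID |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                EntryType = $first.EntryType
                EventID   = $first.EventID
                Name      = $eventNames[[int]$first.EventID]
                Count     = $_.Count
            }
        }
}

# Lists events that change or defeat auditing (policy changed, log cleared):
# who did it and when, which is the question the introduction asks.
function Get-AuditPolicyTampering {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -After $since |
        Where-Object { $_.EventID -eq 517 -or $_.EventID -eq 612 } |
        Select-Object TimeGenerated, EventID, UserName, MachineName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-SecurityAuditSummary -Hours 24 | Format-Table EntryType, EventID, Name, Count -AutoSize
Get-AuditPolicyTampering -Hours 24 | Format-Table -AutoSize
```

A rising count of FailureAudit 529 entries, or any 517 or 612 entry you did not schedule, is the point at which to open the individual events in Event Viewer for full detail. Run the summary on a known-good day first so you have a baseline to compare against.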

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.