Enable Security Auditing

  • Article

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Microsoft® Windows® Server 2003 uses security and system logs to store collected security events. Before enabling the system and security logs, you need to enable auditing for the system log and establish the number of events you want recorded in the security log. You customize system log events by configuring auditing. Auditing is the process that tracks the activities of users and processes by recording selected types of events in the security log of the Web server. You can enable auditing based on categories of security events such as:

  • Any changes to user account and resource permissions.

  • Any failed attempts for user logon.

  • Any failed attempts for resource access.

  • Any modification to the system files.

The most common security events recorded by the Web server are associated with user accounts and resource permissions.

Requirements

  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Microsoft Management Console (MMC); Local Security Policy

Recommendation

As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:**administrative_accountname “mmc %systemroot%\system32\inetsrv\iis.msc”.

Procedures

To define or modify auditing policy settings for an event category on the local Web server

  1. Open Administrative Tools, and then click Local Security Policy.

  2. In the console tree, click Local Policies, and then click Audit Policy.

  3. In the details pane, double-click an event category for which you want to change the auditing policy settings.

  4. On the Properties page for the event category, do one or both of the following:

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

  5. Click OK.

Perform the following procedure on the domain controller.

To define or modify auditing policy settings for an event category within a domain or organizational unit, when the Web server is joined to a domain

  1. Open Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the appropriate domain, site, or organizational unit and then click Properties.

  3. On the Group Policy tab, select an existing Group Policy object to edit the policy.

  4. In Group Policy Object Editor, in the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policy, and then click Audit Policy.

  5. In the details pane, double-click an event category for which you want to change the auditing policy settings.

  6. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  7. Do one or both of the following:

    • To audit successful attempts, select the Success check box.

    • To audit unsuccessful attempts, select the Failure check box.

  8. Click OK.