Changes in Security Auditing
Updated: March 9, 2009
Applies To: Windows 7, Windows Server 2008 R2
This product evaluation topic for the IT professional describes changes to security auditing, including the Granular Audit Policies feature, in Windows 7 and Windows Server 2008 R2.
Centralized deployment and configuration of audit policies through Group Policy is available in Windows 2000, Windows XP, and Windows Server 2003. In Windows Vista and Windows Server 2008, the Granular Audit Policies feature allows more precise auditing. However, the Granular Audit Policies feature does not provide centralized configuration through Group Policy.
As in previous versions of Windows, security audit policies in Windows 7 and Windows Server 2008 R2 can be located in Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies by using the Local Computer Policy snap-in.
In Windows 7 and Windows Server 2008 R2, configuration and deployment of detailed audit policies by using the Advanced Audit Policy Configuration feature can be accomplished with Group Policy.
Detailed audit policies are located in Local Computer Policy\Computer Configuration\Windows Settings\Advanced Audit Policy Configuration.
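To confirm that a detailed audit policy deployed through Group Policy is what a computer actually enforces, the effective subcategory settings can be compared with a baseline. The following is an added example, not part of the original topic: it assumes the input is the English CSV report produced by `auditpol /get /category:* /r`, and the sample report, the GUID placeholders and the baseline are constructed for illustration.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output (GUIDs are placeholders).
SAMPLE_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{GUID-PLACEHOLDER-1},Success and Failure,
HOST01,System,File System,{GUID-PLACEHOLDER-2},Success,
HOST01,System,Registry,{GUID-PLACEHOLDER-3},No Auditing,
HOST01,System,Process Creation,{GUID-PLACEHOLDER-4},Failure,
"""

# Hypothetical baseline: subcategory -> outcomes that must be audited.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "File System": {"Success", "Failure"},
    "Registry": {"Failure"},
    "Handle Manipulation": {"Failure"},
}

def parse_setting(text):
    """Turn an Inclusion Setting string into the set of audited outcomes."""
    text = text.strip().lower()
    if text in ("", "no auditing"):
        return set()
    return {o for o in ("Success", "Failure") if o.lower() in text}

def effective_policy(report_text):
    """Map each subcategory in the CSV report to its audited outcomes."""
    rows = csv.DictReader(io.StringIO(report_text.lstrip("\ufeff")))
    return {r["Subcategory"].strip(): parse_setting(r["Inclusion Setting"] or "")
            for r in rows if (r.get("Subcategory") or "").strip()}

def audit_gaps(report_text, baseline):
    """Return {subcategory: missing outcomes}; an absent subcategory misses everything."""
    policy = effective_policy(report_text)
    gaps = {}
    for name, required in baseline.items():
        missing = required - policy.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for name, missing in sorted(audit_gaps(SAMPLE_REPORT, BASELINE).items()):
        print(f"{name}: not auditing {', '.join(missing)}")
```

A subcategory that is missing from the report is treated the same as one set to No Auditing, so a baseline entry can never pass silently.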
Object Access auditing has been improved by these features:
Enhanced event messages
Event messages now display the reason that an account was allowed or denied access.
Global Object audit policy
In earlier versions of Windows, a system access control list (SACL) had to be propagated to every single object on every single asset. By using the Global Object audit policy, you can use a Group Policy Object to track all of the targeted objects. Investigators can now analyze the object access events to understand exactly which objects users and processes attempted to access, and the reasons for success or failure.