Windows Server 2003 - Auditing
©2004 Team Approach Limited
All rights reserved


There are 3 major events in auditing.

  • Specifying the major categories to be audited in the security policy
  • Viewing the audit log in the event viewer
  • Specifying which types of access to audit for each object in its SACL

Auditing is enabled in the computer security policy, as shown in the dialog to the right. It can be enabled for successful operations, such as a successful logon, or for failures, such as an attempted logon where the password was specified incorrectly. Failure events may indicate that someone is trying to hack into your system or access restricted files.

Audit transactions are stored in the Security Log and are viewable with the Event Viewer as shown below.

Auditing object access requires setting the SACL (Security Access Control List) for the objects of interest. The SACL has the same structure as a DACL in that it is a list of ACEs (Access Control Entries). The DACL controls access to an object, whereas the SACL controls which accesses are audited: it specifies which types of access should be audited for specified users or groups. The SACL is reached through the Advanced option in the object security dialog, as shown below.
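To make the ACE-list structure concrete, the following added example (not part of the original page) parses the SACL portion of a security descriptor written in SDDL, the text form Windows uses for security descriptors, and reports which access types are audited for which trustee. The sample string is constructed for illustration, and the lookup tables cover only a subset of SDDL codes.

```python
import re

# Subset of SDDL two-letter codes. The same letters mean different things
# depending on the ACE field they appear in (FA, WD and AU all repeat).
ACE_FLAGS = {"SA": "audit success", "FA": "audit failure",
             "OI": "object inherit", "CI": "container inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "FX": "file execute", "SD": "delete", "RC": "read control",
          "WD": "write DACL", "WO": "write owner"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
            "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
            "SY": "Local System"}

# Constructed sample: a DACL (D:) with two allow ACEs, then a SACL (S:)
# with two audit ACEs.
SAMPLE = ("O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)"
          "S:AI(AU;OICISAFA;SDWD;;;WD)(AU;FA;FA;;;AU)")


def _tokens(field, table):
    """Split a run of two-letter SDDL codes and translate each one."""
    if field.lower().startswith("0x"):
        return [field]                      # raw access mask, left as hex
    return [table.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)]


def parse_sacl(sddl):
    """Return the audit ACEs found in the S: (SACL) part of an SDDL string."""
    match = re.search(r"S:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not match:
        return []                           # no SACL: nothing is audited
    entries = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "AU":
            continue                        # only plain audit ACEs handled
        flags = _tokens(fields[1], ACE_FLAGS)
        entries.append({"trustee": TRUSTEES.get(fields[5], fields[5]),
                        "rights": _tokens(fields[2], RIGHTS),
                        "on_success": "audit success" in flags,
                        "on_failure": "audit failure" in flags})
    return entries


if __name__ == "__main__":
    for entry in parse_sacl(SAMPLE):
        print(entry)
```

The DACL entries in the sample are ignored by the parser: they decide whether access is granted, while only the `S:` entries decide what is written to the Security Log.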

Keyboard Exercise

Enable auditing for logon events and then log on and off a few times. Use the Event Viewer to view these events.