Auditing access to securable objects by using SACLs
After discretionary access control lists (DACLs) are in place, NTFS
allows only those user accounts or groups with the correct permissions
to access objects. However, others within an environment might still attempt
to access files or folders. Being able to review or audit these
access attempts helps ensure that those within the organization who
need access to an object can get it, and that those who do not need
access cannot.
For example, many organizations have documents containing personal
information or human resources–related information about their
employees. Outside the legal and human resources departments, not many
employees need access to this information.
When you use SACLs to audit objects within an environment, entries
are recorded in the Windows event logs when events occur. If Orin
attempts to access files within the Human Resources folder, Windows can
write that attempt to the event log. Upon review, you will see that
these access attempts happened, when they happened, and which user
account was involved.
Note
WHEN TO AUDIT
Auditing for an object must be enabled before any actions are logged. Consider carefully what you want to audit: too much auditing
produces more information than is useful, whereas too little will
not provide the information necessary to monitor what is
occurring within your environment.
Auditing is configured in the Advanced Security Settings dialog box
for an object and requires you to be an administrator or to have the
appropriate permissions for the selected object to enable auditing. Figure 5 shows the Auditing tab of the Advanced Security Settings dialog box.
Configuring auditing
is very similar in Windows 8 to configuring security permissions for an
object. The only difference is that you are configuring which
permissions (or actions on an object) to audit rather than access to an object. To configure auditing for an object, complete the following steps:
1. Access the Auditing tab of the Advanced Security Settings dialog box for the object to be audited.
2. Tap or click Add.
3. Select a security principal to audit.
4. Select the type of access attempts to include:
   - All: Records all access attempts by this security principal for this object
   - Fail: Records all failed attempts by this security principal to access this object
   - Success: Records all successful attempts by this security principal to access this object
5. Select the permissions to audit.
Note
PERMISSIONS FOR AUDITING
When selecting permissions to include in auditing, these permissions
determine the type of access that is audited for success or failure. If
Read is selected, attempts to read an object will be audited for
success or failure.
6. Tap or click OK to save the access control entry.
7. Tap or click OK in the Advanced Security Settings dialog box.
After security auditing
has been configured for an object, Windows begins writing entries to
the Security event log whenever an access attempt matches the auditing settings.
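The same audit entry created from an elevated PowerShell session instead of the dialog box, followed by a review of the resulting Security log events. This is an added example, not text from the original; the folder path, the account name and the 24-hour review window are assumed placeholders.

```powershell
# Assumed placeholders: replace with the folder and security principal to audit.
$Path      = 'C:\Shares\HumanResources'
$Principal = 'CONTOSO\Orin'

# Object access auditing must also be enabled in audit policy, or the SACL
# entry produces no events. This enables success and failure for File System.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Get-Acl -Audit reads the SACL as well as the DACL (requires SeSecurityPrivilege).
$acl = Get-Acl -Path $Path -Audit

# Equivalent of the dialog: principal, permission to audit (Read), inherit to
# subfolders and files, and record both successful and failed attempts.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify the SACL now carries the entry.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Review: event ID 4663 ("An attempt was made to access an object") in the
# Security log, filtered to the audited folder, showing when and by whom.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-24) } |
    Where-Object { $_.Message -match "Object Name:\s*$([regex]::Escape($Path))" } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] }
            Object  = if ($_.Message -match 'Object Name:\s*(.+)')   { $Matches[1].Trim() }
            Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        }
    }
```

The final pipeline answers the three questions the text raises: that the attempt happened, when it happened, and which account was involved.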
Using auditing
can be extremely helpful, but when auditing is overused it becomes
difficult to manage. When you are considering auditing, keep in mind
any policies put in place by your organization, and ensure that
the items audited are the items you need to know about
rather than auditing everything. Many companies have policies covering
auditing and access controls to ensure that they are used
appropriately. These include controls over who may authorize auditing of
particular information, who may review the collected information, and which
information and access should be audited when particular events occur.
Different events, such as litigation or an internal investigation into employee
actions, might require auditing to be handled differently.