How Can Object Access Be Audited

By Author: Shirley Green
Total Articles: 129
Comment this article

Object access auditing must be enabled in the audit policy to succeed; however, for security Designing exam events to be recorded, you must configure the SACLs on an object.If this event is enabled for success, each time a user successfully uses a privilege an event will be recorded. This means a lot of events will be
recorded. If audited for failure, only failed attempts at privilege uses will be recorded.If set for success, each action of any running process is recorded. This can mean enormous logs and is not necessary. The time to audit a process is during development, before the approval of a purchase or implementation (to determine whether the application is doing only what it is supposed to do), and when it is necessary to troubleshoot permission issues. None of these things should be done on production computers.
Records events such as shut down and start up. These events are useful because many attacks require system shut down, reboot, or both to succeed.
If a number of failed logon events for a specific account have occurred, look for a successful logon event. ...
... Successful logon events might also indicate a successful Kerberos ticket issuance. A successful logon event is shown in free practice exams for MCTS. Notice that the User name is indicated in the User field. This is the field that can be filtered on in the Event log. Shown in Figure 9-22 is a successful logoff event. It might be important to track and match logon with logoff and then, from the time stamps on the records, determine that a user was logged on when a security event occurred. User logoff and logon events can be matched by logon ID. The examples given, Figure 9-21 and Figure 9-22, are the logon and logoff events for Kevin F. Browne. You can verify this by comparing the logon ID and verifying that they are the same. By the time stamps, you can tell that Kevin was logged on for approximately four and a half minutes.
Events are recorded on the computer where the access token is created. If a domain account is used, events are recorded both on the workstation and
on the domain controller—one for the account logon event on the domain controller, and one for the logon event on the workstation. Events on the domain controller are recorded when Group Policy is read. Use these events to help determine where an attack might have originated, or to determine why a GPO was not applied. Audit for failure to uncover attacks; audit for success to discover MCITP certification whether attacks were successful.