CIS 170F: Windows 7 Administration

Week 7

Windows 7 Security Features
Auditing

  • Auditing is the security process that records the occurrence of specific operating system events in the Security log. Every object in Windows 7 has audit events related to it. Log entries can be recorded for successful events or failed attempted events. For example, logging all failed logon attempts may warn you when an attack that might breach your security is occurring. In addition, monitoring sensitive documents for read access lets you know who is accessing the documents and when.

  • It is more common to use auditing to monitor access to server-based resources than resources on desktop computers. However, there are some cases where you might want to know which users are logging on to a specific workstation. For example, if security logs indicate that someone was attempting unauthorized access to resources from a particular workstation, then it is useful to see which user was logged on at the time.

  • Windows 7 has basic auditing policy settings and advanced audit policy settings. In general, the advanced audit policy settings are more detailed than the basic audit policy settings. Using the advanced audit policy settings allows you to limit the amount of audit data that you capture. In this way, you capture only relevant data and simplify the task of reviewing the audit logs.

  • Auditing is enabled through the local security policy or by using Group Policy. The Audit Policy for basic auditing is located in the Local Policies node of the local security policy. Advanced auditing is enabled through the local security policy, by using Group Policy, or by using auditpol.exe. The tool auditpol.exe provides the most accurate view of which advanced audit policy settings are applied. The advanced audit policy settings were also available in Windows Vista. However, in Windows Vista, you could configure the settings only by using auditpol.exe.

  • Once the audit policy is configured, the audited events are recorded in the Security log that is viewed by using Event Viewer. Event Viewer is available as part of the Computer Management MMC console, or as a standalone MMC console in Administrative Tools. Security events are listed by selecting the Windows Security log.
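The two steps above (configure the policy with auditpol.exe, then review the Security log) carried out from an elevated PowerShell prompt, as an added example that is not part of the course notes. It assumes local administrator rights on the Windows 7 workstation; the event ID 4625 is the standard Security-log event for a failed logon, and the field names read from the event XML are the standard ones for that event.

```powershell
# Added example (not from the course notes): configure and review failed-logon
# auditing from an elevated PowerShell prompt. Assumes local admin rights and
# that the Security log is readable by the caller.

# 1. Show the advanced audit policy that is actually in effect (auditpol is the
#    authoritative view, as the notes point out).
auditpol.exe /get /category:"Logon/Logoff"

# 2. Record failed logon attempts only: subcategory "Logon" under Logon/Logoff,
#    failure auditing enabled, success auditing left unchanged so the log stays
#    small and relevant.
auditpol.exe /set /subcategory:"Logon" /failure:enable

# 3. Pull failed logons (event ID 4625) from the Security log for the last day
#    and summarise which account tried to log on from which workstation.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # no error if there are simply no events

$summary = foreach ($evt in $failed) {
    # The EventData fields of a Security event are exposed through its XML form.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time        = $evt.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
    }
}

# One row per (account, workstation) pair, busiest first: a quick way to spot
# the repeated failures the notes describe as a warning sign of an attack.
$summary | Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Running step 1 again after step 2 confirms that "Logon" now shows Failure auditing, and the same events appear in Event Viewer under Windows Logs > Security.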