Audit policy

Definition of Audit policy in The Network Encyclopedia.

What is Audit Policy?

A policy established on a domain in Microsoft Windows NT and Windows 2000 to specify which kinds of security events are recorded in the security log.

How it works

An Audit policy can be configured using the Policies menu in User Manager for Domains. When an Audit policy is configured on a domain controller using this tool, the policy affects the security logs for all domain controllers in that domain. If the Audit policy is configured on a member server or workstation, it is valid only for that machine. The following table shows the different kinds of events that can be audited by establishing an Audit policy. You can view the results of establishing your Audit policy by using Event Viewer.

Events That Can Be Audited

Type of Event                  Description
-----------------------------  ------------------------------------------------------------
Logon and logoff               Users logging on and off and forming network connections
File and object access         Users accessing a file, folder, or printer on a network
Use of user rights             A right has been exercised—for example, backing up files and directories
User and group management      An account has been modified, created, or deleted
Security policy changes        A change has been made to an Audit policy, a trust relationship, or user rights
Restart, shutdown, and system  The system has been shut down or restarted, or system security has changed
Process tracking               A process has been started or stopped, or some related activity has occurred

These are the requirements for establishing an Audit policy in Windows NT:

  • The user must be a member of the Administrators local group on the domain controllers or on the member server to be audited.
  • Server Operators can view and archive security logs, but only administrators can enable auditing.
  • File auditing can take place only on volumes formatted using the NTFS file system.

Note: To configure an Audit policy in Windows 2000, use the Computer Management administrative tool, open the System Tools folder, and select the Group Policy Editor.

TIP: Be careful when enabling auditing for File and Object Access or Process Tracking, as logging these events can generate a large amount of overhead on your system. To audit access to a file, folder, or printer, first enable File and Object Access auditing in your Audit policy, and then access the Security tab on the object’s property sheet.
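
To see the overhead described in the TIP, the following added example (not part of the original entry) tallies an exported security log by the audit categories in the table above and reports what share of events comes from File and Object Access and Process Tracking. The event ID numbers are the commonly documented Windows NT/2000 security event IDs and do not appear in this entry; the comma-separated export layout and the sample lines are constructed for illustration.

```python
import csv
import io
from collections import Counter

# NT/2000-era security event IDs (assumed subset, not from the page) mapped
# to the audit categories in the table above.
EVENT_CATEGORY = {
    528: "Logon and logoff", 529: "Logon and logoff", 538: "Logon and logoff",
    560: "File and object access", 562: "File and object access",
    576: "Use of user rights", 578: "Use of user rights",
    624: "User and group management", 642: "User and group management",
    608: "Security policy changes", 612: "Security policy changes",
    512: "Restart, shutdown, and system", 517: "Restart, shutdown, and system",
    592: "Process tracking", 593: "Process tracking",
}
# The two categories the TIP singles out as high-overhead.
HIGH_VOLUME = {"File and object access", "Process tracking"}

# Constructed sample export: date,time,source,type,event ID,user,computer.
SAMPLE_LOG = """\
03/01/2000,09:00:01,Security,Success Audit,528,jsmith,WKS01
03/01/2000,09:00:02,Security,Success Audit,592,jsmith,WKS01
03/01/2000,09:00:02,Security,Success Audit,560,jsmith,WKS01
03/01/2000,09:00:03,Security,Success Audit,562,jsmith,WKS01
03/01/2000,09:00:03,Security,Success Audit,593,jsmith,WKS01
03/01/2000,09:00:05,Security,Failure Audit,529,guest,WKS01
03/01/2000,09:00:06,Security,Success Audit,612,admin,WKS01
truncated line
03/01/2000,09:05:00,Security,Success Audit,538,jsmith,WKS01
"""

def tally(export_text):
    """Count events per audit category, skipping blank or malformed lines."""
    counts = Counter()
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 7 or not row[4].strip().isdecimal():
            continue
        counts[EVENT_CATEGORY.get(int(row[4]), "Unmapped")] += 1
    return counts

def high_volume_share(counts):
    """Fraction of logged events that come from the high-overhead categories."""
    total = sum(counts.values())
    noisy = sum(n for cat, n in counts.items() if cat in HIGH_VOLUME)
    return noisy / total if total else 0.0

if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    print(counts.most_common(), round(high_volume_share(counts), 2))
```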