Auditing is the best way to track what’s happening on your Windows Server 2012 R2 systems. You can use auditing to collect information related to resource usage such as file access, system logons, and system configuration changes. Any time an action occurs that you’ve configured for auditing, the action is written to the system’s security log, where it’s stored for your review. The security log is accessible from Event Viewer.

NOTE For most auditing changes, you need to be logged on using an account that’s a member of the Administrators group or you need to be granted the Manage Auditing And Security Log right in Group Policy.

Auditing policies are essential to help ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies for individual computers with local Group Policy and for all computers in domains with Active Directory-based Group Policy. Through Group Policy, you can set auditing policies for an entire site, a domain, or an organizational unit. You can also set policies for an individual workstation or server.

After you access the GPO with which you want to work, you can set auditing policies by following these steps:

1. In the Group Policy Management Editor, shown in Figure 4–4, access the Audit Policy node by working your way down the console tree. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then select Audit Policy.

FIGURE 4–4 Set auditing policies by using the Audit Policy node in Group Policy.

2. The auditing options are as follows:

■ Audit Account Logon Events Tracks events related to user logon and logoff.

■ Audit Account Management Tracks account management by means of Active Directory Users And Computers. Events are generated any time user, computer, or group accounts are created, modified, or deleted.

■ Audit Directory Service Access Tracks access to Active Directory. Events are generated any time users or computers access the directory.

■ Audit Logon Events Tracks events related to user logon, logoff, and remote connections to network systems.

■ Audit Object Access Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.

■ Audit Policy Change Tracks changes to user rights, auditing, and trust relationships.

■ Audit Privilege Use Tracks the use of user rights and privileges, such as the right to back up files and directories.

NOTE The Audit Privilege Use policy doesn’t track system access-related events, such as the use of the right to log on interactively or the right to access the computer from the network. You track these events with logon and logoff auditing.

■ Audit Process Tracking Tracks system processes and the resources they use.

■ Audit System Events Tracks system startup, shutdown, and restart, in addition to actions that affect system security or the security log.

3. To configure an auditing policy, double-tap or double-click its entry, or press and hold or right-click the entry, and then tap or click Properties.

4. In the dialog box that is displayed, select the Define These Policy Settings check box, and then select either the Success check box, the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.

5. Tap or click OK.

When auditing is enabled, the security event log will reflect the following:

■ Event IDs of 560 and 562 detailing user audits

■ Event IDs of 592 and 593 detailing process audits

If you configure a GPO to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This enables you to control precisely how folder and file usage is tracked. Auditing of this type is available only on NTFS volumes.

You can configure file and folder auditing by following these steps:

1. In File Explorer, press and hold or right-click the file or folder to be audited, and then tap or click Properties.

2. Tap or click the Security tab, and then tap or click Advanced to display the Advanced Security Settings dialog box.

3. On the Auditing tab, tap or click Continue. You can now view and manage auditing settings by using the options shown in Figure 4–5.

FIGURE 4–5 After you audit object access, you can set auditing policies on individual files and folders on the Auditing tab.

4. The Auditing Entries list shows the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list, and then tap or click Remove.

5. To configure auditing for additional users, computers, or groups, tap or click Add. This displays the Select Users, Computers, Service Accounts, Or Groups dialog box.

6. Enter the name of a user, computer, or group in the current domain, and then tap or click Check Names. If a single match is found, the dialog box is automatically updated and the entry is underlined; otherwise, you’ll get an additional dialog box. If no matches are found, you either entered the name incorrectly or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or tap or click Locations to select a new location. When multiple matches are found, in the Multiple Names Found dialog box, select the name you want to use, and then tap or click OK.

7. Tap or click OK. The user and group are added, and the Principal and the Auditing Entry dialog box are updated to show this. Only basic permissions are listed by default. If you want to work with advanced permissions, tap or click Show Advanced Permissions to display the special permissions.

8. As necessary, use the Applies To list to specify where objects are audited. If you are working with a folder and want to replace the auditing entries on all child objects of this folder (and not on the folder itself), select Only Apply These Settings To Objects And/Or Containers Within This Container. Keep in mind that the Applies To list lets you specify the locations where you want the auditing settings to apply. The Only Apply These Settings To Objects And/Or Containers Within This Container check box controls how auditing settings are applied. When this check box is selected, auditing settings on the parent object replace settings on child objects. When this check box is cleared, auditing settings on the parent are merged with existing settings on child objects.