Auditing and Tracking Windows Access

Access control is primarily a set of preventive security controls. Preventive controls are mechanisms that prevent undesired actions from occurring. While it is good to prevent undesired actions, it is also helpful to get information on what the access controls are doing. Viewing access information can help validate access controls and identify any potential issues. Defined access controls may be either too restrictive or too permissive. Collecting performance information for later analysis can help fine-tune controls to make them more effective and precise.

Auditing is the process of collecting performance information on which actions were taken and storing that information for later analysis. In the context of access control, auditing records which access requests were made and whether each was allowed or denied. This information can be retained for a long or short length of time, allowing time to analyze how well access controls are doing their job.

The first step to collecting access control auditing information is to enable auditing. Enabling auditing tells Windows to record the defined events for later analysis. Windows stores audit event records in event logs and makes it easy to see what has happened on Windows computers.

When enabling auditing for any event category, Windows asks if you want to record successful or failed events, or both. Carefully consider which event types would be beneficial. Each audit event that is recorded requires extra processing to save the event in a log file. Although the effort required for each event is small, it can add up for events that occur frequently. Limit audits to only those events that are needed.
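The two steps described above, as an added PowerShell example (not from the textbook): turn on one audit subcategory, then attach audit rules to one folder so that only that folder generates events. The folder path and the audited group are assumed placeholders; the commands must run from an elevated prompt.

```powershell
# Added example, not the textbook's own material. Run elevated.
$TargetFolder = 'C:\Shares\Finance'   # assumed placeholder path

# 1. Enable the "File System" subcategory (under Object Access) for both
#    successful and failed events. Pick only the types you need: every
#    recorded event costs processing time and log space.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Confirm the effective setting.
auditpol.exe /get /subcategory:"File System"

# 2. The subcategory alone records nothing for files: each object also
#    needs a SACL (audit rules). Audit Everyone for write/delete access,
#    success and failure, inherited by subfolders and files.
$acl        = Get-Acl -Path $TargetFolder -Audit
$identity   = New-Object System.Security.Principal.NTAccount('Everyone')
$rights     = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $identity, $rights, $inherit, $propagate, $auditFlags)
$acl.AddAuditRule($rule)
Set-Acl -Path $TargetFolder -AclObject $acl

# 3. Review the resulting audit rules on the folder.
(Get-Acl -Path $TargetFolder -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Scoping the SACL to one folder, rather than auditing a whole volume, is how the advice to "limit audits to only those events that are needed" is applied in practice: the subcategory decides which kind of event can be recorded, the SACL decides for which objects.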

The next step in auditing Windows computers is to view and analyze the log files that contain audit entries. Use the Windows Event Viewer to access audit event records.

Each row in the main Event Viewer window displays a single audit event. Details of the selected row display in the details section at the bottom of the window. The Event Viewer gives you the ability to filter the selected log for ad hoc analysis. You can save filter settings as custom views. The ability to filter events allows you to show only the events that are of most interest without having to scroll through the entire log file.
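The same filtering done in the Event Viewer can be scripted so it can be re-run or scheduled. The following is an added PowerShell example (not from the textbook) that pulls failed object-access events from the Security log for the last 24 hours and summarizes who failed against which object. Event ID 4656 ("A handle to an object was requested") is where denied file access attempts are recorded; the Keywords value 0x10000000000000 selects Audit Failure entries (0x20000000000000 is Audit Success). The 24-hour window and the top-20 cutoff are arbitrary choices.

```powershell
# Added example, not the textbook's own material.
$AuditFailure = [long]0x10000000000000    # Security log keyword "Audit Failure"
$since = (Get-Date).AddHours(-24)         # assumed analysis window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656          # handle requested; failures mean access was denied
    Keywords  = $AuditFailure
    StartTime = $since
} -ErrorAction SilentlyContinue            # "no events found" is not an error here

# Read the named fields from each event's XML instead of parsing the message text.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $d.AccessMask
        Process = $d.ProcessName
    }
}

# Which account is being denied on which object most often?
$rows | Group-Object Account, Object | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

A custom view saved in the Event Viewer is stored as filter XML; the same XML can be handed to Get-WinEvent with -FilterXml, so an ad hoc filter built in the GUI and the scripted query stay in step.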

Expression-Based Security Audit Policy (Windows Server 2012 and Newer)

Windows Server provides administrators with the ability to use expression-based security audit policies. Dynamic Access Control (DAC) in Windows Server enables administrators to create targeted audit policies by using expressions that are based on user, computer, and resource claims.

Here are two examples of expression-based audit policies that administrators can apply in Windows Server:

  • Audit everyone who does not have a high security clearance and attempts to access highly sensitive documents.

  • Audit all contractors when they try to access documents that are related to projects that they are not working on.

Policies with specific constraints can help limit the number of audit events and record only the most relevant data or users. Administrators can create expression-based audit policies either directly on a file or folder or centrally through Group Policy.
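The first of the two example policies above, written as a conditional audit entry and applied directly to one folder, as an added PowerShell example (not from the textbook). It assumes a Windows Server 2012 or newer file server, a placeholder folder path, and a user claim named "Clearance" that has already been defined and published in Active Directory for DAC; without that claim type the condition cannot be evaluated. The condition is written in the SDDL conditional ACE syntax, and the SACL is set as a whole string because the .NET access control classes treat conditional ACEs as opaque entries rather than rules that can be added one at a time.

```powershell
# Added example, not the textbook's own material. Run elevated.
$TargetFolder = 'C:\Shares\Sensitive'   # assumed placeholder path

# Conditional audit ACE in SDDL, field by field:
#   XU       = conditional (callback) system audit ACE
#   OICISAFA = inherit to subfolders (CI) and files (OI); audit success (SA) and failure (FA)
#   FR       = generic read access
#   WD       = Everyone
#   (...)    = only users whose Clearance claim is not "High" generate events
$sddl = 'S:(XU;OICISAFA;FR;;;WD;(@User.Clearance != "High"))'

$acl = Get-Acl -Path $TargetFolder -Audit
# Replace only the SACL (audit) section; the DACL and owner are left untouched.
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Audit)
Set-Acl -Path $TargetFolder -AclObject $acl

# Read the audit section back; the condition appears inside the SDDL string.
(Get-Acl -Path $TargetFolder -Audit).GetSecurityDescriptorSddlForm('Audit')
```

Compared with the unconditional SACL from the earlier example, this entry produces events only for the subset of users the policy cares about, which is the point made above: a constrained policy keeps the log small and relevant. The "File System" subcategory still has to be enabled for any of these events to be written.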
