Skip navigation
Menu
Security

Setting Up Security Auditing

  1. Log on with administrative authority.
  2. Start User Manager. Select Policies, Audit, and the Audit These Events check box.
  3. Choose the items to audit for Success or Failure--at a minimum, enable auditing logon and logoff attempts. Close the dialog box to enable basic system auditing.
  4. Open the Services applet in Control Panel, set the NT Scheduler service to run under the SYSTEM account, and start (or restart) the service.
  5. Open a DOS command window, and check the current system time.
  6. Add 1 or 2 minutes to the time (e.g., if it's 11:30, use 11:32), and issue the following command at the DOS prompt: 
    at 11:32 /interactive "regedt32.exe"

    This command establishes a scheduled event that launches regedt32 on the desktop at 11:32 running under the security context of the SYSTEM account.

  7. Wait until 11:32, at which time NT Scheduler launches the Registry editor. At this point, you have access to the entire Registry, including the SAM database. Be careful when you edit the Registry; mistakes can render a system unbootable.
  8. Select HKEY_LOCAL_MACHINE, locate the SAM tree, and select it in the left pane.
  9. Choose Security, Auditing.
  10. In the Auditing dialog box, click Add, Show Users.
  11. Add the SYSTEM account, the Domain Admins group, all of your trusted administrator accounts, and any other account that has the following User Rights:
    • Take ownership of files or other objects
    • Back up files and directories
    • Manage auditing and security log
    • Restore files and directories
    • Add workstations to domain
    • Replace a process-level token
  12. Select the Audit Permission on Existing Subkeys check box.
  13. Select the Success and Failure check boxes for the following entries:
    • Query Value
    • Set Value
    • Write DAC
    • Read Control
  14. Click OK, Yes.
  15. Repeat steps 10 through 14 for the SECURITY key, if necessary. This step isn't required if you want to audit only the keys containing passwords.
  16. Exit the Registry editor.
  17. Stop NT Scheduler, and reconfigure the service account to run under the same account it was running under before step 4. If you don't use NT Scheduler, simply leave it stopped, or better yet, disabled.
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024