Auditing with Windows XP is configured in several different ways, all depending upon what needs to be audited, and where those object resides. Generally, the first step is to enable the specific type of auditing through the audit policy, which will usually begin the audit process at that point. Auditing can be enabled through the security policy. The security policies can be accessed through Administrative Tools applet within the Control Panel.

The audit policy events include:

• Audit Account Logon Events - Tracks user logon and logoff events.

• Audit Account Management - Reports changes to user accounts
• Audit Directory Service Access - Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
• Audit Logon Events - Reports success/failure of any local or remote access-based logon.
• Audit Object Access - Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
• Audit Policy Change - Reports changes to group policies
• Audit Privilege Use - Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
• Audit Process Tracking - Reports process and program failures. Not security related.
• Audit System Events - Reports standard system events. Not security related.

[tags]windows,microsoft,xp,diana huggins,policy event[/tags]