Once you have enabled security auditing, you must also enable auditing on the Web site content (files and folders) in order to track any modification or deletion of the content.
Before you set up auditing for files and folders, you must first enable object access auditing. This security setting determines whether to audit the event of a user accessing an object, such as a file, folder, or printer. Enabling object access auditing is accomplished by defining auditing policy settings for the object access event category of the Audit Policies in Local Security Setti 656w2219g ngs. If you do not enable object access auditing, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After object access auditing is enabled, you can view the security log in Event Viewer to review the results of your changes. You can then set up Web site content auditing.
Tip Because the security log is limited in size, carefully select the files and folders to be audited. In addition, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. |
If file or folder auditing has been inherited from the parent folder, you will see the following.
u·
In the Auditing
Entry for File or Folder
dialog box, in the Access box, the check boxes are unavailable.
-or-
u·
In the Advanced Security
Settings for File or Folder dialog
box, the Remove button is unavailable.
u·
Credentials:
You must be logged on as a member of the Administrators group or you must have
been granted the Manage auditing and security
log right in Group Policy to perform this procedure.
u·
Tools: Windows
Explorer
u·
File system: To enable auditing of Web site content, the disk
volumes on which the Web site is stored must use the NTFS file system.
As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc".
To enable object access auditing
Open Administrative Tools, and then click Local Security Policy.
Expand Local Policies, and then click Audit Policy.
Right-click Audit object access, and then click Properties.
Enable auditing by clicking one of the following:
u·
Click Success
to generate an audit entry when a user successfully accesses an object.
u·
Click Failure
to generate an audit entry when a user unsuccessfully attempts to access an
object.
u·
If you clear both check boxes,
object access auditing is turned off.
Click OK.
To apply or modify auditing policy settings for a local file or folder
Open Accessories, and then click Windows Explorer.
Right-click the file or folder for which you want to set audit policy settings, click Properties, and then click the Security tab.
Click Advanced, and then click the Auditing tab.
Do one of the following:
u·
To set up auditing for a new user
or group, click Add. In Enter the
object name to select, type the name of the user or group that you want to
audit, and then click OK.
u·
To remove auditing for an existing
group or user, click the group or user name, click Remove, click OK,
and then skip the rest of this procedure.
u·
To view or change auditing for an
existing group or user, click the name of the group or user, and then click Edit.
In the Apply onto box, click the location where you want auditing to take place.
In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:
u·
To audit successful events, select
the Successful check box.
u·
To stop auditing successful events,
clear the Successful check box.
u·
To audit unsuccessful events,
select the Failed check box.
u·
To stop auditing unsuccessful
events, clear the Failed check box.
u·
To stop auditing all events, click Clear
All.
If you want to prevent subsequent files and subfolders of the original object from inheriting these audit entries, select the Apply these auditing entries to objects and/or containers within this container only check box.
|