copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

Windows NT Configuration Guidelines

Date: 17 July 2002
Related Files: NTFS Security Example Batch File  

Click here for printable version

This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team) and details common Microsoft Windows NT 4.0 configuration problems that have been exploited by intruders and recommends practices for deterring several types of break-ins. We encourage system administrators to review all sections of this document and modify their systems accordingly to fix potential weaknesses.
I. Installation Guidelines
II. Patches
  1. Service Packs
  2. Hotfixes
  3. Keeping Patches Current
III. Computer Virus Prevention
IV. Network Configurations
V. Passwords
VI. File System and Shares
VII. Registry
  1. Setting Recommendations
  2. Access Control List Recommendations
VIII. Audit Logs
  1. Users
  2. Files and Directories
  3. Registry
References
Document revision history


I. Installation Guidelines

A minimum installation for NT servers includes NT 4.0, the latest Service Packs, recommended patches and relevant security Hotfixes released by Microsoft.

It is not recommended to install more than one copy of Windows NT on the same computer, however if you must, we recommend that the second copy of Windows NT has no users except for the local Administrator and that a strong password be set on this account. There are cases where ACLs created by one of the copies are not protected when another copy is active.

When installing Windows NT do not copy the entire root directory and a few other files from one computer to another as each NT installation receives a unique system ID which makes its accounts and group ID's also unique. Making such copies may compromise the entire network's security.

Check for ROLLBACK.EXE on the hard disc and if present remove it. ROLLBACK can destroy critical system information including the registry, user account information. To recover from the ROLLBACK.EXE damage the entire system has to be restored from the backup tape, if one is available. Note that Microsoft inadvertently distributed ROLLBACK.EXE with some Windows NT 4.0 releases.

II. Patches

The CERT®/CC and AusCERT continuously receive reports about sites that have been compromised because they have not applied the latest patches. One of the most important tasks of a systems administrator is to keep the most current patches for an operating system and for software installed on a system. Many of these patches fix security vulnerabilities that are well known to intruders.

There are two types of patches from Microsoft; Service Packs and Hotfixes. Installing these patches in order is important. Service Packs must be installed before the Hotfixes. These fixes can be found at:

  1. Service Packs
  2. Service packs are used to patch a wide range of vulnerabilities and bugs. The latest service pack that you have tested to work in your environment should always be applied after installing the operating system. Service packs are cumulative; you only need to install the latest Service Pack. The latest service pack is located at the following site.

    Extensive information about installing the Service Pack can be found in the readme.htm file.

  3. Hotfixes
  4. Hotfixes are released more frequently than service packs and are meant to patch a more specific problem. Not all hotfixes may be needed for a particular system. The latest hotfixes can be found at [country\OS version\hotfixes-postspX] where X is the number of the Service Pack currently installed. For example, Hotfixes for Service Pack 5 of the United States version of NT 4.0, the directory would be:

    Before you install these fixes on critical systems or install them on a large number of devices, test hotfixes to ensure that there is not a conflict with other third party drivers.

    Details about the order to install hotfixes can be found in the postspX.txt file, where `X' is the number of the service pack you have installed. As an example, for Service Pack 5 the file is postsp5.txt.

  5. Keeping Patches Current
  6. Since new patches are released frequently, it can be difficult for system administrators to keep up with them. Microsoft has a security notification service that anyone can subscribe to. This service keeps customers informed about current security issues, how to protect systems from these issues, and what Microsoft is doing to fix the problems. For further information on the Microsoft Security Notification Service, see:

III. Computer Virus Prevention

Computer viruses spread easily through floppy disks, email, or programs downloaded from the Internet. Potential problems range from changing data to reformatting your hard drive. Once created, viruses can spread without help from their creators. You can get them from computers at the office, from using computers at school, or from a document emailed to you by a friend.

To protect your systems, we recommend that you install a virus scanning/detecting/cleaning program. Our Computer Virus Resources document links to information about computer viruses, hoaxes, and chain letters.

Once you start using a virus detection/prevention program, it is very important to keep it up-to-date. New viruses are created continuously, and vendors of virus detection software offer updates to detect them. To get the latest updates, check the manuals or the vendor web page. Some virus detection software allows you to get the updates automatically via the Internet. Make sure you setup the software to schedule these updates at least once a week.

We recommend that computers, at the very least, do a quick scan when the system is booted, as programs are loaded into memory, and when new data is detected (from email, removable media).

Computers should get a full system scan periodically which can be scheduled to run when the users are away for the evening.

Prior to making software available to many machines on a network install it on a stand-alone device and scan it for computer viruses. There have been reports that installation media contained a virus, but was not detected by the software company that distributed the media.

Computers that act as servers keep in mind that many files from a wide variety of users pass through it such as email and file/directory sharing. Because of this consider performing frequent scans of areas that users have read and write access to, perform full virus scans before backups, and implement mail and gateway scanning.

A good method to prevent large outbreaks of computer viruses in an organization is user education. This may include having policies and procedures for downloading software, the transfer of software between internal machines, how to deal with email attachments (executables, and documents that may have macros), how and when to run anti-virus software, and what to do when a virus is detected.

IV. Network Configurations

Disable unneeded network protocols and services.

Disable inbound and outbound traffic to your external connections for TCP and UDP ports 135, 137, 139 and UDP port 138. Blocking these ports prevents potential intruders from gathering useful information such as computer names, usernames, and services running on those computers. This list, from Microsoft Knowledgebase Article Q150543, describes services available on these ports.

    List of Ports Used by Windows NT version 4.0 services:
     
    Function                    Static ports
    --------                    ------------
    Browsing                    UDP:137,138
    DHCP Lease                  UDP:67,68
    DHCP Manager                TCP:135
    Directory Replication       UDP:138 TCP:139
    DNS Administration          TCP:139
    DNS Resolution              UDP:53
    Event Viewer                TCP:139
    File Sharing                TCP:139
    Logon Sequence              UDP:137,138 TCP139
    NetLogon                    UDP:138
    Pass Through Validation     UDP:137,138 TCP:139
    Performance Monitor         TCP:139
    PPTP                        TCP:1723 IP Protocol:47
    Printing                    UDP:137,138 TCP:139
    Registry Editor             TCP:139
    Server Manager              TCP:139
    Trusts                      UDP:137,138 TCP:139
    User Manager                TCP:139
    WinNT Diagnostics           TCP:139
    WinNT Secure Channel        UDP:137,138 TCP:139
    WINS Replication            TCP:42
    WINS Manager                TCP:135
    WINS Registration           TCP:137
        

For additional protection, block ports on individual NT systems using the advanced options in the protocol properties. Start -> Setting -> Control Panel -> Network -> Protocols -> TCP/IP -> Advanced -> Enable Security -> Configure. This could be useful if you have an NT server that is only used as a public web server. You can then block out all TCP ports except 80 (HTTP) and IP ports 6 (TCP) and 17 (UDP).

If you need to run the Internet Information Server (IIS), make sure that you block known vulnerabilities and we recommend IIS runs on a stand-alone machine.

The Windows NT Remote Access Service (RAS) allows remote computers to connect to Windows NT RAS servers across a telephone connection or using PPTP protocol over an intranet. If your site requires this service make sure you:

  • have "Microsoft encrypted authentication" on the RAS server and all clients to avoid traffic of un-encrypted passwords;
  • grant remote access capabilities only to users who require it;
  • if possible use 'call-back' to a known/stored phone number.

V. Passwords

To increase the level of security for user accounts, implement password policies. Password policies are set in the User Manager and enable you to change the following:

  • Password aging
  • Minimum password length
  • Password uniqueness
  • Account lockout features
    • Number of failed logon attempts
    • How long to lockout an account

In Service Pack 2 and higher, better password protection is offered through passfilt.dll. To enable the enhanced password policies, refer to the following Microsoft article:

passfilt.dll imposes the following additional restrictions on passwords:

  1. Passwords must be at least six characters long.
  2. Passwords must contain at least three of the following four classes of characters:
    • Upper case letters (A, B, C, ... Z)
    • Lower case letters (a, b, c, ... z)
    • Numbers (0, 1, 2 ... 9)
    • Non-alphanumeric characters (punctuation symbols)
  3. Passwords can not match your username or part of your full name listed for the account.

Use SYSKEY. Syskey enables the private password data stored in the registry to be encrypted using a 128-bit cryptographic key. This is a unique key for each system. For further information on configuring and using syskey, see the following Microsoft Knowledgebase article.

By default, the administrator account is never locked out, so it is generally a target for brute force logon attempts of intruders. It is possible to rename the account in User Manager, but you may wish to lockout the administrator account after a set number of failed attempts over the network. The NT resource kit provides an application called passprop.exe which enables Administrator account lock out except for interactive logons on a domain controller.

Another alternative to avoid all accounts belonging to the Administrator group being locked over the network is to create a local account which belongs to the Administrator group, but is not allowed to logon over the network. This account may then be used at the console to unlock the other accounts.

Make sure the Guest account is disabled. If this account is enabled, anonymous connections can be made to NT computers.

Secure the Emergency Repair Disk as it contains a copy of the entire Security Access Manager (SAM) database. If a malicious user has access to the disk he/she may be able to launch a crack attack against it.

VI. File System and Shares

Always use NTFS. With NTFS it is possible to define access control to files and directories.

There are File/Directory ACLs (Access Control Lists) and Share ACLs. When files are accessed remotely, the most restrictive of the two types of ACLs is used. For example, if the ACL on a file is set to be READ, but the share permissions are set for FULL CONTROL the resulting permission will be READ access. To ensure that both local and remote connections have the correct ACLs we recommend using NTFS ACLs.

Ensure that Windows NT is the only operating system installed on machines intended to be servers. The presence of a secondary operating system may allow NT's security features to be bypassed.

An alternative operating system such as MS-DOS, Windows 95 or Linux can be used to run programs which read and write NTFS partitions and circumvent ACL protection.

Do not install more than one copy of Windows NT on a computer unless absolutely essential. There are cases where ACLs created by one copy of the OS do not provide protection when a different copy of the OS is active.

If you want to prevent sharing on an NT device, do not start the Server service and Computer Browser service automatically. You can still browse to other devices if these services are not started, but they prevent your device from offering file and print sharing services to others.

If you are sharing directories or printers, make sure that the permissions are what you expect. By default, when a share is enabled, it gives Everyone Full Control on the share.

Even if you have proper NTFS file permissions and enable sharing on directories, replace the share permission for the Everyone group with the USERS and/or ADMINISTRATORS groups instead.

Be careful of the FULL CONTROL permission for non administrator and system accounts. The files in a directory can be deleted regardless of what the file permissions are if users have FULL CONTROL on the directory. This happens because there is a hidden 'delete child' permission that is part of the FULL CONTROL permission that allows a user to delete a file even if the user does not have delete permission on the file. To prevent this, use any other combination of permissions.

This batch file exemplifies various NTFS permissions that would better secure the base file system of a standard NT install. It does not factor in specific applications.

VII. Registry

  1. Setting Recommendations
  2. This list gives registry settings that administrators may find useful for enhancing the security of an NT system.


    Hive\Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

    To prevent the floppy drive from being accessed remotely, use this setting. The user who is locally logged on can still access the drive.

      Name: AllocateFloppies
      Type: REG_SZ
      Default Value: 0
      Recommended Value: 1

    To prevent the CD-ROM drive from being accessed remotely, use this setting. The user who is locally logged on can still access the drive.

      Name: AllocateCDRoms
      Type: REG_SZ
      Default Value: 0
      Recommended Value: 1

    To display a legal notice before a user enters their username and password to logon to a device, use these settings. It is only displayed to a user logging on locally. We encourage you to discuss the content of this banner with your legal counsel.

      Name: LegalNoticeCaption
      Type: REG_SZ
      Default Value: not set
      Recommended Value: COMPANY *** LEGAL NOTICE

      Name: LegalNoticeText
      Type: REG_SZ
      Default Value: not set
      Recommended Value: This device is for *** related work only. Authorized Users Only.

    When a user successfully logs into an NT system, the username is shown by default the next time someone tries to log into the system. Knowing the usernames of a successful logon can help intruders perform dictionary or brute attacks. To prevent the username of the last logged on user from being displayed to the next user to logon to the device, use this setting.

      Name: DontDisplayLastUserName
      Type: REG_SZ
      Default Value: not set
      Recommended Value: 1

    To deter unknown people from shutting down NT systems and deactivate the shutdown button on the initial logon screen, use the following registry setting. This works because to shutdown a device the user would need to logon first. If auditing is turned on to track logon activity, the administrators can determine who rebooted the system.

      Name: ShutdownWithoutLogon
      Type: REG_SZ
      Default Value: 1
      Recommended Value: 0

    By default NT caches the past 10 logons. This is used in case the domain controller is unavailable. To prevent the caching of logon information, change the following registry value. It can range from 0-50.

      Name: CachedLogonsCount
      Type: REG_DWORD
      Default Value: not set
      Recommended Value: 0

    For more information on cached logons, see:


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services]

    By default, it is possible for users to add print drivers to an NT system. To prevent users from adding print drivers, make the following registry change:

      Name: AddPrinterDrivers
      Type: REG_DWORD
      Default Value: not set
      Recommended Value: 1


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems]

    Although there is no clear evidence that OS/2 and POSIX are a security risk you may wish to disable OS/2 and POSIX if they are not required.

      Name: OS2
      Type: REG_EXPAND_SZ
      Default Value: %SystemRoot%/system32/os2ss.exe
      Recommended Value: remove it

      Name: POSIX
      Type: REG_EXPAND_SZ
      Default Value: %SystemRoot%/system32/psxss.exe
      Recommended Value: remove it


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application]

    To prevent all users from viewing the Application Event Log, use the following registry setting. Also, be sure to set the proper access control on the registry key. See section VII.B for further information on controlling access to the registry.

      Name: RestrictGuestAccess
      Type: REG_DWORD
      Default Value: not set
      Recommended Value: 1

    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System]

    To prevent all users from viewing the System Event Log, use the following registry setting. Again, be sure to set the proper access control on the registry key. See section VII.B for further information on controlling access to the registry.

      Name:RestrictGuestAccess
      Type:REG_DWORD
      Default Value: not set
      Recommended Value: 1

    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security]

    The default configuration for the Security Event log does prevent users from viewing the log.


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]

    NT allows non-authenticated users to list domain usernames and share names. This information could be useful to intruders. To prevent this type of access, set the following registry key.

      Name: RestrictAnonymous
      Type: REG_DWORD
      Default Value: not set
      Recommended Value: 1

    For further information on preventing anonymous access to NT devices, see:

    There are two types of authentication used by NT. The first is LanManager (LM) which is a backwards compatible authentication and is inherently insecure. The other is the Windows NT authentication. The NT authentication has a stronger encryption method and can support mixed/special character passwords. To prevent LM authentication, set the following registry key.

      Name: LMCompatibilityLevel
      Type: REG_SZ
      Default Value: 0
      Recommended Value (Workstation): 3
      Recommended Value (Domain Controller): 5

    This configuration may be incompatible with some versions of Samba. For further information on disabling LanManager authentication in Windows NT, see:

    To enable the use of more restrictive password policies, use the following registry key. See section III. Passwords for further information on passfilt.dll. Be careful not to remove any existing strings when adding passfilt.dll.

      Name: Notification Packages
      Type: REG_MULTI_SZ
      Default Value: not set
      Recommended Value: passfilt.dll


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg]

    To prevent remote users from viewing the NT registry, use the following key. The access control on this key is then used to determine who can remotely view the registry.

      Name: Description
      Type: REG_SZ
      Default Value: not set
      Recommended Value: Registry Server

    For further information on restricting access to the NT registry, see:


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]

    To prevent users from changing the attributes of shared resources (e.g. printer settings), set the following registry value.

      Name: ProtectionMode
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]

    By default, the file used for paging is not cleared. This may contain clear text passwords or other sensitive information. To ensure that NT clears the paging file when the machine is shutdown, set the following value.

      Name: ClearPageFileAtShutdown
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1

    For further information, see:


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters]

    To prevent "man-in-the-middle" attack, enable SMB signing. There are 2 steps to implementing SMB signing. The following registry entry is the first step, which enables SMB signing on the workstation side.

      Name: RequireSecuritySignature
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1

      Name: EnableSecuritySignature
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1

    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]

    The following entry is the second step for enabling SMB signing for the server side.

      Name: RequireSecuritySignature
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1

      Name: EnableSecuritySignature
      Type: REG_DWORD
      Default Value: 0
      Recommended Value: 1

    For further information, see:


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters]

    NT creates a number of hidden shares that are not visible through browsing, but can still be connected to. These are known as administrative shares. They are generally used for remote backup purposes, but if this is not necessary, you can disable them with the following registry setting.

      Name (on domain controllers): AutoShareServer
      Name (on workstations): AutoShareWks
      Type: REG_BINARY
      Default Value: not set
      Recommended Value: 0


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer]

    Another method to prevent users from browsing to other NT workstations is to disable the Server service and Computer Browser service. This is more practical for end user workstations that should not be sharing anything. If these services are disabled, it is still possible to connect to other devices that are sharing.

      Name: Start
      Type: REG_DWORD
      Value: 3

    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser]

    In conjunction with disabling the Server service, use this setting.

      Name: Start
      Type: REG_DWORD
      Value: 3


  3. Access Control List Recommendations
  4. ISS has a utility called everyone2user.exe that will change all instances of the Everyone group to the Users group. The Everyone group also has unauthenticated users as part of its membership.

    Any key with TREE next to it means all of the keys that are below it should also have the ACLs set.



    We suggest that you have the UsersEveryone group set to have NONE access.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog TREE


    The following key should have the Users/Everyone group set to have Special Access:
    • Query Value
    • Create Subkey
    • Enumerate Subkeys
    • Notify
    • Read Control

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profile List


    The following keys should have the Users/Everyone group set to have READ access.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSetServices TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Embedding TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type 1 Installer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI Extenstions TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDrivers
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontCache
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW TREE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports TREE

    VIII. Audit Logs

    There are 3 areas where security auditing can be enabled. By default, all security auditing is disabled. All of the logs are viewed through the Event Viewer (Start -> Programs -> Administration Tools -> Event Viewer). The file where the information is stored is located at %systemroot%/winnt/system32/config/security.

    The audit logs can be configured to take certain actions when the logs are full. One setting enables you to overwrite old events when the log is full. This could result in lost information, but is easy to maintain. Another option is to overwrite the logs after so many days. The third option is to not overwrite any events. This ensures that you do not lose any logging data, but could also be a denial of service issue since once the logs are full the system will not perform any actions that need to be logged. In the last case the logs need to be cleared manually.

    Keep in mind that not all applications log to the Event Viewer so make sure you know where all the logs are being stored. One example of this is Microsoft Internet Information Server which stores logs in the c:\winnt\system32\logfiles directory.


    Hive\Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\ControlLsa]

    In a high security environment the following registry setting will stop (crash) the computer if the audit logs fill up. The following Knowledgebase article gives further information about this registry setting.

    http://support.microsoft.com/support/kb/articles/q140/0/58.asp

      Name: CrashOnAuditFail
      Type: REG_DWORD
      Value: 1

    By default not all privileges are audited. The following registry setting will also enable auditing of backups and restores, debug programs, traverse checking, and replacing of process level tokens. During backup and restores this will cause a large number of events in the audit logs.

      Name: FullPrivilegeAuditing
      Type: REG_DWORD
      Value: 1

    In high security development environments auditing of base objects should be enabled. After setting this registry value, use User Manger to begin this type of auditing.

      Name: BaseObjectAuditing
      Type: REG_DWORD
      Value: 1


    1. Users
    2. Using User Manager, it is possible to define an audit policy of various user actions. These include logon, logoff, accessing files, restarting and shutting down the system. All of these can record successful and failed attempts. We suggest that you audit failed logon attempts at the very least.
    3. Files and Directories
    4. When changing the properties for files and directories, you can also audit various events such as read, write, execute, delete, change permission, and taking ownership. When defining the audit policy for a drive or directory, you can have the policy be the same for all of the files and directories below it.
    5. Registry
    6. The third area to define auditing is in the registry. Much like defining file and directory audit properties, you can track actions taken in the registry on the various keys.

    References


    Revision History
    April 17, 2000
    Initial Release