Lab 8: Auditing

LAB8: AUDITING
In this exercise, you shall look at enabling auditing on selected resources, so that their usage and access can be monitored.

Previously, you created a share called SALES DOC which is associated with the \TEMP subdirectory on the partition where Windows NT Server is installed on the PDC.

  1. Log on to the BDC as user1
  2. Open Network Neighborhood, select the PDC and connect to the shared resource SALES DOC
  3. Log on to the PDC as administrator
  4. Run Server Manager, select the PDC, and then view Properties->In Use

    [Figure: Open Resources View on PDC]

  5. As can be seen, this shows that user1 is currently using the SALES DOC resource
  6. Another way to see who is accessing shared resources is to select Properties->Shares within Server Manager. Clicking on the share SALES DOC brings up the following window. Notice that it is possible to disconnect the user from the resource if desired. In this instance, the name of the computer that user1 is currently using is displayed, rather than the username

    [Figure: Shared Resources View on PDC]

  7. Close the above window on the PDC, but do not yet exit Server Manager
  8. On the BDC, close the open window associated with the connected share to SALES DOC
  9. On the PDC, click on the Properties->In Use for the PDC
  10. Is there any connection now to the share SALES DOC? [YES NO]

So far, we have looked at quick ways to establish if a share is in use, and also a means of disconnecting a user from a share if desired. If a user has gained access to a share, disconnecting them from the share does NOT prevent them from accessing the share at a later time. If you wish to prevent them from reconnecting to the share, you must also change the permissions associated with the share.

Now let's enable some auditing on the share SALES DOC, so we can track usage over a much longer time frame.

  1. Run Windows NT Explorer and right-click the TEMP directory [on the Windows NT Server partition] to bring up the Properties window
  2. Select Security
  3. Select Auditing

    [Figure: Directory Auditing]

  4. Click on Add to select Users or Groups which you want to audit

    [Figure: Add Users and Groups]

  5. Select the group Everyone, then click Add, then click OK to close the window.

    [Figure: Directory Auditing enabled]

  6. Enable Read Success and Read Failure Events, then click on OK
  7. If a message box warning appears about Auditing not yet being enabled, click on OK
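
The same audit entry can be scripted on a current Windows Server. The following is an added example, not part of the original lab: it assumes an elevated PowerShell session on an English-language system, and C:\TEMP is an assumed path, since the lab does not give the drive letter. It also covers the warning in step 7, because an audit entry on the directory records nothing until object-access auditing is enabled in the audit policy.

```powershell
# Added example (not from the lab). Run in an elevated PowerShell session.
# Assumed path: the lab only says \TEMP on the Windows partition.
$Path = 'C:\TEMP'

# Steps 4-6: audit entry for Everyone, Read access, success and failure,
# inherited by subfolders and files beneath the directory.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit loads the SACL (audit entries); without it only the DACL is returned.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the entry is now present on the directory.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Step 7: check whether the audit policy will actually record file access.
auditpol /get /subcategory:"File System"

# Enable success and failure auditing for file system objects if it is off.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# After a user reads a file in the directory, access attempts appear in the
# Security log as event ID 4663.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Format-List TimeCreated, Message
```

Auditing Everyone for Read on a busy directory generates a large volume of events, so check the Security log size and retention settings before leaving it enabled.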