Monitor attempts to access and change settings on your PC
Posted: Sun Mar 02, 2014 11:50 am
Monitor attempts to access and change settings on your computer
You must be logged on as an administrator to perform these steps.
You can monitor (also known as audit) what's happening on your computer to help make it more secure. By auditing your computer, you can tell if someone has logged on to the computer, created a new user account, changed a security policy, or opened a document. Auditing doesn't prevent a hacker or someone who has an account on your computer from making changes, it just lets you know when a change is made and who made it.
The following table describes the different kinds of events you can monitor. If you choose to monitor any of these kinds of events, Windows will record the events in a log that you can look at with Event Viewer.
Account management
Monitor this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
Logon events
Monitor this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).
Directory service access
Monitor this to see when someone accesses an Active Directory object that has its own system access control list (SACL). This category only produces events on a domain controller; on a standalone PC it records nothing.
Object access
Monitor this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend doing that unless you have advanced computer knowledge and know how to use the registry.
Policy change
Monitor this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
Privilege use
Monitor this to see when someone exercises a user right (a privilege) such as backing up or restoring files, changing the system time, or debugging another process. It records the use of the right itself, not ordinary access to files, which is covered by object access.
Process tracking
Monitor this to see when events such as program activation or a process exiting occur.
System events
Monitor this to see when the computer starts up, shuts down, or restarts, or when something changes the state of the security subsystem itself, such as the system time being altered.
To turn on auditing
1. Open Local Security Policy by clicking the Start button Picture of the Start button, typing secpol.msc into the search box, and then clicking secpol. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
2. In the left pane, double-click Local Policies, and then click Audit Policy.
3. Double-click the event type that you want to audit.
4. Select the Success or Failure check box, or both, and then click OK.
• If you select Success, Windows will record every successful attempt to complete the type of event that you are monitoring. For example, if you're auditing logon events, each time someone logs on to your computer is recorded as a successful logon event.
• If you select Failure, Windows will record every unsuccessful attempt of that type. For logon events that means each wrong password, which is usually the more useful half to have.
• If you select both Success and Failure, Windows will record all attempts.
The Security log has a fixed maximum size (about 20 MB by default on Windows 7) and, once it is full, Windows overwrites the oldest events, so a busy audit policy can silently lose history. Rather than deleting events from Event Viewer, which throws away exactly the evidence you were collecting and itself leaves an event recording that the log was cleared, raise the maximum log size in the log's Properties in Event Viewer, or save the log to a file before clearing it.
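The same policy can be set from an elevated PowerShell prompt with auditpol, which also lets you pick the finer-grained subcategories behind the nine categories listed above. The script below is an added example, not part of the original article; the subcategory list and the 256 MB log size are assumptions chosen for a typical workstation.

```powershell
# Added example (not part of the original article): the command-line
# equivalent of the secpol.msc steps above, plus the log-size change that
# avoids deleting events. Run from an elevated PowerShell prompt.

# 1. Show the current audit policy for every category and subcategory.
auditpol /get /category:*

# 2. Turn on the subcategories behind the table above, for Success and
#    Failure. The list is an assumption: a reasonable set for a workstation.
$subcategories = @(
    'Logon',                      # 4624 success / 4625 failure
    'Logoff',                     # 4634 / 4647
    'User Account Management',    # 4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4724 password reset
    'Security Group Management',  # 4728 / 4732 / 4756 member added to a group
    'Audit Policy Change',        # 4719 audit policy changed
    'Process Creation',           # 4688 new process
    'File System',                # 4663 object access (the file also needs a SACL)
    'Security State Change'       # 4608 startup, 4616 system time changed
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. Instead of deleting events when the log fills up, grow the Security log
#    (256 MB here, an assumed value) and keep the default overwrite-oldest
#    behaviour. Clearing the log writes event 1102 and destroys the evidence.
wevtutil sl Security /ms:268435456

# 4. Verify both changes.
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub"
}
wevtutil gl Security | Select-String 'maxSize|retention'
```

Once any subcategory has been set with auditpol, Windows 7 and later apply the subcategory settings in preference to the nine basic categories, so the Audit Policy view in secpol.msc may no longer reflect what is really in effect; treat the output of auditpol /get as the authoritative view.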
To monitor who opens documents
1. Right-click the document or file that you want to keep track of, and then click Properties.
2. Click the Security tab, click Advanced, and then click the Auditing tab.
3. Click Continue. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4. Click Add.
5. In the Enter the object name to select box, type the name of the user or group whose actions you want to keep track of, and then click OK in each of the four open dialog boxes.
If you want to monitor everyone, type Everyone. If you want to monitor a particular person, type the name of the computer followed by the person's user name or the name of the domain followed by the person's user name (if the computer is on a domain): computer\user name or domain\user name.
6. Select the check box for any action you want to audit, and then click OK. The following table describes what you can audit. An auditing entry on a file only produces events if the Object access policy from the previous section is turned on; the entry by itself records nothing.
Auditable actions for files
Traverse folder/execute file
Keeps track of when someone runs a program file.
List folder/read data
Keeps track of when someone views the data in a file.
Read attributes
Keeps track of when someone views the attributes of a file, such as read-only or hidden.
Read extended attributes
Keeps track of when someone views the extended attributes of a file. The extended attributes are defined by the program that created the file.
Create files/write data
Keeps track of when someone changes the contents of a file.
Create folders/append data
Keeps track of when someone adds data to the end of a file.
Write attributes
Keeps track of when someone changes the attributes of a file.
Write extended attributes
Keeps track of when someone changes the extended attributes of the file.
Delete subfolders and files
Keeps track of when someone deletes files or subfolders inside a folder, even if the Delete permission has not been granted on those items themselves (this entry applies to folders).
Delete
Keeps track of when someone deletes a file.
Read permissions
Keeps track of when someone reads the permissions on a file.
Change permissions
Keeps track of when someone changes the permissions on a file.
Take ownership
Keeps track of when someone takes ownership of a file.
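The Auditing tab writes an entry into the file's SACL; the following PowerShell script does the same thing for one document and shows how the rights it audits map onto the rows of the table above. It is an added example, not code from the original article, and it assumes the file C:\Sensitive\payroll-notes.txt exists and that you are running elevated (writing a SACL requires the SeSecurityPrivilege that administrators hold).

```powershell
# Added example (not part of the original article): the PowerShell
# equivalent of the Properties > Security > Advanced > Auditing steps above,
# applied to one document. Assumptions: C:\Sensitive\payroll-notes.txt exists
# and this runs from an elevated prompt.

$path = 'C:\Sensitive\payroll-notes.txt'

# A SACL on the file produces no events unless object-access auditing is on,
# so enable the relevant subcategory first (Success and Failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Read the file's security descriptor including its SACL. -Audit is required;
# without it Get-Acl returns only the DACL (the permissions).
$acl = Get-Acl -Path $path -Audit

# Rights to audit, named as in the table above: read data, write and append
# data, delete, change permissions, take ownership. Everyone is audited for
# both successful and failed attempts.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                     -ArgumentList 'Everyone', $rights, $flags

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: this is the same list the Auditing tab shows for the file.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read the file once as a test; a 4663 event naming the file, with
# ReadData in its Accesses field, should now appear in the Security log.
Get-Content -Path $path -TotalCount 1 | Out-Null
```

Expect a noticeable volume of events from auditing ReadData on a file that programs open often; audit the rights that would matter in an incident (delete, write, permission and ownership changes) first, and add read auditing only for the few documents where who looked at them is the question.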
To view audit logs
1. Open Event Viewer by clicking the Start button Picture of the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer (or type eventvwr.msc into the search box and press Enter). Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
2. In the left pane, double-click Windows Logs, and then click Security.
3. Double-click an event to see the details. Only the event types you turned on under Audit Policy will appear here; an empty Security log usually means auditing was never enabled, not that nothing happened.
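Browsing the Security log by hand works for a handful of events, but the audit policy above generates thousands per day. The script below is an added example, not part of the original article: it pulls the events that correspond to the categories in the first table from the Security log with Get-WinEvent and flattens them into one table of who did what. It assumes an elevated prompt (the Security log is readable only by administrators) and that the audit policy and any file SACLs from the earlier sections are already in place; the one-day window is an assumption.

```powershell
# Added example (not part of the original article): read the Security log
# from PowerShell instead of clicking through Event Viewer. Assumptions: run
# elevated, and the audit policy from the earlier sections is in place.

# Event IDs matching the categories in the first table (Vista/7 and later numbering).
$ids = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4732 = 'Member added to a local group'
    4719 = 'System audit policy changed'
    4663 = 'Object access (file or folder carrying a SACL)'
    4688 = 'New process created'
    1102 = 'Security log cleared'
}

# Only look back one day (an assumed window; widen it as needed).
$since = (Get-Date).AddDays(-1)

# One filter evaluated by the event log service; far faster than
# Get-EventLog Security | Where-Object on a large log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$ids.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields live in the EventData block of the event's XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }

    # For logon events the account of interest is the target, not the caller.
    $who = if ($e.Id -in 4624, 4625) { $data.TargetUserName } else { $data.SubjectUserName }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        What   = $ids[$e.Id]
        Who    = $who
        Source = $data.IpAddress    # filled in for network logons
        Object = $data.ObjectName   # filled in for 4663
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Two checks worth running on their own against $rows:
#  - many 4625s from the same Source within a few minutes: password guessing
#  - any 1102 or 4719: someone is tampering with the audit trail itself
```

Because a local administrator can clear the Security log or switch auditing off, these events are only trustworthy if they are also forwarded off the machine (Windows Event Forwarding or a collector) before anyone with that access can act on them.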