Home‎ > ‎CIS 75‎ > ‎

Lab 03 - Windows Auditing

Security is: Prevention + Detection + Response. In class we discussed the use of access controls in Windows to prevent unauthorized access to files and folders. Access control is your first step in keeping resources on your Windows systems secure. However, for important shared resources you may want to go a step further and gather auditing information. Windows allows you to record any time a file or folder is accessed. The record goes into Window's event viewer. Auditing important resources is like installing a security camera. It doesn't prevent unauthorized access but it does make it very difficult (or impossible) to get away with tampering. 

For this lab you will need access to a Windows machine. The instructions are for Windows 7 and Windows 8 but should also work on Vista. You can use the lab computers if you don't have a Windows machine of your own. 

Before you can do auditing in Windows you must enable the feature. Auditing can produce a lot of log messages so it's disabled by default. To enable auditing use the "Local Security Policy" MMC. Start that using the search feature:

Search -> Local Security Policy 

The picture shows the Local Security Policy MMC snap-in. The setting is found under:

Security Settings -> Local Policies -> Audit Policy -> Audit Object Access

Double click "Audit Object Access". In the dialog enable the "Success" and the "Failure" checkbox as shown.

Creating a Shared Resource 
Create a folder on your desktop called "Audited". In that folder create a plain text file called "Shared.txt" Using what you learned in class make the Shared.txt accessible (Modify, Read & Execute, Read and Write) to every user on your Windows system. Take a screenshot of the permissions tab. The screenshot should look like the following sample: 

Turning On Auditing
Now we want to record who changes the file. In the advanced permissions window, set an audit policy for Shared.txt. The policy should log when anyone writes to the file. Take a screenshot of the auditing tab. It should look like the sample below:

Verify the Audit
Now that auditing is enabled use Notepad to edit the file. Add a line to the file and save it.  Now start Windows Event Viewer. It can be found by:

Search -> Event Viewer

In event viewer select the security log by selecting: 

Windows Logs -> Security 

There are a lot of events in the Event Viewer that you may have to look through. The event you're looking for will have the "Task Category" set to "File System". When you find the event the "Details" tab of the event should look something like below.

With the event selected click "Save Selected Events..." on the right side bar. Save the event as an XML file and submit the XML file with your screenshots.

After the Lab
You may want to disable auditing again in the Local Security Policy MMC.

  • Screenshot of your file permissions (5 points)
  • Screenshot of your audit permissions (5 points) 
  • The XML export of your audit event (10 points)