For most network administrators, auditing ranks somewhere near documentation: one of those jobs that we all know we should do, but don't give enough time to. With Windows NT, there's no reason for this to be the case, because a well-thought-out NT auditing system will almost run itself. It can often help you discover weaknesses in the security of your systems, as well as deal with any troublesome "it wasn't me" users.
In this article, we'll look at using the functions of Windows NT auditing. We'll also examine some ways to help you manage your audit information.
Deciding what to audit
Before you turn on the audit facilities in NT, you need to decide exactly what it is you're trying to achieve. The extent of your auditing activities will depend greatly on your environment and system setup. One important thing to avoid is the temptation to over-audit. For example, knowing who has deleted a file or user account can be useful information, but how relevant is the fact that a file has been successfully read, or a registry key successfully accessed?
So, before you set up auditing, it's a good idea to look at what objects you're going to audit, and at what levels. Always remember that the level of auditing you set up will have an effect on the overall performance of your server or workstation.
Auditing tasks related to user account management will have little effect, unless you're amending hundreds of accounts per day. However, auditing on file, printer, and registry access can severely impact performance, if not done selectively.
Who wants to be an auditor?
By default, only the Administrator account in NT has the ability to enable auditing. Once auditing is enabled, you can give another user the ability to manage file, printer, and registry auditing, as well as rights to manage the security log files where the audit events are recorded. To set up an existing user to do this, start User Manager by selecting Start | Programs | Administrative Tools | User Manager For Domains.
Next, go to the Policies menu and choose User Rights. In the User Rights Policy dialog box, select Manage Auditing And Security Log from the Right dropdown list. You'll see that the...





