[This is preliminary documentation and subject to change]
Configuring and Monitoring Auditing
You can use Windows Explorer, the IIS snap-in, and the Microsoft Management Console (MMC) to monitor
events related to Web server security and to identify security
breaches for specific files or directories. For more information
about auditing, consult your Windows documentation. This topic
includes procedural information for configuring auditing for
directory or file access and server events.
For more information about IIS logging, see Logging Site Activity.
Installing the Group Policy snap-in
In order to use the auditing features described in these topics,
you will need to install the Group Policy snap-in. This snap-in is
not included in the Computer Management console, and a new console
will have to be created for the Group Policy snap-in. For more
information about adding MMC snap-ins, see the Windows Whistler
documentation.
1. Click Start and then Run. In the Run dialog box,
type mmc. This will start a new MMC console.
2. In the File menu, select Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click
Add.
4. In the Add Standalone Snap-in dialog box, select
Group Policy from the list of available snap-ins. Click
Add.
5. In the Select Group Policy Object dialog box, either
click Finish to audit the local computer, or Browse
to the computer you want to audit.
6. If you clicked Browse, proceed to step 7. Otherwise, go
to step 9.
7. In the Browse for a Group Policy Object dialog box,
click the Computers tab, click Another computer,
browse to the computer you want to audit, and then click
OK.
8. In the Select Group Policy Object dialog box, click
Finish.
9. Close the Add Standalone Snap-in dialog box.
10. Click OK.
11. In the Console menu, select Save to save the new
console to your hard disk. This is the console you will use to
configure the auditing features.
By default, only members of the Administrators group have
privileges to configure auditing. You can delegate the task of
configuring auditing of server events to another user account. To
enable the account to configure auditing:
- In the group policy console you created, expand the following
menus, in the following order: Computer Configuration,
Windows Settings, Security Settings, Local
Policies, and User Rights Assignment.
- Right-click Manage auditing and security log and select
Properties.
- In the Manage auditing and security log dialog box,
click Add.
Note
If the Add button is dimmed, clear the
Exclude from local policy check box to activate it.
- Select the appropriate user or user group from the list and
click Add. Click OK.
The following auditing features require the NTFS file system.
See Securing Your Files with NTFS.
- Use Windows Explorer to specify the directory or file you want
to audit and open its property sheets.
- Select the Security tab.
Note
If you do not see a Security tab, your
server's file system is set to FAT. For information on converting
it to NTFS, see the Windows documentation.
- Click the Advanced button. In the Advanced Security
Settings dialog box, click the Auditing tab.
- To add a group, user or computer to audit, click Add.
Select a user, contact, group, or computer from the list, and click
OK.
- In the Audit Entry dialog box, under Access
select the appropriate options. For more information on these
options, see the Windows documentation.
- To change the scope of the audited resources, select the
appropriate audit level from the Apply onto drop-down list.
For more information on these levels, see the Windows
documentation.
- To audit objects only applicable to the selected scope, select
the Apply these audit entries to objects and/or containers
within this container only check box. Selecting this check box
will stop auditing of objects created within the selected scope
that run outside of that scope.
Notes
- Auditing uses computer resources. For optimum server
performance, auditing should be applied as specifically as
possible. For example, if a particular directory has 100 files in
it, and only a few of those files need to be audited, you should
set auditing for those files, rather than for the entire
directory.
- Directory or file access auditing can be configured remotely by
sharing out the directory or file. The remote user can use the
procedure described earlier. For more information about sharing a
directory or file, see the Windows documentation.
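The directory and file auditing procedure above can also be scripted. The following PowerShell function is an added example, not part of the original IIS documentation; it assumes PowerShell 5 or later in an elevated session, and the function name and sample paths are hypothetical. It adds audit entries to individual files, as the note on performance recommends, and maps the "Apply onto" scope and the "within this container only" check box to the corresponding flags.

```powershell
#Requires -RunAsAdministrator
# Added example: the function name and the sample paths are hypothetical.
function Add-FileAuditRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Path,   # files or directories to audit
        [string]$Identity = 'Everyone',          # user or group whose access is audited
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, Delete, ChangePermissions',
        [System.Security.AccessControl.AuditFlags]$Events = 'Success, Failure',
        [switch]$ThisContainerOnly               # the "within this container only" check box
    )
    foreach ($item in $Path) {
        $isDir = Test-Path -LiteralPath $item -PathType Container
        # "Apply onto": a directory passes the entry to child files and folders;
        # a single file takes no inheritance flags.
        [System.Security.AccessControl.InheritanceFlags]$inherit =
            if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        [System.Security.AccessControl.PropagationFlags]$propagate =
            if ($isDir -and $ThisContainerOnly) { 'NoPropagateInherit' } else { 'None' }

        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            $Identity, $Rights, $inherit, $propagate, $Events)

        # -Audit loads the audit entries (SACL). It fails for accounts that lack
        # the "Manage auditing and security log" user right.
        $acl = Get-Acl -LiteralPath $item -Audit
        $acl.AddAuditRule($rule)
        if ($PSCmdlet.ShouldProcess($item, "Add audit rule for $Identity")) {
            Set-Acl -LiteralPath $item -AclObject $acl
        }

        # Read the entries back so the result can be reviewed.
        (Get-Acl -LiteralPath $item -Audit).Audit |
            Select-Object @{ n = 'Path'; e = { $item } },
                IdentityReference, FileSystemRights, AuditFlags, IsInherited
    }
}

# Preview the change on two constructed sample files without writing anything:
# Add-FileAuditRule -Path 'C:\Inetpub\wwwroot\global.asa','C:\Inetpub\wwwroot\default.asp' -WhatIf
```

Audit entries on files and directories produce Security log events only while object access auditing is enabled in the audit policy, which is configured in the server event auditing procedure.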
To configure server event auditing
- In the group policy console you created, expand the following
menus, in the following order: Computer Configuration,
Windows Settings, Security Settings, Local
Policies, and then Audit Policies.
Note
To configure security policies for the domain on
the primary domain controller (PDC) or backup domain controller
(BDC), click Domain Policies rather than Local
Policies.
- In the details pane, right-click the event(s) you want to audit
and select Properties. The Audit policy change
Properties dialog box appears.
- Select or clear the appropriate check boxes. For more
information about the auditing options, see the Windows
documentation.
Note
If the options are inactivated, clear the Exclude
from local policy check box to activate them.
- Click OK.
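A command-line equivalent of the server event auditing procedure, as an added example that is not part of the original documentation. It assumes a Windows version that ships auditpol.exe (Windows Vista or later), an English system where the categories carry the names shown, and an elevated PowerShell session; the function name and the default category selection are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: the function name and the default category selection are hypothetical.
function Set-ServerAuditPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Category name -> outcomes to record: 'Success', 'Failure', 'Both' or 'None'.
        [hashtable]$Policy = @{
            'Object Access' = 'Both'      # required before file and directory audit entries log anything
            'Policy Change' = 'Both'
            'Account Logon' = 'Failure'
        },
        [string]$BackupFile = (Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)))
    )

    # Save the current policy first; undo with: auditpol /restore /file:<path>
    & auditpol.exe /backup "/file:$BackupFile" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }

    foreach ($category in $Policy.Keys) {
        $want    = $Policy[$category]
        $success = if ($want -in 'Success', 'Both') { 'enable' } else { 'disable' }
        $failure = if ($want -in 'Failure', 'Both') { 'enable' } else { 'disable' }
        if ($PSCmdlet.ShouldProcess($category, "success:$success failure:$failure")) {
            & auditpol.exe /set "/category:$category" "/success:$success" "/failure:$failure" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$category'" }
        }
    }

    # Show the resulting settings for every category that was requested.
    foreach ($category in $Policy.Keys) {
        & auditpol.exe /get "/category:$category"
    }
    "Previous policy saved to $BackupFile"
}

# Preview without changing the policy:
# Set-ServerAuditPolicy -WhatIf
```

Settings applied this way are local; on a domain member, audit settings delivered through Group Policy can replace them at the next policy refresh.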
© 1997-2001 Microsoft Corporation. All rights reserved.