• Start
  • Audit policy change
  • Audit policy change and Audit process tracking
  • Published: August 2004




    Download 290 Kb.
    bet16/21
    Sana24.03.2021
    Hajmi290 Kb.
    #13513
    1   ...   13   14   15   16   17   18   19   20   21

    Audit Logging


    To track changes that are made to Windows Firewall settings and to see which applications and services asked Windows XP to listen on a port, you can enable audit logging and then look for audit events in the security event log.

    To enable audit logging on a computer running Windows XP with SP2, do the following:



    1. Log on using an account that is a local administrator.

    2. From the Windows XP desktop, click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.

    3. In Administrative Tools window, double-click Local Security Policy Shortcut.

    4. In the console tree of the Local Security Settings snap-in, click Local Policies, and then click Audit Policy.

    5. In the details pane of the Local Security Settings snap-in, double-click Audit policy change. Select Success and Failure, and then click OK.

    6. In the details pane of the Local Security Settings snap-in, double-click Audit process tracking. Select Success and Failure, and then click OK.

    7. Close the Local Security Settings snap-in.

    You can also enable audit logging for multiple computers in an Active Directory® directory service domain using Group Policy by modifying the Audit policy change and Audit process tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.

    Once audit logging is enabled, use the Event Viewer snap-in to view audit events in the security event log.

    Windows Firewall uses the following event IDs:


    • 848 - Displays the startup configuration of Windows Firewall.

    • 849 - Displays an application exception configuration.

    • 850 - Displays a port exception configuration.

    • 851 - Displays a change made to the application exceptions list.

    • 852 - Displays a change made to the port exceptions list.

    • 853 - Displays a change made to the Windows Firewall operation mode.

    • 854 - Displays a change made to Windows Firewall logging settings.

    • 855 - Displays a change made to ICMP settings.

    • 856 - Displays a change made to the Prohibit unicast response to multicast or broadcast requests setting.

    • 857 - Displays a change made to the Remote Administration setting.

    • 860 - Displays a change made to a different profile.

    • 861 - Displays an application attempting to listen for incoming traffic.


    Download 290 Kb.
    1   ...   13   14   15   16   17   18   19   20   21




    Download 290 Kb.