How To Monitor for Unauthorized User Access in Windows 2000 (300958)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q300958
SUMMARY
This article describes how to monitor your system for
unauthorized user access. There are two main steps: enabling security auditing
and viewing the security logs. Note that different systems have different
security needs, and the security topic is complex. Any user who sets up
security audits on your system must be assigned to administrative groups or be
given security rights and privileges.
How to Enable Security Auditing
You set up security auditing differently depending on whether the
computer is a standalone computer or a domain controller.
Standalone Servers, Member Servers, or Windows 2000 Professional
- Click Start, click Run, type mmc /a, and then click OK.
- On the Console menu, click Add/Remove Snap-in, and then click Add.
- Under Snap-in, click Group Policy, and then click Add.
- In the Select Group Policy Object box, click Local Computer, click Finish, click Close, and then click OK.
- In the Local Computer Policy box, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Audit Policy.
- In the details pane, click Audit logon events.
- Click Action, click Security, select Unsuccessful logon attempts, and then click OK.
Windows 2000-Based Domain Controllers
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click Domain Controllers.
- Click Action, and then click Properties.
- Click the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
- Click to expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy.
- In the details pane, click Audit logon events.
- On the Action menu, click Security, click to select the Define these policy settings check box, click to select the Failure check box, and then click OK.
How to View Security Logs
- Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
- In the console tree, click Security log.
- Look in the details pane for information about the event you want to view, and then double-click the event.
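One way to triage the failure audits that this policy produces, as an added example that is not part of the original article. It assumes the Security log was saved from Event Viewer as comma-delimited text with the column order given in the comment; the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Windows 2000 logon-failure event IDs in the Logon/Logoff category
# (529 = bad user name or password, 531 = account disabled, 539 = locked out).
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
USER_RE = re.compile(r"User Name:\s*(.*?)\s*Domain:")
WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")

# Constructed sample export. Assumed column order:
# Date,Time,Source,Type,Category,Event,User,Computer,Description
SAMPLE_EXPORT = r'''Date,Time,Source,Type,Category,Event,User,Computer,Description
3/15/2006,9:01:12 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WKS07"
3/15/2006,9:01:15 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: CORP Logon Type: 2 Workstation Name: WKS07"
3/15/2006,9:01:19 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS12"
3/15/2006,9:01:24 AM,Security,Failure Audit,Logon/Logoff,539,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Account locked out User Name: administrator Domain: CORP Logon Type: 3 Workstation Name: WKS12"
3/15/2006,9:05:40 AM,Security,Success Audit,Logon/Logoff,528,CORP\jsmith,SRV01,"Successful Logon: User Name: jsmith Domain: CORP Logon ID: (0x0,0x1F3A2) Logon Type: 2"
3/15/2006,9:07:02 AM,Security,Failure Audit,Logon/Logoff,531,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Account currently disabled User Name: Guest Domain: SRV01 Logon Type: 3 Workstation Name: WKS03"
3/15/2006,9:08:00 AM,Security,Failure Audit
'''

def failed_logons(export_text):
    """Yield (account, workstation, event_id) for each failed-logon row."""
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 9 or not row[5].strip().isdigit():
            continue  # header, blank or truncated line
        event_id = int(row[5])
        if row[3].strip() != "Failure Audit" or event_id not in FAILED_LOGON_IDS:
            continue  # successful logons and unrelated events
        user = USER_RE.search(row[8])
        wks = WKS_RE.search(row[8])
        # Account names are case-insensitive, so fold case before counting.
        account = user.group(1).lower() if user and user.group(1) else "<unknown>"
        yield account, (wks.group(1) if wks else "<unknown>"), event_id

def accounts_over_threshold(export_text, threshold=3):
    """Return {account: failures} for accounts at or above the threshold."""
    counts = Counter(account for account, _, _ in failed_logons(export_text))
    return {a: n for a, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for account, n in accounts_over_threshold(SAMPLE_EXPORT).items():
        print(f"{account}: {n} failed logons")
```

The account is read from the event description rather than the User column, because failure audits are logged under the system account, not the account that was tried.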
Troubleshooting
- If your computer is connected to a network, security logging may be restricted or disabled by a network policy.
- The security log is limited in size; carefully select the
events to be audited and consider the amount of disk space you are willing to
devote to the security log.
- If security auditing is enabled on a remote computer, you
can view the event logs remotely with Event Viewer. Start a Microsoft
Management Console (MMC) console in Author mode, and then add Event Viewer to
the console. When you are prompted to specify which computer the snap-in will
manage, click Another computer, and then type the name of the
remote computer.
- Security auditing for workstations, member servers, and
domain controllers can be enabled remotely only by domain administrators. To do
this, create an organizational unit, add the appropriate machine accounts to
the organizational unit, and then use Active Directory Users and Computers to
create a policy to enable security auditing.
REFERENCES
For additional information about setting up an auditing
policy and security auditing, view the Microsoft Windows 2000 Resource Kits at
the following Microsoft Web site:
For additional information about events that may appear in the Security log, click
the following article numbers to view the articles in the Microsoft Knowledge
Base:
299475 Windows 2000 security event descriptions (part 1 of 2)
301677 Windows 2000 security event descriptions (part 2 of 2)
Modification Type: Major
Last Reviewed: 3/15/2006
Keywords: kbHOWTOmaster KB300958 kbAudITPro