How to Perform Auditing on Windows Systems

Auditing is a critical process for ensuring the security and integrity of a system. It involves tracking and recording system activities to detect unauthorized access, policy violations, or other security-related events. In the Windows environment, auditing can be configured to monitor various activities such as file access, user logins, and system changes. This article will guide you through the process of setting up and running audits on Windows systems using built-in tools and commands.

Examples:

  1. Enabling Audit Policy via Local Security Policy:

    • Open the Local Security Policy management console by typing secpol.msc in the Run dialog (Win + R).
    • Navigate to Local Policies > Audit Policy.
    • Double-click on the policy you want to enable (e.g., "Audit Logon Events").
    • Select "Success" and/or "Failure" depending on what you want to audit, and click OK.
  2. Configuring Audit Policies via Command Line:

    • Open Command Prompt as Administrator.
    • Use the following command to enable auditing for logon events:
      auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    • To verify the current audit policy settings, use:
      auditpol /get /category:*
  3. Setting Up File and Folder Auditing:

    • Right-click on the folder or file you want to audit and select Properties.
    • Go to the Security tab and click on Advanced.
    • Navigate to the Auditing tab and click on Add.
    • Select the principal (user or group) you want to audit.
    • Choose the type of access you want to audit (e.g., "Full control", "Read", "Write").
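    • Click OK to apply the settings. These auditing entries only generate events when object access auditing is also enabled, either through the "Audit object access" policy under Local Policies > Audit Policy or through the "File System" subcategory in auditpol.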
  4. Viewing Audit Logs:

    • Open Event Viewer by typing eventvwr.msc in the Run dialog (Win + R).
    • Navigate to Windows Logs > Security.
    • Here, you can view the security logs that contain the audit records.
  5. Using PowerShell for Auditing:

    • Open PowerShell as Administrator.
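    • Windows PowerShell has no built-in Set-AuditPolicy or Get-AuditPolicy cmdlets; audit policy is managed by running auditpol.exe from the PowerShell session. To enable auditing for the "Logon" subcategory of the "Logon/Logoff" category, use:
      auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
    • To view current audit policies, use:
      auditpol.exe /get /category:*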
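
Steps 3 and 4 can also be scripted. The following PowerShell is an added example, not part of the original article: it sets an audit entry on a folder, triggers a write, and reads the resulting records from the Security log. The folder C:\AuditDemo is a constructed test path, and the session must be elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): steps 3 and 4 as a script.
# Assumption: C:\AuditDemo is a constructed test folder created for this demo.
$path = 'C:\AuditDemo'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# A SACL entry is silent unless file-system object-access auditing is enabled.
# The subcategory name below is the English display name.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Audit successful and failed write/delete attempts by Everyone (well-known SID
# S-1-1-0), inherited by all child files and folders.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# Get-Acl returns the SACL only when -Audit is given.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm the rule is in place.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Trigger an audited write, then give the event log a moment to record it.
Set-Content -Path (Join-Path $path 'test.txt') -Value 'audit test'
Start-Sleep -Seconds 2

# Event ID 4663 = "An attempt was made to access an object".
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    } |
    Where-Object { $_.Object -like "$path*" } |
    Format-Table -AutoSize
```

Auditing Everyone for write and delete on a busy share produces a large event volume, so scope the principal and rights to what needs monitoring before applying a rule like this outside a test folder.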
