Friday, August 22, 2014

Audit object access

Audit object access


This security setting determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
Default: No auditing.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\
For specific instructions about how to configure auditing policy settings, see Define or modify auditing policy settings for an event category.


Object Access Events Description
560Access was granted to an already existing object.
562A handle to an object was closed.
563An attempt was made to open an object with the intent to delete it.
  • This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().
564A protected object was deleted.
565Access was granted to an already existing object type.
567A permission associated with a handle was used.
  • A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.
568An attempt was made to create a hard link to a file that is being audited.
569The resource manager in Authorization Manager attempted to create a client context.
570A client attempted to access an object.
  • An event will be generated for every attempted operation on the object.
571The client context was deleted by the Authorization Manager application.
572The administrator manager initialized the application.
772The certificate manager denied a pending certificate request.
773Certificate Services received a resubmitted certificate request.
774Certificate Services revoked a certificate.
775Certificate Services received a request to publish the certificate revocation list (CRL).
776Certificate Services published the certificate revocation list (CRL).
777A certificate request extension was made.
778One or more certificate request attributes changed.
779Certificate Services received a request to shutdown.
780Certificate Services backup started.
781Certificate Services backup completed.
782Certificate Services restore started.
783Certificate Services restore completed.
784Certificate Services started.
785Certificate Services stopped.
786The security permissions for Certificate Services changed.
787Certificate Services retrieved an archived key.
788Certificate Services imported a certificate into its database.
789The audit filter for Certificate Services changed.
790Certificate Services received a certificate request.
791Certificate Services approved a certificate request and issued a certificate.
792Certificate Services denied a certificate request.
793Certificate Services set the status of a certificate request to pending.
794The certificate manager settings for Certificate Services changed.
795A configuration entry changed in Certificate Services.
796A property of Certificate Services changed.
797Certificate Services archived a key.
798Certificate Services imported and archived a key.
799Certificate Services published the CA certificate to Active Directory.
800One or more rows have been deleted from the certificate database.
801Role separation enabled.
For more information about security events, see Security Events on the Microsoft Windows Resource Kits Web site.
For more information, see:

No comments:

Post a Comment