Object Access

Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. Proving that these audit policies are in effect to an external auditor is even more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing. This category includes the following subcategories:

• Audit Application Generated
  
  
• Audit Certification Services
  
  
• Audit Detailed File Share
  
  
• Audit File Share
  
  
• Audit File System
  
  
• Audit Filtering Platform Connection
  
  
• Audit Filtering Platform Packet Drop
  
  
• Audit Handle Manipulation
  
  
• Audit Kernel Object
  
  
• Audit Other Object Access Events
  
  
• Audit Registry
  
  
• Audit SAM
  
  

For more information about audit events that are generated by Object Access audit settings in Windows Server 2008 R2 and Windows 7, see Security Audit Events for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=157780).