Auditing in Windows Vista and Windows 7 is very granular, allowing you to enable auditing for very specific events. This reduces the number of irrelevant events, potentially reducing the “noise” generated by false-positive auditing events. This, in turn, can enable operations staff to more easily detect significant events. Combined with the new Windows Event Collector service, you can build a system to aggregate only the most important security events in your organization.
To view the new categories, run the following command from an administrative command prompt. Lines in bold show categories that are new in Windows 7 and thus are not included in Windows Vista.
Auditpol /get /category:*
System audit policy
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success
Account Lockout Success
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server Success and Failure
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
User Account Management Success
Computer Account Management No Auditing
Security Group Management Success
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
Similarly, you can use the Auditpol /set command to enable granular auditing. The most straightforward way to enable granular auditing is to enable or disable the Group Policy settings located in Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration. Managing granular auditing using Group Policy is a feature new to Windows 7 and Windows Server 2008 R2.
Windows 7 also supports Global Object Access Auditing, which you can use to configure file or registry auditing on computers using Group Policy settings. To do this, define the File System or Registry policies in Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Global Object Access Auditing. Then click the Configure button to specify the objects to audit.
Source of Information : Windows 7 Resource Kit 2009 Microsoft Press
One of the misconceptions about cloud storage is that it is only useful for storing files. This assumption comes from the popularity of file...
On today’s Internet, IPv4 has the following disadvantages: • Limited address space. The most visible and urgent problem with using IPv4 on ...
The following are the advantages of WAP: ● Implementation near to the Internet model; ● Most modern mobile telephone devices support WAP; ...
Many of the virus, adware, security, and crash problems with Windows occu when someone installs a driver of dubious origin. The driver suppo...