Enable Security Event Logging

by Tony Bradley [Published on 16 Dec. 2004 / Last Updated on 16 Dec. 2004]

Installing an alarm system on your home or car can be an effective way of at least being alerted when some sort of intrusion has been attempted. Of course, they don't work very well when they aren't enabled. Windows XP comes with the means to detect and log security events so that you can monitor and respond to intrusions or attempted security breaches, however it is not enabled by default.

One of the simplest means of monitoring the performance and security of a Windows PC or server is also one of the most overlooked. Before you go out and spend hundreds or thousands of dollars on tools to monitor your system's performance or security, make sure you take a look at the features that are built right into Windows.

When a computer is having a problem or begins to act strangely, one of the first places you should look to begin troubleshooting is the Event Viewer. You can find it in the Control Panel under Administrative Tools. The Event Viewer keeps a running log of information, alerts and warnings about your computer system and the programs and services running on it.

Event Viewer has three logs: Application, System and Security. In Windows XP, though, you won't find any entries under Security unless you first make the effort to enable security auditing. The functionality is there, but Microsoft does not turn it on by default.

To see the options you have for security auditing and logging, and to enable or disable them, go to Control Panel -> Administrative Tools -> Local Security Policy. Once the Local Security Settings console window opens, click on Local Policies, then Audit Policy. You will see the following policies; for each one you can enable auditing of successful attempts, of failed attempts, or of both, or leave logging disabled altogether:

  1. Audit Account Logon Events
  2. Audit Account Management
  3. Audit Directory Service Access
  4. Audit Logon Events
  5. Audit Object Access
  6. Audit Policy Change
  7. Audit Privilege Use
  8. Audit Process Tracking
  9. Audit System Events

You can right-click on any of these policies within the Local Security Settings console and select Help for more details about what activities the policy will audit. While it may make sense in some instances to turn on auditing of both successful and failed attempts for all of the policies, auditing and logging every activity that occurs on the computer consumes a great deal of memory and processing power, and the log data will quickly fill a large chunk of hard drive space. It is better to do some research into what the various auditing policies monitor and to create an auditing and logging plan that fits your situation, balancing the need for security auditing against the need for maximum performance of the system.

Another aspect to factor into your security auditing plan is how the logs will be stored on the hard drive and what should happen when a log fills to capacity. If you open the Event Viewer, right-click on Security and select Properties, you can configure the parameters for the Log Size.

First, you can set a maximum size for how much hard drive space the log is allowed to consume. Below that you choose what happens when the log fills: overwrite existing events as needed, automatically overwrite only entries older than the number of days you specify, or never overwrite or delete entries except through manual intervention by an Administrator.

For maximum security, and to ensure that no security event can occur without being logged, there is also a policy setting that determines what the computer should do if the log does in fact become too full. By default it is not configured, but you can force the computer to shut down automatically rather than continue running without the ability to log security events. In the Local Security Settings console under Local Policies, click on Security Options. Open the policy Audit: Shut Down System Immediately If Unable To Log Security Audits and enable it if you want to make sure the computer shuts down whenever it is unable to log security events for any reason.
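As an added example (not part of the original article), here is a small Python check that reads the security policy exported by `secedit /export /cfg audit.inf` and reports where the nine audit policies fall short of a planned baseline, and whether the shut-down-on-audit-failure setting is on. The audit plan and the sample export are constructed for this example; the value encoding (0 none, 1 success, 2 failure, 3 both) is what secedit writes under [Event Audit].

```python
import configparser

# Audit values secedit writes under [Event Audit]: 0 none, 1 success,
# 2 failure, 3 success and failure (a bitmask).
SUCCESS, FAILURE = 1, 2
CRASH_KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail"
# Constructed audit plan (an assumption, not the article's): the minimum
# auditing each policy needs. Object Access and Process Tracking are left
# out because they are the noisy policies the article warns about.
PLAN = {
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditSystemEvents": SUCCESS | FAILURE,
}
# Constructed sample of a `secedit /export /cfg audit.inf` export
# (real exports are UTF-16; open them with encoding="utf-16").
SAMPLE_INF = r"""
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 1
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
"""

def parse_inf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so registry paths match CRASH_KEY
    cp.read_string(text)
    return cp

def audit_gaps(text, plan=PLAN):
    # Return (policy key, auditing still to enable) for every policy that
    # is weaker than the plan; an absent key counts as "no auditing".
    cp = parse_inf(text)
    gaps = []
    for key, required in plan.items():
        missing = required & ~int(cp.get("Event Audit", key, fallback="0"))
        if missing:
            names = ((SUCCESS, "success"), (FAILURE, "failure"))
            gaps.append((key, " and ".join(n for b, n in names if missing & b)))
    return gaps

def crash_on_audit_fail(text):
    # REG_DWORD (type 4) value 1 means "Audit: Shut Down System Immediately
    # If Unable To Log Security Audits" is enabled.
    value = parse_inf(text).get("Registry Values", CRASH_KEY, fallback="4,0")
    return int(value.split(",")[1]) == 1
```

Running `audit_gaps(SAMPLE_INF)` on the sample lists the three policies that need more auditing; `crash_on_audit_fail(SAMPLE_INF)` is False because the sample leaves the shutdown policy disabled.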

Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).
