| Audit registry keys in Windows 2000 Pro |
| Auditing in Windows 2000 Professional enables you to track certain events. For example, auditing |
| logons lets you keep track of when users log on, and sometimes more important, when failed logon |
| attempts occur, which can indicate an attempted security breach. |
| You can audit many different types of events in Windows 2000. Registry access is one you might |
| consider auditing if you're concerned that someone (or some application) is modifying the registry |
| without your knowledge. You can track when registry values or subkeys are created or modified, as |
| well as other registry events. |
| To audit registry keys, you first need to enable object access auditing through Group Policy or |
| Here's what you need to do to enable auditing at the Local Policy level: |
| 1. Add the Group Policy snap-in to an MMC console focused on the Local Policy. (Or simply run |
| Gpedit.msc from a command line.) |
| 2. Expand the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit |
| 3. Double-click Audit Object Access and enable the policy for Success And Failure. Close the policy |
| After enabling object access auditing, you can configure the permissions for individual registry |
| keys to audit them. Follow these steps to configure the registry keys: |
| 1. Open Regedt32, then locate and select the registry key you want to audit. |
| 2. Choose Security | Permissions to open the Permissions dialog box, then click Advanced. |
| 3. Click the Auditing tab, click Add, and add the security object for which you want to audit registry |
| access. (For example, select a group or individual account that you want to monitor for registry |
| 4. In the Auditing Entry dialog box, place a check in the Success and/or Failure check boxes for the |
| access events you want to audit. Then click OK. |
| 5. Close the remaining dialog boxes and the Registry Editor. |
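The same two procedures as a script, added here as an example and not part of the original tip. It assumes a later Windows release where PowerShell and the built-in auditpol.exe are available (neither ships with Windows 2000) and an elevated session; the key path and the audited account are placeholders.

```powershell
# Added example. Assumptions: PowerShell and auditpol.exe are present
# (later Windows releases, not Windows 2000) and the session is elevated.
$KeyPath  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key to audit
$Identity = 'BUILTIN\Users'                              # placeholder account or group to monitor

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Procedure 1: enable object access auditing for registry objects,
# Success and Failure. The subcategory name is the English-language one.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Procedure 2: build the equivalent of one Auditing Entry dialog.
# Audited access: value writes, subkey creation and deletion.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # apply to subkeys too
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $Identity, $rights, $inherit, $propagate, $flags

# Read the key's security descriptor including the audit list
# (-Audit is required, otherwise the SACL is not returned),
# add the entry and write the descriptor back.
$acl = Get-Acl -Path $KeyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify: list the audit entries now present on the key.
(Get-Acl -Path $KeyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

Auditing only the write-type rights on a specific key, rather than Full Control on a broad subtree, keeps the Security log readable.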
| When you want to disable registry auditing, change the permissions on the key to remove the |
| auditing settings or simply disable object access auditing in the Local or Group Policy. |
| Note: Working with the registry can be risky, so be sure you have a verified backup before making |