Q: Does Windows provide a mechanism to enforce the auditing of all file system or registry object actions that specific users or groups perform on a Windows system or domain?
For example, I want to keep track of all the file system permission change actions that are executed by a given user account on my domain machines. It's very difficult to achieve this using the standard Windows auditing tools, because I'd need to change the auditing settings, or system ACL (SACL), of all file objects where the user could possibly change the permissions.
A: Yes, this is possible in Windows 7 and Windows Server 2008 R2 (and later versions), thanks to the Global Object Access Auditing feature. It is not available on Windows Vista or Windows Server 2008, which introduced the finer-grained audit subcategories but not global SACLs. You can configure this new auditing feature using the auditpol.exe command line utility or using Group Policy Object (GPO) settings.
The great thing about Global Object Access Auditing is that you can centrally configure audit settings using GPOs without touching the auditing settings of the objects themselves. In the classic Windows auditing system, as pointed out in the question, you first had to centrally enable success or failure auditing for the "Audit Object Access" audit policy. You then had to change the auditing settings in the ACL editor of every object for which you wanted to audit object access events.
To configure Global Object Access Auditing using GPO settings, you must navigate to the new Computer Configuration, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies, Global Object Access Auditing container. In the example shown here, I want to track file system Change permissions actions for user John.
Double-click File System or Registry, depending on what types of access you want to audit. Select the Define this policy setting box then click Configure. Finally, in the Advanced Security Settings for Global File SACL dialog box, click Add to create a global file SACL for user John for all successful Change permissions object accesses.
When you want to use Global Object Access Auditing, you shouldn't forget to enable success (and, if needed, failure) auditing for the Object Access subcategories Audit File System or Audit Registry. This can be done from the Computer Configuration, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies, Object Access GPO container. If you fail to take this step, the global SACL is defined but inert, and no file or registry access events will show up in the Windows Security log.
To ensure that the new advanced audit policies aren't overridden by the classic Windows audit policies, or simply to prevent the new policies from conflicting with the old ones, it's also advisable to make the subcategory settings take precedence. You can do this by enabling the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings GPO setting. You can find this setting in the Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options GPO container.
Note that the classic Windows audit policies are the ones you can configure from the Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy GPO container.
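The same configuration done from the command line, as an added example that is not part of the original column. It assumes an elevated PowerShell session on a single Windows 7 / Windows Server 2008 R2 or later machine (the GPO path above is how you would push it domain-wide), and it uses CONTOSO\John as a placeholder for the account to be tracked; the registry value it sets is the one behind the "Force audit policy subcategory settings" GPO setting, and the event IDs it queries (4663, 4670) are the standard Security log events for object access and permission changes.

```powershell
# Added example (not from the original column). Assumes an elevated PowerShell
# session on Windows 7 / Server 2008 R2 or later. CONTOSO\John is a placeholder;
# substitute the domain\user you want to track.
$user = 'CONTOSO\John'

# 1. Global file SACL: audit every successful "Change permissions" access
#    (WRITE_DAC, auditpol access flag WD) by $user on any file system object.
#    Use /type:Key for the equivalent registry-wide SACL.
auditpol.exe /resourceSACL /set /type:File /user:$user /success /access:WD

# 2. The global SACL is inert until the matching Object Access subcategory
#    is enabled; without this nothing reaches the Security log.
auditpol.exe /set /subcategory:"File System" /success:enable
# auditpol.exe /set /subcategory:"Registry" /success:enable   # if /type:Key was used

# 3. Make subcategory (advanced) settings take precedence over the classic
#    category settings. This is the registry value behind the GPO setting
#    "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 4. Verify what is actually in effect before trusting the log.
auditpol.exe /resourceSACL /view /type:File
auditpol.exe /get /subcategory:"File System"

# 5. Read back the resulting events. 4663 records the WRITE_DAC access the
#    global SACL matched; 4670 records the permission change itself.
#    Property indexes assume the standard 4663/4670 event templates:
#    [1] = SubjectUserName, [6] = ObjectName.
$filter = @{ LogName = 'Security'; Id = 4663, 4670; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -eq ($user -split '\\')[-1] } |
    Select-Object TimeCreated, Id, @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

# Remove the global SACL for $user once the investigation is over:
# auditpol.exe /resourceSACL /remove /type:File /user:$user
```

Two points to keep in mind when using this. A global SACL is evaluated in addition to any per-object SACLs, not instead of them, and it applies to every file on the machine, so restricting it to a single principal and a single access right (WD here) is what keeps the event volume manageable; a global SACL for Everyone with full access rights will flood the Security log. And because the settings are machine-wide, auditpol changes made this way are overwritten the next time the corresponding GPO applies, which is why the GPO route is the one to use in a domain.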