Have you ever needed to keep
a tight rein on your computer due to sensitive information saved on it? Do you
work in a business environment that requires that you periodically log onto
your machines to see who has had access to private files or network folders?
Perhaps you lost your laptop or left your computer unlocked for a long period
when there were unknown guests hanging around your office. Here are some
instructions on how to log in to view security audit information on your
Windows computer such as who logged in to your computer, what time they logged
in, and even what they accessed or what actions they performed.
If you are using a Professional
edition of Windows, your first step is to enable the Audit option for log on
events. By enabling this feature, you will be able to monitor both logins and
logoffs by local computer users and users who attempt to access your computer
over the network.
The first step to enabling the audit of logon events
is to go to your Group Policy Editor. This can be done by going to Run in
your Windows Start bar and typing gpedit.msc. Find the option for Audit
logon events under the following folder: Local Computer Policy
>> Computer Configuration >> Windows Settings >> Security
Settings >> Local Policies >> Audit Policy.
Double-click the configuration
settings for Audit logon events and place a check in the box for both Success
and Failure.
At first it may not seem
logically necessary to track logon failures as well as successes, since you are
not able to actually do anything prohibited on the computer if you fail to
log on, but enabling logon failures could be one of your best ways to see if
unauthorized access is happening on your computer. If someone is trying
to gain unauthorized access to your machine, there is a good chance that there
could be a number of logon failures preceding a successful and potentially
malicious attempt. By tracking logoff events as well, you are able to see
how long the user has had a session open, how many times during the day they
were logged on to the system, and keep a historical record. This will allow
you to see if there are any instances of erratic behavior, such as logging in
and out several times in sequence in short bursts, or perhaps a user who
usually accesses the computer exclusively during business hours who suddenly
has a number of logons in the middle of the night through the week.
You can view logon events in
the system security log through the Windows Event Viewer. You can access
this by going to your Start bar's Run field and typing in Event Viewer.
Once the Event Viewer is opened, go to the Windows Logs folder on the left-hand
side and then within it click on the Security option. Once you have
the security log opened you will see a number of events that have taken place
over the past historical period. You can scroll through this historical
event list, and when you find the event you want to look at you can double-click
it. This will open up a dialog box that will give you more detailed
information, such as which computer they logged into in a network
environment. If you wish to filter your results by logon events only, you
can filter by Event ID 4624, which indicates the logon event. You can use
the Event Viewer to research what happened while the user was logged in by
going to each of the different event categories and scrolling through the
historical audit files.
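The checks described above (failures preceding a success, off-hours logons, session length) can also be scripted against the same Security log. This PowerShell is an added example, not part of the original article; the look-back window, failure threshold and business hours are assumed values, and event IDs 4625 and 4634 are standard Windows IDs that the article does not name.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# 4624 = logon (named in the article); 4625 = failed logon and 4634 = logoff
# are the standard companion IDs, not named in the article.
$since         = (Get-Date).AddDays(-7)  # assumed look-back window
$failThreshold = 5                       # assumed: failures before a success worth flagging
$workStart = 8; $workEnd = 18            # assumed business hours, local time

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Flatten each record's named EventData fields into one row.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time = $e.TimeCreated; Id = $e.Id
        User = $data['TargetUserName']
        Type = $data['LogonType']          # 2 = interactive, 3 = network, 10 = remote desktop
        Source  = $data['IpAddress']
        LogonId = $data['TargetLogonId']   # ties a 4624 to its matching 4634
    }
}

$fails = @{}; $open = @{}
foreach ($r in $rows) {
    if (-not $r.User) { continue }
    $when = $r.Time.ToString('yyyy-MM-dd HH:mm:ss')
    switch ($r.Id) {
        4625 { $fails[$r.User] = 1 + [int]$fails[$r.User] }
        4624 {
            if ([int]$fails[$r.User] -ge $failThreshold) {
                "$when  $($r.User): success after $($fails[$r.User]) failures, source $($r.Source)"
            }
            $fails[$r.User] = 0
            $interactive = $r.Type -in '2', '10'
            $offHours = $r.Time.Hour -lt $workStart -or $r.Time.Hour -ge $workEnd
            if ($interactive -and $offHours) { "$when  $($r.User): off-hours logon, type $($r.Type)" }
            if ($interactive -and $r.LogonId) { $open[$r.LogonId] = $r.Time }
        }
        4634 {
            if ($r.LogonId -and $open.ContainsKey($r.LogonId)) {
                $mins = [int]($r.Time - $open[$r.LogonId]).TotalMinutes
                "$when  $($r.User): session closed after $mins min"
                $open.Remove($r.LogonId)
            }
        }
    }
}
```

Failed logons only appear if Failure auditing was enabled as described earlier, and the results reach back only as far as the Security log's retention allows.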
Done..!