How do I enable auditing on the SAM?
It is possible to audit any failed or successful access to the sensitive
information held in the SAM, including access by the few accounts that are able
to reach it at all, e.g. Administrators. This can be done as follows:
1. First ensure auditing is enabled on the system using User Manager -
   Policies menu - Audit. Select "Audit These Events". Choose the
   objects to audit and click OK.
2. Next make sure the Scheduler service is running on the machine, either via
   the Services Control Panel applet (Start - Settings - Control Panel -
   Services) or by typing "net start" and looking for "Scheduler".
   If it is not running you can start it by typing
   C:\> net start schedule
3. At the command prompt (cmd.exe) type
   C:\> at <time> /interactive "regedt32.exe"
   where <time> is a minute in the future.
4. At the time entered Regedt32.exe will be started, but running under the
   internal System account. This allows access to areas normally inaccessible.
5. Select the HKEY_LOCAL_MACHINE window.
6. Select the SAM key and from the Security menu select Auditing.
7. Click the Add button and on the displayed dialog (which will show groups)
   click the 'Show Users' button.
8. Add the following:
   - Domain Admins
   - Backup Operators
   and any other accounts that hold the following user rights:
   - Take ownership of files or other objects
   - Back up files and directories
   - Manage auditing and security log
   - Restore files and directories
   - Add workstations to domain
   - Replace a process level token
9. Check the "Audit Permissions on Existing Subkeys" box.
10. Set Success and Failure for
    - Query Value
    - Set Value
    - Write DAC
    - Read Control
11. Click OK. Click Yes to the dialog that asks if you want to audit all
    existing subkeys in the SAM.
12. Now repeat steps 6 to 11, but on the Security key.
13. Close the registry editor.
14. Stop the Schedule service if you only started it for this task:
    C:\> net stop schedule
Auditing the Security key is optional but without it only password keys will
be audited. Setting auditing on the Security key will allow you to track other
security relevant changes to the system.
You will now see entries in the Security log via event viewer, e.g.
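The FAQ's own sample entry is not reproduced here. As an added illustration, not part of the original FAQ, the following Python script shows how the resulting Security log entries can be read once the auditing above is in place: it parses a small constructed export of Object Access records, summarises opens of the SAM and Security keys per account and outcome, and flags the cases a reviewer would want to look at (failed opens, and successful Write DAC or Set Value opens by accounts other than System). The pipe-separated export layout, event id 560, the \REGISTRY\MACHINE\... object-path form and the access names are assumptions modelled on NT-style audit records, not values taken from the page.

```python
import re
from collections import Counter

# Constructed sample: a simplified, pipe-separated export of Security-log
# "Object Access" entries of the kind produced once the SAM and Security keys
# are audited as described in the FAQ. Fields:
#   audit type | event id | account | object name | accesses requested
# Event id 560 (NT "Object Open"), the \REGISTRY\MACHINE\... paths and the
# access names are assumptions modelled on NT-style audit records.
SAMPLE_LOG = """\
Success Audit|560|NT AUTHORITY\\SYSTEM|\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4|Query key value
Success Audit|560|CORP\\alice|\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003E9|Query key value
Failure Audit|560|CORP\\bob|\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users|Query key value
Success Audit|560|CORP\\alice|\\REGISTRY\\MACHINE\\SAM|WRITE_DAC;READ_CONTROL
Success Audit|560|CORP\\bob|\\REGISTRY\\MACHINE\\SECURITY\\Policy\\Secrets|Set key value
Success Audit|560|NT AUTHORITY\\SYSTEM|\\REGISTRY\\MACHINE\\SECURITY\\Policy|Query key value
"""

# The four access types the FAQ audits, keyed by the name used in the export.
AUDITED_ACCESSES = {
    "Query key value": "Query Value",
    "Set key value": "Set Value",
    "WRITE_DAC": "Write DAC",
    "READ_CONTROL": "Read Control",
}

# Accounts whose access to these hives is expected and therefore not flagged.
TRUSTED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

# Matches objects under the two audited hives and captures which one.
HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\(SAM|SECURITY)(\\|$)", re.IGNORECASE)


def parse_entries(text):
    """Parse the export into dicts with normalised hive and access names."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        audit_type, event_id, account, obj, accesses = line.split("|")
        match = HIVE_RE.match(obj)
        entries.append({
            "outcome": audit_type.split()[0],  # "Success" or "Failure"
            "event_id": int(event_id),
            "account": account,
            "object": obj,
            "hive": match.group(1).upper() if match else None,
            "accesses": [AUDITED_ACCESSES.get(a, a) for a in accesses.split(";")],
        })
    return entries


def summarise(entries):
    """Count audited key opens per (account, hive, outcome)."""
    counts = Counter()
    for e in entries:
        if e["hive"] is not None:
            counts[(e["account"], e["hive"], e["outcome"])] += 1
    return counts


def find_sensitive_events(entries):
    """Return (entry, reason) pairs worth a reviewer's attention: for accounts
    outside the trusted set, any failed open, and any successful open that
    asked for Write DAC (permission change) or Set Value."""
    flagged = []
    for e in entries:
        if e["hive"] is None or e["account"] in TRUSTED_ACCOUNTS:
            continue
        if e["outcome"] == "Failure":
            flagged.append((e, "failed access to %s hive" % e["hive"]))
        elif "Write DAC" in e["accesses"]:
            flagged.append((e, "permission change on %s key" % e["hive"]))
        elif "Set Value" in e["accesses"]:
            flagged.append((e, "value written under %s" % e["hive"]))
    return flagged


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for (account, hive, outcome), n in sorted(summarise(entries).items()):
        print("%-20s %-9s %-8s %d" % (account, hive, outcome, n))
    for e, reason in find_sensitive_events(entries):
        print("REVIEW: %s by %s on %s (%s)"
              % (reason, e["account"], e["object"], ", ".join(e["accesses"])))
```

The per-account summary is what the "Audit Permissions on Existing Subkeys" choice buys you: opens of individual user keys under SAM\Domains\Account\Users are attributed to the account that made them, and the Security hive shows up separately only if step 12 was carried out.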