How do I enable auditing on the SAM?

You can audit every failed or successful access to this sensitive information by the only accounts able to access it, e.g. Administrators. This can be done as follows:

  1. First ensure auditing is enabled on the system using User Manager - Policies menu - Audit. Select "Audit These Events", choose the objects to audit and click OK.
  2. Next make sure the Scheduler service is running on the machine, either via the Services Control Panel applet (Start - Settings - Control Panel - Services) or by typing "net start" and looking for "Scheduler". If it is not running you can start it by typing
    C:\> net start schedule
  3. At the command prompt (cmd.exe) type
    C:\> at <time> /interactive "regedt32.exe"
    where <time> is a minute in the future.
  4. At the time entered Regedt32.exe will be started but running under the internal System account. This allows access to areas normally inaccessible.
  5. Select the HKEY_LOCAL_MACHINE window
  6. Select the SAM key and from the Security menu select Auditing
  7. Click the Add button and on the displayed dialog (which will show groups) click the 'Show Users' button.
  8. Add the following:
    - SYSTEM
    - Domain Admins
    - Administrator
    - Backup Operators
    and any other accounts that hold any of the following rights:
    - Take ownership of files or other objects
    - Back up files and directories
    - Manage auditing and security log
    - Restore files and directories
    - Add workstations to domain
    - Replace a process level token
    Click OK
  9. Check the "Audit Permissions on Existing Subkeys" box
  10. Set Success and Failure for
    - Query Value
    - Set Value
    - Write DAC
    - Read Control
  11. Click OK. Click Yes to the dialog that asks if you want to audit all existing subkeys in the SAM.
  12. Now repeat steps 6 to 11 on the Security key.
  13. Close the registry editor
  14. Stop the schedule service if you only started it for this task
    C:\> net stop schedule

Auditing the Security key is optional but without it only password keys will be audited. Setting auditing on the Security key will allow you to track other security relevant changes to the system.
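
The same audit entries as steps 6 to 12, scripted for a current Windows system with PowerShell. This is an added example, not part of the original FAQ. It assumes the session runs as SYSTEM (the reason for step 3), that registry object-access auditing is already enabled (step 1), and that the machine is domain-joined so "Domain Admins" resolves:

```powershell
# Added example, not from the original FAQ.
# Assumptions: running as SYSTEM, object-access auditing already enabled,
# and the account list below adjusted to match step 8 on your system.
$principals = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",   # assumption: domain-joined machine
    'Administrator',
    'BUILTIN\Backup Operators'
)

# Step 10: Query Value, Set Value, Write DAC, Read Control
$rights = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, ChangePermissions, ReadPermissions'
# Step 10: audit both Success and Failure
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
# Step 9: let subkeys pick up the entries through inheritance
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Steps 6 and 12: the SAM key first, then the Security key
foreach ($path in 'HKLM:\SAM', 'HKLM:\SECURITY') {
    # -Audit loads the SACL as well as the DACL
    $acl = Get-Acl -Path $path -Audit

    foreach ($name in $principals) {
        try {
            # Resolve the name to a SID so a typo or missing group fails here,
            # not halfway through writing the SACL
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Skipping '$name': account could not be resolved"
            continue
        }
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            $sid, $rights, $inherit, $propagate, $flags)
        $acl.AddAuditRule($rule)
    }

    Set-Acl -Path $path -AclObject $acl

    # Read the SACL back to confirm what was actually written
    (Get-Acl -Path $path -Audit).Audit |
        Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize
}
```

Subkeys whose audit settings are protected from inheritance will not receive these entries and need to be checked separately.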

You will now see entries in the Security log via event viewer, e.g.
