How To Monitor for Unauthorized User Access in Windows 2000

Article ID: 300958
This article was previously published under Q300958

SUMMARY

This article describes how to monitor your system for unauthorized user access. There are two main steps: enabling security auditing and viewing the security logs. Note that different systems have different security needs, and the security topic is complex. Any user who sets up security audits on your system must be assigned to administrative groups or be given security rights and privileges.

How to Enable Security Auditing

You set up security auditing differently depending on whether the computer is a standalone computer or a domain controller.

Standalone Servers, Member Servers, or Windows 2000 Professional

  1. Click Start, click Run, type mmc /a, and then click OK.
  2. On the Console menu, click Add/Remove Snap-in, and then click Add.
  3. Under Snap-in, click Group Policy, and then click Add.
  4. In the Select Group Policy Object box, click Local Computer, click Finish, click Close, and then click OK.
  5. In the Local Computer Policy box, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click Audit Policy.
  6. In the details pane, click Audit logon events.
  7. Click Action, click Security, select Unsuccessful logon attempts, and then click OK.

Windows 2000-Based Domain Controllers

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Domain Controllers.
  3. Click Action, and then click Properties.
  4. Click the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
  5. Click to expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Audit Policy.
  6. In the details pane, click Audit logon events.
  7. On the Action menu, click Security, click to select the Define these policy settings check box, click to select the Failure check box, and then click OK.

How to View Security Logs

  1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
  2. In the console tree, click Security log.
  3. Look in the details pane for information about the event you want to view, and then double-click the event.
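
Once failure auditing is on, a Security log saved from Event Viewer as comma-delimited text can be reviewed in bulk instead of event by event. The following is an added example, not part of the original article: it counts audited logon failures per account and reports accounts at or above a threshold. The event IDs are the Windows 2000 logon-failure events; the column order of the export, the "User Name:" description text, the threshold, and all sample data are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter

# Windows 2000 logon-failure event IDs recorded when failures are audited.
FAILURE_EVENT_IDS = {529: "unknown user name or bad password",
                     530: "logon time restriction", 531: "account disabled",
                     532: "account expired", 533: "workstation restriction",
                     534: "logon type not granted", 535: "password expired",
                     539: "account locked out"}
# Assumed column order of the comma-delimited export (no header row).
COLUMNS = ("date", "time", "source", "type", "category", "event_id",
           "user", "computer", "description")
USER_RE = re.compile(r"User Name:\s*(\S+)")

# Constructed sample export: accounts, hosts and times are made up.
SAMPLE_LOG = r'''
11/15/2006,9:01:12 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP"
11/15/2006,9:01:15 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: JSmith Domain: CORP"
11/15/2006,9:01:19 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: CORP"
11/15/2006,9:02:40 AM,Security,Success Audit,Logon/Logoff,528,CORP\jsmith,SRV01,"Successful Logon: User Name: jsmith Domain: CORP"
11/15/2006,9:30:02 AM,Security,Failure Audit,Logon/Logoff,531,NT AUTHORITY\SYSTEM,SRV01,"Logon Failure: Reason: Account currently disabled User Name: temp01 Domain: CORP"
truncated,line
'''

def failed_logons(export_text):
    """Yield (event_id, account) for every audited logon failure."""
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != len(COLUMNS):
            continue  # blank or malformed line
        rec = dict(zip(COLUMNS, (field.strip() for field in row)))
        if rec["type"] != "Failure Audit" or not rec["event_id"].isdigit():
            continue
        event_id = int(rec["event_id"])
        match = USER_RE.search(rec["description"])
        if event_id in FAILURE_EVENT_IDS and match:
            yield event_id, match.group(1).lower()  # account names are case-insensitive

def accounts_over_threshold(export_text, threshold=3):
    """Return {account: failures} for accounts at or above the threshold."""
    counts = Counter(account for _, account in failed_logons(export_text))
    return {acct: n for acct, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for acct, n in accounts_over_threshold(SAMPLE_LOG).items():
        print(f"{acct}: {n} failed logons")
```

Success audits and malformed lines are skipped, so only events produced by the failure-audit setting above are counted.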

Troubleshooting

  • If your computer is connected to a network, security logging may be restricted or disabled by a network policy.
  • The security log is limited in size; carefully select the events to be audited and consider the amount of disk space you are willing to devote to the security log.
  • If security auditing is enabled on a remote computer, you can view the event logs remotely with Event Viewer. Start a Microsoft Management Console (MMC) console in Author mode, and then add Event Viewer to the console. When you are prompted to specify which computer the snap-in will manage, click Another computer, and then type the name of the remote computer.
  • Security auditing for workstations, member servers, and domain controllers can be enabled remotely only by domain administrators. To do this, create an organizational unit, add the appropriate machine accounts to the organizational unit, and then use Active Directory Users and Computers to create a policy to enable security auditing.



REFERENCES

For additional information about setting up an auditing policy and security auditing, view the Microsoft Windows 2000 Resource Kits at the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx?mfr=true
For additional information about events that may appear in the Security log, click the following article numbers to view the articles in the Microsoft Knowledge Base:
299475 Windows 2000 security event descriptions (part 1 of 2)
301677 Windows 2000 security event descriptions (part 2 of 2)

Properties

Article ID: 300958 - Last Review: November 15, 2006 - Revision: 7.0
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition