* Eric Fitzgerald <ericf@private> [10/09/03 - 10:47]: > Due to a scheduling problem we were not able to ship the per-user > auditing management utility in the Resource Kit. > > Per-user auditing policy will be included in Windows XP SP2, along with > the management utility. So, it seems that the utility is named auditusr.exe and is present in Windows XP SP2, as mentionned in a recent entry of Eric F.'s blog: http://weblogs.asp.net/ericfitz/ Quoting Eric F.: ----------------------------------------------------------------------- We introduced a feature in Windows Server 2003 RTM where exceptions to audit policy can be set on a per-user basis. For example, audit logon/logoff activity for everyone, but audit all activity for EricF. Or, audit all activity for everyone, except SQLServiceAccount. This feature is required for Common Criteria evaluation. We anticipate it will mainly be used to either reduce noise or track suspicious individuals. This feature is called "Per-user auditing" colloquially; the official name of the feature is "Per-User Selective Audit". In Windows 2003 RTM for some reason the command-line admin tool, auditusr.exe, was not checked in. It was added for SP1 (and for XPSP2, which also has the per-user auditing feature). Per-user auditing cannot exclude events for members of the Administrators group- such policy can be created but will be ignored by the auditing system. Per-user auditing cannot be set for groups, only individual user accounts. Use of AuditUsr.exe is documented in the comand-line help (auditusr /?). ----------------------------------------------------------------------- Another interesting quote, about modifications of security audit in Windows Server 2003 SP1: "The net result of these changes is that the audit volume for Windows Server 2003 should drop significantly in SP1." For those interested, I suggest looking at the 3 posts published, they contain some interesting information: http://weblogs.asp.net/ericfitz/ Jean-Baptiste Marchand -- Jean-Baptiste.Marchand@private HSC - http://www.hsc.fr/ _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Dec 29 2004 - 10:20:32 PST