Solution
Enable auditing on each Microsoft® Windows® operating system on your
network. After you enable auditing, you can choose which events to monitor,
such as successful or failed logon attempts. In addition, certain files and
directories can be audited on NTFS file systems for modifications or
deletions. View the links under the Additional Resources section below for
more information on configuring audit policies.
Instructions
To enable auditing on a computer running Windows Server "Longhorn", Windows
Server 2003, Windows Vista, Windows XP, or Windows 2000
Open the Control Panel.
In Control Panel, double-click Administrative Tools, and then click Local
Security Policy.
In Local Security Settings, double-click Local Policies, double-click Audit
Policy, and then click the events that you want to audit. We recommend that
you audit the following events:
Audit account logon events (Success, Failure)
Audit account management (Success, Failure)
Audit directory service access (Failure)
Audit logon events (Success, Failure)
Audit object access (Failure)
Audit policy change (Success, Failure)
Audit system events (Success, Failure)