Hi all, Windows Vista SP1. Auditing (Security Log). Stand-alone computer (no network or domain), if that matters.
Is it possible to have Vista generate an audit log entry when a document is printed? Is it possible to have Vista generate an audit log entry when external media is used (read and/or written)? For external media, I don't even know where to look. There's no "Security" tab for a floppy drive, or USB drive formatted with FAT. Is there a SACL hidden away somewhere that Windows uses for this? Or is this just not an option? I know you can use Group Policy to disable removable media entirely, but we need to use it, we just also need to audit/log that usage. For printing: I went into the printer's properties dialog, clicked the "Security" tab, clicked the "Advanced" button, clicked the "Auditing" tab. I added an entry for Subject "Everyone", selected all the "Access" types for both "Success" and "Failure". But when I print, nothing appears in the audit log. I did use the AUDITPOL tool to enable auditing. Both "Success" and "Failure". There's no subcategory for printing, so I enabled it for all the "Object access" subcategories. Well, except "Handle Manipulation" -- if I enable that, I get audit log entries for each and every file opened or closed by any process, which is a bit much. I am getting audit events for filesystem object accesses, so auditing works in general. And if I enable "Log spooler information events" for the spooler server properties, I do get messages in the "System" log. But it seems like if I have the option to create a SACL for a printer, then it should be able to generate audit events. Did Microsoft just forget to write the code to generate audit events for printers? Pointers to documentation and/or third-party solutions welcomed. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
