The big question is: which audit settings should you enable? If you turned on everything, your server would start flooding your Security event log and ultimately it wouldn’t be very useful. In fact, there are no hard and fast rules for which settings you should enable.

All audit settings have three possible configurations: not configured, Success, and Failure. Not configured means auditing isn’t enabled for the setting, Success means log any applicable event that was successful, and Failure means log any applicable event that failed. Often, it is more useful to log Failure events since you want to discover someone who is attempting to perform an activity surreptitiously, which may mean doing it several times until successful.

With some settings, simply enabling Success or Failure won’t actually cause any events to be logged. You also have to enable auditing on specific objects, such as a particular file, before events will be audited. This is useful because in some cases, such as files and folders, you may only want to audit certain ones. If auditing were enabled for all files, the amount of events would render auditing unfeasible.

Using a graphical user interface

1. Open the Local Security Policy snap-in.

2. In the left pane, expand Local Policies -> Audit Policy.

3. In the right pane, double-click the setting you want to enable, and check the box beside Success and/or Failure depending on the types of events you want to audit.

You can force new auditing settings to be applied by running the secedit command on Windows 2000 or the gpupdate command on Windows Server 2003.

Run the following command on Windows 2000:

> secedit /refreshpolicy machine_policy

And run this command on Windows Server 2003:

> gpupdate /target:computer

The events logged to the audit log (a plain text file) have the following format:

ID,Date,Time,Description,IP Address,Host Name,MAC Address

The DHCP Server monitors how the log files grow and the available disk space to determine if it should stop logging prematurely to prevent it from consuming too much space. There are two conditions that cause auditing to stop:

• When disk space runs below 20 MB on the filesystem the log files are on.
• When a single log file reaches the preset maximum size (the default is 1 MB).

Fortunately, you can modify these default values by editing the registry. There are three registry values that control DHCP Server disk monitoring located under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:

DhcpLogDiskSpaceCheckInterval

This specifies the number of audit entries recorded between disk verification checks. The default is 50, which means 50 events have to be recorded before the disk verification check occurs.

DhcpLogFilesMaxSize

The maximum size in megabytes for all seven log files. By default, this is 7, which means each log file can only grow to be 1 MB before the DHCP Server stops logging for that day.

DhcpLogMinSpaceOnDisk

The minimum size in megabytes that must exist on the filesystem for logging to continue. The default is 20, which means the DHCP Server will stop logging altogether if disk space goes below 20 MB on the filesystem.

You may need to create these values (as REG_DWORD) if they don’t already exist.

Using a graphical user interface

1. Open the DHCP snap-in.
2. In the left pane, right-click on DHCP and select Add Server.
3. Type in the name of the DHCP Server you want to target and click OK.
4. Right-click the server node and select Properties.
5. On the General tab, check the box beside Enable DHCP audit logging.
6. Click OK.

Using a command-line interface

Surprisingly, netsh doesn’t allow you to enable DHCP audit logging. You can only modify the audit log file path. However, this setting is controlled via the registry. The following command enables auditing by setting the ActivityLogFlag value:

> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v
 ActivityLogFlag /t REG_DWORD /d 1

To disable auditing, use the same command except use /d 0 in place of /d 1.