You can monitor changes to revocation configurations by logging events to the Windows security event log. The Online Responder allows the configuration of the following revocation configuration–related audit events:
Changes to the Online Responder configuration. All Online Responder configuration changes, including audit settings changes, will be logged.
Changes to the Online Responder security settings. All changes to the Online Responder service request and management interfaces access control list (ACL) will be logged.
You must have Manage Online Responder permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.
|To configure auditing of changes to revocation configurations|
Open the Online Responder snap-in, and select the Online Responder.
Click Responder Properties on the Action menu, or click Responder Properties in the Action pane.
Click the Audit tab, select the Online Responder audit options that you want to have logged, and then click OK.
Audit events will be logged to the Windows security log only if the Audit object access policy is enabled.
You must be an administrator on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.
|To enable the Audit object access policy|
Open the Local Group Policy Editor.
Under Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
Double-click the Audit object access policy.
Select the Success and Failure check boxes, and click OK.