I second the Windows 2003 Security Guide as giving you a good baseline
for security auditing.  Here are some other good links:

 

http://technet2.microsoft.com/WindowsServer/en/Library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?pf=true

 

http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

 

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

 

As Z said, what you audit for depends on your needs, but these should be
some good resources to help you determine what you want to do.  On top
of that, if you can swing it, I would highly recommend a centralized log
management solution, free or otherwise, to collect your event logs into
one location.  Makes it much easier for analysis and correlation.

 

James Winzenz

Infrastructure Engineer - Security

Pulte Homes Information Services

 

________________________________

From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Posted At: Wednesday, March 12, 2008 12:45 PM
Posted To: NTSysadmin
Conversation: Windows Auditing... What do you audit?
Subject: RE: Windows Auditing... What do you audit?
Importance: High
  

Depends on what you need to audit, for compliance or otherwise. 

 

Usually a good rule of thumb is the following: 

 

1)       Account Login (Success and Failure) (The downside is that
the noise from the success audits is going to fill the audit log quickly
if you don't have a way to archive it.) (Also can use auditusr to only
audit certain users regardless of success auditing being turned on;
Win2k3 only.)

2)       Account Management ( success and failure) ( domain accounts and
local accounts if you are using them) 

3)       Audit Directory Service access ( success and failure)

4)       Login access (Failure) ( Might want to do both success and
failure at server level, again you are going to get a lot of audit
entries with success turned on)

5)       Audit policy change ( success and failure)

6)       Audit Privilege Use (Failure only) (If you turn on success
your audit log will basically fill up, and quickly)

7)       Audit Process tracking (None) (Failure if you really want to
see information about processes, but it will fill up quicker if you
turn it on and definitely success will overflow it)

8)       Audit System Events ( Success and Failure) 

 

Also look into the Windows 2003 Security Guide; they have good guidelines
about baseline auditing.

 

I can send you a home-grown auditing documentation guide offline, just
email me... I am sure it will be a valuable resource. 

 

Z

 

Edward E. Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP,Security+,Network+,CCA

Phone: 401-639-3505

-----Original Message-----
From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 12, 2008 3:13 PM
To: NT System Admin Issues
Subject: Windows Auditing... What do you audit?

 

Hey List.

I'm learning about Windows auditing. As I read up on the subject, I'm
curious what most of you guys are auditing...

Login attempts? Failures?
File access attempts for all users?
Do you log only on the servers, or workstations as well?
How big do you make your security event log?
Is there a bunch of "noise" in the log from various cache files?

Thanks for the info.

--Matt Ross 
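
An added example, not part of the original thread: the rule-of-thumb list above written as a check against the `[Event Audit]` section of a security template exported with `secedit /export`. The mapping of list items to template keys ("Login access" is read as logon events) and the sample template are assumptions constructed for this example.

```python
import configparser

# [Event Audit] values in a secedit template: 0 none, 1 success, 2 failure, 3 both.
SUCCESS, FAILURE = 1, 2

# Baseline taken from the numbered list in the thread. Which template key each
# list item corresponds to is an assumption of this example.
BASELINE = {
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditDSAccess": SUCCESS | FAILURE,
    "AuditLogonEvents": FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditProcessTracking": 0,
    "AuditSystemEvents": SUCCESS | FAILURE,
}

def check_audit_policy(inf_text):
    """Return (missing, noisy): audit bits below the baseline and bits above it."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as written in the template
    parser.read_string(inf_text)
    section = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    missing, noisy = {}, {}
    for key, wanted in BASELINE.items():
        actual = int(section.get(key) or 0)
        if wanted & ~actual:          # baseline asks for bits that are not enabled
            missing[key] = wanted & ~actual
        if actual & ~wanted:          # extra bits that will add log volume
            noisy[key] = actual & ~wanted
    return missing, noisy

# Constructed sample template, not taken from a real server.
SAMPLE_INF = """[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 1
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 2
[Version]
signature="$CHICAGO$"
"""
if __name__ == "__main__":
    print(check_audit_policy(SAMPLE_INF))
```

secedit usually writes the exported file as UTF-16, so decode it accordingly before passing the text in.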
