RE: Windows Auditing... What do you audit?

2008-03-12 Thread Ziots, Edward
Also, take a look at Randy Franklin Smith's website:

http://www.ultimatewindowssecurity.com/

He is the guru of the security logs.

Good insight, and good resources. And he gives you updates on the
risk-management of patching from Microsoft each month, which may or
may not meet your needs.

 

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

-Original Message-
From: Matthew W. Ross [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2008 3:13 PM
To: NT System Admin Issues
Subject: Windows Auditing... What do you audit?

Hey List.

I'm learning about Windows auditing. As I read up on the subject, I'm
curious what most of you guys are auditing...

Login attempts? Failures?
File access attempts for all users?
Do you log only on the servers, or workstations as well?
How big do you make your security event log?
Is there a bunch of "noise" in the log from various cache files?

Thanks for the info.

--Matt Ross

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

RE: Windows Auditing... What do you audit?

2008-03-12 Thread James Winzenz
I second the Windows 2003 Security Guide as giving you a good baseline
for security auditing.  Here are some other good links:

http://technet2.microsoft.com/WindowsServer/en/Library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?pf=true

http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

As Z said, what you audit for depends on your needs, but these should be
some good resources to help you determine what you want to do.  On top
of that, if you can swing it, I would highly recommend a centralized log
management solution, free or otherwise, to collect your event logs into
one location.  Makes it much easier for analysis and correlation.

 

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services
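As an added example, not part of James's post or any product he mentions, the PowerShell below shows the kind of correlation that only becomes possible once the logs from several hosts sit in one place: failed logons for one account spread across machines, and a volume breakdown per event ID that shows how much room the success audits take. The CSV is constructed sample data in the shape a collector or Export-Csv would produce; the column names, the event IDs used (the Windows Vista/2008+ ones: 4624 logon success, 4625 logon failure, 4672 special privileges assigned) and the thresholds are this script's assumptions.

```powershell
# Added example, not from the thread: once several hosts' security logs sit in
# one place, look across them instead of box by box. The CSV is constructed
# sample data in the shape a collector or Export-Csv produces (column names are
# this script's assumption); event IDs are the Vista/2008+ ones (4624 logon
# success, 4625 logon failure, 4672 special privileges assigned). The
# thresholds are assumptions too, tune them to your environment.
$sample = @'
TimeCreated,Computer,Id,Account,SourceIp
2008-03-12 14:58:01,SRV01,4624,jsmith,10.0.0.21
2008-03-12 14:58:02,SRV01,4672,jsmith,10.0.0.21
2008-03-12 14:59:10,SRV02,4625,svc_backup,10.0.0.99
2008-03-12 14:59:12,SRV03,4625,svc_backup,10.0.0.99
2008-03-12 14:59:15,SRV01,4625,svc_backup,10.0.0.99
2008-03-12 14:59:17,DC01,4625,svc_backup,10.0.0.99
2008-03-12 15:01:00,DC01,4624,mross,10.0.0.33
2008-03-12 15:01:00,DC01,4672,mross,10.0.0.33
2008-03-12 15:04:40,SRV02,4625,mross,10.0.0.33
'@

function Get-LogonFailureBurst {
    # Accounts with >= $MinFailures failed logons on >= $MinHosts different
    # hosts inside $WindowMinutes: a pattern no single host's log shows.
    param(
        [object[]]$Events,
        [int]$MinFailures   = 3,
        [int]$MinHosts      = 2,
        [int]$WindowMinutes = 5
    )
    $Events |
        Where-Object { $_.Id -eq '4625' } |
        Group-Object Account |
        ForEach-Object {
            $times     = @($_.Group | ForEach-Object { [datetime]$_.TimeCreated } | Sort-Object)
            $hostNames = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
            $span      = $times[-1] - $times[0]
            if ($_.Count -ge $MinFailures -and $hostNames.Count -ge $MinHosts -and
                $span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Account  = $_.Name
                    Failures = $_.Count
                    Hosts    = $hostNames -join ','
                    SpanSec  = [int]$span.TotalSeconds
                    SourceIp = @($_.Group | Select-Object -ExpandProperty SourceIp -Unique) -join ','
                }
            }
        }
}

function Get-EventIdShare {
    # Volume per event ID: shows how much of the log the success audits the
    # thread warns about actually occupy, which is what drives log sizing.
    param([object[]]$Events)
    $total = $Events.Count
    $Events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.Name
            Count   = $_.Count
            Percent = [math]::Round(100 * $_.Count / $total, 1)
        }
    }
}

$events = $sample | ConvertFrom-Csv

'Failed-logon bursts seen across hosts:'
Get-LogonFailureBurst -Events $events | Format-Table -AutoSize

'Records per event ID:'
Get-EventIdShare -Events $events | Format-Table -AutoSize
```

With the sample data, svc_backup is reported (four failures on four hosts within seven seconds, all from one source address) while mross's single failure is not. On Windows 2003 the matching event IDs are 528 (successful logon) and 529 (logon failure), so change the filter in Get-LogonFailureBurst for a 2003-era export.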

 




RE: Windows Auditing... What do you audit?

2008-03-12 Thread Benjamin Zachary
I typically set my logs at 32 megs on the server for everything. Turn on
auditing for logon events, and file access success/failure. I think there
were one or two more but that's it for the most part. Trying to sift through
logs can be painful at best. If you are looking for particular items at a
particular time it's not too bad, but the noise level is usually pretty high.

If you want general overall knowledge, and maybe some decent reporting over
time you definitely will want to get some kind of log viewer app to
centralize it and parse the data.

 


RE: Windows Auditing... What do you audit?

2008-03-12 Thread Ziots, Edward
Depends on what you need to audit, for compliance or otherwise.

Usually a good rule of thumb is the following:

 

1) Account Login (Success and Failure) (The downside is that the noise
from the success audits is going to fill the audit log quickly if you
don't have a way to archive it.) (Also can use auditusr to only audit
certain users regardless of success auditing being turned on; Win2k3
only.)

2) Account Management (success and failure) (domain accounts and local
accounts if you are using them)

3) Audit Directory Service access (success and failure)

4) Login access (Failure) (Might want to do both success and failure at
server level, again you are going to get a lot of audit entries with
success turned on)

5) Audit policy change (success and failure)

6) Audit Privilege Use (Failure only) (If you turn on success your audit
log will basically fill up and quick)

7) Audit Process tracking (None) (Failure if you really want to see
information about processes, but it will fill up quicker if you turn it
on and definitely success will overflow it)

8) Audit System Events (Success and Failure)

 

Also look into the Windows 2003 Security Guide; they have good guidelines
about baseline auditing.

I can send you a home-grown auditing documentation guide offline, just
email me... I am sure it will be a valuable resource.

 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505
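As an added example, not code from the thread, the PowerShell script below turns Ed's eight-item baseline into auditpol.exe commands, one per legacy audit category, and prints them as a dry run unless -Apply is given. auditpol.exe is built into Windows Vista / Server 2008 and later (on Server 2003 the same categories are set under Local Policies > Audit Policy in secpol.msc or a GPO); the mapping from the 2003 policy names to auditpol's category names, and the -Apply and -ServerLogonSuccess switches, are this script's assumptions.

```powershell
# Added example, not from the thread: apply Ed Ziots's category-level audit
# baseline with auditpol.exe (built into Windows Vista / Server 2008 and later).
# The mapping from the Windows 2003 "Audit ..." policy names to auditpol's
# category names, and both switches, are this script's assumptions. Run elevated.
[CmdletBinding()]
param(
    # Without -Apply the script only prints the auditpol commands it would run.
    [switch]$Apply,
    # Item 4 in the thread: servers may also want Logon/Logoff *success*.
    [switch]$ServerLogonSuccess
)

# Thread item -> auditpol category, success and failure auditing on/off
$baseline = @(
    @{ Item = '1) Account Login';            Category = 'Account Logon';      Success = $true;  Failure = $true  }
    @{ Item = '2) Account Management';       Category = 'Account Management'; Success = $true;  Failure = $true  }
    @{ Item = '3) Directory Service access'; Category = 'DS Access';          Success = $true;  Failure = $true  }
    @{ Item = '4) Login access';             Category = 'Logon/Logoff';       Success = [bool]$ServerLogonSuccess; Failure = $true }
    @{ Item = '5) Policy change';            Category = 'Policy Change';      Success = $true;  Failure = $true  }
    @{ Item = '6) Privilege Use';            Category = 'Privilege Use';      Success = $false; Failure = $true  }
    @{ Item = '7) Process tracking';         Category = 'Detailed Tracking';  Success = $false; Failure = $false }
    @{ Item = '8) System Events';            Category = 'System';             Success = $true;  Failure = $true  }
)

function ConvertTo-AuditpolFlag([bool]$On) { if ($On) { 'enable' } else { 'disable' } }

foreach ($entry in $baseline) {
    # One argument per array element; PowerShell quotes the ones containing spaces.
    $auditpolArgs = @(
        '/set'
        "/category:$($entry.Category)"
        "/success:$(ConvertTo-AuditpolFlag $entry.Success)"
        "/failure:$(ConvertTo-AuditpolFlag $entry.Failure)"
    )
    Write-Host ('{0,-28} auditpol.exe {1}' -f $entry.Item, ($auditpolArgs -join ' '))
    if ($Apply) {
        & auditpol.exe @auditpolArgs
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol returned $LASTEXITCODE for category '$($entry.Category)'"
        }
    }
}

if ($Apply) {
    # Print the effective policy so the change can be checked and kept with the change record.
    & auditpol.exe /get /category:*
}
```

Setting a category with auditpol enables every subcategory under it, which is the same granularity the 2003 policy had, so the noise warnings in items 1, 4, 6 and 7 apply unchanged; per-subcategory tuning is where to go once the volume from success auditing is known.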
