Checklist: How to properly configure the audit policy
Configure multiple audit policies.
Understand that security-related events are recorded where they happen, and you may need to configure multiple policies in order to obtain the whole picture. To capture events that happen on domain controllers, configure the audit policy in the default domain controller policy. To capture events on member servers and workstations, configure the audit policy for a GPO linked to the container within which these computer accounts reside. If one policy fits all, the default domain policy is a good location. However, for maximum flexibility, you may want to work with GPOs linked to different OUs. Download the Group Policy Management Console, a Microsoft freebie, for the easiest approach to policy configuration. An audit policy for standalone Windows computers can be configured in Start > Control Panel > Administrative Tools > Local Security Policy.
Turn auditing on.
Windows NT, Windows 2000 and Windows XP do not have any auditing configured by default. Set one component in the audit policy to record success and/or failure events and you have turned the audit policy on. Windows Server 2003 has auditing turned on by default. Hurrah! You should evaluate the default settings and adjust them to suit your organization.
Decide what to audit.
Table 1 lists the audit settings from Windows Server 2003 and their purposes. Earlier Windows audit policy may have slight differences in wording, but you'll be able to compare them. Table 2 provides my recommendations.
Table 1: Audit Policy Settings
Table 2: Audit Policy Recommendations
Configure event log settings.
The default event log settings on Windows systems will probably need changing, including enlarging the log file size. This topic will be covered next time.
After audit settings are configured, the Windows event logs will start to build a goldmine of information, but understanding and using that information requires another checklist, one that I'll soon supply.
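One way to verify the first two checklist items across machines, given here as an added example that is not part of the original checklist: export each computer's security settings with `secedit /export /cfg <file>` and compare the `[Event Audit]` sections. The two sample exports and the function names below are constructed for illustration.

```python
# Values used in the [Event Audit] section of a security template export.
SETTING = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}
# Constructed sample exports (not real data) in the layout written by
# `secedit /export /cfg <file>`; only the [Event Audit] section is read.
DC_EXPORT = """[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditAccountLogon = 3
"""
WORKSTATION_EXPORT = """[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditPolicyChange = 0
AuditAccountLogon = 0
"""

def parse_event_audit(inf_text):
    """Return {category: value} from the [Event Audit] section."""
    audit, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            audit[key.strip()] = int(value)
    return audit

def auditing_enabled(audit):
    """Auditing is on as soon as one category records success or failure."""
    return any(v != 0 for v in audit.values())

def differences(policies):
    """Categories whose setting is not the same on every computer."""
    cats = sorted({c for a in policies.values() for c in a})
    table = {c: {n: a.get(c, 0) for n, a in policies.items()} for c in cats}
    return {c: v for c, v in table.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    policies = {"dc": parse_event_audit(DC_EXPORT),
                "workstation": parse_event_audit(WORKSTATION_EXPORT)}
    for name, audit in policies.items():
        print(name, "auditing on:", auditing_enabled(audit))
        for cat, v in audit.items():
            print(f"  {cat}: {SETTING.get(v, 'unknown')}")
    for cat, v in differences(policies).items():
        print("differs:", cat, v)
```

A computer that reports "auditing on: False" has no category recording events, and any category listed under "differs" shows where the policy that applies to one group of computers does not match another.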
ABOUT THE AUTHOR:
Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
This was first published in December 2004