
Audit Policy Best Practices

What is audit policy?
Windows audit policy defines which types of events are written to the Security log of your Windows servers.
Establishing an effective audit policy is an important aspect of IT security. Monitoring the creation and
modification of objects helps you spot potential security problems, ensure user accountability and provide
evidence in the event of a security breach. The recommended settings below are intended as a baseline
for system administrators starting to define Active Directory (AD) audit policies.

Best practices for auditing

- Before you implement any audit processes, determine how you will collect, store and analyze the data.
There is little value in amassing large volumes of audit data if there is no underlying plan to manage and
use it.

- Remember that audit settings can affect computer performance. Perform performance tests before you
deploy new audit settings in your production environment.

- A final consideration is the amount of storage space you can allocate to the data collected by auditing.
Depending on the settings you choose, audit data can quickly fill the available disk space.

How to implement audit policy

- Determine which types of events you want to audit from the list below, and specify the settings for
each one. The settings you specify constitute your audit policy. Note that some event types are
audited by default.

- Specify the maximum size and other attributes of the Security log using the Event Logging policy
settings. You can view the Security log with Event Viewer.

- If you want to audit directory service access or object access, configure the Audit directory service
access and Audit object access policy settings. Note that both categories only produce events for
objects that carry a system access control list (SACL); the policy setting alone logs nothing until a
SACL is placed on the AD object, file, folder or registry key you want to watch.

Types of events you can audit

- Account logon. Records the validation of credentials, for example Kerberos ticket requests and NTLM
authentication, on the machine that performed the validation, which for domain accounts is a domain
controller. Auditing this category on your domain controllers is therefore the only way to see every
authentication attempt against the domain, regardless of which computer was targeted. Audit both
successful and failed events to detect intrusion attempts. These are authentication events rather than
session events, so there is no corresponding logoff, and none is recorded on the domain controllers.

- Account management. Carefully monitoring all user, computer and group account changes helps minimize
the risk of business disruption and system unavailability.

- Directory service access. Monitor this only when you need to see when someone accesses an AD
object that has its own system access control list (for example, an OU).

- Logon. Seeing successful and failed attempts to log on to or off a local computer is useful for intruder
detection and post-incident forensics. These events are written on the computer where the session was
created, not on the domain controller that validated the credentials.

- Object access. Audit this only when you need to see when someone accessed, copied, distributed,
modified or deleted files on file servers. Events are generated only for files, folders, registry keys and
other securable objects that have a SACL.

- Policy change. Records changes to the audit, authentication and user-rights policies in effect on a
computer, whether made locally or applied through a GPO. Improper changes to a GPO can greatly damage
the security of your environment. Monitor all such modifications to reduce the risk of data exposure.

- Privilege use. Turn this on only when you want to track each instance of a user right being exercised.

- Process tracking. Auditing process-related events, such as process creation, process termination,
handle duplication and indirect object access, can be useful for incident investigations.

- System. Configuring the system audit policy to log startups, shutdowns and restarts of the computer,
and attempts by a process or program to do something it does not have permission to do, is valuable
because all such events are significant. For example, if malicious software tries to change a security
setting on your computer without your permission, system event auditing would record that action.
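The categories above become useful only when something reads the events they produce. The following PowerShell is an added example for this page, not Netwrix code: it turns "audit logon and account logon failures" into a concrete check for a burst of failed authentications against one account, and notes whether the account was then locked out. The event IDs are the standard Windows Security log IDs (4625 failed logon, written on the target machine by the Logon category; 4771 Kerberos pre-authentication failure, written on the domain controller by the Account logon category; 4740 account lockout). The threshold, the window and the sample records are assumptions.

```powershell
# Added example (not from the Netwrix document). Detects a burst of failed authentications
# for one account inside a short window. Threshold and window are assumptions; tune them.

function Find-FailedLogonBursts {
  param(
    # Objects with TimeCreated, Id, Account and Source (from Get-LogonFailureEvents or constructed).
    [Parameter(Mandatory)] [object[]]$Events,
    [int]$Threshold = 5,
    [timespan]$Window = [timespan]::FromMinutes(10)
  )
  $failureIds = 4625, 4771
  $lockedOut  = @($Events | Where-Object { $_.Id -eq 4740 } | ForEach-Object { $_.Account })
  foreach ($grp in ($Events | Where-Object { $_.Id -in $failureIds } | Group-Object Account)) {
    $sorted = @($grp.Group | Sort-Object TimeCreated)
    # Slide a window of $Threshold consecutive failures; report the first one that fits in $Window.
    for ($i = 0; ($i + $Threshold - 1) -lt $sorted.Count; $i++) {
      $span = $sorted[$i + $Threshold - 1].TimeCreated - $sorted[$i].TimeCreated
      if ($span -le $Window) {
        [pscustomobject]@{
          Account   = $grp.Name
          Failures  = $grp.Count
          Sources   = ($grp.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ','
          FirstSeen = $sorted[$i].TimeCreated
          LockedOut = $lockedOut -contains $grp.Name
        }
        break
      }
    }
  }
}

function Get-LogonFailureEvents {
  # Reads the live Security log (administrator rights required) and flattens the EventData
  # fields the check needs. 4740 carries the locked-out account in TargetUserName and the
  # calling computer in TargetDomainName; 4625 and 4771 carry the source address in IpAddress.
  param([datetime]$Since = (Get-Date).AddHours(-24))
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
      $data = @{}
      foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
      $src = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
      [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Account     = $data['TargetUserName']
        Source      = $src
      }
    }
}

# Constructed sample, not real log data: six failures against svc_backup from two hosts within
# three minutes, then a lockout, plus one isolated failure for alice that must not be reported.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(
  0..5 | ForEach-Object {
    $src = if ($_ % 2) { '10.0.0.5' } else { '10.0.0.9' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30 * $_); Id = 4625; Account = 'svc_backup'; Source = $src }
  }
  [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Id = 4740; Account = 'svc_backup'; Source = 'FS01' }
  [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Id = 4625; Account = 'alice';      Source = '10.0.0.7' }
)
Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
# Against the live log: Find-FailedLogonBursts -Events (Get-LogonFailureEvents)
```

On the constructed sample this reports a single row for svc_backup (six failures from 10.0.0.5 and 10.0.0.9, LockedOut True) and nothing for alice. Run against the Security log on a domain controller it will mostly see 4771 (and 4740); run on a member server it sees 4625, which is the practical consequence of the Account logon versus Logon distinction described above.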

Recommended Audit Policy settings

Account logon

- Audit Credential Validation: Success and Failure

Account management

- Audit Computer Account Management: Success and Failure

- Audit Other Account Management Events: Success and Failure

- Audit Security Group Management: Success and Failure

- Audit User Account Management: Success and Failure

Directory service access

- Audit Directory Service Access: Success and Failure (domain controllers only)

- Audit Directory Service Changes: Success and Failure (domain controllers only)

Logon

- Audit Account Lockout: Success

- Audit Logoff: Success

- Audit Logon: Success and Failure

- Audit Special Logon: Success and Failure

Object access

- Enable this setting only if you have a specific use for the data that will be logged, because it can cause
a large volume of entries to be generated in your Security logs.

Policy Change

- Audit Audit Policy Change: Success and Failure

- Audit Authentication Policy Change: Success and Failure

Privilege use

- Enable this setting only if you have a specific use for the data that will be logged, because it can cause
a large volume of entries to be generated in your Security logs.

Process tracking

- Enable this setting only if you have a specific use for the data that will be logged, because it can cause
a large volume of entries to be generated in your Security logs.

System

- Audit Security State Change: Success and Failure

- Audit Other System Events: Success and Failure

- Audit System Integrity: Success and Failure

Detailed tracking (the Advanced Security Audit Policy Configuration name for process tracking)

- Audit Process Creation: Success
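The "How to implement audit policy" steps and the baseline above can be applied and verified with auditpol.exe and wevtutil.exe, both of which ship with Windows. The script below is an added example for this page, not Netwrix code. It assumes it runs elevated, that the auditpol subcategory names are the English ones, and that the log size (1 GiB) and the hypothetical share path are placeholders you will change. It also adds two settings the page does not mention but that the baseline depends on in practice: the LSA value that makes per-subcategory settings win over legacy category settings, and the value that makes Process Creation events include the command line.

```powershell
# Added example (not from the Netwrix document): apply the recommended subcategories with
# auditpol, size the Security log, optionally scope object access with a SACL, then verify.
# Run as Administrator. Subcategory names are the English names auditpol.exe expects.
$ErrorActionPreference = 'Stop'

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

$successAndFailure = @(
  'Credential Validation',
  'Computer Account Management', 'Other Account Management Events',
  'Security Group Management', 'User Account Management',
  'Logon', 'Special Logon',
  'Audit Policy Change', 'Authentication Policy Change',
  'Security State Change', 'Other System Events', 'System Integrity'
)
if ($isDC) { $successAndFailure += 'Directory Service Access', 'Directory Service Changes' }
$successOnly = @('Account Lockout', 'Logoff', 'Process Creation')

function Set-AuditSubcategory {
  param([string]$Name, [string]$Success, [string]$Failure)
  & auditpol.exe /set /subcategory:"$Name" /success:$Success /failure:$Failure | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Name' (exit code $LASTEXITCODE)" }
}

foreach ($s in $successAndFailure) { Set-AuditSubcategory -Name $s -Success enable -Failure enable }
foreach ($s in $successOnly)       { Set-AuditSubcategory -Name $s -Success enable -Failure disable }

# Make subcategory settings override the legacy nine-category settings; without this a legacy
# category value delivered by GPO (e.g. "Audit logon events") can silently replace them.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
  -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Process Creation events (4688) carry the command line only when this value is set.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Security log: 1 GiB, overwrite oldest events when full (size it against your collection plan).
& wevtutil.exe sl Security /ms:1073741824 /rt:false

# Object access stays off by default. If you need it, enable only the File System subcategory
# and put a SACL on the specific path you care about; the policy alone logs nothing.
$auditPath = 'D:\Shares\Finance'   # hypothetical path, assumption for this example
if (Test-Path -Path $auditPath) {
  Set-AuditSubcategory -Name 'File System' -Success enable -Failure enable
  $acl  = Get-Acl -Path $auditPath -Audit
  $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete,DeleteSubdirectoriesAndFiles,WriteData,AppendData',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
  $acl.AddAuditRule($rule)
  Set-Acl -Path $auditPath -AclObject $acl
}

# Verify: auditpol /get /r emits CSV with an "Inclusion Setting" column.
$state  = & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$wanted = $successAndFailure + $successOnly
$state |
  Where-Object { $wanted -contains $_.Subcategory -and $_.'Inclusion Setting' -eq 'No Auditing' } |
  ForEach-Object { Write-Warning "Still not audited: $($_.Subcategory)" }
```

In a domain, local auditpol changes are overwritten at the next policy refresh if a GPO defines Advanced Audit Policy Configuration, so deliver the same subcategory settings through the GPO (Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration) and use the verification step at the end of the script to confirm what is actually in effect on each server.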

About Netwrix
Netwrix Corporation is a software company focused exclusively on providing IT security and operations
teams with pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT
infrastructures to protect data regardless of its location. Over 9,000 organizations worldwide rely on Netwrix
to detect and proactively mitigate data security threats, pass compliance audits with less effort and expense,
and increase the productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information about Netwrix, visit www.netwrix.com.

Keep Tabs on What's Happening in Your IT Environment with Netwrix Auditor

- Monitor events with the critical who, what, when and where details and before and after values

- Simplify reporting with automated subscriptions and a range of export options

- Be notified about suspicious changes and access attempts as they happen

- Keep your complete audit trail for more than 10 years

Download Free 20-Day Trial

Corporate Headquarters: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 | Toll-free: 888-638-9749 | EMEA: +44 (0) 203-588-3023
netwrix.com/social
