Windows Auditing

Sie

............

dynamik

Actually, I think your company's security policy would be the best source to use for determining what you should audit.

Sie

............

Sie

............

blargoe

"What" are you intending to audit? In most cases, you will also have to enable the actual object (an OU, a file directory, or whatever) to be audited and which events to audit as well.

First, look at your company's security policy. Next, look at the actual requests you might get (for example, a file got deleted or modified in a certain secure area and you need to gather some info). Finally, audit where administratively useful to you. Don't just audit everything or you'll be wasting resources and though space might not be a concern, you could risk having a corrupt or unmanageable log file, which would be totally useless to you.

b

JDMurray

SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals has a section on security policies and auditing for Windows XP.

hypnotoad

So if i wanted to know whenever someone logs on or off a machine on the domain, and i don't care about the rest of it, what should i turn on? These things have always created too much noise for me.

dynamik

Account logon and/or logon depending on what you want to monitor.

Recent thread about the differences: http://techexams.net/forums/viewtopic.php?t=41009

Sie

............

blargoe

I would first bump up the size of the security logs a bunch on the DC and enable auditing on all of them to audit logons, and audit logons on any sensitive servers (the local security log would get any hits for local accounts as well as domain accounts), and any server that might have critical data like a file server, but there only selectively audit access to files/folders where necessary. Tweak from there.

You may want to check the logging on your IIS servers too, depending on what you have on them.

hypnotoad

What would be really cool is to get an email any time somebody logs on a DC locally or by RDP. Sounds like a job for some unknown third-party application.

Sie

............

blargoe

hypnotoad wrote:

What would be really cool is to get an email any time somebody logs on a DC locally or by RDP. Sounds like a job for some unknown third-party application.

This is actually very easy to set up in something like SCOM, if you know what the audited logon types mean. Alert on all successful logon events of logon type 10 on your domain controllers. Probably want to grab logon type 2 (interactive logon) as well.

Logon types
http://www.ultimatewindowssecurity.com/logontypes.html

blargoe

Sie wrote:

That would be useful in some circumstances and Im sure that wouldnt be too hard to do.

Another question for you all.

You can only pick one:

Success or Failure.

Would you rather know when someone has changed something or when they are trying to?

Take account management or system event for example.

Do you want to know when Joe Bloggs has added himself to the admin group or deleted the sec log or just when he tries to.

Success would show you when the threat was real and is happening / happened.

Yet failure would show you and warn you before it happened.....

Just a random thought while i have been going through all this!

Only being able to pick one doesn't make any sense to me, if it's that critical to keep track of that resource then you gotta log both success and failure. If forced to pick only one, I'd log successes and rely on my security and recovery processes I guess, that way you'd at least be able to track down exactly when the offending event happened.

Sie

............