Security incidents are on the rise, making it crucial for organizations to take the right measures to fortify themselves. An effective Windows audit policy ensures that appropriate events are logged for every security-related activity on your network. Carefully examining these events can help you detect a breach as soon as it occurs, limiting its damage. The audit data also serves as evidence for forensic analysis in the aftermath of any incident, and archiving it ensures that your organization complies with regulatory mandates. Here are seven audit policy recommendations to help meet your security and compliance requirements.
Any security log management strategy should include workstation monitoring. While servers and domain controllers are monitored strictly, it's imperative that workstations are also monitored, as they are usually the first point of a breach. Enabling audit policies on all your workstations can help identify security lapses before they cause serious damage.
Configuring the audit policy to audit every activity on your network can quickly flood your security logs with irrelevant information. This makes identifying critical events difficult for administrators. So, ensure that the most critical events that clearly point to unauthorized activities and do not represent false positives are prioritized for logging.
Windows lets you configure auditing either through the nine basic audit policy categories or through the advanced audit policy subcategories. The subcategories are preferable, as they let you limit the number of events generated from the related category, reducing noise. So, configure the subcategories for more granular control over which events are audited.
Note: To prevent the traditional audit category settings from overriding the subcategories, enable the Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings security option located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Object-level auditing allows you to monitor changes to your Active Directory (AD) objects, files, and folders. Enable auditing on directory objects by configuring the System Access Control Lists (SACLs) in addition to the audit and advanced audit policies. This ensures that events are logged whenever any AD object or file-related activity occurs.
Not all activities warrant both success and failure auditing. For example, for the Audit File Share setting, you have to audit both success and failure events to track all creation, deletion, modification, and access attempts to network shares. However, for the Audit Detailed File Share setting, you may enable only failure auditing to identify unauthorized access attempts, as auditing success events for this setting will lead to a high volume of benign events. This is why you should carefully assess the pros and cons of logging success and/or failure events for each subcategory while configuring your audit policy.
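The following PowerShell script is an added example, not part of the original article, that applies the subcategory recommendations above on a single machine: it sets the registry value behind the "Force audit policy subcategory settings" security option, configures File Share and Detailed File Share with auditpol, and then verifies the result by parsing auditpol's CSV output. It assumes an elevated prompt and local policy; in a domain, the same settings belong in a GPO under Advanced Audit Policy Configuration.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Assumption: local policy on one host; in a domain, put these in a GPO instead.

# 1. Make subcategory settings override the legacy category settings.
#    This DWORD is what the security option "Force audit policy subcategory
#    settings (Windows Vista or later) to override audit policy category
#    settings" toggles.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. File Share: success and failure, to track creation, deletion,
#    modification and access attempts on network shares.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable

# 3. Detailed File Share: failure only, to surface denied access attempts
#    without logging every successful file access on a share.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:enable

# 4. Verify. "auditpol /get ... /r" emits CSV with an "Inclusion Setting"
#    column whose values are "No Auditing", "Success", "Failure" or
#    "Success and Failure".
$expected = @{
    'File Share'          = 'Success and Failure'
    'Detailed File Share' = 'Failure'
}
$state = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($name in $expected.Keys) {
    $row = $state | Where-Object { $_.Subcategory -eq $name }
    $actual = $row.'Inclusion Setting'
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name is '$actual', expected '$($expected[$name])'"
    } else {
        Write-Host "$name : $actual"
    }
}

# Confirm the override flag took effect.
(Get-ItemProperty -Path $lsa).SCENoApplyLegacyAuditPolicy
```

The verification step is the one worth keeping in a scheduled compliance check: a subcategory that silently drifts back to "No Auditing" after a policy refresh is a gap in coverage that no alerting rule will reveal on its own.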
The audit data that is collected needs to be stored and retained for a specific period to comply with regulations. Based on your audit policy, audit data can quickly fill up your disk space. So, define your event log size and retention settings to prevent overwrites, and allocate enough space to archive the audit data after retention.
Changes to your audit policy can impact the performance of your computers. After modifying the audit settings, use the Group Policy Results Wizard to view the list of audit policy settings that will be applied. Refine the settings as needed before implementing them in your AD environment.