Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
Phone Get Quote
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Why do you need an audit policy?

Security incidents are on the rise, making it crucial for organizations to take the right measures to fortify themselves. An effective Windows audit policy ensures that appropriate events are logged for every security-related activity on your network. Carefully examining these events can help you detect a breach as soon as it occurs, limiting its damage. The audit data also serves as evidence for forensic analysis in the aftermath of any incident, and archiving it ensures that your organization complies with regulatory mandates. Here are seven audit policy recommendations to help meet your security and compliance requirements.

Top 7 audit logging best practices


Set audit policies on workstations

Any security log management strategy should include workstation monitoring. While servers and domain controllers are monitored strictly, it's imperative that workstations are also monitored, as they are usually the first point of a breach. Enabling audit policies on all your workstations can help identify security lapses before you take too much damage.


Identify critical events

Configuring the audit policy to audit every activity on your network can quickly flood your security logs with irrelevant information. This makes identifying critical events difficult for administrators. So, ensure that the most critical events that clearly point to unauthorized activities and do not represent false positives are prioritized for logging.


Configure advanced audit policies

Windows offers a binary choice between the nine audit policy categories and the advanced audit policy subcategories. The subcategories are preferable, as they enable you to limit the number of events from the related category, reducing noise. So, configure the subcategories for more granular control over which events are audited.

Note: To prevent the traditional audit category settings from overriding the subcategories, enable the Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings security option located under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.


Configure SACLs to enable object-level auditing

Object-level auditing allows you to monitor changes to your Active Directory (AD) objects, files, and folders. Enable auditing on directory objects by configuring the System Access Control Lists (SACLs) in addition to the audit and advanced audit policies. This ensures that events are logged whenever any AD object or file-related activity occurs.


Choose whether to audit successes, failures, or both

Not all activities warrant both success and failure auditing. For example, for the Audit File Share setting, you have to audit both success and failure events to track all creation, deletion, modification, and access attempts to network shares. However, for the Audit Detailed File Share setting, you may enable only failure auditing to identify unauthorized access attempts, as auditing success events for this setting will lead to a high volume of benign events. This is why you should carefully assess the pros and cons of logging success and/or failure events for each subcategory while configuring your audit policy.


Allocate enough storage space

The audit data that is collected needs to be stored and retained for a specific period to comply with regulations. Based on your audit policy, audit data can quickly fill up your disk space. So, define your event log size and retention settings to prevent overwrites, and allocate enough space to archive the audit data after retention.


Test your audit policy before implementing it

Changes to your audit policy can impact the performance of your computers. After modifying the audit settings, use the Group Policy Results Wizard to view the list of audit policy settings that will be applied. Refine the settings as needed before implementing them in your AD environment.

AD auditing made easy
with ADAudit Plus

Using native tools to interpret and analyze the information contained in audit logs can slow down your forensic response to a security breach. ManageEngine ADAudit Plus is a user behavior analytics (UBA)-driven change auditor that helps keep your Windows Server ecosystem secure and compliant by providing full visibility into all activities.

Download a 30-day free trial.

ADAudit Plus Trusted By