Now that you know how auditing works, the first question that you should ask yourself is what really needs to be audited? As I mentioned, I always recommend auditing domain controllers, and if the situation applies, member servers and stand-alone servers. But what should you audit on those servers? I recommend that you audit the following items:
- Logon failures
- Policy changes
- Privilege use
- Account management
- Any directories that are confidential or sensitive (a file-level audit)
There are a couple of best practices that you should follow when using auditing. First, it’s a good idea to audit just about everything that members of the Administrators group do. The reason for this is that an attacker will typically try to gain administrative access before going after your systems, so the attack will usually show up in the log as an administrative action.
Another good practice is that when auditing users, you should audit the Everyone group rather than the Users group. The Users group contains only authenticated accounts; it doesn’t cover anonymous connections that may have slipped through your Internet firewall. The Everyone group covers all users whether or not they are authenticated. One caveat: starting with Windows Server 2003 (and Windows XP), the Anonymous Logon identity is no longer a member of Everyone unless the security option “Network access: Let Everyone permissions apply to anonymous users” is enabled, so if you want a file-level audit to capture anonymous access, add an audit entry for Anonymous Logon explicitly as well.
Review the security logs
One of the most important things that you need to know about auditing is that enabling auditing doesn’t automatically alert you to events as they occur; it only records them in the Security log. It’s up to you to review the log regularly and to understand what the entries mean.
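As an added example (not from the original article), the following Python script does the kind of review described above over a constructed sample of Security-log entries. It groups events into the categories recommended earlier (logon failures, policy changes, privilege use, account management, object access) using the event IDs as numbered on Windows 2000/Server 2003, flags actions taken by accounts treated as Administrators, flags object access by the Anonymous Logon identity, and counts repeated logon failures against the same target account. The tab-separated column layout, the admin account list and the sample rows are assumptions made for the example; a real Event Viewer text export has a different column order, so adjust parse_log() to match your export or SIEM format.

```python
import csv
import io
import re
from collections import Counter

# Security-log event IDs as numbered on Windows 2000/Server 2003, grouped
# under the categories the article recommends auditing.
CATEGORIES = {
    "logon failure":      {529, 530, 531, 532, 533, 534, 535, 536, 537, 539},
    "policy change":      {608, 609, 612},
    "privilege use":      {576, 577, 578},
    "account management": {624, 626, 627, 628, 630, 631, 632, 633, 634, 635,
                           636, 637, 638, 639, 641, 642, 644},
    "object access":      {560, 562, 563, 564, 567},
}

# Accounts treated as members of Administrators. This is an assumption for
# the example; in practice derive the set from the real group membership.
ADMIN_ACCOUNTS = {"Administrator", "jsmith"}

# Constructed sample rows in a simplified tab-separated layout:
# date, time, type, user, event id, computer, description.
# Not a real export; the descriptions follow the 2003 event text loosely.
SAMPLE_ROWS = [
    ["3/12/2005", "08:01:12", "Failure Audit", "NT AUTHORITY\\SYSTEM", "529", "DC1",
     "Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3 Workstation Name: WS12"],
    ["3/12/2005", "08:01:14", "Failure Audit", "NT AUTHORITY\\SYSTEM", "529", "DC1",
     "Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3 Workstation Name: WS12"],
    ["3/12/2005", "08:01:17", "Failure Audit", "NT AUTHORITY\\SYSTEM", "529", "DC1",
     "Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3 Workstation Name: WS12"],
    ["3/12/2005", "08:05:40", "Success Audit", "CORP\\alice", "528", "DC1",
     "Successful Logon: User Name: alice Domain: CORP Logon Type: 2"],
    ["3/12/2005", "08:10:03", "Success Audit", "CORP\\Administrator", "612", "DC1",
     "Audit Policy Change: New Policy: Success Failure Logon/Logoff"],
    ["3/12/2005", "08:11:45", "Success Audit", "CORP\\Administrator", "632", "DC1",
     "Security Enabled Global Group Member Added: Member Name: CN=bob,CN=Users,DC=corp,DC=local Target Account Name: Domain Admins"],
    ["3/12/2005", "08:15:22", "Success Audit", "CORP\\jsmith", "576", "DC1",
     "Special privileges assigned to new logon: Privileges: SeDebugPrivilege SeBackupPrivilege"],
    ["3/12/2005", "08:20:09", "Success Audit", "NT AUTHORITY\\ANONYMOUS LOGON", "560", "FS1",
     "Object Open: Object Type: File Object Name: C:\\Confidential\\payroll.xls Accesses: ReadData"],
    ["3/12/2005", "08:22:31", "Success Audit", "CORP\\alice", "538", "DC1",
     "User Logoff: User Name: alice Domain: CORP Logon Type: 2"],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Pulls the target account out of a logon-failure description.
TARGET_RE = re.compile(r"User Name:\s*(\S+)")


def parse_log(text):
    """Parse tab-separated rows into dicts, skipping anything that is not an audit record."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 7 or not row[4].isdigit():
            continue
        date, time, kind, user, event_id, computer, description = row[:7]
        if kind not in ("Success Audit", "Failure Audit"):
            continue
        events.append({
            "date": date, "time": time, "type": kind, "user": user,
            "account": user.split("\\")[-1],      # strip the DOMAIN\ prefix
            "event_id": int(event_id), "computer": computer,
            "description": description,
        })
    return events


def classify(event_id):
    """Return the audit category for an event ID, or None if it is not one we review."""
    for name, ids in CATEGORIES.items():
        if event_id in ids:
            return name
    return None


def review(text, failure_threshold=3):
    """Summarise a log export: per-category counts, admin actions, anonymous access, guessing."""
    summary = Counter()
    admin_actions, anonymous_access = [], []
    failures_by_target = Counter()
    for ev in parse_log(text):
        category = classify(ev["event_id"])
        if category is None:
            continue                              # e.g. successful logons and logoffs
        ev["category"] = category
        summary[category] += 1
        if ev["account"] in ADMIN_ACCOUNTS:
            admin_actions.append(ev)              # everything Administrators do is of interest
        if ev["account"].upper() == "ANONYMOUS LOGON":
            anonymous_access.append(ev)           # what an Everyone-based audit should catch
        if category == "logon failure":
            match = TARGET_RE.search(ev["description"])
            if match:
                failures_by_target[match.group(1)] += 1
    suspected = sorted(t for t, n in failures_by_target.items() if n >= failure_threshold)
    return {"summary": summary, "admin_actions": admin_actions,
            "anonymous_access": anonymous_access, "suspected_guessing": suspected}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for category, count in sorted(result["summary"].items()):
        print(f"{category:20s} {count}")
    for ev in result["admin_actions"]:
        print("admin action:", ev["time"], ev["account"], ev["event_id"], ev["category"])
    for ev in result["anonymous_access"]:
        print("anonymous access:", ev["time"], ev["computer"], ev["description"])
    print("repeated logon failures against:", result["suspected_guessing"])
```

Run against the sample, the script reports three logon failures against bob (a password-guessing pattern worth a closer look), two administrative actions by Administrator (the audit policy change and the Domain Admins membership change) plus the privileged logon by jsmith, and one anonymous read of a file in a confidential directory. Note that for logon-failure events the User column is the system account, so the target account has to come from the description text, which is why the script parses it separately.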