While Auditing is normally in place on servers, it isn’t usually performed on workstations unless there is a high risk of data theft. However, enabling a few auditing events locally on a workstation may prevent a larger problem in the future.

By selectively auditing a few key actions, you’ll have a place to start investigating theft or destruction of data if someone ever does compromise your workstation. Set up auditing on the following actions:

• Account logon events (success and failure)
• Account management (success and failure)
• Logon events (success and failure)
• Object access (success)
• Policy change (success and failure)
• Privilege use (success and failure)
• System events (success and failure)

[Diana Huggins]