Nowadays Windows Server has over 50 categories of audit activity that you can enable for logging to the security event log. Which categories should you enable for each type of system including domain controllers, member servers and workstations?
You want to minimize the amount of “noise” events generated so that you don’t slow down audited systems, clog your log management solution and waste storage.
On the other hand, you must capture audit trails of security operations and procedures so that you can demonstrate compliance to regulators and auditors.
And of course it goes without saying that we want to use the security log to detect intrusions.
Finally, when security incidents do occur, we need detailed logs available to support forensic analysis to determine the extent of intrusions, provide evidence backing up HR actions or to prosecute crimes in court.
That’s asking a lot of one technology – in this case our audit policy and security logs.
In this webinar, I will discuss each of Windows’ 9 top-level audit categories and their respective subcategories (over 50 in all) and relate them to each of the issues above to help you formulate your standard audit policy. In fact I’ll provide my suggested baseline audit policy for each major class of Windows system: domain controllers, member servers and workstations.
I’ll also show you how audit policy is configured in each current version of Windows and provide sample scripts for use on pre-R2 Windows Server 2008 systems, where subcategories can only be configured via the auditpol command.
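The following is an added illustration, not one of the webinar’s own scripts: a small PowerShell wrapper around auditpol.exe that applies a subcategory baseline, reads the effective policy back to confirm it took, and checks the one setting that most often silently undoes auditpol changes on Windows Server 2008 and Vista (the “force subcategory settings” LSA value). The particular subcategories and success/failure choices in the table are an assumed starter baseline for a workstation, not the author’s recommendations; the subcategory names themselves are the ones auditpol accepts on these versions.

```powershell
# Added example (not from the webinar): apply and verify an audit subcategory
# baseline with auditpol.exe. The selection below is an assumption for
# illustration only; adjust it to your own policy before use.
$ErrorActionPreference = 'Stop'

# Subcategory name -> desired effective setting, as auditpol /get reports it.
$baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    # auditpol takes separate enable/disable switches for success and failure.
    $success = if ($Setting -like '*Success*') { 'enable' } else { 'disable' }
    $failure = if ($Setting -like '*Failure*') { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Name" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$Name'" }
}

function Get-EffectiveAuditSetting {
    param([string[]]$PolicyDump, [string]$Name)
    # Subcategory lines in 'auditpol /get /category:*' output are indented and
    # end with the setting text, e.g. "  Logon    Success and Failure".
    $pattern = '^\s+' + [regex]::Escape($Name) + '\s{2,}(.+?)\s*$'
    foreach ($line in $PolicyDump) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

# 1. Apply the baseline.
foreach ($entry in $baseline.GetEnumerator()) {
    Set-AuditSubcategory -Name $entry.Key -Setting $entry.Value
}

# 2. Read the effective policy back and report anything that did not stick.
$dump = & auditpol.exe /get /category:*
foreach ($entry in $baseline.GetEnumerator()) {
    $actual = Get-EffectiveAuditSetting -PolicyDump $dump -Name $entry.Key
    if ($null -eq $actual) {
        Write-Warning "Subcategory '$($entry.Key)' not found in auditpol output"
    } elseif ($actual -ne $entry.Value) {
        Write-Warning "'$($entry.Key)' is '$actual', expected '$($entry.Value)'"
    }
}

# 3. Caveat check: unless the LSA value SCENoApplyLegacyAuditPolicy is 1
#    ("Audit: Force audit policy subcategory settings to override audit policy
#    category settings"), a category-level setting arriving by Group Policy can
#    overwrite everything configured above at the next policy refresh.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; legacy category policy may override these subcategories.'
}
```

Run it from an elevated prompt on a test system first; each auditpol call takes effect immediately, and the verification step is there precisely because a subcategory that silently reverted is worse than one you never set. On a pre-R2 Windows Server 2008 host without PowerShell, the same auditpol.exe invocations can be placed in a .cmd file with identical arguments.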
In terms of reducing the noise generated by Windows auditing, you can only go so far, so noise filtering is a crucial piece of any log management solution. Therefore I’ll finish up by briefly talking to Isaac Thompson from Prism Microsystems about how they have implemented noise reduction features, data compression and other optimization techniques in EventTracker to deal with this issue.
This is real training for free (TM) - don’t miss it.