Chapter 12
Auditing Microsoft Windows Security Events
No security strategy is complete without a comprehensive auditing strategy. More often than not, organizations learn this the hard way only after they have experienced a security incident. Without an audit trail of actions made by the intruder, it is almost impossible to successfully investigate a security incident. As part of your overall security strategy, you must determine which events you need to audit, the level of auditing appropriate for your environment, how the audited events will be collected, and how they will be reviewed. There are several reasons to enable auditing and monitor audit logs:
To create a baseline for normal network and computer operations
To detect attempts to break into the network or computer
To determine which systems and data have been compromised during or after a security incident
In addition, by regularly monitoring audit logs, especially by using automatic event monitoring software, you can help prevent further damage to networks or computers once an attacker has penetrated the network but has not yet inflicted widespread damage.
Your organization might be subject to industry or government regulations that not only dictate that certain events must be audited but also specify how audit logs are handled and how long they are archived. Check with your organization's legal representatives to ensure that your strategy for auditing is in compliance with these regulations, if applicable.