Chapter 12: Auditing Microsoft Windows Security Events

No security strategy is complete without a comprehensive auditing strategy. More often than not, organizations learn this the hard way, only after they have experienced a security incident. Without an audit trail of the actions taken by the intruder, it is almost impossible to investigate a security incident successfully. As part of your overall security strategy, you must determine which events you need to audit, the level of auditing appropriate for your environment, how the audited events will be collected, and how they will be reviewed. There are several reasons to enable auditing and monitor audit logs:

  • To create a baseline for normal network and computer operations

  • To detect attempts to break into the network or computer

  • To determine which systems and data have been compromised during or after a security incident

In addition, by regularly monitoring audit logs, especially by using automatic event monitoring software, you can help prevent further damage to networks or computers once an attacker has penetrated the network but has not yet inflicted widespread damage.

Your organization might be subject to industry or government regulations that not only dictate that certain events must be audited but also specify how audit logs are handled and how long they are archived. Check with your organization's legal representatives to ensure that your auditing strategy complies with these regulations, if applicable.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
