Managing the Event Viewer
All OS security events in Windows NT, Windows 2000, and Windows XP are recorded in the Event Viewer security log. In addition, security-related events might be recorded in the application log and system log.
Before you enable audit policies, you must evaluate whether the default configuration of the log files in the Event Viewer is set properly for your organization. The default settings for the security event log are shown in Figure 12-1.
Figure 12-1. Security event log default settings
For each event log, you must determine the
Storage location
Maximum log file size
Overwrite behavior
Determining the Storage Location
By default, the security event log is stored in the %systemroot%\system32\config\ directory in a file named SecEvent.evt. In Windows XP, you can change the log file location in the Properties dialog box. In Windows NT 4.0 and Windows 2000, you must edit the registry to change the storage location of each log file. The path and file name for the security log is stored in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
By default, only the System account and the Administrators group have access to the security event log to ensure that nonadministrators do not have access to read, write, or delete security events. If you move the log to a new location, ensure that the new file has the correct NTFS file system permissions. Because the Event Log service cannot be stopped, changes to this setting will not take place until after the server is rebooted.
Determining the Maximum Log File Size
By default, the maximum size that the security event log can reach before the overwrite behavior is initiated is 512 KB. Because hard disk space is more readily available now than in the past, you will likely want to increase this setting. How much you increase this setting depends on your overwrite behavior, but a general guideline is to set the maximum size to at least 50 MB. The maximum size that you should set an event log to is 300 MB. Each security event is 350 to 500 bytes, so a 10-MB event log will contain approximately 20,000 to 25,000 security events.
You can change the maximum size of the log file on individual computers in the security event log Properties dialog box or by editing the registry. You can also change the maximum log file size on many computers by using Group Policy security templates. The maximum size for the security event log is stored in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\MaxSize.
Configuring the Overwrite Behavior
When configuring the security event log settings, you must define what will happen when the maximum log file size is reached, also known as the overwrite behavior. Windows NT 4.0 and later versions have three overwrite behavior settings:
New events will continue to be written when the log is full. Each new event replaces the oldest event in the log.
Retain events in the log for the number of days you specify before overwriting events. The default is 7 days.
New events will not be recorded, and the event log will need to be cleared manually.
In addition, you can configure the OS to shut down if security events cannot be written to the security audit log file. When this setting is enabled and events cannot be written to the security event log, the computer will initiate a stop error, commonly known as the Blue Screen of Death, with the following error message:
STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed
After this stop error has occurred, only members of the local Administrators group will be allowed to log on, to troubleshoot why the events cannot be written to the event log. Until events can be written to the event log, the computer will not operate normally. This is an important setting for high-security environments because it ensures that all security events are recorded. However, a large number of security events generated by an attacker or network problem could cause a denial-of-service condition. Similarly, shutting down the server might not necessarily be in accordance with availability service level agreements (SLAs). If your organization has high security needs and high availability needs, you should implement a method of removing auditing events from the system programmatically.
You can configure Windows NT 4.0 and later versions to shut down if security events cannot be logged by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail to 1.
Unless you have a centralized auditing system, such as the Microsoft Operations Manager or the Microsoft Auditing Control System, you will need to carefully evaluate which overwrite behavior settings are best for your organization. In general, you will want to ensure that the security event log size is large enough to record all events that occur between successive archivals of events.
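The following PowerShell check applies the sizing and overwrite guidance from this section to a host's current registry settings. It is an added example, not code from the book. It reads MaxSize and CrashOnAuditFail as named above and assumes the Retention and File values documented under the same Eventlog\Security key (Retention is 0 for overwrite as needed, 0xFFFFFFFF for never overwrite, otherwise the number of seconds to retain events); the 50 MB and 300 MB thresholds and the 350 to 500 bytes per event figure come from the text.

```powershell
# Added example (not from the book): evaluate a security event log configuration
# against the sizing and overwrite guidance in this section. DWORD values come
# back from Get-ItemProperty as signed Int32, so 0xFFFFFFFF appears as -1.
function Test-SecurityLogConfig {
    param(
        [int64]$MaxSizeBytes,       # Eventlog\Security\MaxSize (page)
        [int64]$RetentionSeconds,   # Eventlog\Security\Retention (assumed value name)
        [int]$CrashOnAuditFail,     # Control\Lsa\CrashOnAuditFail (page)
        [string]$LogPath            # Eventlog\Security\File (assumed value name)
    )
    $findings = @()
    if ($MaxSizeBytes -lt 50MB) {
        $findings += ('MaxSize is {0:N2} MB; guideline is at least 50 MB' -f ($MaxSizeBytes / 1MB))
    } elseif ($MaxSizeBytes -gt 300MB) {
        $findings += 'MaxSize exceeds the 300 MB ceiling recommended in the text'
    }
    # Capacity estimate from the 350-500 bytes per event figure.
    $minEvents = [math]::Floor($MaxSizeBytes / 500)
    $maxEvents = [math]::Floor($MaxSizeBytes / 350)
    if ($RetentionSeconds -eq 0) {
        $mode = 'Overwrite oldest events as needed'
    } elseif ($RetentionSeconds -eq -1 -or $RetentionSeconds -eq [int64]4294967295) {
        $mode = 'Do not overwrite; log must be cleared manually'
        $findings += 'Logging stops when the log is full; schedule archival before that point'
    } else {
        $days = [math]::Floor($RetentionSeconds / 86400)
        $mode = "Retain events for $days days before overwriting"
    }
    if ($CrashOnAuditFail -eq 1) {
        $findings += 'CrashOnAuditFail=1: host halts (STOP C0000244) if an audit cannot be written; reconcile with availability SLAs'
    }
    [pscustomobject]@{
        LogPath         = $LogPath
        MaxSizeMB       = [math]::Round($MaxSizeBytes / 1MB, 2)
        EstimatedEvents = "$minEvents-$maxEvents"
        OverwriteMode   = $mode
        Findings        = $findings
    }
}

# Read the live values on the local machine (run from an elevated session).
$log = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Test-SecurityLogConfig -MaxSizeBytes $log.MaxSize -RetentionSeconds $log.Retention `
    -CrashOnAuditFail $lsa.CrashOnAuditFail -LogPath $log.File
```

Missing values (for example an absent CrashOnAuditFail) arrive as $null and are treated as 0, matching the default behavior described above.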