Auditing Notes



Don't audit everything: that's being paranoid and creates huge overhead on your system (your security log will be full in no time). Instead, be selective in what you audit, focusing on auditing failures for security tracking and on successes for resource access. Also, don't configure auditing on every computer in your network. Each computer has its own specific roles, resources, and vulnerabilities. You don't want to spend all your nights and weekends reviewing security logs!

If you're going to audit successes for tracking resource usage, you should probably archive your logs regularly. This saves disk space. Also, remember that auditing is of no use if you don't regularly check your security logs for problems. Schedule a time when you can do this or it won't get done!

Before configuring an audit policy, check the settings for the security log in Event Viewer, and check the available space on your disk to make sure that old log events aren't overwritten unexpectedly.
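The pre-check described above can also be scripted. The following is an added example, not code from the book; it assumes an elevated Windows PowerShell 3.0 or later session, and the 80 percent threshold and the wording of the findings are illustrative assumptions.

```powershell
# Added example: run from an elevated Windows PowerShell session.
$ErrorActionPreference = 'Stop'
$warnAtPercent = 80   # assumed threshold for "nearly full"; adjust as needed

# Size and retention settings, as shown in the log's properties in Event Viewer.
$log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }

# The log file location is stored under the EventLog service registry key.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
$file  = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $key).File)
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($file))

$maxBytes  = $log.MaximumKilobytes * 1KB
$usedBytes = (Get-Item -LiteralPath $file).Length
$pctFull   = [math]::Round(100 * $usedBytes / $maxBytes, 1)

# Translate the raw settings into the risks the text warns about.
$findings = @()
switch ($log.OverflowAction) {
    'OverwriteAsNeeded' { $findings += 'Oldest events are overwritten as soon as the log is full.' }
    'OverwriteOlder'    { $findings += "Events older than $($log.MinimumRetentionDays) days are overwritten when the log is full." }
    'DoNotOverwrite'    { $findings += 'Nothing is overwritten; new events are lost once the log is full, until it is cleared.' }
}
if ($pctFull -ge $warnAtPercent) {
    $findings += "Log file is at $pctFull% of its maximum size; archive it or raise the limit before enabling more auditing."
}
if ($drive.AvailableFreeSpace -lt $maxBytes) {
    $findings += "Free space on $($drive.Name) is below the configured maximum log size."
}

# One summary object: settings, current usage, and anything that needs attention.
[pscustomobject]@{
    LogFile        = $file
    MaxSizeMB      = [math]::Round($maxBytes / 1MB, 1)
    PercentFull    = $pctFull
    OverflowAction = $log.OverflowAction
    DriveFreeMB    = [math]::Round($drive.AvailableFreeSpace / 1MB, 1)
    Findings       = $findings
}
```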

Audit access by the Everyone group if you are concerned about unauthorized users attempting to access file and print resources or Active Directory objects.

Permission to Audit

To configure an audit policy, you must either be a member of the Administrators group or be granted the "Manage auditing and security log" right in Group Policy.

Multiple Audit Policies

Domain-level audit policies override locally configured ones. See Group Policy later in this chapter for how different levels of policies combine.

See Also

Event Logs, Group Policy



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
