Audit Policy and Best Practice.pdf



Original filename: Audit_Policy_and_Best_Practice.pdf

This PDF 1.3 document has been generated by HTML2FPDF >> http://html2fpdf.sf.net / FPDF 1.52, and has been sent on pdf-archive.com on 09/12/2014 at 10:30, from IP address 212.107.x.x. The current document download page has been viewed 368 times.
File size: 5 KB (3 pages).
Privacy: public file






SolarWinds Knowledge Base
Audit Policy and Best Practice

Introduction

Windows Audit Policy is used to determine the verbosity of Windows Security Logs on domain controllers and other computers on the domain. The recommendations in this document have been found to be most effective from both a best practice and compliance standpoint and are based on customer experience and recommendations from Microsoft.

Requirements

Setting Windows Audit Policy for use with the SolarWinds Log & Event Manager requires the following:
- Windows Server 2003 or higher.
- Permissions to change Windows Audit Policy at the domain controller and domain level.
- An installation of the SolarWinds LEM or TriGeo SIM Console.

Windows Audit Policy Definitions

This section is adapted from information available at:
http://technet.microsoft.com
You can find relevant articles by searching for audit policy best practice from the page linked above.
Audit account logon events
Logon events represent instances of users logging on to or logging off from a computer that is logging those
events. Account logon events are specifically related to domain logon events and are logged in the security
log for the related domain controller.
Audit account management
Account management events are the “change management” events on a computer. These events include all
changes made to users, groups and machines.
Audit logon events
Logon events represent instances of users logging on to or logging off from a computer that is logging those
events. Events in this category are logged in the security log of the local computer onto which the user is
logging, even when the user is actually logging onto the domain using their local computer.
Audit object access
Object access events track users accessing objects that have their own system access control lists. Such
objects include files, folders and printers.
Audit policy change
Policy change events represent instances in which local or group policy is changed. These changes include
changes to user rights assignments, audit policies and trust policies.
Audit privilege use
Privilege use events track users accessing objects based on their level of privilege to do so. Such objects
include files, folders and printers, or any object that has its own system access control list defined.
Audit process tracking
Process tracking logs all instances of process, service and program starts and stops. This can be useful to
track both wanted and unwanted processes such as AV services and malicious programs, respectively.
Audit system events
System events include start up and shut down events on the computer logging them, along with events that
affect the system’s security. These are operating system events and are only logged locally.

Windows Audit Policy Best Practice

Windows Audit Policy is defined locally for each computer, but we recommend using Group Policy to manage
the Audit Policy at both the domain controller and domain levels.
To set Windows Audit Policy using Group Policy Object Editor:
1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies and select Audit Policy in the left pane.
2. Select the policy you want to define in the right pane and click Properties on the Action menu.
3. Select or clear Success and Failure according to the instructions below.
Default Domain Controllers Policy

Select Success and Failure for all policies except:
- Audit object access
- Audit privilege use
For these, only select Failure.
Default Domain Policy

Default Domain Policy applies to all computers on your domain except your domain controllers.
For this policy, select Success and Failure for the following:
- Audit account logon events
- Audit account management
- Audit logon events
- Audit policy change
- Audit system events
You may also select Success and Failure for Audit process tracking to monitor critical processes such as the
AV service or unauthorized programs such as games or malicious executable files.
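The two policy tables above (Default Domain Controllers Policy and Default Domain Policy) can also be applied and verified from the command line. The following PowerShell script is an added example, not part of the SolarWinds KB article: it maps the article's legacy policy names to the category names auditpol.exe uses, applies the recommended Success/Failure settings for the chosen role, and then reads the effective policy back for review. The `-Role` and `-IncludeProcessTracking` parameters and the mapping table are this example's own assumptions. auditpol.exe changes the local effective policy only; the article recommends deploying the same settings through Group Policy at the domain controller and domain levels, and the script is best used to verify that the GPO has taken effect.

```powershell
# Added example (not from the SolarWinds KB article): apply the article's recommended
# Windows Audit Policy with auditpol.exe and read the effective policy back.
# Assumptions: run in an elevated PowerShell session on the target computer.
# The -Role / -IncludeProcessTracking parameters and the category mapping are this
# example's own; auditpol.exe sets the local effective policy, while the article
# recommends managing the same settings through Group Policy.
param(
    [ValidateSet('DomainController', 'DomainMember')]
    [string]$Role = 'DomainMember',
    [switch]$IncludeProcessTracking    # optional for members; see the article's note on log volume
)

# Legacy policy name (as used in the article) -> auditpol.exe category name
$Categories = [ordered]@{
    'Audit account logon events' = 'Account Logon'
    'Audit account management'   = 'Account Management'
    'Audit logon events'         = 'Logon/Logoff'
    'Audit object access'        = 'Object Access'
    'Audit policy change'        = 'Policy Change'
    'Audit privilege use'        = 'Privilege Use'
    'Audit process tracking'     = 'Detailed Tracking'
    'Audit system events'        = 'System'
}

# Article recommendations: 'SF' = Success and Failure, 'F' = Failure only
$DomainControllerPolicy = @{
    'Audit account logon events' = 'SF'
    'Audit account management'   = 'SF'
    'Audit logon events'         = 'SF'
    'Audit object access'        = 'F'    # Failure only on domain controllers
    'Audit policy change'        = 'SF'
    'Audit privilege use'        = 'F'    # Failure only on domain controllers
    'Audit process tracking'     = 'SF'
    'Audit system events'        = 'SF'
}
$DomainMemberPolicy = @{
    'Audit account logon events' = 'SF'
    'Audit account management'   = 'SF'
    'Audit logon events'         = 'SF'
    'Audit policy change'        = 'SF'
    'Audit system events'        = 'SF'
}
if ($IncludeProcessTracking) { $DomainMemberPolicy['Audit process tracking'] = 'SF' }

$Policy = if ($Role -eq 'DomainController') { $DomainControllerPolicy } else { $DomainMemberPolicy }

foreach ($legacyName in $Policy.Keys) {
    $category = $Categories[$legacyName]
    switch ($Policy[$legacyName]) {
        'SF' { $success = 'enable';  $failure = 'enable' }
        'F'  { $success = 'disable'; $failure = 'enable' }
    }
    Write-Host ("Setting {0,-28} [{1}]: success={2} failure={3}" -f $legacyName, $category, $success, $failure)
    # Quoted arguments so category names containing spaces reach auditpol.exe intact
    & auditpol.exe /set "/category:$category" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol.exe failed for category '$category' (exit code $LASTEXITCODE)"
    }
}

# Read the effective policy back so the result can be verified and kept as compliance evidence
& auditpol.exe /get /category:*
```

Run it as `.\Set-RecommendedAuditPolicy.ps1 -Role DomainController` on a domain controller or with the default role on a member server; the final `auditpol.exe /get /category:*` listing is what you compare against the tables above after a Group Policy refresh.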
Note: Enabling auditing at the level of Audit process tracking will significantly increase the number of events in the system logs, so your LEM database will grow more quickly as it collects these logs. There could also be bandwidth implications; this is wholly dependent upon your network’s traffic volume and bandwidth capacity. Since agent traffic is transmitted to the manager as a real-time “trickle” of data, bandwidth impact is typically minimal.
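To see which of the categories defined under Windows Audit Policy Definitions actually drive event volume on a given computer, and to put a number on the process-tracking growth the note above warns about, the following PowerShell script is an added example (not part of the SolarWinds KB article). It counts Security-log events per article category over a recent window using a small, representative set of event IDs per category; that ID selection, the `-Hours` parameter and the per-hour rate are this example's own assumptions, and the IDs apply to Windows Server 2008 R2 / Windows 7 and later rather than to the Windows Server 2003 event numbering.

```powershell
# Added example (not from the SolarWinds KB article): measure Security-log volume per
# audit category over the last N hours, to gauge the impact of enabling a category.
# Assumptions: run elevated on the computer being measured; the event IDs below are a
# representative sample per article category (Windows Server 2008 R2 / Windows 7 and
# later numbering), not an exhaustive list.
param([int]$Hours = 24)

# Representative Security-log event IDs for each category named in the article
$CategoryEvents = [ordered]@{
    'Audit account logon events' = @(4768, 4769, 4771, 4776)                    # Kerberos TGT/service tickets, NTLM validation
    'Audit account management'   = @(4720, 4722, 4724, 4725, 4726, 4728, 4732, 4738)  # user/group create, change, delete
    'Audit logon events'         = @(4624, 4625, 4634, 4647, 4648)              # local logon, failed logon, logoff
    'Audit object access'        = @(4656, 4663)                                # handle requested, object accessed
    'Audit policy change'        = @(4719, 4739)                                # audit policy / domain policy changed
    'Audit privilege use'        = @(4672, 4673, 4674)                          # special privileges, privileged service/object
    'Audit process tracking'     = @(4688, 4689)                                # process created, process exited
    'Audit system events'        = @(4608, 4609, 4616)                          # startup, shutdown, system time changed
}

$since = (Get-Date).AddHours(-$Hours)

$results = foreach ($category in $CategoryEvents.Keys) {
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = $CategoryEvents[$category]
            StartTime = $since
        } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Category      = $category
        Events        = $events.Count
        EventsPerHour = [math]::Round($events.Count / $Hours, 1)
    }
}

$results | Sort-Object Events -Descending | Format-Table -AutoSize

# Current size and retention headroom of the Security log itself
Get-WinEvent -ListLog Security |
    Select-Object LogName, RecordCount, FileSize, MaximumSizeInBytes |
    Format-List
```

Run it once before and once after enabling Audit process tracking (with the same `-Hours` window) and compare the rows; the difference in the process-tracking row, multiplied by the number of agents, is the extra event rate the LEM database and the agent-to-manager link will have to absorb.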

http://knowledgebase.solarwinds.com/kb/questions/2833/
