To design an audit policy, complete the following steps:
- Identify the objects that require auditing and the potential security threats.
- Enable the audit policy that records events related to the objects and threats you’ve identified. Indicate whether to track success or failure (or both).
- If necessary, configure auditing for specific files and objects. You must configure auditing on specific objects to audit the following:
  - NTFS file or folder access
  - Printer access
  - Active Directory object access
  - Certificate Authority actions
  - Registry hive, key, or subkey access
  - IIS metabase object access
Although you might be tempted to audit everything, you should audit only those events that are necessary to ensure a secure network. Use the following guidelines when designing auditing.
- Audit only what’s necessary.
- Audit for Success only or Failure only if either one is sufficient to give you the information you need.
- Enable auditing on only the necessary objects. For example, enable auditing on specific files or registry keys rather than enabling auditing on an entire drive or registry hive.
Excessive auditing uses processor cycles and requires disk space for the audit log. In addition, auditing every event increases the number of entries in the log, making it harder to find those things you are looking for.
- Make sure you have modified the audit log size and characteristics so that you are saving the data you want to save where you want it.
- Archive audit logs so you can review past data if you suspect a problem.
- Identify actions that should always be audited. In addition, periodically audit other actions for short periods of time to catch any unforeseen problems.
- Design periodic reviews of audit logs. Auditing is useless if you do not read the logs.
- For investigative and evidentiary reasons, make sure that all pertinent events are getting recorded to the Security log. In addition to tracking the necessary events, make sure your logs are properly configured to save all of the necessary information.
- Use the Event Log policies in Group Policy to configure the Security log size and retention method.
- To preserve all logged actions, configure logs to not overwrite events. When logs are not configured to clear automatically, you must periodically save and clear the logs to make room for additional events.
- Enable the security option “Audit: Shut down system immediately if unable to log security audits” to prevent the system from being used if the log is full (this setting is also referred to as CrashOnAuditFail).
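As an added example (not part of the original text), the following PowerShell reviews the Security log and CrashOnAuditFail settings described above and scopes object-access auditing to a single registry key rather than a whole hive. It assumes an elevated session; the `HKLM:\SOFTWARE\Contoso\Secrets` key path is a placeholder.

```powershell
# Added example: check Security log retention and CrashOnAuditFail, and put a
# narrowly scoped SACL entry on one registry key. Requires an elevated session.

function Get-SecurityLogState {
    # Security log size and retention as currently configured (locally or via
    # the Event Log policies in Group Policy).
    $log = Get-WinEvent -ListLog Security
    # CrashOnAuditFail = 1 corresponds to the "Audit: Shut down system immediately
    # if unable to log security audits" option.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaximumSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode          = $log.LogMode   # Circular = overwrite; Retain = do not overwrite
        CrashOnAuditFail = if ($lsa) { $lsa.CrashOnAuditFail } else { 0 }
    }
}

function Add-RegistryKeyAudit {
    # Audit only the necessary object: a single key, not the entire hive.
    # Object Access auditing must also be enabled in the audit policy for these
    # SACL entries to generate Security log events.
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # placeholder path supplied by caller
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.RegistryRights] $Rights = 'SetValue, CreateSubKey, Delete',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    # Return the resulting audit entries so the change can be reviewed.
    (Get-Acl -Path $KeyPath -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.NTAccount])
}

# Usage: review the log settings, then scope auditing to the placeholder key.
Get-SecurityLogState
Add-RegistryKeyAudit -KeyPath 'HKLM:\SOFTWARE\Contoso\Secrets'
```

Compare the returned `LogMode` and `CrashOnAuditFail` values against the guidelines above before relying on the log as evidence.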