Active Directory 2008: Group Policy Auditing Design Facts…

To design an audit policy, complete the following steps:

  1. Identify the objects that require auditing and the potential security threats.
  2. Enable the audit policy that records events related to the objects, events, and threats you’ve identified. Indicate whether to track success or failure (or both).
  3. If necessary, configure auditing for specific files and objects. You must configure auditing on specific objects to audit the following:
    • NTFS file or folder access
    • Printer access
    • Active Directory object access
    • Certificate Authority actions
    • Registry hive, key, or subkey access
    • IIS metabase object access

Although you might be tempted to audit everything, you should audit only those events that are necessary to ensure a secure network. Use the following guidelines when designing auditing.

  • Audit only what’s necessary.
    • Audit for Success only or Failure only if either one is sufficient to give you the information you need.
    • Enable auditing on only the necessary objects. For example, enable auditing on specific files or registry keys rather than enabling auditing on an entire drive or registry hive.

    Excessive auditing uses processor cycles and requires disk space for the audit log. In addition, auditing every event increases the number of entries in the log, making it harder to find those things you are looking for.

  • Make sure you have modified the audit log size and characteristics so that you are saving the data you want to save where you want it.
  • Archive audit logs so you can review past data if you suspect a problem.
  • Identify actions that should always be audited. In addition, periodically audit other actions for short periods of time to catch any unforeseen problems.
  • Design periodic reviews of audit logs. Auditing is useless if you do not read the logs.
  • For investigative and evidentiary reasons, make sure that all pertinent events are getting recorded to the Security log. In addition to tracking the necessary events, make sure your logs are properly configured to save all of the necessary information.
    • Use the Event Log policies in Group Policy to configure the Security log size and retention method.
    • To preserve all logged actions, configure logs to not overwrite events. When logs are not configured to clear automatically, you must periodically save and clear the logs to make room for additional events.
    • Enable the Audit: Shut down system immediately if unable to log security audits security option to prevent the system from being used if the log is full (this setting is also referred to as CrashOnAuditFail).
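
The following PowerShell script is an added example, not part of the original post: it reads the settings the guidelines above refer to (Security log size and retention method, the CrashOnAuditFail option, and the effective per-subcategory audit policy) so they can be checked against the design. The function name Get-AuditDesignReport and the 256 MB size target are assumptions; run it in an elevated session on the server being reviewed.

```powershell
# Added example, not from the original post: report the Security log and
# audit policy settings the design guidelines refer to. Run elevated.
$MinSecurityLogMB = 256   # assumed target; size the log for the retention you need

function Get-AuditDesignReport {
    $findings = @()

    # 1. Security log size and retention method (set via Event Log policies in Group Policy).
    #    LogMode 'Circular' overwrites as needed; 'Retain' means do not overwrite events.
    $log    = Get-WinEvent -ListLog Security
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    if ($sizeMB -lt $MinSecurityLogMB) {
        $findings += "Security log maximum size is $sizeMB MB, below the $MinSecurityLogMB MB target."
    }
    if ($log.LogMode -ne 'Retain') {
        $findings += "Security log retention is '$($log.LogMode)'; older events can be overwritten."
    }

    # 2. 'Audit: Shut down system immediately if unable to log security audits'
    #    is stored as the CrashOnAuditFail value under the Lsa key (1 = enabled).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    switch ([int]$lsa.CrashOnAuditFail) {
        1       { }   # enabled, as the guideline recommends
        2       { $findings += 'CrashOnAuditFail is 2: the log filled and the system halted; archive and clear the log, then reset the value to 1.' }
        default { $findings += 'CrashOnAuditFail is not enabled; the system keeps running when audits cannot be logged.' }
    }

    # 3. Effective audit policy per subcategory (auditpol CSV output). Subcategories with
    #    no auditing, and those auditing both Success and Failure, are listed so each can
    #    be justified against the "audit only what is necessary" guideline.
    $policy      = auditpol /get /category:* /r | ConvertFrom-Csv
    $notAudited  = @($policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
    $bothAudited = @($policy | Where-Object { $_.'Inclusion Setting' -eq 'Success and Failure' })

    New-Object PSObject -Property @{
        SecurityLogMaxMB               = $sizeMB
        SecurityLogMode                = $log.LogMode.ToString()
        CrashOnAuditFail               = $lsa.CrashOnAuditFail
        NotAuditedSubcategories        = @($notAudited  | ForEach-Object { $_.Subcategory })
        SuccessAndFailureSubcategories = @($bothAudited | ForEach-Object { $_.Subcategory })
        Findings                       = $findings
    }
}

Get-AuditDesignReport | Format-List
```

An empty Findings list means the log will not overwrite events, CrashOnAuditFail is on and the log meets the size target; the two subcategory lists are there for review, not automatic failures.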
