solidhost.blogg.se

Windows server 2008 security auditing

Auditing capability in Microsoft Windows Server has always been a somewhat unsophisticated affair: either filling up event logs so quickly that they truncate or spiralling out of control. Extraneous logging also made it difficult to find relevant information. In Windows Server 2008, Microsoft provides new granular controls, making auditing more useful and manageable. Here’s a look at how to configure basic auditing in Server 2008, highlighting the improvements over earlier versions of Windows Server, including monitoring changes to Active Directory (AD) configuration.

Windows Auditing monitors what’s been changed or accessed on a system - when and by whom - and records the details in the event log. For example, “user account management” events are audited by default in Server 2008. This includes actions such as creating a user account. Recording changes is important for integrity and troubleshooting. Computers don’t just stop working; they stop working for a reason. If server security is breached, you need to know how the machine was compromised.

Whether the default configuration provides a sufficient level of auditing depends on your organization’s needs. The standard settings don’t audit every event, and that wouldn’t be a good idea anyway. Before deciding how to configure auditing, you should define an audit policy for your company.

- Do you need to audit for regulatory compliance, such as Sarbanes-Oxley?
- Do you want to audit for intrusion or malware detection?
- Would auditing help in the change-control or troubleshooting processes?
- Should you monitor attempts at unauthorized access to sensitive data by your own employees?
- Would it be useful to check the file system for deletion events?
- Do you have the resources to review the information collected in the logs?
- Will excessive logging create a trade-off in server performance?
- Do you need to store event logs? If so, for how long?

There is no one-size-fits-all answer as to what should be audited. Microsoft offers some useful advice online.

Windows Server 2008’s Default Domain and Domain Controllers Group Policy Objects (GPOs) leave all global audit policies undefined initially (Figure 1). Nevertheless, if these default GPOs are applied to a server in your domain, auditing is left enabled, unless otherwise configured locally. Microsoft has divided each global policy, such as Audit Directory Service Access, into subcategories. If you enable a global policy in a GPO, this turns on all the corresponding subcategories.
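
The effect of a global policy on its subcategories, using Audit Directory Service Access (the "DS Access" category in auditpol) as the case, can be checked from the command line. The PowerShell script below is an added example, not code from the original article: it parses the CSV report produced by `auditpol /get /category:"DS Access" /r` and flags the case where every subcategory is being audited. The function name `Get-AuditSubcategoryState`, the machine name `DC01` and the GUID placeholders are assumptions made for the example, the embedded report is constructed so the script runs offline, and PowerShell 2.0 or later is assumed.

```powershell
# Constructed sample of: auditpol /get /category:"DS Access" /r
# (machine name and GUID column are placeholders, not real values)
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Directory Service Access,{placeholder},Success and Failure,
DC01,System,Directory Service Changes,{placeholder},Success and Failure,
DC01,System,Directory Service Replication,{placeholder},Success and Failure,
DC01,System,Detailed Directory Service Replication,{placeholder},Success and Failure,
'@

# Hypothetical helper: turns the auditpol CSV report into one object per
# subcategory with boolean Success / Failure columns.
function Get-AuditSubcategoryState {
    param([Parameter(Mandatory=$true)][string]$CsvText)

    $CsvText -split '\r?\n' |
        Where-Object { $_.Trim() } |          # auditpol output can contain blank lines
        ConvertFrom-Csv |
        Select-Object -Property Subcategory,
            @{ Name = 'Success'; Expression = { $_.'Inclusion Setting' -match 'Success' } },
            @{ Name = 'Failure'; Expression = { $_.'Inclusion Setting' -match 'Failure' } }
}

$state   = @(Get-AuditSubcategoryState -CsvText $sample)
$enabled = @($state | Where-Object { $_.Success -or $_.Failure })

$state | Format-Table -AutoSize

if ($state.Count -gt 0 -and $enabled.Count -eq $state.Count) {
    # This is the pattern left behind when the global policy is switched on.
    Write-Output 'All DS Access subcategories are audited (global policy behaviour).'
} else {
    Write-Output ("Audited subcategories: " + (($enabled | ForEach-Object { $_.Subcategory }) -join ', '))
}

# To analyse the live policy instead of the sample (elevated prompt):
#   $live = (auditpol /get /category:"DS Access" /r) -join "`n"
#   Get-AuditSubcategoryState -CsvText $live
# To set one subcategory on its own rather than the whole category:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
```

Subcategory settings made with auditpol can be overwritten by category-level Group Policy unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.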









