Strategies for Auditing

Auditing enables you to monitor events associated with specific users, groups, and services.
These events are recorded in the security log. The capability to monitor these events is useful
not only for troubleshooting but also as a tool for monitoring and managing security: it lets you
keep tabs on the actions of specific users or groups and watch for attempts at unauthorized
access to the system or its resources.

Although you could audit every event, doing so isn't practical: you'd place an undue load on the
system and either end up with an enormous log file or spend all your time archiving logs. The
following sections examine some specific scenarios and how you might employ auditing in each.

Leaving auditing off

One option is to leave auditing off altogether, which is not a bad option in some situations.
If you're not concerned with security, you have no real reason to enable auditing. Turning
auditing off reduces system overhead and simplifies log management, but it also means that when
something does go wrong there is no record of who did what. Most organizations are (or should
be) concerned with security at least to some degree, so this option is unlikely to fit your needs.

Turning all auditing on

At the other end of the auditing spectrum is complete auditing. If you're very concerned about
security or aiming for C2 certification under the TCSEC (Orange Book) criteria, this may be an
option. Bear in mind, however, that your system will generate a huge number of events, requiring
very active management of the security log. As a lighter alternative to full logging, consider
logging only failure events and not success events. Be clear about what that trade-off drops: a
successful logon with a stolen password, or a successful addition to a sensitive group, is a
success event and would then never be recorded.
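The two ends of the spectrum expressed as local audit policy, with a middle ground in between, as an added example that is not part of the original text. It uses auditpol.exe (built into Windows Vista / Server 2008 and later) from an elevated session; the "baseline" selection of subcategories is this example's own assumption, not a recommendation from the page, and the subcategory names are the English names printed by "auditpol /list /subcategory:*".

```powershell
# Added example: full auditing, failure-only auditing, and an assumed middle ground, via auditpol.exe.
# Run elevated; changing audit policy needs SeSecurityPrivilege.

function Set-AuditFull {
    # "Turn all auditing on": every category, success and failure.
    # Expect very high volume, especially from Object Access and Privilege Use.
    auditpol /set /category:* /success:enable /failure:enable | Out-Null
}

function Set-AuditFailureOnly {
    # The lighter alternative from the text: keep failures, drop successes, everywhere.
    auditpol /set /category:* /success:disable /failure:enable | Out-Null
}

function Set-AuditBaseline {
    # Assumed middle ground: failures everywhere, plus success auditing on the low-volume
    # subcategories whose success events carry the security signal (who logged on, who changed what).
    Set-AuditFailureOnly
    $highValue = @(
        'Logon', 'Logoff', 'Account Lockout', 'Special Logon',        # Logon/Logoff
        'Credential Validation', 'Kerberos Authentication Service',   # Account Logon (domain controllers)
        'User Account Management', 'Security Group Management',       # Account Management
        'Audit Policy Change', 'Authentication Policy Change',        # Policy Change
        'Sensitive Privilege Use'                                     # Privilege Use
    )
    foreach ($sub in $highValue) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

function Get-AuditSettings {
    # Check: "auditpol /get ... /r" emits CSV; turn it into objects so the policy can be reviewed or diffed.
    auditpol /get /category:* /r |
        Where-Object { $_ } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Pick one: Set-AuditFull for the complete policy, Set-AuditFailureOnly for the lighter one,
# or the baseline below. Then list everything that is not failure-only; anything beyond the
# $highValue list above is drift from the intended policy.
Set-AuditBaseline
Get-AuditSettings | Where-Object { $_.'Inclusion Setting' -ne 'Failure' } | Format-Table -AutoSize
```

auditpol changes the local policy only. In a domain, set the same subcategories through Advanced Audit Policy Configuration in Group Policy, and note that a legacy category-level audit policy applied by GPO overrides subcategory settings unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.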

Auditing problem users

Certain users, for one reason or another, can become an administrator's worst nightmare. In
some cases it's through no fault of the user and instead results from problems with the user's
profile, account, and so on. In other cases the user is at fault: frequently entering the wrong
password, mistyping the account name, trying to log on during hours when logon is not allowed,
or trying to access resources for which they have no permissions (or no need). In these
situations you can monitor the events associated with the given user. You may even need to
retain the information for counseling or termination purposes.

Which types of events you audit for a given user or group depends on the problem area. Audit
account logon events, for example, if the user has trouble logging on or attempts to log on
during unauthorized hours. In a domain, account logon events are recorded on the domain
controller that validated the credentials, whereas logon events are recorded on the computer
where the logon was attempted, so check both if the user roams between machines. Track object
access to determine when a user or group is attempting to access a given resource such as a
folder or file. Tailor other auditing to the specific tasks and events generated by the user or
group.
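Pulling one problem user's failed logons and decoding why each failed, as an added example that is not part of the original text. It reads event 4625 (an account failed to log on) from the local Security log and assumes logon failure auditing is enabled and the session may read that log; the account name 'jdoe' and the 7-day window are assumptions. On a domain controller the account-logon counterparts are 4776 (NTLM credential validation) and 4771 (Kerberos pre-authentication failed), which this example does not query.

```powershell
# Added example: decode a user's failed logons (event 4625) into the reasons the text lists.
# Requires rights to read the Security log (Event Log Readers or an administrator).

# NTSTATUS SubStatus codes carried in 4625, mapped to the text's problem scenarios.
$SubStatusReason = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist (mistyped account name)'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000070' = 'logon from an unauthorized workstation'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}

function ConvertFrom-EventData {
    # Name -> value table built from the event XML, so fields are looked up by name rather than
    # by positional Properties[] index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-UserLogonFailures {
    param(
        [Parameter(Mandatory)][string]$User,        # account name; wildcards allowed, e.g. 'jdo*'
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            # A mistyped account name is logged under the name that was typed, so allow a pattern.
            if ($d['TargetUserName'] -notlike $User) { return }
            $sub = $d['SubStatus']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                SubStatus   = $sub
                Reason      = if ($SubStatusReason.ContainsKey($sub)) { $SubStatusReason[$sub] } else { 'other (see SubStatus)' }
            }
        }
}

# Usage: list the failures, then count them by reason to separate typing trouble from policy violations.
$failures = Get-UserLogonFailures -User 'jdoe' -Days 7
$failures | Format-Table Time, LogonType, Source, Reason -AutoSize
$failures | Group-Object Reason | Select-Object Count, Name
```

Hashtable keys are case-insensitive in PowerShell, so the lowercase hex the event XML actually carries matches the uppercase keys above. If you keep the results for counseling or termination purposes, export the full objects (including SubStatus and Source) rather than the summary table.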

Auditing administrators

Auditing administrators is a good idea, not only to keep track of what administrators are doing
but also to detect unauthorized use of administrative privileges. Keep in mind, however, that
auditing affects system performance, so weigh the categories individually: account management
and policy change events are low in volume and high in value, whereas account logon and privilege
use events for an administrator can be very noisy, so consider auditing those only if you suspect
an individual. Beyond auditing, limit what administrators can do in the first place by delegating
through the wise use of groups and organizational units.
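When you do suspect an individual, this added example (not part of the original text) pulls that administrator's account-management and policy-change actions out of the Security log by subject, using an XPath filter so the event log service does the filtering. It assumes success auditing for User Account Management, Security Group Management and Audit Policy Change is enabled on the queried machine (a domain controller for Active Directory changes); the account name 'admin.jdoe' and the 30-day window are assumptions.

```powershell
# Added example: what did a specific administrator do? Filter the Security log by SubjectUserName.

# Event IDs in the Security log and what they record.
$AdminEventIds = @{
    4720 = 'user account created'
    4726 = 'user account deleted'
    4724 = 'password reset attempted'
    4728 = 'member added to global security group'
    4732 = 'member added to local security group'
    4756 = 'member added to universal security group'
    4719 = 'system audit policy changed'
}

function Get-AdminActivity {
    param(
        [Parameter(Mandatory)][string]$Admin,       # SubjectUserName: the account that performed the action
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME   # use a domain controller for AD account/group changes
    )
    $ids = ($AdminEventIds.Keys | ForEach-Object { "EventID=$_" }) -join ' or '
    $ms  = $Days * 24 * 60 * 60 * 1000              # timediff() in event log XPath is in milliseconds
    # $Admin is inserted verbatim; it is assumed to be a plain account name with no quote characters.
    $xpath = "*[System[($ids) and TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
             "*[EventData[Data[@Name='SubjectUserName']='$Admin']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Action = $AdminEventIds[$_.Id]
                Detail = ($_.Message -split "`r?`n")[0]   # first line of the rendered message
            }
        }
}

# Usage: review the timeline, then compare it against the change tickets the administrator can point to.
Get-AdminActivity -Admin 'admin.jdoe' -Days 30 | Format-Table -AutoSize
```

Because the filter is on SubjectUserName, a 4719 entry here means this account changed the audit policy itself, which is the first thing to look for when an administrator is under suspicion: turning auditing down is how an insider hides the rest.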

Auditing critical files and folders

One very common use for auditing is to track access to important folders and files. In addition
to tracking simple access, you probably want to track when users make or attempt to make
specific types of changes to the object, such as Change Permissions and Take Ownership. This
helps you monitor changes to a folder or file that could affect security. Note that object access
auditing has two halves: the object access audit policy must be enabled on the system, and the
folder or file itself must carry an audit entry (in its SACL) naming which principals and which
access types to audit. With either half missing, nothing is logged.
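Both halves of file auditing for a critical folder, as an added example that is not part of the original text: enabling the File System subcategory and adding a SACL entry for the two rights the text calls out, then reading the SACL back and looking at the resulting events. It must run elevated (reading and writing SACLs needs SeSecurityPrivilege); the path 'D:\Finance' and the principal 'Everyone' are assumptions.

```powershell
# Added example: audit Change Permissions and Take Ownership on a folder, then verify.

function Enable-FileSystemAuditing {
    # Half one: the Object Access policy, here at subcategory level.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
}

function Add-SecurityChangeAudit {
    # Half two: a SACL entry on the folder itself, inherited by everything beneath it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone'
    )
    # Change Permissions is WRITE_DAC, Take Ownership is WRITE_OWNER.
    $rights    = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
                 [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $audit     = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # attempts and successes
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList $Principal, $rights, $inherit, $propagate, $audit
    $acl = Get-Acl -Path $Path -Audit     # -Audit is what retrieves the SACL, not only the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditRules {
    # Check: read the SACL back and show what is actually being audited.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Enable-FileSystemAuditing
Add-SecurityChangeAudit -Path 'D:\Finance' -Principal 'Everyone'
Get-AuditRules -Path 'D:\Finance'

# Resulting events: 4656 (handle requested; a failure audit when denied) and 4663 (access performed)
# carry an AccessMask of 0x40000 (WRITE_DAC) or 0x80000 (WRITE_OWNER); 4670 records the permission
# change itself. The match below is on the rendered message, which includes the object name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4670 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape('D:\Finance') } |
    Select-Object TimeCreated, Id, Message
```

Auditing 'Everyone' for only these two rights keeps volume low: ordinary reads and writes produce nothing, and only the permission and ownership operations that change the folder's security posture are recorded. Add a second rule for ReadData or Write on the same folder only where the text's "simple access" tracking is genuinely needed, because those rights generate an event on every file touch.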
