Developing a Good Audit Policy

You can only use the auditing feature effectively if you develop an audit policy that both generates the events that you are interested in seeing and generates few enough events that you can effectively manage the resultant logs.

Many administrators who have not yet used the feature start by enabling every audit policy setting, only to be distressed in short order by the large volume of events that is generated.

As with any other form of security policy, the most effective results are usually achieved by analyzing the security threats that concern you the most and deploying the policy settings that mitigate those threats.

The temptation is strong to select audit policy settings as you might select things from a mail-order catalog or menu in a restaurant. Many of the settings look good, and nothing prevents you from choosing them all. However, as noted earlier, Windows is probably capable of generating much more audit than you are able to manage. Careful selection of just the minimum set of events that will mitigate your security risks will probably result in a much better experience.

On the companion CD to this volume you will find files containing the mapping of audit events to the category and subcategory of audit policy that causes the events to be generated. You can use this to help plan your audit policy settings.

After you have selected your audit policy, it is wise to deploy it on a small number of production computers and examine the resultant security log volume. If you find the volume to be higher than you are comfortable with, you should consider trying less aggressive auditing settings.

Event Viewer is a very useful tool in Windows Server 2008 for determining exactly which policy settings are causing your audit volume. The main Event Viewer window allows you to group events by Task Category, Event Source, Event ID, and other attributes. If you see a high-volume event, look at a few instances of that event to verify that the event is telling you something that you find useful. If not, consider disabling the policy that causes that event to be generated.
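The same volume analysis can be scripted so it can be run on each pilot computer. The following PowerShell script is an added example, not from the book or its companion CD; it assumes it runs in an elevated session (reading the Security log requires administrator rights) and that the log spans the chosen window, and it groups Security events by Event ID and Task Category, reports each group's share of the total and its rate per hour, then prints the current audit policy with auditpol so each high-volume group can be traced back to the subcategory setting that generates it.

```powershell
# Added example: summarize Security log volume by event ID and task category
# over the last $Hours hours, to find which audit subcategories drive volume.
param(
    [int]$Hours = 24,   # window to examine; shorten on busy servers
    [int]$Top   = 15    # how many of the noisiest event groups to show
)

$start = (Get-Date).AddHours(-$Hours)

# FilterHashtable pushes the time filter into the event log service instead of
# reading every record into PowerShell. @() keeps .Count valid for one event.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $start } `
            -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No Security events found in the last $Hours hours."
    return
}

$total = $events.Count

# Group by event ID plus task category (the audit subcategory that produced it),
# the same grouping Event Viewer offers, but with rates and percentages added.
$summary = $events |
    Group-Object -Property Id, TaskDisplayName |
    ForEach-Object {
        [PSCustomObject]@{
            EventId      = $_.Group[0].Id
            TaskCategory = $_.Group[0].TaskDisplayName
            Count        = $_.Count
            PerHour      = [math]::Round($_.Count / $Hours, 1)
            Percent      = [math]::Round(100 * $_.Count / $total, 1)
        }
    } |
    Sort-Object -Property Count -Descending

Write-Host ("{0} Security events in the last {1} hours ({2:N1} per hour)" -f `
            $total, $Hours, ($total / $Hours))
$summary | Select-Object -First $Top | Format-Table -AutoSize

# Print the effective audit policy so each noisy TaskCategory above can be matched
# to the subcategory setting that could be relaxed (auditpol is the built-in tool).
auditpol /get /category:*
```

Run it before and after adjusting a subcategory setting and compare the per-hour rates to confirm the change had the intended effect on volume.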